ABSTRACT
This paper presents a Factor Graph based framework called AttackTagger for highly accurate and preemptive detection of attacks, i.e., detection before the system misuse occurs. We use security logs of real incidents that occurred over a six-year period at the National Center for Supercomputing Applications (NCSA) to evaluate AttackTagger. Our data consist of security incidents that led to compromise of the target system, i.e., the attacks in the incidents were identified only after the fact by security analysts. AttackTagger detected 74 percent of the attacks, and the majority of them were detected before the system misuse. Finally, AttackTagger uncovered six hidden attacks that were not detected by intrusion detection systems during the incidents or by security analysts in post-incident forensic analysis.
Preemptive intrusion detection: theoretical framework and real-world measurements