nach oben

Telecommunication Systems

Erschienen in:

01.05.2016

Effective network security monitoring: from attribution to target-centric monitoring

verfasst von: Siraj Ahmed Shaikh, Harsha Kumara Kalutarage

Erschienen in: Telecommunication Systems | Ausgabe 1/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Network security monitoring remains a challenge. As global networks scale up, in terms of traffic, volume and speed, effective attribution of cyber attacks is increasingly difficult. The problem is compounded by a combination of other factors, including the architecture of the Internet, multi-stage attacks and increasing volumes of nonproductive traffic. This paper proposes to shift the focus of security monitoring from the source to the target. Simply put, resources devoted to detection and attribution should be redeployed to efficiently monitor for targeting and prevention of attacks. The effort of detection should aim to determine whether a node is under attack, and if so, effectively prevent the attack. This paper contributes by systematically reviewing the structural, operational and legal reasons underlying this argument, and presents empirical evidence to support a shift away from attribution to favour of a target-centric monitoring approach. A carefully deployed set of experiments are presented and a detailed analysis of the results is achieved.

Vorheriger Artikel An adaptive cache invalidation technique for wireless environments

Nächster Artikel Intelligent cooperation management among solar powered base stations towards a green cellular network in a country with an equatorial climate

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Axelrad, E.T., Sticha, P.J., Brdiczka, O., Shen, J. (2013). A bayesian network model for predicting insider threats. In: 2013 IEEE Security and Privacy Workshops, https://www.ieee-security.org/TC/SPW2013/papers/data/5017a082.pdf

Basu, R., Cunningham, R.K., Webster, S.E., Lippmann, R.P. (2001). Detecting low-profile probes and novel denial-of-service attacks. Tech. rep., IEEE SMC IA&S Workshop 2001, West Point, New York, USA.

BBC (2013) China IP address link to South Korea cyber-attack. http://www.bbc.co.uk/news/world-asia-21873017

BBC (2014) Hack attack causes ’massive damage’ at steel works. http://www.bbc.co.uk/news/technology-30575104

Berk, V.H., Cybenko, G., Souza, I.G.D., Murphy, J.P. (2012). Managing malicious insider risk through bandit. In: System Science (HICSS), 2012 45th Hawaii International Conference on IEEE (pp. 2422–2430).

Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K. (2011). Survey on incremental approaches for network anomaly detection. In: International Journal of Communication Networks and Information Security (IJCNIS).

Bhuyan, M.H., Bhattacharyya, D., Kalita, J.K. (2012). Survey on incremental approaches for network anomaly detection. arXiv preprint arXiv:1211.4493.

Bradford, P.G., Brown, M., Self, B., Perdue, J. (2004). Towards proactive computer system forensics. In: International Conference on Information Technology: Coding and Computing, IEEE Computer Society.

Brown, C., Cowperthwaite, A., Hijazi, A., Somayaji, A. (2009). Analysis of the 1999 darpa/lincoln laboratory ids evaluation data with netadhict. In: Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009. IEEE Symposium on IEEE (pp. 1–7).

10.

Brugger, S. T., & Chow, J. (2007). An assessment of the darpa ids evaluation dataset using snort. UCDAVIS Department of Computer Science, 1(2007), 22.

11.

Brynielsson, J., Horndahl, A., Johansson, F., Kaati, L., Mårtenson, C., & Svenson, P. (2013). Harvesting and analysis of weak signals for detecting lone wolf terrorists. Security Informatics, 2(1), 11.CrossRef

12.

Chandola, V., Banerjee, A., & Kumar, V. (2009a). Anomaly detection: A survey. ACM Computing Surveys, 41(3), 15:1–15:58. doi:10.1145/1541880.1541882.CrossRef

13.

Chandola, V., Banerjee, A., Kumar, V. (2009b). Anomaly detection: A survey. In: ACM Computing Surveys 41.

14.

Chatfield, C. (2003). The analysis of time series: An introduction. Boca Raton: CRC Press.

15.

Chatzigiannakis, V., Androulidakis, G., Pelechrinis, K., Papavassiliou, S., Maglaris, V. (2007). Data fusion algorithms for network anomaly detection: classification and evaluation. In: Networking and Services, 2007. ICNS. Third International Conference on IEEE (pp. 50–50).

16.

Chen, T., & Abu-Nimeh, S. (2011). Lessons from stuxnet. Computer, 44(4), 91–93. doi:10.1109/MC.2011.115.CrossRef

17.

Chivers, H., Nobles, P., Shaikh, S.A., Clark, J.A., Chen, H. (2009). Accumulating Evidence of Insider Attacks. In: Proceedings of the 1st International Workshop on Managing Insider Security Threats (MIST-2009).

18.

Chivers, H., Clark, J. A., Nobles, P., Shaikh, S. A., & Chen, H. (2013). Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise. Information Systems Frontiers, 15(1), 17–34.CrossRef

19.

Clark, D.D., Landau, S. (2010). The problem isn’t attribution: it’s multi-stage attacks. In: Proceedings of the Re-Architecting the Internet Workshop, ReARCH ’10 (pp. 11:1–11:6).

20.

Das, K., Schneider, J. (2007). Detecting anomalous records in categorical datasets. In: Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining ACM (pp. 220–229).

21.

Davidoff, S., & Ham, J. (2012). Network Forensics: Tracking Hackers Through Cyberspace. New Delhi: Prentice Hall.

22.

Deeks, A. (2013). The geography of cyber conflict: Through a glass darkly. Journal of International Law Studies, 89, 1–20.

23.

Eldardiry, H., Bart, E., Liu, J., Hanley, J., Price, B., Brdiczka, O. (2013). Multi-domain information fusion for insider threat detection. In: 2013 IEEE Security and Privacy Workshops, https://www.ieee-security.org/TC/SPW2013/papers/data/5017a045.pdf

24.

Gonzalez, J.M., Paxson, V., Weaver, N. (2007). Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (pp. 139–149).

25.

Grubbs, R. E. (1969). Procedures for Detecting Outlying Observations in Samples. Technometrics, 11(1), 1–21.CrossRef

26.

Heberlein, T. (2002). Tactical operations and strategic intelligence: Sensor purpose and placement. Net Squared Inc, Tech Rep TR-2002-0402.

27.

Kalutarage, H. (2013). Effective monitoring of slow suspicious activites on computer networks. PhD thesis, Coventry: Coventry University, https://curve.coventry.ac.uk/open/file/afdbba5c-2c93-41a7-90c3-2f0f3261b794/1/Kalutarage2013.pdf

28.

Kalutarage, H.K., Shaikh, S.A., Zhou, Q., James, A.E. (2012). Sensing for suspicion at scale: A bayesian approach for cyber conflict attribution and reasoning. In: 4th International Conference on Cyber Conflict (CYCON) 2012, NATO CCDCOE (pp. 1–19).

29.

Kalutarage, H.K., Shaikh, S.A., Zhou, Q., James, A.E. (2013a). How do we effectively monitor for slow suspicious activities? In: Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS-DS 2013) CEUR Workshop Proceedings.

30.

Kalutarage, H. K., Shaikh, S. A., Zhou, Q., & James, A. E. (2013b). Monitoring for slow suspicious activities using a target centric approach. In A. Bagchi & I. Ray (Eds.), Information Systems Security, Lecture Notes in Computer Science (Vol. 8303, pp. 163–168). Berlin, Heidelberg: Springer.

31.

Kalutarage, H. K., Shaikh, S. A., Zhou, Q., & James, A. E. (2013c). Tracing sources of anonymous slow suspicious activities. In J. Lopez, X. Huang, & R. Sandhu (Eds.), Network and System Security , Lecture Notes in Computer Science (Vol. 7873, pp. 122–134). Berlin, Heidelberg: Springer.

32.

Kandias, M., Mylonas, A., Virvilis, N., Theoharidou, M., Gritzalis, D. (2010). An insider threat prediction model. In: S. Katsikas, J. Lopez, & M. Soriano (Eds.), Trust, Privacy and Security in Digital Business, Lecture Notes in Computer Science (Vol. 6264, pp. 26–37). Berlin, Heidelberg: Springer.

33.

Kumar, S., Spafford, E.H. (1994). An application of pattern matching in intrusion detection. In: Technical Report CSDTR-94-013 The COAST Project, Department of Computer Sciences Purdue University, West Lafayette, IN.

34.

Lesk, M. (2007). The new front line: Estonia under cyberassault. IEEE Security & Privacy 5(4), 76–79, http://doi.ieeecomputersociety.org/10.1109/MSP.2007.98

35.

Lippmann, R.P., Fried, D.J., Graf, I., Haines, J.W., Kendall, K.R., McClung, D., Weber, D., Webster, S.E., Wyschogrod, D., Cunningham, R.K., et al. (2000). Evaluating intrusion detection systems: The 1998 darpa off-line intrusion detection evaluation. In: DARPA Information Survivability Conference and Exposition, 2000. DISCEX’00. Proceedings IEEE, vol 2, (pp. 12–26).

36.

Nakashima, E., Warrick, J. (2012). Stuxnet was work of U.S. and Israeli experts, officials say. http://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html

37.

Notknown (2006). Googlebot. http://www.lightbluetouchpaper.org/2006/02/15/complexities-in-criminalising-denial-of-service-attacks/

38.

Paget, F. (2013). Hacking Summit Names Nations With Cyberwarfare Capabilities. http://blogs.mcafee.com/mcafee-labs/hacking-summit-names-nations-with-cyberwarfare-capabilities

39.

Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L. (2004). Characteristics of internet background radiation. In: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement (pp. 27–40).

40.

Parikh, D., & Chen, T. (2008). Data fusion and cost minimization for intrusion detection. Information Forensics and Security, IEEE Transactions on, 3(3), 381–389.CrossRef

41.

Patcha, A., Park, J.M. (2007). An overview of anomaly detection techniques: Existing solutions and latest technological trends. In: Computer Networks (Elsevier).

42.

Peng, T., Leckie, C., Ramamohanarao, K. (2004). Proactively detecting distributed denial of service attacks using source ip address monitoring. In: NETWORKING 2004. Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Springer, (pp. 771–782).

43.

Shaikh, S. A., Chivers, H., Nobles, P., Clark, J. A., & Chen, H. (2008). Characterising intrusion detection sensors. Network Security, 2008(9), 10–12.CrossRef

44.

Shaikh, S. A., Chivers, H., Nobles, P., Clark, J. A., & Chen, H. (2008). Characterising intrusion detection sensors, part 2. Network Security, 2008(10), 8–11.CrossRef

45.

Siaterlis, C., Maglaris, B. (2004). Towards multisensor data fusion for dos detection. In: Proceedings of the 2004 ACM symposium on Applied computing ACM, (pp. 439–446).

46.

Streilein, W.W., Cunningham, R.K., Webster, S.E. (2002). Improved detection of low profile probe and novel denial of service attacks. In: Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection.

47.

Time, L.A. (2014). Sony insider - not North Korea - likely involved in hack, experts say. http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-inside-job-not-north-korea-20141231-story.html

48.

Vokorokos, L., Chovanec, M., Látka, O., Kleinova, A. (2008). Security of distributed intrusion detection system based on multisensor fusion. In: Applied Machine Intelligence and Informatics, 2008. SAMI 2008. 6th International Symposium on IEEE, (pp. 19–24).

49.

Whyte, D., van Oorschot, P.C., Kranakis, E. (2006). Exposure maps: removing reliance on attribution during scan detection. In: Proceedings of the 1st USENIX Workshop on Hot Topics in Security (HOTSEC’06).

50.

Whyte, D., Oorschot, P.C., Kranakis, E. (2007). Tracking darkports for network defense. In: 23rd Computer Security Applications Conference (pp. 161–171).

51.

Yankov, D., Keogh, E., & Rebbapragada, U. (2008). Disk aware discord discovery: Finding unusual time series in terabyte sized datasets. Knowledge and Information Systems, 17(2), 241–262.CrossRef

52.

Ye, N., Xu, M., Emran, S. (2000). Probabilistic networks with undirected links for anomaly detection. In: IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop (pp. 175–179).

53.

ZDNet (2015) Sony takes ${\$}15\text{ M }$ hit after North Korea cyberattack. http://www.zdnet.com/article/sony-hack-cost-it-15-million-so-far/

Titel: Effective network security monitoring: from attribution to target-centric monitoring
verfasst von: Siraj Ahmed Shaikh
Harsha Kumara Kalutarage
Publikationsdatum: 01.05.2016
Verlag: Springer US
Erschienen in: Telecommunication Systems / Ausgabe 1/2016
Print ISSN: 1018-4864
Elektronische ISSN: 1572-9451
DOI: https://doi.org/10.1007/s11235-015-0071-0

Neuer Inhalt

Bildnachweise

VDI-Icon, Profil Icon, inhalt2, Springer Professional Modul/© Springer Fachmedien Wiesbaden GmbH, Nachhaltigkeitsaward Key Visual/© Cometis AG/Global ESG Monitor | Daniel Rupp | Generiert mit KI, Search Icon, Banner Hanser, Kryptowährungen/© gopixa / Getty Images / iStock, MG4 aus China auf dem Prüfstand im ADAC-Technik-Zentrum in Landsberg am Lech/© ADAC e.V., Chassis eines Elektrofahrzeugs/© chesky / stock.adobe.com, Zeitschrift Wissensmanagement Cover, PatentFit-Logo/© Springer Fachmedien Wiesbaden GmbH, Sustainibility Finance/© Robert Kneschke / stock.adobe.com / Springer Fachmedien Wiesbaden GmbH, Zukunftswerkstatt Sales Excellence 2024/© AndreyPopov / Getty Images / iStock, 2023_Antrieb/© supervisuell

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2016

A context-aware search system for Internet of Things based on hierarchical context model

Secure and efficient data transmission in the Internet of Things

Optimized interference aware joint channel assignment model for wireless mesh network

Blocking probabilities of elastic and adaptive calls in the Erlang multirate loss model under the threshold policy

Residual energy aware mobile data gathering in wireless sensor networks

Proposing an optimal structure for the architecture of wireless networks on chip

Neuer Inhalt

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.