nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

Triage of IoT Attacks Through Process Mining

verfasst von : Simone Coltellese, Fabrizio Maria Maggi, Andrea Marrella, Luca Massarelli, Leonardo Querzoni

Erschienen in: On the Move to Meaningful Internet Systems: OTM 2019 Conferences

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The impressive growth of the IoT we witnessed in the recent years came together with a surge in cyber attacks that target it. Factories adhering to digital transformation programs are quickly adopting the IoT paradigm and are thus increasingly exposed to a large number of cyber threats that need to be detected, analyzed and appropriately mitigated. In this scenario, a common approach that is used in large organizations is to setup an attack triage system. In this setting, security operators can cherry-pick new attack patterns requiring further in-depth investigation from a mass of known attacks that can be managed automatically. In this paper, we propose an attack triage system that helps operators to quickly identify attacks with unknown behaviors, and later analyze them in detail. The novelty introduced by our solution is in the usage of process mining techniques to model known attacks and identify new variants. We demonstrate the feasibility of our approach through an evaluation based on three well-known IoT botnets, BASHLITE, LIGHTAIDRA and MIRAI, and on real current attack patterns collected through an IoT honeypot.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel JusticeChain: Using Blockchain to Protect Justice Logs

Nächstes Kapitel An Automatic Emotion Recognition System for Annotating Spotify’s Songs

The name comes from the process used by ER-units in hospitals to quickly prioritize incoming patients depending on the severity of their health status.

In this phase, the botnet issues commands on the shell of a device found on the internet to identify its architecture before deploying the appropriate attack payload. See Sect. 2 for further details.

We use multisets because the same trace can appear multiple times in an event log.

Note that distinguishing attack interactions from bening interactions, namely detecting attacks, is a different problem that is out of the scope of this paper. We assume that data fed as input only contains traces of attacks.

ProM (http://www.promtools.org/) is an open-source framework for implementing process mining tools and algorithms.

Many commercial IoT devices are based on linux-like operating systems.

Cowrie. https://github.com/cowrie/cowrie

The ddos that didn’t break the camel’s vac. https://goo.gl/p9kUCy (2017)

van der Aalst, W.M.P.: The application of Petri nets to workflow management. J. Circ. Syst. Comput. 8(01), 21–66 (1998)CrossRef

van der Aalst, W.M.P.: Data science in action. Process Mining, pp. 3–23. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49851-4_1CrossRef

van Aalst, W.M.P., van Hee, K.M., van Werf, J.M., Verdonk, M.: Auditing 2.0: using process mining to support tomorrow’s auditor. Computer 43(3), 90–93 (2010)CrossRef

van der Aalst, W.M.P., Alves de Medeiros, A.K.: Process mining and security: detecting anomalous process executions and checking process conformance. Electron. Notes Theor. Comput. Sci. 121, 3–21 (2005)CrossRef

Accorsi, R., Stocker, T.: On the exploitation of process mining for security audits: the conformance checking case. In: SAC 2012, pp. 1709–1716 (2012)

Accorsi, R., Stocker, T., Müller, G.: On the exploitation of process mining for security audits: the process discovery case. In: SAC 2013, pp. 1462–1468 (2013)

Adriansyah, A., Sidorova, N., van Dongen, B.F.: Cost-based fitness in conformance checking. In: ACSD 2011 (2011)

10.

de Alvarenga, S.C., Zarpel, B., Miani, R.: Discovering attack strategies using process mining. In: AICT 2015, pp. 119–125 (2015)

11.

Angrishi, K.: Turning internet of things (iot) into internet of vulnerabilities (iov): Iot botnets. Technical report. arXiv preprint arXiv:1702.03681 (2017)

12.

Antonakakis, M., et al.: Understanding the mirai botnet. In: 26th USENIX Security Symposium, pp. 1093–1110 (2017)

13.

Augusto, A., et al.: Automated discovery of process models from event logs: review and benchmark. IEEE TKDE 31(4), 686–705 (2018)MathSciNet

14.

Bernardi, M.L., Cimitile, M., Distante, D., Martinelli, F., Mercaldo, F.: Dynamic malware detection and phylogeny analysis using process mining. Int. J. Inf. Secur. 18(3), 1–28 (2018)

15.

Bertino, E., Islam, N.: Botnets and internet of things security. IEEE Comput. 2, 76–79 (2017)CrossRef

16.

Burattin, A.: Applicability of process mining techniques in business environments. Ph.D. thesis, University of Bologna, Italy (2013)

17.

Burattin, A., Cimitile, M., Maggi, F.M., Sperduti, A.: Online discovery of declarative process models from event streams. IEEE Trans. Serv. Comp. 8(6), 833–846 (2015)CrossRef

18.

Calleja, A., Martín, A., Menéndez, H.D., Tapiador, J., Clark, D.: Picking on the family: disrupting android malware triage by forcing misclassification. Expert Syst. Appl. 95, 113–126 (2018)CrossRef

19.

Cozzi, E., Graziano, M., Fratantonio, Y., Balzarotti, D.: Understanding linux malware. In: 39th IEEE Symposium on Security and Privacy (SP), pp. 161–175 (2018)

20.

De Giacomo, G., Maggi, F.M., Marrella, A., Patrizi, F.: On the disruptive effectiveness of automated planning for LTLf-based trace alignment. In: AAAI 2017, pp. 3555–3561 (2017)

21.

van Dongen, B.F.: Efficiently computing alignments. In: BPM 2018 (2018)

22.

Dumas, M., La Rosa, M., Mendling, J., Reijers, H.A., et al.: Fundamentals of Business Process Management, vol. 1. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-56509-4CrossRef

23.

Hossain, M.M., Fotouhi, M., Hasan, R.: Towards an analysis of security issues, challenges, and open problems in the internet of things. In: SERVICES 2015 (2015)

24.

Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I., Tygar, J.: Adversarial machine learning. In: AISEC 2011, pp. 43–58 (2011)

25.

Jang, J., Brumley, D., Venkataraman, S.: Bitshred: feature hashing malware for scalable triage and semantic analysis. In: CCS 2011, pp. 309–320 (2011)

26.

Jans, M., Alles, M., Vasarhelyi, M.: The case for process mining in auditing: sources of value added and areas of application. Int. J. Acc. Inf. Syst. 14(1), 1–20 (2013)CrossRef

27.

Kirat, D., Nataraj, L., Vigna, G., Manjunath, B.: Sigmal: a static signal processing based malware triage. In: ACSAC 2013, pp. 89–98 (2013)

28.

de Leoni, M., Marrella, A.: Aligning real process executions and prescriptive process models through automated planning. Expert Syst. Appl. 82, 162–183 (2017)CrossRef

29.

Maggi, F.M., Burattin, A., Cimitile, M., Sperduti, A.: Online process discovery to detect concept drifts in ltl-based declarative process models. In: CoopIS 2013 (2013)CrossRef

30.

Maggi, F.M., Di Francescomarino, C., Dumas, M., Ghidini, C.: Predictive monitoring of business processes. In: CAiSE 2014, pp. 457–472 (2014)

31.

Marzano, A., et al.: The evolution of Bashlite and Mirai IoT Botnets. In: ISCC 2018, pp. 813–818 (2018)

32.

Shen, Y., Stringhini, G.: Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks. In: 28th Usenix Security Symposium (2019)

33.

The OSWAP Fundation: OWASP Internet of Things Project. https://tinyurl.com/yc3plqr9 (2014)

34.

Weijters, A.J.M.M., van der Aalst, W.M.P.: Rediscovering workflow models from event-based data using little thumb. Int. Comp.-Aided Eng. 10(2), 151–162 (2003)CrossRef

Titel: Triage of IoT Attacks Through Process Mining
verfasst von: Simone Coltellese
Fabrizio Maria Maggi
Andrea Marrella
Luca Massarelli
Leonardo Querzoni
Verlag: Springer International Publishing
Buch: On the Move to Meaningful Internet Systems: OTM 2019 Conferences
Print ISBN: 978-3-030-33245-7

Electronic ISBN: 978-3-030-33246-4

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-33246-4_22

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner