
Recognizing Unexplained Behavior in Network Traffic

Chapter in: Network Science and Cybersecurity

Abstract

Intrusion detection and alert correlation are valuable and complementary techniques for identifying security threats in complex networks. Intrusion detection systems monitor network traffic for suspicious behavior and trigger security alerts. Alert correlation methods can aggregate such alerts into multi-step attack scenarios. However, both methods rely on models encoding a priori knowledge of either normal or malicious behavior. As a result, these methods are incapable of quantifying how well the underlying models explain what is observed on the network. To overcome this limitation, we present a framework for evaluating the probability that a sequence of events is not explained by a given set of models. We leverage important properties of this framework to estimate such probabilities efficiently, and design fast algorithms for identifying sequences of events that are unexplained with a probability above a given threshold. Our framework can operate both at the intrusion detection level and at the alert correlation level. Experiments on a prototype implementation of the framework show that our approach scales well and provides accurate results.


Notes

  1. At the intrusion detection level, observable events may simply be observable packet features. At the alert correlation level, observable events are alerts generated by the underlying intrusion detection system.

  2. At the intrusion detection level, \( \fancyscript{A} \) is a set of IDS rules. At the alert correlation level, \( \fancyscript{A} \) is a set of attack models, such as attack graphs.

  3. http://www.snort.org/.

  4. Probabilities of occurrences must be normalized in order to enable comparison of occurrences of different behavior models.

  5. This assumption makes modeling simpler, but it can be removed or modified in situations where certain atomic events are shared among multiple attack patterns.

  6. For instance, highly threatening behaviors may be assigned a high weight.

  7. We do not list all the worlds for reasons of space.

  8. This objective function is the sum of 34 variables and is not shown for reasons of space.

  9. Indeed, the set of constraints becomes non-linear with the addition of the constraints reflecting the independence assumption.

  10. The problem of finding all the maximal intersecting sets of occurrences is a generalization of the problem of finding maximal intersecting families of \( k \)-sets; it is more general because occurrences are not required to have the same length \( k \). As we only need to compute maximal intersecting sets for small sets \( \fancyscript{O}^{*} \) of occurrences, the complexity of this problem is not an issue.

  11. This is a variant of the set cover problem, which is known to be NP-complete; however, we only need to solve small instances of this problem, so complexity is not an issue.


Acknowledgments

The work presented in this chapter is supported in part by the Army Research Office under MURI award number W911NF-09-1-05250525, and by the Office of Naval Research under award number N00014-12-1-0461. Part of the work was performed while Sushil Jajodia was a Visiting Researcher at the US Army Research Laboratory.

Corresponding author: Massimiliano Albanese.


Copyright information

© 2014 Springer Science+Business Media New York

Cite this chapter

Albanese, M. et al. (2014). Recognizing Unexplained Behavior in Network Traffic. In: Pino, R. (eds) Network Science and Cybersecurity. Advances in Information Security, vol 55. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-7597-2_3


  • DOI: https://doi.org/10.1007/978-1-4614-7597-2_3


  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-7596-5

  • Online ISBN: 978-1-4614-7597-2
