
An Architecture for Processing a Dynamic Heterogeneous Information Network of Security Intelligence

  • Conference paper
Network and System Security (NSS 2021)

Abstract

Security intelligence is widely used to solve cyber security issues in computer and network systems, such as incident prevention, detection, and response, by applying machine learning (ML) and other data-driven methods. To this end, there is a large body of prior research aiming to solve security issues in specific scenarios, using specific types of data or applying specific algorithms. However, this specificity has the drawback that adjusting existing solutions to new use cases, data, or problems becomes cumbersome. Furthermore, prior research that strives to be more generic is able either to operate with complex relations (graph-based) or to work with time-varying intelligence (time series), but rarely with both. In this paper, we present the reference architecture of the SecDNS framework for representing the collected intelligence data with a model based on a graph structure, which simultaneously encompasses the time variance of these data and provides a modular architecture for both the data model and the algorithms. In addition, we leverage the concept of belief propagation to infer the maliciousness of an entity based on its relations with other malicious or benign entities or events. This way, we offer a generic platform for processing dynamic and heterogeneous security intelligence with an evolving collection of sources and algorithms. Finally, to demonstrate the modus operandi of our proposal, we implement a proof of concept of the platform and deploy it in the use case of a phishing email attack scenario.

This research is carried out in the SecDNS project, funded by Innovation Fund Denmark.


Notes

  1. A rough, qualitative distinction can be made between features and beliefs in that the former represent raw intelligence whereas the latter represent “business-grade”—i.e., actionable—intelligence.

  2. Note that \(\boldsymbol{b}\) need not add up to unity since the threats may overlap. Indeed, the threats to be predicted fall into a taxonomy which is eminently domain-specific and beyond the scope of this article.

  3. The concatenation of vectors shall be represented by the symbol \(\oplus \) for the direct sum.
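As an added illustration, not the paper's own algorithm or data, of the abstract's idea of propagating beliefs over relations between heterogeneous, time-stamped entities, and of footnote 2's remark that the belief vector \(\boldsymbol{b}\) need not sum to one: a noisy-OR style propagation over a constructed graph of emails, domains and an IP, where the taxonomy, decay half-life, damping factor, entity names and dates are all assumptions.

```python
from typing import Dict, List, Tuple

THREATS = ("phishing", "malware")  # assumed toy taxonomy; beliefs need not sum to 1
HALF_LIFE_DAYS = 30.0              # assumed: a relation seen 30 days ago weighs 0.5
DAMPING = 0.6                      # assumed attenuation of belief per hop
Belief = Tuple[float, ...]
Edge = Tuple[str, str, float]      # (entity, entity, day observed); type is the name prefix


def age_weight(observed_day: float, now_day: float) -> float:
    """Exponential decay of a relation's weight with its age."""
    return 0.5 ** (max(0.0, now_day - observed_day) / HALF_LIFE_DAYS)


def noisy_or(prior: Belief, evidence: List[Tuple[float, Belief]]) -> Belief:
    """Per threat k: b_k = 1 - (1 - prior_k) * prod(1 - w * b_u,k); dimensions stay independent."""
    out = []
    for k in range(len(THREATS)):
        not_k = 1.0 - prior[k]
        for w, b in evidence:
            not_k *= 1.0 - w * b[k]
        out.append(round(1.0 - not_k, 6))
    return tuple(out)


def propagate(seeds: Dict[str, Belief], edges: List[Edge], now_day: float,
              max_iters: int = 20) -> Dict[str, Belief]:
    """Iterate to a fixed point; seeds are feed-supplied beliefs, other nodes start at 0."""
    nodes = set(seeds) | {u for u, _, _ in edges} | {v for _, v, _ in edges}
    zero = tuple(0.0 for _ in THREATS)
    beliefs = {n: seeds.get(n, zero) for n in nodes}
    for _ in range(max_iters):
        new = {}
        for v in nodes:
            # each relation touching v contributes the neighbour's belief, attenuated by hop and age
            evidence = [(DAMPING * age_weight(day, now_day), beliefs[u if v == w else w])
                        for u, w, day in edges if v in (u, w)]
            new[v] = noisy_or(seeds.get(v, zero), evidence)
        if new == beliefs:  # converged: beliefs only grow and are bounded by 1
            break
        beliefs = new
    return beliefs


def demo(now_day: float = 100.0, old_hosting_day: float = 40.0) -> Dict[str, Belief]:
    """Constructed scenario: msg-1 links a feed-listed phishing domain; msg-2 links a fresh domain that once shared an IP with it."""
    seeds = {"domain:evil-login.example": (0.9, 0.1)}  # constructed feed entry
    edges = [("email:msg-1", "domain:evil-login.example", 99.0),
             ("domain:evil-login.example", "ip:198.51.100.7", 98.0),
             ("domain:fresh-shop.example", "ip:198.51.100.7", old_hosting_day),
             ("email:msg-2", "domain:fresh-shop.example", 99.0)]
    return propagate(seeds, edges, now_day)
```

Because the per-threat dimensions are combined independently, an entity's vector can legitimately have high belief in several threats at once; benign seeds are not modelled here and only lower belief by supplying no evidence.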


Author information

Correspondence to Marios Anagnostopoulos.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Anagnostopoulos, M. et al. (2021). An Architecture for Processing a Dynamic Heterogeneous Information Network of Security Intelligence. In: Yang, M., Chen, C., Liu, Y. (eds) Network and System Security. NSS 2021. Lecture Notes in Computer Science, vol 13041. Springer, Cham. https://doi.org/10.1007/978-3-030-92708-0_11

  • DOI: https://doi.org/10.1007/978-3-030-92708-0_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92707-3

  • Online ISBN: 978-3-030-92708-0

  • eBook Packages: Computer Science (R0)