
Segmenting Large-Scale Cyber Attacks for Online Behavior Model Generation

  • Conference paper
Social Computing, Behavioral-Cultural Modeling and Prediction (SBP 2014)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 8393))

Abstract

Large-scale cyber attack traffic makes it hard to identify which packets are relevant and which attack behaviors are present. Existing work on host or flow clustering attempts to group similar behaviors to expedite analysis, often phrasing the problem as offline unsupervised machine learning. This work proposes online processing that simultaneously segments traffic observables and generates attack behavior models relevant to a target. The goal is not just to aggregate similar attack behaviors, but to provide situational awareness by grouping, around each asset, the relevant traffic that exhibits one or more behaviors. What looks like a clustering problem is recast as a supervised learning problem: received traffic is classified to the most likely attack model, and new models are introduced iteratively to explain traffic that the existing models do not. A graph-based prior is defined to extract the macroscopic attack structure, complementing security-based features for classification. Malicious traffic captures from CAIDA are used to demonstrate the capability of the proposed attack segmentation and model generation (ASMG) process.
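The classify-or-spawn loop the abstract describes, as an added illustration in Python (not the paper's ASMG implementation): each flow is mapped to a feature vector, compared against the behavior models already built for its target asset, assigned to the closest model if it lies within a distance threshold, and otherwise used to seed a new model, so the set of models grows only when observed traffic is unexplained. The feature set, the fan-out graph prior (a source's count of distinct targets, standing in for the paper's graph-based prior), the threshold, and the sample flows are all assumptions made for this example.

```python
"""Online attack segmentation (illustrative, not the paper's ASMG code):
assign each observed flow to the closest existing behaviour model for its
target asset, or spawn a new model when nothing explains it."""
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample traffic (not a CAIDA capture). Host 192.0.2.10 receives a
# SYN probe across several ports plus a UDP flood from three sources; host
# 192.0.2.20 receives only the SYN probing from the same scanner.
FLOWS = [
    # (src, dst, proto, dst_port, packets, bytes, syn_only)
    ("10.0.0.5", "192.0.2.10", "tcp", 22, 1, 60, True),
    ("10.0.0.5", "192.0.2.10", "tcp", 80, 1, 60, True),
    ("10.0.0.5", "192.0.2.10", "tcp", 443, 1, 60, True),
    ("10.0.0.5", "192.0.2.20", "tcp", 22, 1, 60, True),
    ("10.0.0.7", "192.0.2.10", "udp", 53, 400, 52000, False),
    ("10.0.0.8", "192.0.2.10", "udp", 53, 380, 49000, False),
    ("10.0.0.9", "192.0.2.10", "udp", 53, 410, 53000, False),
    ("10.0.0.5", "192.0.2.20", "tcp", 80, 1, 60, True),
]


@dataclass
class AttackModel:
    """One behaviour model: a running centroid over the feature space plus
    the flows it currently explains."""
    centroid: list
    n: int = 0
    flows: list = field(default_factory=list)

    def distance(self, x):
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(self.centroid, x)))

    def absorb(self, x, flow):
        self.n += 1
        # Online mean update: the centroid stays the mean of everything assigned so far.
        self.centroid = [c + (v - c) / self.n for c, v in zip(self.centroid, x)]
        self.flows.append(flow)


class Segmenter:
    def __init__(self, threshold=0.75, prior_weight=0.5):
        self.threshold = threshold        # assumed: max distance to join an existing model
        self.prior_weight = prior_weight  # assumed: how much the graph prior contributes
        self.models = defaultdict(list)   # target asset -> [AttackModel]
        self.targets_of = defaultdict(set)  # src -> targets seen so far (graph prior state)

    def features(self, flow):
        src, dst, proto, port, pkts, nbytes, syn_only = flow
        # Graph prior (assumed): fan-out of the source in the source->target graph
        # observed so far, which separates wide scanners from focused senders.
        self.targets_of[src].add(dst)
        fanout = math.log2(len(self.targets_of[src]))
        return [
            1.0 if proto == "tcp" else 0.0,   # security-based features (assumed set)
            1.0 if syn_only else 0.0,
            math.log10(pkts),
            math.log10(nbytes / pkts),
            self.prior_weight * fanout,
        ]

    def observe(self, flow):
        """Classify one flow to the most likely model for its target, or spawn a new one."""
        dst = flow[1]
        x = self.features(flow)
        models = self.models[dst]
        best = min(models, key=lambda m: m.distance(x), default=None)
        if best is None or best.distance(x) > self.threshold:
            best = AttackModel(centroid=list(x))  # unexplained traffic seeds a new model
            models.append(best)
        best.absorb(x, flow)
        return best


def segment(flows, **kw):
    """Run the online loop over a flow stream; returns target -> list of models."""
    seg = Segmenter(**kw)
    for f in flows:
        seg.observe(f)
    return seg.models


def summarize(models):
    """Flow count per model, per target asset, in creation order."""
    return {dst: [len(m.flows) for m in ms] for dst, ms in models.items()}


if __name__ == "__main__":
    for dst, ms in segment(FLOWS).items():
        for i, m in enumerate(ms):
            srcs = sorted({f[0] for f in m.flows})
            print(f"{dst} model {i}: {len(m.flows)} flows, sources={srcs}")
```

With the constructed stream the loop builds two models around 192.0.2.10 (the single-packet SYN probes and the high-volume UDP flows) and one around 192.0.2.20, without any offline clustering pass; the threshold and the prior weight decide how readily new models appear, and would have to be tuned against real captures.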



Copyright information

© 2014 Springer International Publishing Switzerland


Cite this paper

Strapp, S., Yang, S.J. (2014). Segmenting Large-Scale Cyber Attacks for Online Behavior Model Generation. In: Kennedy, W.G., Agarwal, N., Yang, S.J. (eds) Social Computing, Behavioral-Cultural Modeling and Prediction. SBP 2014. Lecture Notes in Computer Science, vol 8393. Springer, Cham. https://doi.org/10.1007/978-3-319-05579-4_21


  • DOI: https://doi.org/10.1007/978-3-319-05579-4_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05578-7

  • Online ISBN: 978-3-319-05579-4

  • eBook Packages: Computer Science (R0)