
Part of the book series: Communications in Computer and Information Science ((CCIS,volume 245))

Abstract

Attackers can exploit vulnerabilities to incrementally penetrate a network and compromise critical systems. The enormous amount of raw security data available to analysts and the complex interdependencies among vulnerabilities make manual analysis extremely labor-intensive and error-prone. To address this important problem, we build on previous work on topological vulnerability analysis and propose an automated framework to manage very large attack graphs and monitor high volumes of incoming alerts for the occurrence of known attack patterns in real time. Specifically, we propose (i) a data structure that merges multiple attack graphs and enables concurrent monitoring of multiple types of attacks; (ii) an index structure that can effectively index millions of time-stamped alerts; (iii) a real-time algorithm that can process a continuous stream of alerts, update the index, and detect attack occurrences. We show that the proposed solution significantly improves the state of the art in cyber attack detection, enabling real-time attack detection.

This material is based upon work supported by the Army Research Office under MURI grant W911NF-09-1-0525 and DURIP grant W911NF-11-1-0340.
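The abstract only sketches the three components (a merged multi-pattern structure, an index over time-stamped alerts, and a streaming detection step). The following Python is an added illustration of that shape, not the paper's own data structure or algorithm, whose details this page does not give: two hypothetical multi-step attack patterns are merged into a single alert-type index, and a streaming matcher consumes constructed time-stamped alerts one at a time, advancing partial instances, expiring those that stall beyond a per-pattern time gap, and reporting completed instances. The pattern names, alert types, host names, timestamps and the `max_gap` constraint are all assumptions made for the example.

```python
"""Toy streaming matcher for multi-step attack patterns over time-stamped alerts.

Constructed illustration only: patterns, alert types, hosts and timestamps are
made up for the example and do not come from the paper or any real sensor.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int       # seconds; constructed sample values
    kind: str     # alert type reported by the sensor, e.g. "scan"
    host: str     # host the alert is about


@dataclass
class Pattern:
    name: str
    steps: Tuple[str, ...]   # alert types in the order the attack must progress
    max_gap: int             # longest allowed pause (seconds) between consecutive steps


@dataclass
class Partial:
    """A partially matched instance: the step it waits for and when it last advanced."""
    pattern: str
    host: str
    next_step: int
    last_ts: int
    trail: List[int] = field(default_factory=list)   # timestamps of matched steps


class StreamMatcher:
    """Keeps all patterns in one alert-type-indexed structure, so each incoming
    alert is looked up once and advances every pattern that uses its type."""

    def __init__(self, patterns: List[Pattern]):
        self.patterns: Dict[str, Pattern] = {p.name: p for p in patterns}
        # merged view: alert type -> [(pattern name, step index)]
        self.by_type: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
        for p in patterns:
            for i, kind in enumerate(p.steps):
                self.by_type[kind].append((p.name, i))
        self.partials: Dict[str, List[Partial]] = defaultdict(list)   # per host
        self.detections: List[Tuple[str, str, List[int]]] = []

    def process(self, alert: Alert) -> List[Tuple[str, str, List[int]]]:
        """Consume one alert; return instances it completed (also kept in self.detections)."""
        live = self.partials[alert.host]
        # 1. expire instances that stalled longer than their pattern's max_gap
        live[:] = [q for q in live
                   if alert.ts - q.last_ts <= self.patterns[q.pattern].max_gap]
        completed: List[Tuple[str, str, List[int]]] = []
        for pname, step in self.by_type.get(alert.kind, []):
            pat = self.patterns[pname]
            if step == 0:
                # 2. first step: open a new instance, or just refresh the window of
                #    one still waiting for step 1, so repeated scans do not pile up
                waiting = [q for q in live if q.pattern == pname and q.next_step == 1]
                if waiting:
                    waiting[0].last_ts = alert.ts
                else:
                    live.append(Partial(pname, alert.host, 1, alert.ts, [alert.ts]))
                continue
            # 3. later step: advance every instance waiting exactly for this step
            for q in [x for x in live if x.pattern == pname and x.next_step == step]:
                q.next_step += 1
                q.last_ts = alert.ts
                q.trail.append(alert.ts)
                if q.next_step == len(pat.steps):
                    hit = (pname, alert.host, list(q.trail))
                    completed.append(hit)
                    self.detections.append(hit)
                    live.remove(q)
        return completed


def run_demo() -> List[Tuple[str, str, List[int]]]:
    """Feed a constructed alert stream through two hypothetical patterns that share
    their first two steps; returns the completed (pattern, host, timestamps) triples."""
    patterns = [
        Pattern("scan-exploit-privesc", ("scan", "exploit", "privesc"), max_gap=120),
        Pattern("scan-exploit-exfil", ("scan", "exploit", "exfil"), max_gap=120),
    ]
    stream = [   # constructed, already in timestamp order as a sensor would emit it
        Alert(0, "scan", "h1"), Alert(30, "exploit", "h1"), Alert(60, "scan", "h2"),
        Alert(100, "privesc", "h1"),   # completes the privesc pattern on h1
        Alert(400, "exfil", "h2"),     # h2's scan stalled > 120 s: expired, no match
        Alert(420, "exploit", "h2"),   # nothing open on h2 any more, ignored
        Alert(500, "scan", "h2"), Alert(520, "exploit", "h2"), Alert(540, "exfil", "h2"),
    ]
    m = StreamMatcher(patterns)
    for a in stream:
        m.process(a)
    return m.detections


if __name__ == "__main__":
    for pattern, host, trail in run_demo():
        print(f"{pattern} on {host}: steps at {trail}")
```

The one `by_type` lookup per alert is what lets several patterns be watched concurrently without re-scanning each of them; the per-host partial list plays the role of the alert index, and the expiry step keeps that list bounded, which is what makes a streaming matcher viable at high alert volumes.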




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Albanese, M., Jajodia, S., Pugliese, A., Subrahmanian, V.S. (2011). Scalable Detection of Cyber Attacks. In: Chaki, N., Cortesi, A. (eds) Computer Information Systems – Analysis and Technologies. Communications in Computer and Information Science, vol 245. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27245-5_4


  • DOI: https://doi.org/10.1007/978-3-642-27245-5_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27244-8

  • Online ISBN: 978-3-642-27245-5

  • eBook Packages: Computer Science (R0)
