
Using the KBTA method for inferring computer and network security alerts from time-stamped, raw system metrics

  • Original Paper
  • Journal in Computer Virology

Abstract

In this study, we propose a new approach for detecting previously unencountered instances of known classes of malicious software based on their temporal behavior. In the proposed approach, time-stamped security data are continuously monitored within the target computer system or network and then processed by the knowledge-based temporal abstraction (KBTA) methodology. Using KBTA, continuously measured data (e.g., the number of running processes) and events (e.g., installation of software) are integrated with a security-domain, temporal-abstraction knowledge base (i.e., a security ontology for abstracting meaningful patterns from raw, time-oriented security data) to create higher-level, time-oriented concepts and patterns, also known as temporal abstractions. Automatically generated temporal abstractions can be monitored to detect suspicious temporal patterns. These patterns correspond to a set of predefined classes of malware, each defined by a security expert through a set of time and value constraints. The new approach was applied to detecting worm-related malware using two different ontologies. Evaluation results demonstrated the effectiveness of the new approach. The approach can be used for detecting other types of malware by updating the security ontology with new definitions of temporal patterns.
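The following is an added illustration of the KBTA pipeline the abstract describes, not the authors' code or their security ontology: raw time-stamped samples are abstracted into symbolic states, consecutive states are concatenated into intervals, and the intervals are matched against a pattern with time and value constraints. The metric names, thresholds, the install event and the "worm" pattern are all constructed assumptions for the demo.

```python
from collections import defaultdict
# Constructed, simplified knowledge base (not the paper's security ontology):
# each raw metric is abstracted to a symbolic state by value thresholds.
STATE_THRESHOLDS = {
    "running_processes": [(0, 40, "low"), (40, 80, "normal"), (80, float("inf"), "high")],
    "outbound_connections": [(0, 20, "low"), (20, 60, "normal"), (60, float("inf"), "high")],
}

def abstract_state(metric, value):
    """Value abstraction: map one raw numeric sample to its symbolic state."""
    for lo, hi, state in STATE_THRESHOLDS[metric]:
        if lo <= value < hi:
            return state
    raise ValueError(f"no state covers {metric}={value}")

def build_intervals(samples, max_gap=10):
    """Concatenate consecutive same-state samples into (metric, state, start, end) intervals;
    a gap longer than max_gap seconds between samples closes the current interval."""
    by_metric = defaultdict(list)
    for t, metric, value in sorted(samples):
        by_metric[metric].append((t, abstract_state(metric, value)))
    intervals = []
    for metric, seq in by_metric.items():
        start, last_t, cur = seq[0][0], seq[0][0], seq[0][1]
        for t, state in seq[1:]:
            if state != cur or t - last_t > max_gap:
                intervals.append((metric, cur, start, last_t))
                start, cur = t, state
            last_t = t
        intervals.append((metric, cur, start, last_t))
    return intervals

def detect_worm_pattern(intervals, events, min_duration=30, window=60):
    """Constructed pattern: within `window` s after a software-install event, both metrics are 'high' on overlapping intervals for >= `min_duration` s."""
    high = lambda m: [iv for iv in intervals if iv[0] == m and iv[1] == "high"]
    alerts = []
    for ev_t, ev in [e for e in events if e[1] == "software_installed"]:
        for _, _, ps, pe in high("running_processes"):
            for _, _, cs, ce in high("outbound_connections"):
                o_start, o_end = max(ps, cs), min(pe, ce)
                if ev_t <= o_start <= ev_t + window and o_end - o_start >= min_duration:
                    alerts.append(("possible_worm", ev_t, o_start, o_end))
    return alerts

# Constructed sample input: one sample per 10 s; "software installed" at t=60, after which both metrics jump and stay high.
SAMPLES = [(t, "running_processes", 50 if t < 70 else 120) for t in range(0, 130, 10)] + \
          [(t, "outbound_connections", 10 if t < 80 else 90) for t in range(0, 130, 10)]
EVENTS = [(60, "software_installed")]
def run_demo():
    return detect_worm_pattern(build_intervals(SAMPLES), EVENTS)  # [('possible_worm', 60, 80, 120)]
```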




Correspondence to Asaf Shabtai.


Cite this article

Shabtai, A., Fledel, Y., Elovici, Y. et al. Using the KBTA method for inferring computer and network security alerts from time-stamped, raw system metrics. J Comput Virol 6, 239–259 (2010). https://doi.org/10.1007/s11416-009-0125-5
