DOI: 10.1145/2557547.2557562

Situational awareness through reasoning on network incidents

Published: 03 March 2014

Abstract

Corporations worldwide employ teams of often dedicated system administrators to maintain their networks and to detect and prevent network infringements. This is a highly user-driven process that consumes hundreds (if not thousands) of man hours yearly. User reporting, the basis of most of these incident detection systems, suffers from various biases and leads to below-par security measures. In this paper, we provide an approach for near real-time analysis of ongoing events on controlled networks that requires no end-user interaction and saves system administrators' effort. Our proposed solution, ReasONets, a lightweight, distributed system, provides situational awareness in case of network incidents. ReasONets combines aspects of anomaly detection with Case-Based Reasoning (CBR) methodologies to reason about ongoing security events in a network, including their nature, severity and sources. We build a fully running prototype of ReasONets to demonstrate the accuracy of the system in reasoning and inference about the network status from observed events and network features. To the best of our knowledge, ReasONets is the first system of its kind to combine detection and classification of network events with real-time reasoning while remaining capable of scaling up to large network sizes.


Published In

CODASPY '14: Proceedings of the 4th ACM conference on Data and application security and privacy
March 2014
368 pages
ISBN:9781450322782
DOI:10.1145/2557547
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. case-based reasoning
  2. incident detection
  3. situational awareness

Qualifiers

  • Research-article

Conference

CODASPY '14

Acceptance Rates

CODASPY '14 Paper Acceptance Rate: 19 of 119 submissions, 16%
Overall Acceptance Rate: 149 of 789 submissions, 19%

Article Metrics

  • Downloads (Last 12 months)4
  • Downloads (Last 6 weeks)0
Reflects downloads up to 25 Feb 2025

Cited By

  • (2023) A quest for research and knowledge gaps in cybersecurity awareness for small and medium-sized enterprises. Computer Science Review, 50(100592). DOI: 10.1016/j.cosrev.2023.100592. Online publication date: Nov-2023
  • (2021) Network Problem Diagnostics using Typographic Error Correction. 2021 17th International Conference on Network and Service Management (CNSM), pages 482-490. DOI: 10.23919/CNSM52442.2021.9615525. Online publication date: 25-Oct-2021
  • (2020) Online Reasoning about the Root Causes of Software Rollout Failures in the Smart Grid. 2020 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), pages 1-7. DOI: 10.1109/SmartGridComm47815.2020.9303005. Online publication date: 11-Nov-2020
  • (2019) Automating Network Security Analysis at Packet-level by using Rule-based Engine. Proceedings of the 6th Conference on the Engineering of Computer Based Systems, pages 1-8. DOI: 10.1145/3352700.3352714. Online publication date: 2-Sep-2019
  • (2017) Evidential Network Modeling for Cyber-Physical System State Inference. IEEE Access, 5, pages 17149-17164. DOI: 10.1109/ACCESS.2017.2718498. Online publication date: 2017
  • (2017) Cyber Situational Awareness for CPS, 5G and IoT. Frontiers in Electronic Technologies, pages 147-161. DOI: 10.1007/978-981-10-4235-5_10. Online publication date: 24-Mar-2017
  • (2015) Context Awareness through Reasoning on Private Analysis for Android Application. Proceedings of the 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing (CSCloud), pages 148-156. DOI: 10.1109/CSCloud.2015.63. Online publication date: 3-Nov-2015
