research-article

Situational awareness through reasoning on network incidents

Authors:

Anna Cinzia Squicciarini,

Giuseppe Petracca,

William G. Horne,

Aurnob NathAuthors Info & Claims

CODASPY '14: Proceedings of the 4th ACM conference on Data and application security and privacy

Pages 111 - 122

https://doi.org/10.1145/2557547.2557562

Published: 03 March 2014 Publication History

Abstract

Corporations worldwide work with teams of often dedicated system administrators to maintain, detect and prevent network infringements. This is a highly user-driven process that consumes hundreds (if not thousands) of man hours yearly. User reporting, the basis of most of these incident detection systems suffers from various biases and leads to below-par security measures. In the paper, we provide an approach for near real-time analysis of ongoing events on controlled networks, while requiring no end-user interaction and saving on system administrator's effort. Our proposed solution, ReasONets, a lightweight, distributed system, provides situational awareness in case of network incidents. ReasONets combines aspects of anomaly detection with Case-Based Reasoning (CBR) methodologies to reason about ongoing security events in a network, including their nature, severity and sources. We build a fully running prototype of ReasONets, to demonstrate the accuracy of the system, in doing reasoning and inference on the network status by exploiting events and network features. To the best of our knowledge, ReasONets is the first of its kind system combining detection and classification of network events with realtime reasoning while being capable of scaling up to large network sizes.

References

[1]

Snort, a lightweight network intrusion detection system. http://www.snort.org/.

[2]

Stefan Axelsson. The base-rate fallacy and the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur., 3(3):186--205, August 2000.

Digital Library

[3]

Leyla Bilge, Davide Balzarotti, William Robertson, Engin Kirda, and Christopher Kruegel. Disclosure: detecting botnet command and control servers through large-scale netflow analysis. In Proceedings of the 28th Annual Computer Security Applications Conference, pages 129--138. ACM, 2012.

Digital Library

[4]

Leyla Bilge, Engin Kirda, Christopher Kruegel, and Marco Balduzzi. Exposure: Finding malicious domains using passive dns analysis. In NDSS, 2011.

[5]

BitTorrent. Official website for bittorrent. http://www.bittorrent.com.

[6]

Eleazar Eskin. Anomaly detection over noisy data using learned probability distributions. 2000. http://academiccommons.columbia.edu/item/ac:125813.

Digital Library

[7]

Mansour Esmaili, Bala Balachandran, Reihaneh Safavi-Naini, and Josef Pieprzyk. Case-based reasoning for intrusion detection. In Computer Security Applications Conference, 1996., 12th Annual, pages 214--223. IEEE, 1996.

Digital Library

[8]

Juan M. Estévez-Tapiador, Pedro Garcia-Teodoro, and Jesús E. Díaz-Verdejo. Measuring normality in http traffic for anomaly-based intrusion detection. Computer Networks, 45(2):175--193, 2004.

Digital Library

[9]

P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez. Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28(1-2):18--28, 2009.

Digital Library

[10]

R. Guha, O. Kachirski, D. Schwartz, S. Stoecklin, and Y. Yilmaz. Case-based agents for packet-level intrusion detection in ad hoc networks. In Proceedings of the 17th International Symposium on Computer and Information Sciences, pages 315--320. CRC Press, October 2002.

[11]

Paul Hick. The CAIDA DDoS Attack 2007 Dataset (collection). http://imdc.datcat.org/collection/1-06Y1-W=The+CAIDA+DDoS+Attack+2007+Dataset (accessed on 2013).

[12]

Xuan Dau Hoang, Jiankun Hu, and Peter Bertok. A multi-layer model for anomaly intrusion detection using program sequences of system calls. In Proc. 11th IEEE Int'l. Conf. Citeseer.

[13]

Steven A. Hofmeyr, Stephanie Forrest, and Anil Somayaji. Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3):151--180, 01 1998.

[14]

Eyke Hüllermeier, Didier Dubois, Henri Prade, De Toulouse, and Universit'e Paul Sabatier. Fuzzy rules in case-based reasoning. In in Conf. AFIA99 Raisonnement à Partir de Cas, pages 45--54, 1999.

[15]

Christopher Kruegel and Thomas Toth. Using decision trees to improve signature-based intrusion detection. In Recent Advances in Intrusion Detection, pages 173--191. Springer, 2003.

[16]

David B. Leake. Case-based reasoning. The Knowledge Engineering Review, 9(01):61--64, 1994.

[17]

Wenke Lee, S. J. Stolfo, and K. W. Mok. A data mining framework for building intrusion detection models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy, pages 120--132, 1999.

[18]

Malware Domain List. http://www.malwaredomainlist.com.

[19]

Microsoft. Windows based performance counter data logger. http://technet.microsoft.com/en-us/library/bb490960.aspx.

[20]

Mitre. Common attack pattern enumeration and classification. http://capec.mitre.org/data/definitions/113.html.

[21]

Mitre. Structured threat information expression. http://stix.mitre.org/.

[22]

Soumyo D. Moitra. Situational awareness metrics from flow and other data sources. 2013.

[23]

Official Website for uTorrent. http://www.utorrent.com.

[24]

Roberto Perdisci, Wenke Lee, and Nick Feamster. Behavioral clustering of http-based malware and signature generation using malicious network traces. In Proceedings of the 7th USENIX conference on Networked systems design and implementation, NSDI'10, pages 26--26, Berkeley, CA, USA, 2010. USENIX Association.

Digital Library

[25]

Predict. Protected repository for the defense of infrastructure against cyberthreats. http://www.predict.org.

[26]

J. Reason. Too little and too late: A commentary on accident and incident reporting systems. 1991.

[27]

Timothy J. Ross. Fuzzy Logic, pages i-xxi. John Wiley & Sons, Ltd, 2010.

[28]

Sans Education. https://isc.sans.edu/feeds/suspiciousdomains_high.txt.

[29]

Shalla Secure Services KG. Shalla list website blacklist database. http://www.shallalist.de/Downloads/shallalist.tar.gz.

[30]

Jessica Steinberger, Lisa Schehlmann, Sebastian Abt, and Harald Baier. Anomaly detection and mitigation at internet scale: A survey. In Emerging Management Mechanisms for the Future Internet, pages 49--60. Springer, 2013.

Digital Library

[31]

Vimal Vaidya. Dynamic signature inspection-based network intrusion detection, August 21 2001. US Patent 6,279,113.

[32]

Christina Warrender, Stephanie Forrest, and Barak Pearlmutter. Detecting intrusions using system calls: Alternative data models. In Security and Privacy, 1999. Proceedings of the 1999 IEEE Symposium on, pages 133--145. IEEE, 1999.

[33]

M. West-Brown, D. Stikvoort, K.-P. Kossakowski, G. Killcrece, R. Ruefle, and M. Zajicek. Handbook for computer security incident response teams (csirts), 2003. Technical Report Carnegie Mellon University/SEI-2003-HB-002.

[34]

Dit-Yan Yeung and Yuxin Ding. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition, 36(1):229--243, 2003.

[35]

Zeus Tracker Domain Blocklist. https://secure.mayhemiclabs.com/malhosts/malhosts.txt.

[36]

Loai Zomlot, Sathya Chandran Sundaramurthy, Kui Luo, Xinming Ou, and S. Raj Rajagopalan. Prioritizing intrusion analysis using dempster-shafer theory. In Proceedings of the 4th ACM workshop on Security and artificial intelligence, AISec '11, pages 59--70, New York, NY, USA, 2011. ACM.

Digital Library

Cited By

Chaudhary SGkioulos VKatsikas S(2023)A quest for research and knowledge gaps in cybersecurity awareness for small and medium-sized enterprisesComputer Science Review10.1016/j.cosrev.2023.10059250(100592)Online publication date: Nov-2023
https://doi.org/10.1016/j.cosrev.2023.100592
Holkovic MBohus MRysavy O(2021)Network Problem Diagnostics using Typographic Error Correction2021 17th International Conference on Network and Service Management (CNSM)10.23919/CNSM52442.2021.9615525(482-490)Online publication date: 25-Oct-2021
https://doi.org/10.23919/CNSM52442.2021.9615525
Piatkowska EGavriluta CSmith PAndren F(2020)Online Reasoning about the Root Causes of Software Rollout Failures in the Smart Grid2020 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)10.1109/SmartGridComm47815.2020.9303005(1-7)Online publication date: 11-Nov-2020
https://doi.org/10.1109/SmartGridComm47815.2020.9303005
Show More Cited By

Index Terms

Situational awareness through reasoning on network incidents

Recommendations

From Situational Awareness to Actionability: Towards Improving the Utility of Social Media Data for Crisis Response

People are increasingly sharing information on social media during disaster events. This information could be valuable to emergency responders, but there remain challenges for using it to inform response efforts---including filtering relevant information ...
Situational Awareness in Context
CONTEXT 2013: Proceedings of the 8th International and Interdisciplinary Conference on Modeling and Using Context - Volume 8175

In this paper we analyze the relationship between context and situational awareness with the aim to get a better understanding of how context information influences situation assessment. The analysis is based on previous research on situational ...
An Extraction Method of Situational Factors for Network Security Situational Awareness
ICICSE '08: Proceedings of the 2008 International Conference on Internet Computing in Science and Engineering

The proposal of network security situational awareness (NSSA) research means a great breakthrough and an innovation to the traditional network security technologies, and it has become a new hot research topic in network security field. First the current ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '14: Proceedings of the 4th ACM conference on Data and application security and privacy

March 2014

368 pages

ISBN:9781450322782

DOI:10.1145/2557547

General Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Jaehong Park
University of Texas at San Antonio, USA

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 March 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CODASPY'14

Sponsor:

SIGSAC

CODASPY'14: Fourth ACM Conference on Data and Application Security and Privacy

March 3 - 5, 2014

Texas, San Antonio, USA

Acceptance Rates

CODASPY '14 Paper Acceptance Rate 19 of 119 submissions, 16%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
288
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Chaudhary SGkioulos VKatsikas S(2023)A quest for research and knowledge gaps in cybersecurity awareness for small and medium-sized enterprisesComputer Science Review10.1016/j.cosrev.2023.10059250(100592)Online publication date: Nov-2023
https://doi.org/10.1016/j.cosrev.2023.100592
Holkovic MBohus MRysavy O(2021)Network Problem Diagnostics using Typographic Error Correction2021 17th International Conference on Network and Service Management (CNSM)10.23919/CNSM52442.2021.9615525(482-490)Online publication date: 25-Oct-2021
https://doi.org/10.23919/CNSM52442.2021.9615525
Piatkowska EGavriluta CSmith PAndren F(2020)Online Reasoning about the Root Causes of Software Rollout Failures in the Smart Grid2020 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)10.1109/SmartGridComm47815.2020.9303005(1-7)Online publication date: 11-Nov-2020
https://doi.org/10.1109/SmartGridComm47815.2020.9303005
Holkovič MRyšavý ODudek J(2019)Automating Network Security Analysis at Packet-level by using Rule-based EngineProceedings of the 6th Conference on the Engineering of Computer Based Systems10.1145/3352700.3352714(1-8)Online publication date: 2-Sep-2019
https://dl.acm.org/doi/10.1145/3352700.3352714
Friedberg IHong XMclaughlin KSmith PMiller P(2017)Evidential Network Modeling for Cyber-Physical System State InferenceIEEE Access10.1109/ACCESS.2017.27184985(17149-17164)Online publication date: 2017
https://doi.org/10.1109/ACCESS.2017.2718498
Chang EGottwalt FZhang Y(2017)Cyber Situational Awareness for CPS, 5G and IoTFrontiers in Electronic Technologies10.1007/978-981-10-4235-5_10(147-161)Online publication date: 24-Mar-2017
https://doi.org/10.1007/978-981-10-4235-5_10
Han HLi RHu JQiu M(2015)Context Awareness through Reasoning on Private Analysis for Android ApplicationProceedings of the 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing (CSCloud)10.1109/CSCloud.2015.63(148-156)Online publication date: 3-Nov-2015
https://dl.acm.org/doi/10.1109/CSCloud.2015.63

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten