ABSTRACT
Corporations worldwide work with teams of often dedicated system administrators to maintain their networks and to detect and prevent network infringements. This is a highly user-driven process that consumes hundreds (if not thousands) of man-hours yearly. User reporting, the basis of most of these incident detection systems, suffers from various biases and leads to below-par security measures. In this paper, we provide an approach for near real-time analysis of ongoing events on controlled networks that requires no end-user interaction and saves system administrators' effort. Our proposed solution, ReasONets, a lightweight, distributed system, provides situational awareness in case of network incidents. ReasONets combines aspects of anomaly detection with Case-Based Reasoning (CBR) methodologies to reason about ongoing security events in a network, including their nature, severity and sources. We build a fully running prototype of ReasONets to demonstrate the accuracy of the system in reasoning and inference on the network status by exploiting events and network features. To the best of our knowledge, ReasONets is the first system of its kind to combine detection and classification of network events with real-time reasoning while being capable of scaling up to large network sizes.
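The abstract describes a two-stage pipeline: an anomaly detector flags unusual network features, and a CBR step retrieves the closest previously resolved incident to label the event's nature, severity and source. The block below is an added illustration of that pipeline, not ReasONets code; the baseline statistics, feature set, case base and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from math import sqrt

# Feature order for every event vector (constructed for this example):
# (flows_per_min, unique_dst_ips, failed_conn_ratio, dns_nxdomain_ratio)

@dataclass(frozen=True)
class Case:
    features: tuple   # z-score vector of the incident when it was recorded
    nature: str       # what the incident turned out to be
    severity: str     # "low" / "medium" / "high"
    source: str       # where the incident originated

# Constructed per-host baseline: mean and standard deviation of "normal" traffic.
BASELINE_MEAN = (40.0, 15.0, 0.05, 0.02)
BASELINE_STD = (10.0, 5.0, 0.03, 0.02)

# Constructed case base of past, resolved incidents (hypothetical values).
CASE_BASE = [
    Case((0.5, 12.0, 6.0, 0.0), "port scan", "medium", "internal host"),
    Case((9.0, 0.2, 0.3, 0.0), "ddos flood", "high", "external"),
    Case((0.3, 0.1, 0.2, 8.0), "dga c2 beacon", "high", "internal host"),
    Case((1.5, 0.3, 0.2, 0.1), "backup job", "low", "scheduled task"),
]

def zscores(raw):
    """Normalise a raw feature vector against the host baseline."""
    return tuple((x - m) / s for x, m, s in zip(raw, BASELINE_MEAN, BASELINE_STD))

def anomaly_score(raw, threshold=3.0):
    """Anomaly detection step: largest absolute z-score, flagged above threshold."""
    score = max(abs(v) for v in zscores(raw))
    return score, score > threshold

def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def reason(raw, case_base=CASE_BASE, max_dist=4.0):
    """CBR step: retrieve the nearest past case and reuse its labels if close enough.
    Events that are anomalous but far from every known case are reported as unknown
    so an analyst reviews them instead of receiving a confident wrong label."""
    score, flagged = anomaly_score(raw)
    if not flagged:
        return {"nature": "benign", "severity": "none", "source": None, "score": score}
    z = zscores(raw)
    best = min(case_base, key=lambda c: euclid(z, c.features))
    if euclid(z, best.features) > max_dist:
        return {"nature": "unknown anomaly", "severity": "medium", "source": None, "score": score}
    return {"nature": best.nature, "severity": best.severity, "source": best.source, "score": score}
```

Feeding `reason()` a vector such as `(45, 75, 0.23, 0.02)` (many destinations, many failed connections) retrieves the "port scan" case, while a vector anomalous only in a dimension no stored case covers comes back as "unknown anomaly".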
Index Terms
- Situational awareness through reasoning on network incidents