
Predicting Cyber Security Incidents Using Feature-Based Characterization of Network-Level Malicious Activities

Published: 04 March 2015

Abstract

This study offers a first step toward understanding the extent to which we may be able to predict cyber security incidents (which can be of one of many types) by applying machine learning techniques and using externally observed malicious activities associated with network entities, including spamming, phishing, and scanning, each of which may or may not have direct bearing on a specific attack mechanism or incident type. Our hypothesis is that when viewed collectively, malicious activities originating from a network are indicative of the general cleanness of a network and how well it is run, and that furthermore, collectively they exhibit fairly stable and thus predictive behavior over time. To test this hypothesis, we utilize two datasets in this study: (1) a collection of commonly used IP address-based/host reputation blacklists (RBLs) collected over more than a year, and (2) a set of security incident reports collected over roughly the same period. Specifically, we first aggregate the RBL data at a prefix level and then introduce a set of features that capture the dynamics of this aggregated temporal process. A comparison between the distribution of these feature values taken from the incident dataset and from the general population of prefixes shows distinct differences, suggesting their value in distinguishing between the two while also highlighting the importance of capturing dynamic behavior (second order statistics) in the malicious activities. These features are then used to train a support vector machine (SVM) for prediction. Our preliminary results show that we can achieve reasonably good prediction performance over a forecasting window of a few months.
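The abstract describes aggregating host-level blacklist (RBL) listings to the prefix level and then extracting features that capture both the magnitude and the dynamics (second-order statistics) of that aggregated time series. The following is an added illustration of that pipeline, not the paper's code and not its actual feature definitions: the daily RBL snapshots are constructed, the /24 prefix length and the four features (mean, active fraction, variance, number of day-to-day changes) are assumptions chosen for illustration, and the SVM training step is not reproduced.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pvariance

# Constructed sample data (not real RBL output): (day index, listed IP).
# Two /24 prefixes are represented; one is listed steadily, one flaps.
SNAPSHOTS = [
    (0, "203.0.113.5"), (0, "203.0.113.9"), (0, "198.51.100.1"),
    (1, "203.0.113.5"), (1, "203.0.113.77"),
    (2, "198.51.100.1"),
    (3, "203.0.113.5"), (3, "203.0.113.9"), (3, "203.0.113.77"), (3, "203.0.113.200"),
    (4, "198.51.100.1"),
]
DAYS = 5  # length of the observation window in days


def aggregate_by_prefix(snapshots, days, prefix_len=24):
    """Map each listed host to its /prefix_len network and count the distinct
    listed hosts per prefix per day, yielding one time series per prefix.
    prefix_len=24 is an assumption for illustration, not the paper's choice."""
    per_day = defaultdict(lambda: [set() for _ in range(days)])
    for day, ip in snapshots:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_day[str(net)][day].add(ip)
    return {prefix: [len(hosts) for hosts in sets] for prefix, sets in per_day.items()}


def dynamic_features(series):
    """Features over one prefix's series. 'mean' and 'active_frac' describe
    magnitude; 'variance' and 'changes' (number of consecutive days where the
    count moved) describe the dynamics the abstract calls second-order behavior.
    These four features are illustrative, not the paper's feature set."""
    changes = sum(1 for a, b in zip(series, series[1:]) if a != b)
    return {
        "mean": mean(series),
        "active_frac": sum(1 for v in series if v > 0) / len(series),
        "variance": pvariance(series),
        "changes": changes,
    }


def feature_vector(series):
    """Fixed-order numeric vector, the shape a classifier such as an SVM expects."""
    f = dynamic_features(series)
    return [f["mean"], f["active_frac"], f["variance"], f["changes"]]


if __name__ == "__main__":
    for prefix, series in aggregate_by_prefix(SNAPSHOTS, DAYS).items():
        print(prefix, series, feature_vector(series))
```

Two prefixes with the same active fraction (listed on 3 of 5 days) get clearly different variance and change counts here, which is the kind of separation between populations the abstract attributes to dynamic features.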


Published In

IWSPA '15: Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics
March 2015
64 pages
ISBN: 9781450333412
DOI: 10.1145/2713579

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. network reputation
2. network security
3. prediction
4. temporal pattern
5. time-series data

Qualifiers

• Research-article

Funding Sources

• The Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency (HSARPA), Cyber Security Division (DHS S&T/HSARPA/CSD), BAA 11-02

Conference

CODASPY'15

Acceptance Rates

IWSPA '15 Paper Acceptance Rate: 4 of 13 submissions, 31%
Overall Acceptance Rate: 18 of 58 submissions, 31%
