Yang Liu
ABSTRACT
This study offers a first step toward understanding the extent to which we may be able to predict cyber security incidents (which can be of one of many types) by applying machine learning techniques and using externally observed malicious activities associated with network entities, including spamming, phishing, and scanning, each of which may or may not have direct bearing on a specific attack mechanism or incident type. Our hypothesis is that when viewed collectively, malicious activities originating from a network are indicative of the general cleanness of a network and how well it is run, and that furthermore, collectively they exhibit fairly stable and thus predictive behavior over time. To test this hypothesis, we utilize two datasets in this study: (1) a collection of commonly used IP address-based/host reputation blacklists (RBLs) collected over more than a year, and (2) a set of security incident reports collected over roughly the same period. Specifically, we first aggregate the RBL data at a prefix level and then introduce a set of features that capture the dynamics of this aggregated temporal process. A comparison between the distribution of these feature values taken from the incident dataset and from the general population of prefixes shows distinct differences, suggesting their value in distinguishing between the two while also highlighting the importance of capturing dynamic behavior (second order statistics) in the malicious activities. These features are then used to train a support vector machine (SVM) for prediction. Our preliminary results show that we can achieve reasonably good prediction performance over a forecasting window of a few months.
- Barracuda Reputation Blocklist. http://www.barracudacentral.org/.Google Scholar
- Composite Blocking List. http://cbl.abuseat.org/.Google Scholar
- DShield. http://www.dshield.org/.Google Scholar
- Global Security Reports. http://globalsecuritymap.com/.Google Scholar
- Global Spamming Rank. http://www.spamrankings.net/.Google Scholar
- hpHosts for your pretection. http://hosts-file.net/.Google Scholar
- OpenBL. http://www.openbl.org/.Google Scholar
- PhishTank. http://www.phishtank.com/.Google Scholar
- SpamCop Blocking List. http://www.spamcop.net/.Google Scholar
- SURBL: URL REPUTATION DATA. http://www.surbl.org/.Google Scholar
- The SPAMHAUS project: SBL, XBL, PBL, ZEN Lists. http://www.spamhaus.org/.Google Scholar
- UCEPROTECTOR Network. http://www.uceprotect.net/.Google Scholar
- Web Hacking Incidence Reports. http://hackmageddon.com/.Google Scholar
- WPBL: Weighted Private Block List. http://www.wpbl.info/.Google Scholar
- Bishop, C. M., et al. Pattern Recognition and Machine Learning, vol. 1. springer New York.Google ScholarDigital Library
- Deng, R., Yang, Z., Chen, J., and Chow, M.-Y. Load Scheduling With Price Uncertainty and Temporally-Coupled Constraints in Smart Grids.Google Scholar
- Xie, Y., Yu, F., Achan, K., Gillum, E., Goldszmidt, M., and Wobber, T. How Dynamic Are IP Addresses? In Proceedings of SIGCOMM (New York, NY, USA, 2007), ACM, pp. 301--312. Google ScholarDigital Library
Index Terms
- Predicting Cyber Security Incidents Using Feature-Based Characterization of Network-Level Malicious Activities
Recommendations
Malicious Bots Threaten Network Security
Viruses, worms, Trojan horses, and network intrusions are among the threats that security administrators worry about on a regular basis. However, there is a less familiar threat that many experts say could be just as dangerous: malicious bot software. A ...
Towards Countermeasure of Insider Threat in Network Security
INCOS '11: Proceedings of the 2011 Third International Conference on Intelligent Networking and Collaborative SystemsWe discuss countermeasure against insider threats in network security aspect. In the context of countermeasure against insider threats, there is no perimeter for access control in a network. A traditional access control process by using a firewall on a ...
Cyber Deception: Virtual Networks to Defend Insider Reconnaissance
MIST '16: Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security ThreatsAdvanced targeted cyber attacks often rely on reconnaissance missions to gather information about potential targets and their location in a networked environment to identify vulnerabilities which can be exploited for further attack maneuvers. Advanced ...
Comments