George Chin
ABSTRACT
The number and sophistication of cyberattacks on industries and governments have dramatically grown in recent years. To counter this movement, new advanced tools and techniques are needed to detect cyberattacks in their early stages such that defensive actions may be taken to avert or mitigate potential damage. From a cybersecurity analysis perspective, detecting cyberattacks may be cast as a problem of identifying patterns in computer network traffic. Logically and intuitively, these patterns may take on the form of a directed graph that conveys how an attack or intrusion propagates through the computers of a network.
We are researching and developing graph-centric approaches and algorithms for dynamic cyberattack detection and packaging them into a streaming network analysis framework we call StreamWorks. With StreamWorks, a scientist or analyst may detect and identify precursor events and patterns as they emerge in complex networks. This analysis framework is intended to be used in a dynamic environment where network data is streamed in and is appended to a large-scale dynamic graph. Specific graphical query patterns are decomposed and collected into a graph query library. The individual decomposed subpatterns in the library are continuously and efficiently matched against the dynamic graph as it evolves to identify and detect early, partial subgraph patterns.
- W. Fan, J. Li, J. Luo, Z. Tan, X. Wang, and Y. Wu, "Incremental Graph Pattern Matching," Proc. 2011 ACM SIGMOD International Conference on Management of Data, ACM Press, 2011, pp. 925--936. Google Scholar
Digital Library
- L. Chen and C. Wang, "Continuous Subgraph Pattern Search Over Certain and Uncertain Graph Streams," IEEE Trans. on Know. and Data Eng., vol. 22, no. 8, 2010, pp. 1093--1109. Google ScholarDigital Library
- A. Godiyal, M. Garland, and J. C. Hart, "Enhancing Network Traffic Visualization by Graph Pattern Analysis," 2010, https://agora.cs.illinois.edu/download/attachments/18744303/netflowpatterngraphs.pdf.Google Scholar
- S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, and D. Zerkle, "GrIDS a Graph Based Intrusion Detection System for Large Networks," Proc. 19th National Information Systems Security Conference, 1996, pp. 1--10.Google Scholar
- S. Ganguly, M. Garofalakis, R. Rastogi, and K. Sabnani, "Streaming Algorithms for Robust, Real-Time Detection of DDoS Attacks," Proc. 27th International Conference on Distributed Computing Systems, IEEE Press, 2007, pp. 1--4. Google ScholarDigital Library
- S. Venkataraman, D. Song, Phillip B. Gibbons, and A. Blum, "New Streaming Algorithms for Fast Detection of Superspreaders," Proc. 12th ISOC Symposium on Network and Distributed System Security Symposium (SNDSS), IEEE Press, 2005, pp. 21--30.Google Scholar
- Gephi, an Open Source Graph Visualization and Manipulation Software, http://www.gephi.org/.Google Scholar
Index Terms
- Predicting and detecting emerging cyberattack patterns using StreamWorks
Recommendations
A Scientific Approach to Cyberattack Detection
Attack-norm separation uses rigorous signal detection models to isolate attack signals from normal data before attack identification. By drawing from science instead of heuristics, this approach promises more efficient, accurate, and inclusive attack ...
Detecting metamorphic malwares using code graphs
SAC '10: Proceedings of the 2010 ACM Symposium on Applied ComputingMalware writers and detectors have been running an endless battle. Self-defense is the weapon most malware writers prepare against malware detectors. Malware writers have tried to evade the improved detection techniques of anti-virus(AV) products. ...
Detecting and Defending against Worm Attacks Using Bot-honeynet
ISECS '09: Proceedings of the 2009 Second International Symposium on Electronic Commerce and Security - Volume 01We proposed a worm detection and defense system named bot-honeynet in this paper, which combines the best features of honeynet, anomaly detection and botnet. The combination of honeynet and anomaly detection system offers a tradeoff between false ...
Comments