DOI: 10.1145/3011141.3011157
Research article

TAON: an ontology-based approach to mitigating targeted attacks

Published: 28 November 2016

Abstract

Targeted attacks on IT systems are a rising threat against the confidentiality of sensitive data and the availability of systems and infrastructures. Planning for the eventuality of a data breach or sabotage attack has become an increasingly difficult task with the emergence of advanced persistent threats (APTs), a class of highly sophisticated cyber-attacks that are nigh impossible to detect using conventional signature-based systems.
Understanding, interpreting, and correlating the particulars of such advanced targeted attacks is a major research challenge that needs to be tackled before behavior-based approaches can evolve from their current state to truly semantics-aware solutions. Ontologies offer a versatile foundation well suited for depicting the complex connections between such behavioral data and the diverse technical and organizational properties of an IT system.
In order to facilitate the development of novel behavior-based detection systems, we present TAON, an OWL-based ontology offering a holistic view on actors, assets, and threat details, which are mapped to individual abstracted events and anomalies that today's monitoring data providers can detect. TAON offers a straightforward means to plan an organization's defense against APTs and helps to understand how, why, and by whom certain resources are targeted. Populated with concrete data, the proposed ontology becomes a smart correlation framework able to combine several data sources into a semantic assessment of any targeted attack.



Published In

iiWAS '16: Proceedings of the 18th International Conference on Information Integration and Web-based Applications and Services
November 2016
528 pages
ISBN: 9781450348072
DOI: 10.1145/3011141

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. behavioral data
  2. ontology
  3. targeted attacks
  4. threat model

Citations

Cited By

  • (2024) Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends. Digital Threats: Research and Practice 5:4, pp. 1-37. DOI: 10.1145/3696014. Online publication date: 17 Sep 2024.
  • (2024) A systematic literature review on advanced persistent threat behaviors and its detection strategy. Journal of Cybersecurity 10:1. DOI: 10.1093/cybsec/tyad023. Online publication date: 2 Jan 2024.
  • (2024) An Overview of Techniques for Obfuscated Android Malware Detection. SN Computer Science 5:4. DOI: 10.1007/s42979-024-02637-3. Online publication date: 16 Mar 2024.
  • (2022) ThreMA: Ontology-Based Automated Threat Modeling for ICT Infrastructures. IEEE Access 10, pp. 116514-116526. DOI: 10.1109/ACCESS.2022.3219063. Online publication date: 2022.
  • (2022) Semantic-Based Approach for Cyber-Physical Cascading Effects Within Healthcare Infrastructures. IEEE Access 10, pp. 53398-53417. DOI: 10.1109/ACCESS.2022.3171252. Online publication date: 2022.
  • (2021) SafecareOnto: A Cyber-Physical Security Ontology for Healthcare Systems. Database and Expert Systems Applications, pp. 22-34. DOI: 10.1007/978-3-030-86475-0_3. Online publication date: 1 Sep 2021.
  • (2019) PenQuest: a gamified attacker/defender meta model for cyber security assessment and education. Journal of Computer Virology and Hacking Techniques. DOI: 10.1007/s11416-019-00342-x. Online publication date: 22 Nov 2019.
  • (2019) AlertVision: Visualizing Security Alerts. G Protein-Coupled Receptor Signaling, pp. 173-184. DOI: 10.1007/978-3-030-17982-3_14. Online publication date: 12 Apr 2019.
  • (2018) SEQUIN: a grammar inference framework for analyzing malicious system behavior. Journal of Computer Virology and Hacking Techniques 14:4, pp. 291-311. DOI: 10.1007/s11416-018-0318-x. Online publication date: 26 Mar 2018.
  • (2017) Poster. Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies, pp. 119-120. DOI: 10.1145/3078861.3084162. Online publication date: 7 Jun 2017.
