ABSTRACT
Modern distributed systems are characterized by complex deployments designed to ensure high availability through replication and diversity, to tolerate the presence of failures, and to limit the possibility of successful compromise. However, software is not free from bugs that generate vulnerabilities, and an attacker could exploit those vulnerabilities through multiple steps.
This paper presents an attack-graph based multi-step attack detector that aims to detect a possible ongoing attack early enough for proper countermeasures to be taken; a visualization interfaced with the described attack detector presents the security operator with the relevant pieces of information, allowing a better comprehension of the network status and providing assistance in managing attack situations (i.e., reactive analysis mode). We first propose an architecture and then present the implementation of each building block. Finally, we provide an evaluation of the proposed approach aimed at highlighting the existing trade-off between detection accuracy and detection time.
Index Terms
- An Attack Graph-based On-line Multi-step Attack Detector