
Attack chain detection. (English) Zbl 07260450

Summary: A targeted network intrusion typically evolves through multiple phases, termed the attack chain. When appropriate data are monitored, these phases generate multiple events across the attack chain on a compromised host. It is shown empirically that events in different parts of the attack chain are largely independent under non-attack conditions, which suggests that a powerful detector can be constructed by combining across events spanning the attack. This article describes the development of such a detector for a large network. To construct events that span the attack chain, multiple data sources are used, and the detector combines across events observed on the same machine, across local neighborhoods of machines linked by network communications, and across events observed on multiple computers. A probabilistic approach for evaluating the combined events is developed, and empirical investigations support the underlying assumptions. The detection power of the approach is studied by inserting plausible attack scenarios into observed network and host data, and an application to a real-world intrusion is given.
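As an added illustration, not code from the paper, the following Python sketch shows why the independence finding matters: if the per-phase events on a host are independent under non-attack conditions, their p-values can be multiplied into one host-level statistic, and host-level statistics can in turn be combined over a host's network neighborhood. It assumes that each monitored data source (DNS, web proxy, Windows event log) has already produced a per-host p-value under a non-attack model, and it uses Fisher's method as the combiner; the paper's own statistic is not reproduced here. The hosts, the neighbor relation and the p-values are constructed sample data.

```python
"""Combining per-phase anomaly p-values along an attack chain (Fisher's method).

Added example; not the paper's code. Assumed inputs: for each host and time
window, every data source yields a p-value for how unusual that host's
behaviour is under the non-attack model. Multiplying them is only valid if the
sources are independent under non-attack conditions, which is the empirical
claim the paper makes; correlated sources would inflate the false-alarm rate.
"""
import math
from collections import defaultdict

# Constructed sample: (host, data_source, p_value under the non-attack model).
# ws-17 shows three mildly unusual events spanning the chain; ws-99 shows one.
EVENTS = [
    ("ws-17", "dns", 0.04),     # lookups of rarely seen domains
    ("ws-17", "proxy", 0.03),   # periodic, beacon-like web requests
    ("ws-17", "winlog", 0.05),  # new service installed on the host
    ("ws-42", "dns", 0.50),
    ("ws-42", "proxy", 0.02),
    ("ws-42", "winlog", 0.60),
    ("ws-99", "dns", 0.04),     # a lone mildly unusual event
    ("ws-99", "proxy", 0.70),
    ("ws-99", "winlog", 0.65),
]

# Constructed neighbor relation: hosts that exchanged traffic in the window.
NEIGHBOURS = {"ws-17": {"ws-42"}, "ws-42": {"ws-17"}, "ws-99": set()}


def chi2_sf_even_df(x: float, df: int) -> float:
    """P(X > x) for a chi-square variable with even df = 2k, in closed form:
    exp(-x/2) * sum_{i<k} (x/2)^i / i!.  Avoids a scipy dependency."""
    k = df // 2
    half = x / 2.0
    return math.exp(-half) * sum(half ** i / math.factorial(i) for i in range(k))


def fisher_combine(pvals) -> float:
    """Fisher's method: T = -2 * sum(log p_i) is chi-square with 2n degrees of
    freedom under H0 if the p_i are independent; returns the combined p-value."""
    pvals = [min(max(p, 1e-300), 1.0) for p in pvals]  # guard log(0)
    t = -2.0 * sum(math.log(p) for p in pvals)
    return chi2_sf_even_df(t, 2 * len(pvals))


def per_host_pvalues(events) -> dict:
    """Combine the events observed on the same machine across data sources."""
    by_host = defaultdict(list)
    for host, _source, p in events:
        by_host[host].append(p)
    return {h: fisher_combine(ps) for h, ps in by_host.items()}


def neighbourhood_pvalues(host_p: dict, neighbours: dict) -> dict:
    """Combine a host's statistic with those of its network neighbours.
    Simplification: a neighbour's evidence is reused in each star it belongs
    to, so these neighbourhood scores are not independent of each other."""
    return {
        h: fisher_combine([host_p[h]] + [host_p[n] for n in neighbours.get(h, ())])
        for h in host_p
    }


def alerts(events, neighbours, threshold: float) -> list:
    """Hosts whose neighbourhood-level combined p-value falls below threshold."""
    host_p = per_host_pvalues(events)
    nbhd_p = neighbourhood_pvalues(host_p, neighbours)
    return sorted(h for h in host_p if nbhd_p[h] < threshold)


if __name__ == "__main__":
    host_p = per_host_pvalues(EVENTS)
    for h, p in sorted(host_p.items()):
        print(f"{h}: host-level p = {p:.4f}")
    print("alerts at 0.01:", alerts(EVENTS, NEIGHBOURS, 0.01))
```

Running it shows the effect the summary describes: none of ws-17's three events would fire a per-source detector at 0.01, but their combination gives a host-level p-value of about 0.0035, while ws-99's single 0.04 event combined with two unremarkable ones stays near 0.24. ws-42 on its own sits near 0.12, and is flagged only once its neighborhood (ws-17) is folded in, which is the kind of association the neighborhood combination is meant to surface and also the place where a practitioner should check the independence assumption most carefully.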

MSC:

62-XX Statistics
68-XX Computer science
