Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

2021 ◽  
Vol 8 (1) ◽  
Author(s):  
Amir Mohammadzade Lajevardi ◽  
Morteza Amini

Targeted cyber attacks, which today are known as Advanced Persistent Threats (APTs), use low and slow patterns to bypass intrusion detection and alert correlation systems. Since most attack detection approaches use a short time window, slow APTs abuse this weakness to escape detection. In these situations, the intruders extend the duration of the attack and move as slowly as possible, using tricks such as sleeper and wake-up functions, which makes detection difficult for such systems. In addition, low APTs use trusted subjects or agents to conceal any footprint or abnormality in the victim system, using tricks such as code injection and stealing digital certificates. In this paper, a new solution is proposed for detecting both low and slow APTs. The proposed approach uses low-level interception, a knowledge-based system, a system ontology, and semantic correlation to detect low-level attacks. Since semantic-based correlation is not applicable to detecting slow attacks due to its significant processing overhead, we propose a scalable knowledge-based system that uses three different concepts and approaches to reduce the time complexity: (1) a flexible sliding window called the Vermiform window to analyze and correlate system events instead of a fixed-size time window, (2) effective inference using a scalable inference engine called SANSA, and (3) data reduction by ontology-based data abstraction. We can detect slow APTs whose attack duration is about several months. Evaluation of the proposed approach on a dataset containing many APT scenarios shows 84.21% sensitivity and 82.16% specificity.

Sensors ◽  
2020 ◽  
Vol 20 (16) ◽  
pp. 4372 ◽  
Author(s):  
Yan Naung Soe ◽  
Yaokai Feng ◽  
Paulus Insap Santosa ◽  
Rudy Hartanto ◽  
Kouichi Sakurai

With the rapid development and popularization of Internet of Things (IoT) devices, an increasing number of cyber-attacks are targeting such devices. It has been reported that most attacks in IoT environments are botnet-based. Many security weaknesses still exist on IoT devices because most of them do not have enough memory and computational resources for robust security mechanisms. Moreover, many existing rule-based detection systems can be circumvented by attackers. In this study, we propose a machine learning (ML)-based botnet attack detection framework with a sequential detection architecture. An efficient feature selection approach is adopted to implement a lightweight detection system with high performance. The overall detection performance reaches around 99% for botnet attack detection using three different ML algorithms: artificial neural network (ANN), J48 decision tree, and Naïve Bayes. The experimental results indicate that the proposed architecture can effectively detect botnet-based attacks and can also be extended with corresponding sub-engines for new kinds of attacks.


2020 ◽  
Vol 2 (10) ◽  
pp. 169-183
Author(s):  
Serhii Tolіupa ◽  
Oleksandr Pliushch ◽  
Ivan Parkhomenko

Systems for detecting network intrusions and signs of attacks on information systems have long been used as one of the necessary lines of defense of information systems. Today, intrusion and attack detection systems are usually software or hardware-software solutions that automate the monitoring of events occurring in an information system or network and independently analyze these events in search of signs of security problems. As the number of different types and ways of organizing unauthorized intrusions into other networks has increased significantly in recent years, attack detection systems (ATS) have become a necessary component of the security infrastructure of most organizations. The article proposes a software prototype of a network attack detection system based on selected data mining methods and neural network structures. The experiments conducted confirm the efficiency of the created detection model for protecting an information network. Experiments with the software prototype showed high-quality detection of network attacks based on neural network structures and intelligent data distribution methods. The state of protection of information systems against cyber attacks is analyzed, leading to the conclusion that ensuring the security of cyberspace requires implementing a set of protection systems and mechanisms, namely: user access control; firewalls; cryptographic protection of information; virtual private networks; anti-virus protection of ITS elements; intrusion detection and prevention; authentication, authorization and audit; data loss prevention; security and event management; and security management.


Cryptography ◽  
2018 ◽  
Vol 2 (4) ◽  
pp. 38 ◽  
Author(s):  
James Jin Kang ◽  
Kiran Fahd ◽  
Sitalakshmi Venkatraman

Due to the prevalence and constantly increasing risk of cyber-attacks, new and evolving security mechanisms are required to protect information and networks and ensure the basic security principles of confidentiality, integrity, and availability, referred to as the CIA triad. While confidentiality and integrity can be achieved using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates, these depend on the correct authentication of servers, which can be compromised by man-in-the-middle (MITM) attacks. Many existing solutions have practical limitations due to their operational complexity, deployment costs, and the capabilities of adversaries. We propose a novel scheme to detect MITM attacks with minimal intervention and workload on the network and systems. Our proposed model applies a novel inferencing scheme for detecting true anomalies in transmission time at a trusted time server (TTS) using time-based verification of sent and received messages. The key contribution of this paper is the ability to automatically detect MITM attacks with trusted verification of the transmission time using a learning-based inferencing algorithm. When used in conjunction with existing systems such as intrusion detection systems (IDS), which require comprehensive configuration and incur network resource costs, it can provide a robust solution that addresses these practical limitations while saving costs by providing assurance.


Author(s):  
Peter J. Hawrylak ◽  
Chris Hartney ◽  
Michael Haney ◽  
Jonathan Hamm ◽  
John Hale

Identifying the level of intelligence of a cyber-attacker is critical to detecting cyber-attacks and determining the next targets or steps of the adversary. This chapter explores intrusion detection systems (IDSs) which are the traditional tool for cyber-attack detection, and attack graphs which are a formalism used to model cyber-attacks. The time required to detect an attack can be reduced by classifying the attacker’s knowledge about the system to determine the traces or signatures for the IDS to look for in the audit logs. The adversary’s knowledge of the system can then be used to identify their most likely next steps from the attack graph. A computationally efficient technique to compute the likelihood and impact of each step of an attack is presented. The chapter concludes with a discussion describing the next steps for implementation of these processes in specialized hardware to achieve real-time attack detection.


Electronics ◽  
2020 ◽  
Vol 9 (10) ◽  
pp. 1684
Author(s):  
Hanan Hindy ◽  
Robert Atkinson ◽  
Christos Tachtatzis ◽  
Jean-Noël Colin ◽  
Ethan Bayne ◽  
...  

Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDSs capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, limiting its practical use and performance. This paper proposes an autoencoder implementation for detecting zero-day attacks. The aim is to build an IDS model with high recall while keeping the miss rate (false negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation: CICIDS2017 and NSL-KDD. To demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinct from normal behaviour. The proposed model benefits greatly from the encoding-decoding capabilities of autoencoders. The results show that autoencoders are well suited to detecting complex zero-day attacks. The results demonstrate a zero-day detection accuracy of 89–99% for the NSL-KDD dataset and 75–98% for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout.


2021 ◽  
Vol 5 (3) ◽  
pp. 1-25
Author(s):  
Craig Bakker ◽  
Arnab Bhattacharya ◽  
Samrat Chatterjee ◽  
Draguna L. Vrabie

Increasing connectivity to the Internet for remote monitoring and control has made cyber-physical systems more vulnerable to deliberate attacks; purely cyber attacks can thereby have physical consequences. Long-term, stealthy attacks such as Stuxnet can be described as Advanced Persistent Threats (APTs). Here, we extend our previous work on hypergames and APTs to develop hypergame-based defender strategies that are robust to deception and do not rely on attack detection. These strategies provide provable bounds—and provably optimal bounds—on the attacker payoff. Strategies based on Bayesian priors do not provide such bounds. We then numerically demonstrate our approach on a building control subsystem and discuss next steps in extending this approach toward an operational capability.


Author(s):  
Malathi Eswaran, et al.

In the world of modern technology, many devices are frequently handled by people via the network. Since the network is used for communication across the world and for data sharing, there is a chance of cyber-attacks and intrusion into users' personal data. This survey bears witness to the large number of cyber-attacks that have become widespread in recent times. The issue also concerns the systems in use and the storage devices involved. In order to manage large amounts of data, cloud computing plays a vital role in managing the data and also in protecting it from intruders. Many intrusion detection systems help in detecting anomalies caused by various cyber-attacks. This survey focuses on the types of attacks and on the methodology involved in detecting such attacks.


Today's highly skilled attackers exploit many of the vulnerabilities in their target's network. On the other hand, the risk of data leakage has increased dramatically because a software or application vulnerability is often left without a fix. Using such a (zero-day) vulnerability, hackers can reach the target network and steal sensitive data. Detecting zero-day attacks with traditional defenses is difficult, because the signature information of zero-day attacks is unknown. Therefore, there is a need for new security solutions that detect zero-day attacks and evaluate the severity of the identified zero-day vulnerability. The paper proposes an approach for detecting unknown vulnerabilities. The system is a framework that offers a comprehensive approach for detecting and prioritizing zero-day attacks and removing the detected attacks. The proposed framework is based on a probabilistic approach to determine the zero-day attack path and the subsequent degree of severity of the identified zero-day vulnerability. It is a hybrid detection and removal method based on the detection of unknown defects present in the network that have not yet been detected. The system also shows the file with its original size and with its size after the attack.


2013 ◽  
Author(s):  
Valerio Santangelo ◽  
Simona Arianna Di Francesco ◽  
Serena Mastroberardino ◽  
Emiliano Macaluso
