Abstract
Network security monitoring remains a challenge. As global networks scale up in traffic volume and speed, effective attribution of cyber attacks becomes increasingly difficult. The problem is compounded by other factors, including the architecture of the Internet, multi-stage attacks and growing volumes of nonproductive traffic. This paper proposes to shift the focus of security monitoring from the source to the target. Simply put, resources devoted to detection and attribution should be redeployed to monitor efficiently for targeting and to prevent attacks. The effort of detection should aim to determine whether a node is under attack and, if so, to prevent the attack effectively. This paper contributes by systematically reviewing the structural, operational and legal reasons underlying this argument, and presents empirical evidence to support a shift away from attribution in favour of a target-centric monitoring approach. A carefully deployed set of experiments is presented and the results are analysed in detail.
Acknowledgments
Both authors carried out this work partially under a grant (EP/L022656/1) from the Engineering and Physical Sciences Research Council (EPSRC) of the UK.
Shaikh, S.A., Kalutarage, H.K. Effective network security monitoring: from attribution to target-centric monitoring. Telecommun Syst 62, 167–178 (2016). https://doi.org/10.1007/s11235-015-0071-0