
Effective network security monitoring: from attribution to target-centric monitoring

Published in: Telecommunication Systems

Abstract

Network security monitoring remains a challenge. As global networks scale up in traffic, volume and speed, effective attribution of cyber attacks becomes increasingly difficult. The problem is compounded by a combination of other factors, including the architecture of the Internet, multi-stage attacks and increasing volumes of nonproductive traffic. This paper proposes to shift the focus of security monitoring from the source to the target. Simply put, resources devoted to detection and attribution should be redeployed to monitor efficiently for targeting and to prevent attacks. The effort of detection should aim to determine whether a node is under attack and, if so, to prevent the attack effectively. This paper contributes by systematically reviewing the structural, operational and legal reasons underlying this argument, and presents empirical evidence to support a shift away from attribution in favour of a target-centric monitoring approach. A carefully deployed set of experiments is presented and a detailed analysis of the results is provided.
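The following is an added illustration of the source-versus-target contrast the abstract draws; it is not code from the paper or its authors. It runs two views over the same constructed set of connection events: a source-centric view that counts packets per source address (the attribution-style approach) and a target-centric view that scores each internal node by how many distinct (source, port) pairs reached it without any service accepting the connection. The `Event` fields, the thresholds and every address in `SAMPLE_EVENTS` are assumptions made for the example; the probe is deliberately spread so thinly across sources that per-source counting sees nothing, while the per-target score still identifies the node under attack.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One connection attempt as seen by a sensor in front of the monitored nodes."""
    t: int          # seconds since the start of the observation window (constructed)
    src: str        # source address; under spoofing or distribution this is unreliable
    dst: str        # internal node that received the packet
    port: int       # destination port
    accepted: bool  # True if a service on dst completed the handshake


# Constructed sample: eight single-packet probes against 10.0.0.5, each from a
# different source, mixed with ordinary accepted traffic and two stray packets
# of "background radiation" against 10.0.0.7.  No source sends more than two
# packets, so per-source counting sees nothing unusual.
SAMPLE_EVENTS = [
    Event(0,   "198.51.100.1",  "10.0.0.5",  22,   False),
    Event(5,   "203.0.113.9",   "10.0.0.5",  443,  True),
    Event(40,  "198.51.100.2",  "10.0.0.5",  23,   False),
    Event(77,  "198.51.100.3",  "10.0.0.5",  80,   False),
    Event(90,  "203.0.113.10",  "10.0.0.10", 80,   True),
    Event(120, "198.51.100.4",  "10.0.0.5",  445,  False),
    Event(133, "192.0.2.50",    "10.0.0.7",  1433, False),
    Event(160, "198.51.100.5",  "10.0.0.5",  3389, False),
    Event(201, "203.0.113.9",   "10.0.0.5",  443,  True),
    Event(230, "198.51.100.6",  "10.0.0.5",  8080, False),
    Event(265, "192.0.2.51",    "10.0.0.7",  5900, False),
    Event(280, "198.51.100.7",  "10.0.0.5",  21,   False),
    Event(310, "198.51.100.8",  "10.0.0.5",  25,   False),
]


def source_centric(events, threshold):
    """Attribution-style view: count packets per source address and return the
    sources at or above `threshold`.  Spreading a probe over many sources keeps
    every individual count below the bar."""
    per_src = defaultdict(int)
    for e in events:
        per_src[e.src] += 1
    return sorted(src for src, n in per_src.items() if n >= threshold)


def target_centric(events, threshold):
    """Target-style view: for each internal node, count distinct (source, port)
    pairs that reached it without any service accepting the connection.  Who
    sent the packets is irrelevant, so spoofed or distributed sources do not
    dilute the signal; a node with a high count is the one being targeted."""
    per_dst = defaultdict(set)
    for e in events:
        if not e.accepted:
            per_dst[e.dst].add((e.src, e.port))
    return {dst: len(pairs) for dst, pairs in per_dst.items() if len(pairs) >= threshold}


def compare(events, src_threshold=3, dst_threshold=5):
    """Run both views over the same events so the difference is visible."""
    return {
        "suspicious_sources": source_centric(events, src_threshold),
        "targeted_nodes": target_centric(events, dst_threshold),
    }


if __name__ == "__main__":
    result = compare(SAMPLE_EVENTS)
    print("source-centric flagged:", result["suspicious_sources"])  # []
    print("target-centric flagged:", result["targeted_nodes"])      # {'10.0.0.5': 8}
```

The two functions consume identical input; only the aggregation key changes. Keying on the destination is what makes the score robust to the source-side problems the abstract lists (spoofing, distributed and multi-stage activity), and the resulting question, which of my nodes is being targeted, is also the one a defender can act on without needing attribution first.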



Acknowledgments

Both authors have carried out this work partially under a Grant (EP/L022656/1) received by the Engineering and Physical Sciences Research Council (EPSRC) of the UK.

Corresponding author: Siraj Ahmed Shaikh.


Cite this article

Shaikh, S.A., Kalutarage, H.K. Effective network security monitoring: from attribution to target-centric monitoring. Telecommun Syst 62, 167–178 (2016). https://doi.org/10.1007/s11235-015-0071-0
