Segmenting Large-Scale Cyber Attacks for Online Behavior Model Generation
Large-scale cyber attack traffic can present challenges to identify which packets are relevant and what attack behaviors are present. Existing works on Host or Flow Clustering attempt to group similar behaviors to expedite analysis, often phrasing the problem as offline unsupervised machine learning. This work proposes online processing to simultaneously segment traffic observables and generate attack behavior models that are relevant to a target. The goal is not just to aggregate similar attack behaviors, but to provide situational awareness by grouping relevant traffic that exhibits one or more behaviors around each asset. The seemingly clustering problem is recast as a supervised learning problem: classifying received traffic to the most likely attack model, and iteratively introducing new models to explain received traffic. A graph-based prior is defined to extract the macroscopic attack structure, which complements security-based features for classification. Malicious traffic captures from CAIDA are used to demonstrate the capability of the proposed attack segmentation and model generation (ASMG) process.
KeywordsSituational Awareness Closeness Centrality Attack Model Attack Behavior Destination Port
Unable to display preview. Download preview PDF.
- 2.Aben, E., et al.: The CAIDA UCSD Network Telescope Two Days in November 2008 Dataset. Technical report (access Date: May 2012-August 2013)Google Scholar
- 3.Fukuda, K., Hirotsu, T., Akashi, O., Sugawara, T.: A PCA Analysis of Daily Unwanted Traffic. In: Proceedings of 24th IEEE International Conference on Advanced Information Networking and Applications, pp. 377–384 (April 2010)Google Scholar
- 4.Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In: Proceedings of the 17th USENIX Conference on Security Symposium, Berkeley, CA, USA, pp. 139–154 (2008)Google Scholar
- 7.Lee, D., Carpenter, B., Brownlee, N.: Observations of udp to tcp ratio and port numbers. In: Proceedings of Fifth International Conference on Internet Monitoring and Protection, pp. 99–104 (2010)Google Scholar
- 8.McGregor, A., Hall, M., Lorier, P., Brunskill, J.: Flow Clustering Using Machine Learning Techniques. In: Proceedings of Passive and Active Measurement Workshop, pp. 205–214 (2004)Google Scholar
- 9.Newman, M.E.J.: Scientific collaboration networks. ii. shortest paths, weighted networks, and centrality. Phys. Rev. E 64, 016132 (2001)Google Scholar
- 10.Ohta, M., Kanda, Y., Fukuda, K., Sugawara, T.: Analysis of Spoofed IP Traffic Using Time-to-Live and Identification Fields in IP Headers. In: Proceedings of IEEE International Conference on Advanced Information Networking and Applications, Washington, DC, USA, pp. 355–361 (2011)Google Scholar
- 11.Shannon, C., Moore, D.: Network Telescopes: Remote Monitoring of Internet Worms and Denial-of-Service Attacks Technical report (2013) (Technical Presentation-access Date: May 2012-August 2013)Google Scholar
- 13.Wei, S., Mirkovic, J., Kissel, E.: Profiling and Clustering Internet Hosts. In: Proceedings of International Conference on Data Mining (DMIN) (June 2006)Google Scholar
- 14.Xu, K., Wang, F., Gu, L.: Network-aware behavior clustering of Internet end hosts. In: Proceedings of IEEE INFOCOM, pp. 2078–2086 (April 2011)Google Scholar
- 15.Zseby, T.: Comparable Metrics for IP Darkspace Analysis. In: Proceedings of 1st International Workshop on Darkspace and UnSolicited Traffic Analysis (May 2012)Google Scholar