A Framework for Contextual Information Fusion to Detect Cyber-Attacks

  • Ahmed AlEroudEmail author
  • George Karabatis
Part of the Studies in Computational Intelligence book series (SCI, volume 691)


The focus of this research is a novel contextual approach that will be used in detecting zero-day cyber-attacks, generating possible zero-day attack signatures, and automatically measuring their risk on specific software components. In general, zero-day attacks exploit a software vulnerability that has not been discovered, and it is called zero-day vulnerability. This work proposes an approach to identify both zero-day attacks (in real time) and also zero-day vulnerabilities by examining known software vulnerabilities.

The proposed work is an innovative approach, which automatically and efficiently extracts, processes, and takes advantage of contextual information to identify zero-day attacks and vulnerabilities. Contextual information (time, location, etc.) identifies the context that can be used to infer relations between entities, such as cyber-attacks. These relations are called contextual relations. We propose methods to generate zero-day attack signatures using graph-based contextual relations between (1) known attacks and (2) vulnerable software components. These are certainly hard problems to solve, and we doubt that incremental improvements in IDSs will result in a significant solution that drastically improves their effectiveness. Consequently, we propose a substantially different and novel approach: contextual relations, if used intelligently, can reduce the search space in IDSs so that zero-day attacks can be identified in realistic and practical amount of time. There are several reasons that led us to investigate the use of contextual relations to detect zero-day attacks. First, the traditional data mining and pattern recognition techniques lack the desirable effectiveness since they focus on analyzing the data without the use of context. To better identify suspicious activities, direct and indirect contextual paths need to be identified among these activities. These are usually identified manually by domain experts (e.g., identifying relations between cyber-attacks). However, it is quite daunting and challenging to identify all possible relations via manual investigation. Second, there are several contextual relations that need to be identified among vulnerabilities to predict which ones can lead to zero-day attacks and the software modules they are located, thus, empowering us to generate possible signatures for these attacks.


Context Contextual information Cyber security Intrusion detection Semantics 


  1. 1.
    Noel, S., Jajodia, S.: Understanding complex network attack graphs through clustered adjacency matrices. In 21st Annual Computer Security Applications Conference AZ, USA, 5–9 December 2005, pp. 10 pp.–169. doi: 10.1109/CSAC.2005.58 (2005)
  2. 2.
    Noel, S., Robertson, E., Jajodia, S.: Correlating intrusion events and building attack scenarios through attack graph distances. In: 20th Annual Computer Security Applications Conference (CSAC'04), Tucson, AZ, USA, pp. 350–359. doi: 10.1109/CSAC.2004.11 (2004)
  3. 3.
    Noel, S., Sushil, J., O'Berry, B., Jacobs, M.: Efficient minimum-cost network hardening via exploit dependency graphs. In: Proceedings. 19th Annual Computer Security Applications Conference, Orlando, FL USA, 8–12 December 2003, pp. 86-95. doi: 10.1109/CSAC.2003.1254313 (2003)
  4. 4.
    Ritchey, R., O'Berry, B., Noel, S.: Representing TCP/IP connectivity for topological analysis of network security. In: Proceedings. 18th Annual Computer Security Applications Conference, Las Vegas, Nevada, pp. 25–31. doi: 10.1109/CSAC.2002.1176275 (2002)
  5. 5.
    Mathew, S., Upadhyaya, S., Sudit, M., Stotz, A.: Situation awareness of multistage cyber attacks by semantic event fusion. In: Military Communications Conference, 2010—milcom 2010, San Jose, CA, 31 October 2010–3 November 2010, pp. 1286–1291. doi: 10.1109/MILCOM.2010.5680121 (2010)
  6. 6.
    Leung, K., Leckie, C.: Unsupervised anomaly detection in network intrusion detection using clusters. In Proceedings of the Twenty-eighth Australasian conference on Computer Science, Newcastle, NSW, Australia. Australian Computer Society, Inc., pp. 333–342 (2005)Google Scholar
  7. 7.
    Portnoy, L.: Intrusion detection with unlabeled data using clustering. Data Mining Lab, Department of Computer Science, Columbia University (2001)Google Scholar
  8. 8.
    Song, J., Takakura, H., Kwon, Y. A generalized feature extraction scheme to detect 0-day attacks via IDS alerts. In: Proceedings of the 2008 International Symposium on Applications and the Internet, Turku, Finland, pp. 55–61. 1442004: IEEE Computer Society. doi: 10.1109/saint.2008.85 (2008)
  9. 9.
    Hendry, G.R., Yang, S.J.: Intrusion signature creation via clustering anomalies. In: Proc. of SPIE Bellingham, WA, vol. 6973, pp. 69730C–69731 (2008)Google Scholar
  10. 10.
    Kuchimanchi, G.K., Phoha, V.V., Balagani, K.S., Gaddam, S.R. Dimension reduction using feature extraction methods for Real-time misuse detection systems. In: Proceedings of the Fifth Annual IEEE SMC Information Assurance Workshop, West Point, New York. IEEE, pp. 195–202 (2004)Google Scholar
  11. 11.
    Liu, G., Yi, Z., Yang, S.: A hierarchical intrusion detection model based on the PCA neural networks. Neurocomputing 70(7–9), 1561–1568 (2007). doi: 10.1016/j.neucom.2006.10.146 CrossRefGoogle Scholar
  12. 12.
    Siraj, M.M., Maarof, M.A., Hashim, S.Z.M.: Intelligent clustering with PCA and unsupervised learning algorithm in intrusion alert correlation. In: Fifth International Conference on Information Assurance and Security (IAS '09). Xi'an, China, 18–20 August 2009, vol. 1, pp. 679–682. doi: 10.1109/IAS.2009.261 (2009)
  13. 13.
    Zheng, K., Qian, X., Wang, P.: Dimension reduction in intrusion detection using manifold learning. In: International Conference on Computational Intelligence and Security (CIS'09). Beijing, China, vol. 2, pp. 464–468. IEEE (2009)Google Scholar
  14. 14.
    Li, X.-B.: A scalable decision tree system and its application in pattern recognition and intrusion detection. Decis. Support Syst. 41(1), 112–130 (2005). doi: 10.1016/j.dss.2004.06.0l6 CrossRefGoogle Scholar
  15. 15.
    Tavallaee, M., Bagheri, E., Wei, L., Ghorbani, A.A. A detailed analysis of the KDD CUP 99 data set. In IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA'09), Ottawa, ON, 8–10 July 2009, pp. 1–6. doi: 10.1109/CISDA.2009.5356528 (2009)
  16. 16.
    Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.: NSL-KDD Dataset. (2009)
  17. 17.
    Hall, M.A.: Correlation-Based Feature Selection for Machine Learning. The University of Waikato (1999)Google Scholar
  18. 18.
    Sowa, J.F.: Principles of Semantic Networks. Morgan Kaufmann Pub., San Mateo, CA (1991)zbMATHGoogle Scholar
  19. 19.
    Sowa, J.F.: Semantic networks. Encyclopedia of Cognitive Science (2006)Google Scholar
  20. 20.
    Lewis, D.M., Janeja, V.P.: An empirical evaluation of similarity coefficients for binary valued data. Int. J. Data Warehous. Min. 7(2), 44–66 (2011)CrossRefGoogle Scholar
  21. 21.
    Pensa, R.G., Leschi, C., Besson, J., Boulicaut, J.F.: Assessment of discretization techniques for relevant pattern discovery from gene expression data. In: Proceedings ACM BIOKDD, vol. 4, pp. 24–30 (2004)Google Scholar
  22. 22.
    Karabatis, G., Chen, Z., Janeja, V.P., Lobo, T., Advani, M., Lindvall, M., et al.: Using semantic networks and context in search for relevant software engineering artifacts. J. Data Semant. 5880(1), 74–104 (2009). doi: 10.1007/978-3-642-10562-3_3 CrossRefGoogle Scholar
  23. 23.
    Lippmann, R. MIT Lincoln Laboratory KDD Attack Taxonomy. Accessed 05 June 2014 (2014)
  24. 24.
    Gupta, K.K., Nath, B., Kotagiri, R.: Layered approach using conditional random fields for intrusion detection. IEEE Trans. Dependable Secure Comput. 7(1), 35–49 (2010)CrossRefGoogle Scholar
  25. 25.
    Frank, E., Smith, T., Witten, I.: Weka A machine learning software. Machine Learning Group at the University of Waikato. (2014)
  26. 26.
    Wiswedel, B., Ohl, P., Gabriel, T.: KNIME: Kontaz Information Miner. (2014)
  27. 27.
    Granchelli, D.: DARPA intrusion detection datasets. Massachusetts Institute of Technology (MIT): MIT Lincoln Labratory (1999)Google Scholar
  28. 28.
    Tsai, C.F., Hsu, Y.F., Lin, C.Y., Lin, W.Y.: Intrusion detection by machine learning: a review. Expert Systems with Applications 36(10), 11994–12000 (2009)CrossRefGoogle Scholar
  29. 29.
    Lawler, S., Meunier, P. Common vulnerabilities and exposures. Accessed 07 October 2014 (2012)
  30. 30.
    Perona, I., Gurrutxaga, I., Arbelaitz, O., Martín, J.I., Muguerza, J., Pérez, J.M.: Service-independent payload analysis to improve intrusion detection in network traffic. In: Proceedings of the 7th Australasian Data Mining Conference, SA, Australia, pp. 171–178. Australian Computer Society, Inc. (2008)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2017

Authors and Affiliations

  1. 1.Department of Computer Information SystemsYarmouk UniversityIrbidJordan
  2. 2.Department of Information SystemsUniversity of Maryland, Baltimore County (UMBC)BaltimoreUSA

Personalised recommendations