Temporal and Spatial Analyses for Large-Scale Cyber Attacks

  • Haitao DuEmail author
  • Shanchieh Jay Yang


Prevalent computing devices with networking capabilities have become critical cyber infrastructure for government, industry, academia and every-day life. As their value rises, the motivation driving cyber attacks on this infrastructure has shifted from the pursuit of notoriety to the pursuit of profit [1, 2] or political gains, leading to cyber terrorism on various scales. Cyber terrorism has had its share of case studies and definitions since late 1990s and early 2000s [3–5]. A common denominator of the definition of cyber terrorism is the threat posed through the use of cyber infrastructure, especially the Internet. Stuxnet, a malware discovered in June 2010, which was a directed attack against the Iranian nuclear program [6], represented a milestone on cyber warfare and posed a new challenge to analyze and understand cyber attacks due to its complexity in attack strategy. While cyber terrorism can have many elements beyond exploiting cyber vulnerabilities, this chapter focuses on analyzing techniques that process observables of malicious activities in the cyberspace.


Bayesian Network Intrusion Detection Intrusion Detection System Suffix Tree Attack Strategy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Fossl M et al (2010) Symantec internet security threat report for 2010. Technical ReportGoogle Scholar
  2. 2.
    Zhou C, Leckie C, Karunasekera S (2010) A survey of coordinated attacks and collaborative intrusion detection. Comput Secur 29(1):124–140Google Scholar
  3. 3.
    Denning DE (2000) Cyberterrorism: testimony before the special oversight panel on terrorism committee on armed services US house of representatives. Nova Science Pub. Inc, New YorkGoogle Scholar
  4. 4.
    Flemming P, Stohl M (2001) Myths and realities of cyberterrorism. In: Proceedings of the international conference on countering terrorism through enhanced international cooperation. ISPAC, pp 70–108Google Scholar
  5. 5.
    Gordon S, Ford R (2002) Cyberterrorism? Comput Secur 21(7):636–647Google Scholar
  6. 6.
    Langner R (2011) Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur Priv 9(3):49–51Google Scholar
  7. 7.
    Roesch M et al (1999) Snort-lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX conference on system administration. USENIX, Berkeley, CA pp 229–238Google Scholar
  8. 8.
    Fuchsberger A (2005) Intrusion detection systems and intrusion prevention systems. Inf Secur Tech Rep 10(3):134–139Google Scholar
  9. 9.
    Valdes A, Skinner K (2001) Probabilistic alert correlation. In: Proceedings of the international symposium of the recent advances in intrusion detection (RAID’01). Springer, Berlin, pp 54–68Google Scholar
  10. 10.
    Dain O, Cunningham RK (2001) Fusing a heterogeneous alert stream into scenarios. In: Proceedings of ACM workshop on data mining and security ACM, New YorkGoogle Scholar
  11. 11.
    Debar H, Wespi A (2001) Aggregation and correlation of intrusion-detection alerts. In: Proceedings of the international symposium of the recent advances in intrusion detection (RAID’01). Springer, Berlin, pp 85–103Google Scholar
  12. 12.
    Cuppens F, Miège A (2002) Alert correlation in a cooperative intrusion detection framework. In: Proceedings of IEEE symposium on security and privacy: IEEE, New York, pp 202–215Google Scholar
  13. 13.
    Cheung S, Lindqvist U, Fong MW (2003) Modeling multistep cyber attacks for scenario recognition. In: Proceedings of DARPA information survivability conference and exposition, IEEE, New York, vol 1. pp 284–292Google Scholar
  14. 14.
    Valeur F, Vigna G, Kruegel C, Kemmerer R (2004) A comprehensive approach to intrusion detection alert correlation. IEEE Trans Dependable Secur Comput 1(3):46–169Google Scholar
  15. 15.
    Ning P, Xu D, Healey CG, Amant RS (2004) Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th annual network and distributed system security symposium (NDSS’04). pp 97–111Google Scholar
  16. 16.
    Arnes A, Valeur F, Kemmerer R (2006) Using hidden markov models to evaluate the risk of intrusions. In: Proceedings of the international symposium of the recent advances in intrusion detection (RAID’06), Hamburg, Germany, Springer, BerlinGoogle Scholar
  17. 17.
    Stotz A, Sudit M (2007) INformation fusion engine for real-time decision-making (INFERD): a perceptual system for cyber attack tracking. In: Proceedings of 10th IEEE international conference on information fusion, IEEE, New YorkGoogle Scholar
  18. 18.
    Qin X, Lee W (2004) Attack plan recognition and prediction using causal networks. In: Proceedings of the 20th ACM annual computer security applications conference. ACM, New York, pp 370–379Google Scholar
  19. 19.
    Wang L, Liu A, Jajodia S (2006) Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Comput Commun 29(15):2917–2933Google Scholar
  20. 20.
    Holsopple J, Yang SJ (2008) FuSIA: future situation and impact awareness. In: Proceedings of the 11th ISIF/IEEE international conference on information fusion, IEEE, New YorkGoogle Scholar
  21. 21.
    Fava D, Byers S, Yang S (2008) Projecting cyberattacks through variable-length markov models. IEEE Trans Inf Forensics Secur 3(3):359–369Google Scholar
  22. 22.
    Du H, Liu D, Holsopple J, Yang S (2010) Toward ensemble characterization and projection of multistage cyber attacks. In: Proceedings of the 19th IEEE international conference on computer communications and networks (ICCCN’10). EEE, New York pp 1–8Google Scholar
  23. 23.
    Soldo F, Le A, Markopoulou A (2011) Blacklisting recommendation system: using spatio-temporal patterns to predict future attacks. IEEE J Sel Areas Commun 29(7):1423–1437Google Scholar
  24. 24.
    Wei S, Mirkovic J, Kissel E (2006) Profiling and clustering internet hosts. In: Proceedings of the 6th IEEE international conference on data mining (ICDM’06). IEEE, New York, pp 269–275Google Scholar
  25. 25.
    Xu K, Zhang Z, Bhattacharyya S (2005) Profiling internet backbone traffic: behavior models and applications. ACM SIGCOMM Comput Commun Rev. USENIX, Berkeley, CA 35(4): 69–180Google Scholar
  26. 26.
    Gu G, Perdisci R, Zhang J, Lee W (2008) BotMiner: clustering analysis of network traffic for protocol-and structure-independent botnet detection. In: Proceedings of the 17th conference on security symposium. USENIX Association. USENIX, Berkeley, CA pp 139–154Google Scholar
  27. 27.
    Soldo F, Le A, Markopoulou A (2010) Predictive blacklisting as an implicit recommendation system. In: Proceedings of IEEE INFOCOM’10. IEEE, New York, pp 1–9Google Scholar
  28. 28.
    Xu K, Wang F, Gu L (2011) Network-aware behavior clustering of Internet end hosts. In: Proceedings of IEEE INFOCOM’11. IEEE, New York, pp 2078–2086Google Scholar
  29. 29.
    Debar H, Dacier M (1999) Towards a taxonomy of intrusion-detection systems. Comput Netw 31(8):805–822Google Scholar
  30. 30.
    Tsai C, Hsu Y, Lin C, Lin W (2009) Intrusion detection by machine learning: a review. Expert Syst Appl 36(10):11994–12000Google Scholar
  31. 31.
    Wu S, Banzhaf W (2010) The use of computational intelligence in intrusion detection systems: a review. Appl Soft Comput 10(1):1–35Google Scholar
  32. 32.
    Bass T (2000) Intrusion detection systems and multisensor data fusion. Commun ACM 43(4):99–105Google Scholar
  33. 33.
    Sadoddin R, Ghorbani A (2006) Alert correlation survey: framework and techniques. In: Proceedings of the ACM international conference on privacy, security and trust. ACM, New York, pp 1–10Google Scholar
  34. 34.
    Haines J, Ryder D, Tinnel L, Taylor S, Kewley Ryder D (2003) Validation of sensor alert correlators. IEEE Secur Priv 1(1):46–56Google Scholar
  35. 35.
    Cuppens F (2001) Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th ACM annual computer security applications conference. ACM, New York, 32Google Scholar
  36. 36.
    Ning P, Cui Y (2002) Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM conference on computer and communications security. pp 245–254Google Scholar
  37. 37.
    Iyer P, Reeves D et al (2004) Reasoning about complementary intrusion evidence. In: Proceedings of the 20th ACM annual computer security applications conference. ACM, New York, pp 39–48Google Scholar
  38. 38.
    Qin X (2005) A probabilistic-based framework for INFOSEC alert correlation. Ph.D. dissertationGoogle Scholar
  39. 39.
    Sadoddin R, Ghorbani AA (2009) An incremental frequent structure mining framework for real-time alert correlation. Comput Secur 28(3–4):153–173Google Scholar
  40. 40.
    Li JH, Levy R (2010) Using Bayesian networks for cyber security analysis. In: Proceedings of the 40th IEEE/IFIP international conference on dependable systems & networks (DSN’10). pp 211–220Google Scholar
  41. 41.
    Li J, Ou X (2010) Uncertainty and risk management in cyber situational awareness. Adv Inf Secur 46:51–68Google Scholar
  42. 42.
    Adomavicius G, Tuzhilin A (2005) Toward the next generation of recommender systems: a survey of the state-of-the-art and possible extensions. IEEE Trans Knowl Data Eng 17(6): 734–749Google Scholar
  43. 43.
    Hastie T, Tibshirani R et al (2001) The elements of statistical learning: data mining, inference and prediction. Springer, Berlin/New YorkGoogle Scholar
  44. 44.
    Bell T, Cleary J, Witten I (1990) Text compression. Prentice-Hall, EnglewoodGoogle Scholar
  45. 45.
    Du H, Yang S (2011) Discovering collaborative cyber attack patterns using social network analysis. In: Proceedings of social computing, behavioral-cultural modeling and prediction (SBP’10). Springer, Berlin/Heidelberg, pp 129–136Google Scholar
  46. 46.
    Childers N, Vigna G et al (2010) Organizing large scale hacking competitions. In: Proceedings of detection of intrusions and malware, and vulnerability assessment (DIMVA’10), vol 6201. Springer, Berlin/Heidelberg, pp 132–152Google Scholar
  47. 47.
    ICTF Data set [Online]. Available: Accessed Jan 2012
  48. 48.
    Moore D, Shannon C, Voelker G, Savage S (2004) Network telescopes: technical report. Technical ReportGoogle Scholar
  49. 49.
    Aben E et al The CAIDA UCSD network telescope two days in November 2008 dataset [Online]. Available:\_dataset.xml. Accessed Jan 2012
  50. 50.
    Bonacich P (1987) Power and centrality: a family of measures. Am J Sociol 92:1170–1182Google Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.Rochester Institute of TechnologyRochesterUSA

Personalised recommendations