Recognizing Unexplained Behavior in Network Traffic
Intrusion detection and alert correlation are valuable and complementary techniques for identifying security threats in complex networks. Intrusion detection systems monitor network traffic for suspicious behavior, and trigger security alerts. Alert correlation methods can aggregate such alerts into multi-step attacks scenarios. However, both methods rely on models encoding a priori knowledge of either normal or malicious behavior. As a result, these methods are incapable of quantifying how well the underlying models explain what is observed on the network. To overcome this limitation, we present a framework for evaluating the probability that a sequence of events is not explained by a given a set of models. We leverage important properties of this framework to estimate such probabilities efficiently, and design fast algorithms for identifying sequences of events that are unexplained with a probability above a given threshold. Our framework can operate both at the intrusion detection level and at the alert correlation level. Experiments on a prototype implementation of the framework show that our approach scales well and provides accurate results.
The work presented in this chapter is supported in part by the Army Research Office under MURI award number W911NF-09-1-05250525, and by the Office of Naval Research under award number N00014-12-1-0461. Part of the work was performed while Sushil Jajodia was a Visiting Researcher at the US Army Research Laboratory.
- 1.P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, E. Vázquez, Anomaly-based network intrusion detection: techniques, systems and challenges. Comput. Secur. 28(1–2), 18–28 (2009)Google Scholar
- 2.A. Jones, S. Li, Temporal signatures for intrusion detection, in Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001) (IEEE Computer Society, 2001), New Orleans, pp. 252–261Google Scholar
- 3.B. Mukherjee, L.T. Heberlein, K.N. Levitt, Network intrusion detection. IEEE Netw. 8(3), 26–41 (1994)Google Scholar
- 5.H. Debar, A. Wespi, Aggregation and correlation of intrusion-detection alerts, in Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), eds. W. Lee, L. Mé, A. Wespi. Lecture Notes in Computer Science, vol. 2212 (Springer, 2001), Davis, pp. 85–103Google Scholar
- 6.P. Ning, Y. Cui, D.S. Reeves, Constructing attack scenarios through correlation of in- trusion alerts, in Proceedings of the 9th ACM Conference on Computer and Communications Security(CCS 2002) (ACM, 2002), Washington, pp. 245–254Google Scholar
- 7.S. Noel, E. Robertson, S. Jajodia, Correlating intrusion events and building attack scenarios through attack graph distances, in Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC 2004) (2004), Tucson, pp. 350–359Google Scholar
- 9.J.P. Anderson, Computer security threat monitoring and surveillance. Technical report, James Anderson Co., Fort Washington, Apr 1980Google Scholar
- 10.O. Sheyner, J. Haines, S. Jha, R. Lippmann, J.M. Wing, Automated generation and analysis of attack graphs, in Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P 2002), Berkeley, 2002, pp. 273–284Google Scholar
- 11.X. Qin, A probabilistic-based framework for INFOSEC alert correlation. Ph.D. thesis, Georgia Institute of Technology, 2005Google Scholar
- 12.X. Qin, W. Lee, Statistical causality analysis of INFOSEC alert data, in Proceedings of the 6th International Symposium on Re- cent Advances in Intrusion Detection (RAID 2003), eds. G. Vigna, C. Kruegel, E. Jonsson. Lecture Notes in Computer Science, vol. 2820 (Springer, 2003), Pittsburgh pp. 73–93Google Scholar
- 13.A.J. Oliner, A.V. Kulkarni, A. Aiken, Community epidemic detection using time- correlated anomalies, in Proceedings of the 13th International Symposium on Recent Advances in Intrusion Detection (RAID 2010), eds. S. Jha, R. Sommer, C. Kreibich. Lecture Notes in Computer Science, vol. 6307 (Springer, 2010), Ottawa, pp. 360–381Google Scholar
- 14.M. Albanese, C. Molinaro, F. Persia, A. Picariello, V.S. Subrahmanian, Finding “un- explained” activities in video, in Proceedings of the 22nd International Joint Conference on Artificial Intelligence (IJCAI 2011), Barcelona, 2011, pp. 1628–1634Google Scholar
- 15.M. Albanese, S. Jajodia, A. Pugliese, V.S. Subrahmanian, Scalable analysis of attack scenarios, in Proceedings of the 16th European Symposium on Research in Computer Security (ESORICS 2011) (Springer, 2011), Leuven, pp. 416–433Google Scholar