Adjustable Fusion to Support Cyber Security Operators

  • François-Xavier Aguessy
  • Olivier Bettan
  • Romuald Dobigny
  • Claire Laudy
  • Gaëlle Lortal
  • David Faure
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)

Abstract

Cyber security operators use Security Information and Event Management systems to process and summarize the huge amount of heterogeneous logs and alerts. However, these systems do not give the operator a concise view of the attack status or context, a mandatory feature to understand and properly remediate a threat. Moreover, the number of alerts to analyze for a single information system is high, and thus has to be split into several levels of responsibility distributed among several operators. This layered security monitoring implies a decision problem as well as an automation problem, tackled in this paper with the support of an attack graph-based feature. An attack graph is a risk assessment model that accurately describes, in a concise way, the threats on an information system. In this article, we describe how an attack graph can be used for pattern searching and fusion algorithms, in order to add context to the alerts. We also present recommendations for designing future interactive applications for cyber security monitoring, based on adjustable fusion and a risk assessment model.
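As an added illustration of the two operations the abstract names (pattern searching of alerts against an attack graph, then fusion of matched alerts into attack instances enriched with context), here is a small Python sketch. It is not code from the paper; the attack graph, the alert signatures and the alert stream are constructed toy data, and the graph is a plain successor map rather than the paper's risk assessment model.

```python
# Attack graph (constructed toy): step id -> (alert signature, successor step ids).
# Path modelled: scan the web server -> exploit it -> pivot to the db host -> exfiltrate.
ATTACK_GRAPH = {
    "scan_web": ({"type": "portscan", "dst": "web"}, ["exploit_web"]),
    "exploit_web": ({"type": "exploit", "dst": "web"}, ["pivot_db"]),
    "pivot_db": ({"type": "lateral", "src": "web", "dst": "db"}, ["exfil"]),
    "exfil": ({"type": "exfil", "src": "db"}, []),
}
ENTRY_STEPS = {"scan_web"}  # steps with no predecessor in the graph

def predecessors(step):
    return {s for s, (_, succ) in ATTACK_GRAPH.items() if step in succ}

def matching_steps(alert):
    """Pattern search: graph steps whose signature fields all match the alert."""
    return [s for s, (sig, _) in ATTACK_GRAPH.items()
            if all(alert.get(k) == v for k, v in sig.items())]

def next_steps(instance):
    """Context for the operator: what the graph says may happen next."""
    return sorted(ATTACK_GRAPH[instance["steps"][-1]][1])

def fuse(alerts):
    """Fusion: attach an alert to the instance whose last step precedes the alert's
    step, or open a new instance if it matches an entry step; the rest stay raw."""
    instances, unmatched = [], []
    for alert in alerts:
        placed = False
        for step in matching_steps(alert):
            for inst in instances:
                if inst["steps"][-1] in predecessors(step):
                    inst["steps"].append(step)
                    inst["alerts"].append(alert["id"])
                    placed = True
                    break
            if not placed and step in ENTRY_STEPS:
                instances.append({"steps": [step], "alerts": [alert["id"]]})
                placed = True
            if placed:
                break
        if not placed:
            unmatched.append(alert["id"])
    return instances, unmatched

# Constructed sample alert stream; alert 2 hits a host the graph does not model.
ALERTS = [
    {"id": 1, "type": "portscan", "dst": "web"},
    {"id": 2, "type": "exploit", "dst": "mail"},
    {"id": 3, "type": "exploit", "dst": "web"},
    {"id": 4, "type": "lateral", "src": "web", "dst": "db"},
]
```

Alerts that match a non-entry step but have no preceding instance are also returned raw, so a detection gap earlier in the chain shows up as unfused alerts rather than being hidden.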

Keywords

Intrusion Detection System, Information Fusion, Fusion Algorithm, Graph Match, Risk Assessment Model

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • François-Xavier Aguessy (1)
  • Olivier Bettan (1)
  • Romuald Dobigny (2)
  • Claire Laudy (2)
  • Gaëlle Lortal (2)
  • David Faure (2)
  1. Cyber Security Lab, SiX/Theresis, Thales Solutions de Securité and Services, Palaiseau Cedex, France
  2. Analysis and Reasoning in Complex Systems Lab., Thales Research and Technology, Palaiseau Cedex, France