Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time

  • Renier van Heerden
  • Mercia M. Malan
  • Francois Mouton
  • Barry Irwin
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 431)

Abstract

This paper investigates how the measurement of a network attack taxonomy can be related to human perception. Network attacks have no time limitation, but the earlier an attack is detected, the more damage can be prevented and the more preventative actions can be taken. This paper evaluates how elements of network attacks can be measured in near real-time (60 seconds). The taxonomy we use was developed by van Heerden et al. (2012) and has over 100 classes. These classes present the attacker's and the defender's points of view. The degree to which each class can be quantified or measured is determined by investigating the accuracy of various assessment methods. We classify each class as either defined, high, low or not quantifiable. For example, it may not be possible to determine the instigator of an attack (Aggressor), but only that the attack has been launched by a Hacker (Actor). Some classes can only be quantified with a low confidence, or not at all, in a short (near real-time) time. The IP address of an attack can easily be faked, which reduces the confidence in the information obtained from it, so the origin of an attack can only be determined with a low confidence. This determination itself is subjective. All the evaluations of the classes in this paper are subjective, but because the grouping is very basic (High, Low or Not Quantifiable), a subjective value can be used. The complexity of the taxonomy can be significantly reduced if only classes with a high perceptive accuracy are used.

Keywords

Network Attack, near real-time, Network Attack Taxonomy

References

  1. van Heerden, R., Pieterse, H., Irwin, B.: Mapping the most significant computer hacking events to a temporal computer attack model. In: Hercheui, M.D., Whitehouse, D., McIver Jr., W., Phahlamohlaka, J. (eds.) ICT Critical Infrastructures and Society. IFIP AICT, vol. 386, pp. 226–236. Springer, Heidelberg (2012)
  2. van Heerden, R.P., Burke, I., Irwin, B.: Classifying network attack scenarios using an ontology. In: Proceedings of the 7th International Conference on Information-Warfare & Security (ICIW 2012), pp. 311–324. ACI (2012)
  3. Joyal, P.: Industrial espionage today and information wars of tomorrow. In: 19th National Information Systems Security Conference, pp. 139–151 (1996)
  4. Burstein, A.: Trade secrecy as an instrument of national security: rethinking the foundations of economic espionage. Arizona State Law Journal 41, 933–1167 (2009)
  5. Grant, T., Venter, H., Eloff, J.: Simulating adversarial interactions between intruders and system administrators using OODA-RR. In: Proceedings of the 2007 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries, pp. 46–55. ACM (2007)
  6. van Heerden, R., Leenen, L., Irwin, B., Burke, I.: A computer network attack taxonomy and ontology. International Journal of Cyber Warfare and Terrorism 3, 12–25 (2012)
  7. Fenz, S., Neubauer, T.: How to determine threat probabilities using ontologies and Bayesian networks. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, p. 69. ACM (2009)
  8. Shavitt, Y., Zilberman, N.: A geolocation databases study. IEEE Journal on Selected Areas in Communications 29(10), 2044–2056 (2011)
  9. Stoll, C.: Tracking a spy through a maze of computer espionage, vol. 1. Doubleday (1989)
  10. Ezzeldin, H.: Nmap detection and countermeasures. Online (March 2008) (accessed September 5, 2012)
  11. Kibret, W.E.: Analyzing network security from a defense in depth perspective. Master's thesis, Department of Informatics, University of Oslo (2011)
  12. Yung, K.H.: Detecting long connection chains of interactive terminal sessions. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 1–16. Springer, Heidelberg (2002)
  13. Spitzner, L.: Honeypots: Catching the insider threat. In: Proceedings of the 19th Annual Computer Security Applications Conference, pp. 170–179. IEEE (2003)
  14. Myers, J., Grimaila, M., Mills, R.: Towards insider threat detection using web server logs. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, pp. 54–58. ACM (2009)
  15. Poese, I., Uhlig, S., Kaafar, M.A., Donnet, B., Gueye, B.: IP geolocation databases: unreliable? ACM SIGCOMM Computer Communication Review 41(2), 53–56 (2011)
  16. Katz-Bassett, E., John, J.P., Krishnamurthy, A., Wetherall, D., Anderson, T., Chawathe, Y.: Towards IP geolocation using delay and topology measurements. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, pp. 71–84. ACM (2006)
  17. Sanger, D.: Obama order sped up wave of cyberattacks against Iran. Online (June 2012) (accessed August 24, 2012)
  18. Shiffman, G., Gupta, R.: Crowdsourcing cyber security: a property rights view of exclusion and theft on the information commons. International Journal of the Commons 7(1), 93–112 (2013)
  19. Stout, G.: Testing a website: Best practices. Technical report, Reveregroup (2001) (accessed January 2, 2013)
  20. Lunt, T.F.: A survey of intrusion detection techniques. Computers & Security 12(4), 405–418 (1993)
  21. Tjhai, G., Papadaki, M., Furnell, S., Clarke, N.: Investigating the problem of IDS false alarms: An experimental study using Snort. In: Jajodia, S., Samarati, P., Cimato, S. (eds.) Proceedings of the IFIP TC 11 23rd International Information Security Conference. IFIP, vol. 278, pp. 253–267. Springer, Boston (2008)
  22. Hariri, S., Qu, G., Dharmagadda, T., Ramkishore, M., Raghavendra, C.S.: Impact analysis of faults and attacks in large-scale networks. IEEE Security & Privacy 1(5), 49–54 (2003)
  23. Kuwatly, I., Sraj, M., Al Masri, Z., Artail, H.: A dynamic honeypot design for intrusion detection. In: IEEE International Conference on Pervasive Services (ICPS), pp. 95–104 (2004)
  24. Bhuyan, M.H., Bhattacharyya, D., Kalita, J.: Surveying port scans and their detection methodologies. The Computer Journal 54(10), 1565–1581 (2011)
  25. Merritt, D.: Spear phishing attack detection. Master's thesis, Air Force Institute of Technology (March 2011) (accessed January 1, 2013)
  26. Mouton, F., Malan, M.M., Venter, H.S.: Social engineering from a normative ethics perspective. In: Information Security for South Africa, pp. 1–8 (2013)
  27. Bezuidenhout, M., Mouton, F., Venter, H.: Social engineering attack detection model: SEADM. In: Information Security for South Africa, pp. 1–8 (2010)
  28. Mouton, F., Malan, M., Venter, H.: Development of cognitive functioning psychological measures for the SEADM. In: Human Aspects of Information Security & Assurance (2012)
  29. Mouton, F., Leenen, L., Malan, M.M., Venter, H.S.: Towards an ontological model defining the social engineering domain. In: 11th Human Choice and Computers International Conference, Turku, Finland (July 2014)
  30. Heberlein, L.T., Dias, G.V., Levitt, K.N., Mukherjee, B., Wood, J., Wolber, D.: A network security monitor. In: Proceedings of Computer Society Symposium on Research in Security and Privacy, pp. 296–304. IEEE (1990)
  31. Christodorescu, M., Jha, S.: Testing malware detectors. ACM SIGSOFT Software Engineering Notes 29(4), 34–44 (2004)
  32. Owen, D.: What is a false positive and why are false positives a problem? Online (May 2010) (accessed November 21, 2012)
  33. Manmadhan, S., Manesh, T.: A method of detecting SQL injection attack to secure web applications. International Journal of Distributed and Parallel Systems 3, 1–8 (2012)
  34. Ciampa, A., Visaggio, C.A., Di Penta, M.: A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications. In: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, pp. 43–49. ACM (2010)
  35. Win, W., Htun, H.H.: A simple and efficient framework for detection of SQL injection attack. International Journal of Computer & Communication Engineering Research 1(2), 26–30 (2013)
  36. Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web, pp. 601–610. ACM (2007)
  37. Scholte, T., Robertson, W., Balzarotti, D., Kirda, E.: An empirical analysis of input validation mechanisms in web applications and languages. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing, pp. 1419–1426. ACM (2012)
  38. Rao, T.: Defending against web vulnerabilities and cross-site scripting. Journal of Global Research in Computer Science 3(5), 61–64 (2012)
  39. Karig, D., Lee, R.: Remote denial of service attacks and countermeasures. Technical Report CE-L2001-002, Princeton University Department of Electrical Engineering (October 2001) (accessed January 1, 2013)
  40. Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review 34(2), 39–53 (2004)
  41. Bhide, A., Elnozahy, E.N., Morgan, S.P.: A highly available network file server. In: Proceedings of the 1991 USENIX Winter Conference, pp. 199–205. Citeseer (1991)
  42. Yang, D., Usynin, A., Hines, J.W.: Anomaly-based intrusion detection for SCADA systems. In: 5th International Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies (NPIC & HMIT 2005), pp. 12–16 (2006)
  43. Gula, R.: Correlating IDS alerts with vulnerability information. Technical Report Revision 4, Tenable Network Security (May 2011)

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Renier van Heerden (1)
  • Mercia M. Malan (2)
  • Francois Mouton (1)
  • Barry Irwin (3)
  1. Defence, Peace, Safety & Security, Council for Scientific and Industrial Research, Pretoria, South Africa
  2. Information and Computer Security Architecture Research Group, University of Pretoria, Pretoria, South Africa
  3. Computer Science Department, Rhodes University, Grahamstown, South Africa