Semantics-aware detection of targeted attacks: a survey

In today’s interconnected digital world, targeted attacks have become a serious threat to conventional computer systems and critical infrastructure alike. Many researchers contribute to the fight against network intrusions or malicious software by proposing novel detection systems or analysis methods. However, few of these solutions have a particular focus on Advanced Persistent Threats or similarly sophisticated multi-stage attacks. This turns finding domain-appropriate methodologies or developing new approaches into a major research challenge. To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. We introduce a detailed literature evaluation schema in addition to a highly granular model for article categorization. Out of 123 identified papers, 60 were found to be relevant in the context of this study. The selected articles are comprehensively reviewed and assessed in accordance with Kitchenham’s guidelines for systematic literature reviews. In conclusion, we combine new insights and the status quo of current research into the concept of an ideal systemic approach capable of semantically processing and evaluating information from different observation points.
