Using Behavioral Modeling and Customized Normalcy Profiles as Protection against Targeted Cyber-Attacks

Targeted cyber-attacks present a significant threat to modern computing systems. Industrial control systems (SCADA) and military networks are examples of high-value targets where a successful attack can have severe consequences. Anomaly detection can offer a defense against targeted attacks, because an attack is likely to introduce some distortion into observable system activity. Most anomaly detection has been performed at the level of system-call sequences and is known to suffer from high false-alarm rates. In this paper, we show that better results can be obtained by performing behavioral analysis at a higher semantic level. We observe that many critical computer systems serve a specific purpose and are expected to run a strictly limited set of software. We model this behavior by building a customized normalcy profile of such a system and evaluate how well anomaly-based detection works in this scenario.
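The following is an added illustration of the idea behind a customized normalcy profile, not the paper's own implementation: a single-purpose host is expected to run a fixed set of programs in fixed relationships, so the profile records which executables run, which parent spawns which child, and which user runs which executable, and any process event outside that profile is reported with the reasons it deviates. The process events, paths and user names are constructed for the example; the field names (`user`, `parent`, `exe`) are assumptions, not a format from the paper.

```python
"""Customized normalcy profile for a single-purpose host (added example).

Instead of raw system-call sequences, the profile works at the level of
process executions: which executable ran, which parent spawned it, and as
which user. Anything outside the profile is flagged with a reason.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (fields are an assumption for this example)."""
    user: str
    parent: str
    exe: str


# Constructed baseline: a host that only runs an HMI, its logger, sshd and
# a cron-driven logrotate. In practice this would be collected from a
# known-good period of operation.
BASELINE: List[ProcEvent] = [
    ProcEvent("scada", "/sbin/init", "/opt/scada/hmi"),
    ProcEvent("scada", "/opt/scada/hmi", "/opt/scada/logger"),
    ProcEvent("root", "/sbin/init", "/usr/sbin/sshd"),
    ProcEvent("root", "/usr/sbin/cron", "/usr/bin/logrotate"),
    ProcEvent("scada", "/opt/scada/hmi", "/opt/scada/logger"),
    ProcEvent("root", "/usr/sbin/cron", "/usr/bin/logrotate"),
]

# Constructed test traffic: two routine events and two that should not
# happen on this host (a shell spawned by the HMI, and the HMI started
# from an interactive SSH session by root).
TEST_EVENTS: List[ProcEvent] = [
    ProcEvent("scada", "/opt/scada/hmi", "/opt/scada/logger"),
    ProcEvent("root", "/usr/sbin/cron", "/usr/bin/logrotate"),
    ProcEvent("scada", "/opt/scada/hmi", "/bin/sh"),
    ProcEvent("root", "/usr/sbin/sshd", "/opt/scada/hmi"),
]


def build_profile(events: List[ProcEvent]) -> Dict[str, Set]:
    """Learn the normalcy profile from a baseline of benign events."""
    profile: Dict[str, Set] = {
        "exes": set(),          # executables ever observed
        "parent_child": set(),  # (parent, child) spawn relationships
        "user_exe": set(),      # (user, executable) pairs
    }
    for ev in events:
        profile["exes"].add(ev.exe)
        profile["parent_child"].add((ev.parent, ev.exe))
        profile["user_exe"].add((ev.user, ev.exe))
    return profile


def score_event(profile: Dict[str, Set], ev: ProcEvent) -> List[str]:
    """Return the list of ways an event deviates from the profile (empty = normal)."""
    reasons: List[str] = []
    if ev.exe not in profile["exes"]:
        reasons.append(f"unknown executable {ev.exe}")
    if (ev.parent, ev.exe) not in profile["parent_child"]:
        reasons.append(f"unexpected parent {ev.parent} for {ev.exe}")
    if (ev.user, ev.exe) not in profile["user_exe"]:
        reasons.append(f"unexpected user {ev.user} for {ev.exe}")
    return reasons


def detect(profile: Dict[str, Set], events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Run every event against the profile and keep only the anomalous ones."""
    alerts = []
    for ev in events:
        reasons = score_event(profile, ev)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for ev, why in detect(prof, TEST_EVENTS):
        print(f"ALERT {ev.user} {ev.parent} -> {ev.exe}: {'; '.join(why)}")
```

Run as a script, the two routine events produce nothing, while the shell spawned by the HMI is reported on all three dimensions and the HMI started from sshd is reported for its parent and user even though the executable itself is legitimate. The point the abstract makes is visible here: at this semantic level the baseline of a single-purpose host is small and stable, so a deviation is informative, whereas the same events viewed as raw system-call sequences would differ from the baseline in many benign ways and inflate the false-alarm rate.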
