Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs

When analyzing the security of activities in a highly distributed system, an analyst faces a huge number of events, mostly produced by network supervision mechanisms. To analyze this volume of information, the analyst often starts from an indicator of compromise (IoC), an observable suggesting that a compromise may have occurred, and looks for the information related to this IoC, since it could help explain the associated security incident. This approach is referred to as forensic analysis. In this paper, we propose an approach to process network events automatically in order to provide the analyst with a new way to determine the subset of information related to a given IoC. This approach relies first on the generation of graphs between so-called "Security Objects" built from the logged network events, and second on the automatic processing of these graphs based on graph community analysis.
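The following is an added illustration of the pipeline the abstract sketches, not code from the paper: logged network events are turned into a graph whose nodes are security objects, a community detection pass is run over that graph, and the events touching the IoC's community are returned as the subset worth examining. The object types (IP addresses, ports, domains), the clique-per-event edge rule, the weighted label-propagation algorithm and every event in `EVENTS` are assumptions made for this example; the paper does not say which community algorithm it uses.

```python
"""Toy "security object" graph + community-based scoping of an IoC.

Assumptions (not from the paper): objects are IPs, ports and domains;
every pair of objects that co-occur in one event is linked, with edge
weight = number of events linking them; communities come from a
deterministic weighted label-propagation pass.  All events are constructed.
"""
from collections import defaultdict

# Constructed sample events: (event_id, src_ip, dst_ip, dst_port, domain)
EVENTS = [
    ("e1", "203.0.113.7", "10.0.0.5", 4444, None),    # inbound connection to a host
    ("e2", "10.0.0.5", None, None, "evil.example"),   # DNS lookup by that host
    ("e3", "10.0.0.5", "203.0.113.7", 4444, None),    # outbound beacon back
    ("e4", "10.0.0.8", "10.0.0.9", 445, None),        # ordinary SMB traffic
    ("e5", "10.0.0.8", "10.0.0.10", 445, None),
    ("e6", "10.0.0.9", "10.0.0.10", 445, None),
    ("e7", "10.0.0.5", "10.0.0.9", 445, None),        # bridges the two groups
]


def security_objects(event):
    """Map one event to the set of security-object nodes it mentions."""
    _, src, dst, port, domain = event
    objs = set()
    if src:
        objs.add(("ip", src))
    if dst:
        objs.add(("ip", dst))
    if port:
        objs.add(("port", str(port)))
    if domain:
        objs.add(("domain", domain))
    return objs


def build_graph(events):
    """Weighted undirected graph: objects co-occurring in an event are
    linked; the weight counts how many events link the pair."""
    graph = defaultdict(lambda: defaultdict(int))
    for ev in events:
        objs = sorted(security_objects(ev))
        for i, a in enumerate(objs):
            for b in objs[i + 1:]:
                graph[a][b] += 1
                graph[b][a] += 1
    return graph


def label_propagation(graph, max_rounds=50):
    """Deterministic weighted label propagation: each node adopts the label
    carrying the most edge weight among its neighbours; ties go to the
    smallest label and nodes are visited in sorted order, so the result
    is reproducible run to run."""
    labels = {n: n for n in graph}
    for _ in range(max_rounds):
        changed = False
        for node in sorted(graph):
            weight = defaultdict(int)
            for nb, w in graph[node].items():
                weight[labels[nb]] += w
            best = min(weight, key=lambda lab: (-weight[lab], lab))
            if best != labels[node]:
                labels[node] = best
                changed = True
        if not changed:
            break
    return labels


def community_of(labels, node):
    """All nodes sharing the label of `node`."""
    return {n for n, lab in labels.items() if lab == labels[node]}


def events_for_ioc(events, ioc):
    """Event ids that touch at least one object in the IoC's community,
    in log order.  Unknown IoC -> empty list."""
    graph = build_graph(events)
    labels = label_propagation(graph)
    if ioc not in labels:
        return []
    comm = community_of(labels, ioc)
    return [ev[0] for ev in events if security_objects(ev) & comm]


if __name__ == "__main__":
    ioc = ("ip", "203.0.113.7")  # constructed IoC for the demo
    print(ioc, "->", events_for_ioc(EVENTS, ioc))
```

Starting from the external address as IoC, the propagation separates the beaconing host and its DNS lookup from the unrelated SMB traffic, while `e7` is still returned because it touches the compromised host; an analyst sees it as the candidate pivot rather than losing it among the SMB noise. One caveat of this object model: very common objects (a port such as 445 shared by many hosts) act as hubs that pull unrelated hosts into one community, so a real deployment would down-weight or drop such nodes before running the community pass.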
