Interdependent Security Risk Analysis of Hosts and Flows

Detection of high-risk hosts and flows remains a significant problem in the security monitoring of high-throughput networks. A comprehensive risk assessment method should account for risk propagation among risky hosts and flows. In this paper, this is achieved by introducing two novel concepts. The first is an interdependency relationship between the risk score of a network flow and the risk scores of its source and destination hosts: on the one hand, the risk score of a host depends on the risky flows initiated by or terminated at that host; on the other hand, the risk score of a flow depends on the risk scores of its source and destination hosts. The second, which we call flow provenance, represents risk propagation among network flows and considers the likelihood that a particular flow was caused by other flows. Based on these two concepts, we develop an iterative algorithm for computing the risk scores of hosts and network flows. We give a rigorous proof that the algorithm rapidly converges to unique risk estimates, and we provide an extensive empirical evaluation using two real-world data sets. The evaluation shows that our method is effective in detecting high-risk hosts and flows and is efficient enough to be deployed in high-throughput networks.
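The following is an added illustrative model of the two interdependencies described above (host-flow coupling and flow provenance) iterated to a fixed point; it is not the paper's algorithm, and the update rules, weights `alpha`/`beta`, and the sample flows and provenance likelihoods are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample input (not from the paper): flow id -> (src host, dst host, base risk in [0,1]).
# Base risk stands in for whatever per-flow evidence a monitor provides (e.g. IDS alerts).
FLOWS = {
    "f1": ("h1", "h2", 0.9),   # flow with strong direct evidence
    "f2": ("h2", "h3", 0.1),   # weak evidence, but plausibly caused by f1
    "f3": ("h3", "h4", 0.0),   # no evidence, plausibly caused by f2
    "f4": ("h5", "h6", 0.0),   # unrelated flow: should stay at zero
}
# Flow provenance (constructed): (cause, effect) -> likelihood that `effect` was caused by `cause`.
PROVENANCE = {("f1", "f2"): 0.8, ("f2", "f3"): 0.6}

def compute_risk(flows, provenance, alpha=0.3, beta=0.3, tol=1e-9, max_iter=1000):
    """Iterate the two interdependencies to a fixed point.

    Assumed update rules (illustrative, not the paper's):
      host(h) = mean risk of flows initiated by or terminated at h
      flow(f) = (1-alpha-beta)*base(f)
              + alpha * mean(host(src), host(dst))          # host <-> flow coupling
              + beta  * max_c P(f caused by c) * flow(c)    # flow provenance
    With alpha + beta < 1 the map is a contraction in the max norm (averaging and a
    max of p*x with p <= 1 are non-expansive), so the iteration converges to a
    unique fixed point from any starting point.
    """
    assert 0 <= alpha and 0 <= beta and alpha + beta < 1
    touching = defaultdict(list)            # host -> flows initiated by or terminated at it
    for f, (src, dst, _) in flows.items():
        touching[src].append(f)
        touching[dst].append(f)
    causes = defaultdict(list)              # effect flow -> [(cause flow, likelihood)]
    for (cause, effect), p in provenance.items():
        causes[effect].append((cause, p))
    hosts_of = lambda fr: {h: sum(fr[f] for f in fs) / len(fs) for h, fs in touching.items()}
    flow_risk = {f: 0.0 for f in flows}
    for iteration in range(1, max_iter + 1):
        host_risk = hosts_of(flow_risk)
        new_flow = {}
        for f, (src, dst, base) in flows.items():
            host_term = (host_risk[src] + host_risk[dst]) / 2
            prov_term = max((p * flow_risk[c] for c, p in causes[f]), default=0.0)
            new_flow[f] = (1 - alpha - beta) * base + alpha * host_term + beta * prov_term
        delta = max(abs(new_flow[f] - flow_risk[f]) for f in flows)
        flow_risk = new_flow
        if delta < tol:
            break
    return hosts_of(flow_risk), flow_risk, iteration

if __name__ == "__main__":
    hosts, flows, n = compute_risk(FLOWS, PROVENANCE)
    print(f"converged in {n} iterations")
    print("hosts", {k: round(v, 4) for k, v in sorted(hosts.items(), key=lambda kv: -kv[1])})
    print("flows", {k: round(v, 4) for k, v in sorted(flows.items(), key=lambda kv: -kv[1])})
```

Note how f3, which has no direct evidence at all, still receives a non-zero score through provenance from f2, while the unrelated f4 and its hosts stay at zero.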
