A comprehensive approach for network attack forecasting

Highlights
- We modify the attack graph to handle the uncertainty of attack probabilities.
- We analyze IDS alerts and intrusion responses to update the attack probabilities.
- We define a forecasting attack graph to predict future attacks.
- The forecasting attack graph provides high-level insight into network security.

Abstract
Forecasting future attacks is a big challenge for network administrators because the future is generally unknown. Nevertheless, some information about the future can help us make better decisions in the present. The attack graph is the best-known tool for risk assessment and attack prediction. However, it only provides static information about the probability of vulnerability exploitation, which is not reliable for predicting the future. Moreover, the attack graph does not consider the uncertainty of those probabilities. Therefore, the primary goal of this paper is to present an attack forecasting approach that predicts future network attacks with more precision and dynamically adapts to changes in the environment. Our proposed approach handles the uncertainty of attack probabilities and uses additional information, such as intrusion alerts, active responses, and the dependency graph, in the forecasting process. Experiments show that the size and complexity of the proposed forecasting attack graph make it suitable for predicting future attacks even in large-scale networks.
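As an added illustration of the mechanism the abstract sketches, the following Python code (written for this page, not the paper's own implementation) builds a small attack graph whose exploit probabilities are uncertain, updates node beliefs when an IDS alert or an active response arrives, and ranks the nodes an attacker is most likely to reach next. How the paper itself represents uncertainty and performs the update is not stated on this page; the interval-valued probabilities, the interval noisy-OR propagation, the alert-confidence interval, the "response blocks an edge" rule, the host names and the numbers are all assumptions made for this example, and the dependency graph the abstract mentions is left out.

```python
"""Toy forecasting attack graph with uncertain probabilities.

Added example for this page; not the paper's implementation. Assumed modeling
choices: exploit probabilities are [lo, hi] intervals, beliefs are propagated
with interval noisy-OR over an acyclic graph, an IDS alert pins a node's belief
to the alert's confidence interval, and an active response that blocks a path
sets that edge's interval to [0, 0]. The dependency graph is omitted.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

Interval = tuple[float, float]  # (lower, upper) bound on a probability


@dataclass
class Edge:
    src: str
    dst: str
    prob: Interval  # uncertain probability that exploiting src -> dst succeeds


class ForecastGraph:
    def __init__(self) -> None:
        self.edges: dict[tuple[str, str], Edge] = {}
        self.evidence: dict[str, Interval] = {}  # beliefs pinned by alerts / foothold
        self.nodes: set[str] = set()

    def add_edge(self, src: str, dst: str, lo: float, hi: float) -> None:
        if not 0.0 <= lo <= hi <= 1.0:
            raise ValueError("need 0 <= lo <= hi <= 1")
        self.edges[(src, dst)] = Edge(src, dst, (lo, hi))
        self.nodes.update((src, dst))

    def on_alert(self, node: str, lo: float, hi: float) -> None:
        """IDS alert naming `node`: pin its belief to the alert's confidence
        interval, never lowering a belief that earlier evidence already raised."""
        old = self.evidence.get(node, (0.0, 0.0))
        self.evidence[node] = (max(old[0], lo), max(old[1], hi))

    def on_response(self, src: str, dst: str) -> None:
        """Active response blocking src -> dst: that exploit step is now impossible."""
        self.edges[(src, dst)].prob = (0.0, 0.0)

    def _topo_order(self) -> list[str]:
        """Kahn's algorithm; propagation below assumes an acyclic attack graph."""
        indeg = {n: 0 for n in self.nodes}
        succ: dict[str, list[str]] = defaultdict(list)
        for s, d in self.edges:
            indeg[d] += 1
            succ[s].append(d)
        queue = deque(sorted(n for n in self.nodes if indeg[n] == 0))
        order: list[str] = []
        while queue:
            n = queue.popleft()
            order.append(n)
            for d in succ[n]:
                indeg[d] -= 1
                if indeg[d] == 0:
                    queue.append(d)
        if len(order) != len(self.nodes):
            raise ValueError("propagation assumes an acyclic attack graph")
        return order

    def beliefs(self) -> dict[str, Interval]:
        """Interval belief that the attacker holds each node. Pinned nodes keep
        their evidence; others get noisy-OR over incoming edges, where the
        product of lower bounds yields the lower bound and likewise for upper."""
        bel: dict[str, Interval] = {}
        for n in self._topo_order():
            if n in self.evidence:
                bel[n] = self.evidence[n]
                continue
            miss_lo = miss_hi = 1.0  # probability that no predecessor step succeeds
            for (s, d), e in self.edges.items():
                if d != n:
                    continue
                s_lo, s_hi = bel[s]
                miss_lo *= 1.0 - s_lo * e.prob[0]
                miss_hi *= 1.0 - s_hi * e.prob[1]
            bel[n] = (1.0 - miss_lo, 1.0 - miss_hi)
        return bel

    def forecast(self) -> list[tuple[str, Interval]]:
        """Nodes not yet known to be compromised, worst-case (upper bound) first."""
        bel = self.beliefs()
        cands = [(n, bel[n]) for n in self.nodes if n not in self.evidence]
        return sorted(cands, key=lambda x: (x[1][1], x[1][0]), reverse=True)


def demo() -> dict:
    """Constructed scenario: attacker -> web -> {db, app}, app -> db."""
    g = ForecastGraph()
    g.add_edge("attacker", "web", 0.6, 0.8)
    g.add_edge("web", "db", 0.3, 0.5)
    g.add_edge("web", "app", 0.4, 0.7)
    g.add_edge("app", "db", 0.5, 0.6)
    g.evidence["attacker"] = (1.0, 1.0)  # the attacker's own foothold is certain
    out = {"initial": g.beliefs(), "forecast0": g.forecast()}
    g.on_alert("web", 0.95, 1.0)  # IDS alert: web server very likely compromised
    out["after_alert"], out["forecast1"] = g.beliefs(), g.forecast()
    g.on_response("web", "db")  # response: block the web -> db path
    out["after_response"], out["forecast2"] = g.beliefs(), g.forecast()
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the constructed run, the alert on the web server pushes the database to the top of the forecast; blocking the web-to-database path then moves the application server ahead of it, which is the kind of dynamic re-ranking the abstract describes as the motivation for combining alerts and responses with the graph.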
