Analysis of security data from a large computing organization

This paper presents an in-depth study of the forensic data on security incidents that have occurred over a period of 5 years at the National Center for Supercomputing Applications at the University of Illinois. The proposed methodology combines automated analysis of data from security monitors and system logs with human expertise to extract and process relevant data in order to: (i) determine the progression of an attack, (ii) establish incident categories and characterize their severity, (iii) associate alerts with incidents, and (iv) identify incidents missed by the monitoring tools and examine the reasons for the escapes. The analysis conducted provides the basis for incident modeling and design of new techniques for security monitoring.