Deriving behavior primitives from aggregate network features using support vector machines

Establishing long-view situation awareness of threat agents requires an operational capability that scales to large volumes of network data, leveraging the past to make sense of the present and to anticipate the future. Yet today we are dominated by short-view capabilities driven by misuse-based strategies, triggered by the structural qualities of attack vectors. The structural aspects of cyber threats are in constant flux, rendering most defensive technologies reactive to previously unknown attack vectors. Unlike structural signature-based approaches, both the real-time and the aggregate behaviors exhibited by cyber threats over a network provide insight for making sense of anomalies found on our networks. In this work, we explore the challenges posed in identifying and developing a set of behavior primitives that facilitate the creation of threat narratives used to describe cyber-threat anomalies. Thus, we investigate the use of aggregate behaviors derived from network flow data to establish initial behavior models for detecting complex cyber threats such as Advanced Persistent Threats (APTs). Our cyber data fusion prototype employs a unique layered methodology that extracts features from network flow data and aggregates them by time. This approach is more scalable and flexible in its application to large volumes of network data. The preliminary evaluation of the proposed methodology and supporting models shows some promising results.
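The abstract describes two steps: extracting features from network flow records aggregated by time window, and training a support vector machine on the resulting per-window vectors. The following Python is an added illustration of that pipeline, not the paper's prototype or its data: the flow records, the ground-truth labels, the five-feature set (flow count, distinct destination hosts, distinct destination ports, mean bytes per flow, fraction of flows with at most two packets) and the subgradient-descent training loop are all assumptions made here.

```python
"""Time-window aggregation of flow records into feature vectors, followed by
a linear soft-margin SVM. Added example: data, labels, feature set and
training loop are constructed here and are not the paper's own."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start time in seconds (constructed)
    src: str       # source host
    dst: str       # destination host
    dport: int     # destination port
    nbytes: int    # bytes carried by the flow
    packets: int   # packets in the flow


def aggregate_by_window(flows, window=60.0):
    """Group flows by (source host, window index); return {key: features}.
    Assumed features: flow count, distinct dst hosts, distinct dst ports,
    mean bytes per flow, fraction of flows with <= 2 packets (probe-like)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, int(f.ts // window))].append(f)
    feats = {}
    for key, group in buckets.items():
        n = len(group)
        feats[key] = [float(n),
                      float(len({f.dst for f in group})),
                      float(len({f.dport for f in group})),
                      sum(f.nbytes for f in group) / n,
                      sum(1 for f in group if f.packets <= 2) / n]
    return feats


def fit_scaler(X):
    """Per-feature mean and std for z-scoring (bytes dwarf the other features)."""
    d, n = len(X[0]), len(X)
    means = [sum(x[j] for x in X) / n for j in range(d)]
    stds = [(sum((x[j] - means[j]) ** 2 for x in X) / n) ** 0.5 or 1.0
            for j in range(d)]  # constant feature -> std 1.0
    return means, stds


def scale(x, means, stds):
    return [(v - m) / s for v, m, s in zip(x, means, stds)]


def train_linear_svm(X, y, lam=0.01, eta=0.1, epochs=500):
    """Minimise (lam/2)*||w||^2 + mean hinge loss by batch subgradient descent.
    Labels are +1 (sweep-like window) / -1 (normal window)."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wj for wj in w], 0.0
        for xi, yi in zip(X, y):
            if yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b) < 1.0:  # margin violated
                for j in range(d):
                    gw[j] -= yi * xi[j] / n
                gb -= yi / n
        w = [wj - eta * g for wj, g in zip(w, gw)]
        b -= eta * gb
    return w, b


def predict(model, x):
    w, b = model
    return 1 if sum(wj * xj for wj, xj in zip(w, x)) + b >= 0 else -1


def constructed_flows():
    """Constructed sample: four hosts browsing two servers on 80/443, and two
    hosts touching thirty hosts and thirty ports with single-packet flows."""
    flows = []
    for h in range(1, 5):
        for win in range(3):
            for k in range(4):
                flows.append(Flow(win * 60.0 + k * 10, f"10.0.0.{h}", f"192.0.2.{10 + k % 2}",
                                  443 if k % 2 else 80, 20000 + 1000 * k, 40 + k))
    for h in (50, 51):
        for win in range(2):
            for k in range(30):
                flows.append(Flow(win * 60.0 + k * 1.5, f"10.0.0.{h}", f"192.0.2.{100 + k}",
                                  20 + k, 60, 1))
    return flows


SWEEPING_HOSTS = {"10.0.0.50", "10.0.0.51"}  # constructed ground truth


def run_demo():
    """Aggregate, scale, train and score every window.
    Returns (training accuracy, {window key: predicted label})."""
    feats = aggregate_by_window(constructed_flows())
    keys = sorted(feats)
    X_raw = [feats[k] for k in keys]
    y = [1 if k[0] in SWEEPING_HOSTS else -1 for k in keys]
    means, stds = fit_scaler(X_raw)
    X = [scale(x, means, stds) for x in X_raw]
    model = train_linear_svm(X, y)
    preds = {k: predict(model, x) for k, x in zip(keys, X)}
    acc = sum(preds[k] == yk for k, yk in zip(keys, y)) / len(keys)
    return acc, preds


if __name__ == "__main__":
    acc, preds = run_demo()
    print(f"training accuracy: {acc:.2f}")
    for key, label in preds.items():
        print(key, "sweep-like" if label == 1 else "normal")
```

The window key is (source host, window index), so each training row is one host's aggregate behavior over one minute rather than one packet or one flow; that is what lets the model scale to flow volumes a per-packet signature engine cannot, and it is why features such as mean bytes per flow must be z-scored before the hinge-loss update, or they dominate the margin. On real data the labels would come from analyst triage, and the learned weight vector itself (which features push a window toward the sweep-like side) is the candidate "behavior primitive" the abstract refers to.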
