Big Data Analytics for Sophisticated Attack Detection

The number and complexity of cyberattacks have been increasing steadily in recent years. The major players in today’s cyberconflicts are well-organized and heavily funded teams with specific goals and objectives, some of which work under a state umbrella. Adversaries are targeting the communication and information systems of government, military and industrial organizations and are willing to spend large amounts of money, time and expertise to reach their goals. It is important to understand the problems and limitations that current technologies face against advanced persistent threats (APTs) [1] and the benefits that big data analytics could provide.

Since 2006, there have been a large number of advanced, well-orchestrated attacks against industry, military and state infrastructures. In 2007, Estonia suffered a large-scale cyberattack that significantly affected the government’s online services and financial institutions [2]. In 2008, at least three US oil companies were targets of cyberattacks; none of these companies realized the extent of the attacks until they were alerted by the US Federal Bureau of Investigation (FBI) [3]. Millions of pounds sterling were stolen from British shoppers after multiple chip-and-PIN machines were tampered with via a supply chain attack [4]. In 2010, Google announced that it had suffered a sophisticated attack, named Operation Aurora, which affected more than 20 US companies. In the same year, Stuxnet [5, 6] was detected and classified as the “world’s most advanced malware”; it was created to target industrial control systems, including those of the oil, gas and power industries. In 2011, RSA [7] was attacked and sensitive information about the company’s SecurID solution was stolen. This resulted in further attacks against third-party companies, including Lockheed Martin and other US defense contractors that were also using RSA security solutions. The Comodo and DigiNotar certification authorities were also attacked, resulting in the generation of several fraudulent certificates for major companies and organizations [8]. In 2012, another state-of-the-art malware named Flame was discovered, which malware researchers described as the most complex malware ever created [9, 10], followed by Red October and, in early 2013, MiniDuke [11]. While it is believed that these attacks were perpetrated by different threat actors, they share certain common aspects, and some of them have been categorized as APTs.

[1] Neal Leavitt et al. Internet Security under Attack: The Undermining of Digital Certificates. Computer, 2011.

[2] Fred Cohen et al. Computer viruses—theory and experiments. 1990.

[3] M. E. Locasto et al. Towards collaborative security and P2P intrusion detection. Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, 2005.

[4] Biswanath Mukherjee et al. A Methodology for Testing Intrusion Detection Systems. IEEE Trans. Software Eng., 1996.

[5] Dorothy E. Denning. Stuxnet: What Has Changed? Future Internet, 2012.

[6] Dorothy E. Denning et al. An Intrusion-Detection Model. IEEE Transactions on Software Engineering, 1987.

[7] Wei-Yang Lin et al. Intrusion detection by machine learning: A review. Expert Syst. Appl., 2009.

[8] Butler W. Lampson et al. A note on the confinement problem. CACM, 1973.

[9] Biswanath Mukherjee et al. DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype. 1997.

[10] Sandro Etalle et al. N-Gram against the Machine: On the Feasibility of the N-Gram Network Analysis for Binary Protocols. RAID, 2012.

[11] Teresa F. Lunt. Foundations for Intrusion Detection? CSFW, 2000.

[12] Dimitris Gritzalis et al. Trusted Computing vs. Advanced Persistent Threats: Can a Defender Win This Game? 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing, 2013.

[13] M. Chung et al. Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions. 1995.

[14] P. Watters et al. Obfuscation of Stuxnet and Flame Malware. 2012.

[15] Jaideep Chandrashekar et al. When Gossip is Good: Distributed Probabilistic Inference for Detection of Slow Network Intrusions. AAAI, 2006.

[16] Susan Young et al. Anatomy of an Attack. 2003.

[17] Dimitris Gritzalis et al. The Big Four - What We Did Wrong in Advanced Persistent Threat Detection? 2013 International Conference on Availability, Reliability and Security, 2013.

[18] ARAKIS – An Early Warning and Attack Identification System. 2004.

[19] Vern Paxson et al. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection. 2010 IEEE Symposium on Security and Privacy, 2010.