Predictive Cyber Situational Awareness and Personalized Blacklisting

Cybersecurity adopts data mining for its ability to extract concealed and indistinct patterns from data, for example in alert correlation. Inferring common attack patterns and rules from the alerts helps defenders understand the threat landscape and makes cyber situational awareness achievable, including the projection of ongoing attacks. In this article, we explore the use of data mining, namely sequential rule mining, in the analysis of intrusion detection alerts. We employed a dataset of 12 million alerts from 34 intrusion detection systems in 3 organizations, gathered in an alert sharing platform, and processed it using our analytical framework. We mine sequential rules, use them to predict security events, and from these predictions build a predictive blacklist. Thus, the recipients of data from the sharing platform receive only a small number of alerts about events that are likely to occur instead of a large number of alerts about past events. The predictive blacklist has only 3% of the size of the raw data, and more than 60% of its entries are shown to make accurate predictions in operational, real-world settings.
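As an added illustration (not the paper's code or its analytical framework), the following example mines pairwise sequential rules with support and confidence from per-source alert sequences and applies them to predict events a source has not yet produced; sources with a pending prediction form the predictive blacklist, which is compared in size with the raw alert stream. The alerts, event names, organisation labels and thresholds are constructed for this example.

```python
from collections import defaultdict

# Constructed sample alerts (source, event) in arrival order; not data from the paper.
# An event is "<alert category>@<organisation>" as a sharing platform would see it.
ALERTS = [
    ("10.0.0.1", "Recon.Scanning@orgA"), ("10.0.0.1", "Attempt.Login@orgA"), ("10.0.0.1", "Attempt.Login@orgB"),
    ("10.0.0.2", "Recon.Scanning@orgA"), ("10.0.0.2", "Attempt.Login@orgA"), ("10.0.0.2", "Attempt.Login@orgB"),
    ("10.0.0.3", "Recon.Scanning@orgA"), ("10.0.0.3", "Attempt.Login@orgA"),
    ("10.0.0.4", "Recon.Scanning@orgC"), ("10.0.0.4", "Attempt.Exploit@orgC"),
    ("10.0.0.5", "Recon.Scanning@orgA"),  # newly seen source: only its first step so far
]

def build_sequences(alerts):
    """Group alerts by source address into ordered event sequences."""
    seqs = defaultdict(list)
    for src, event in alerts:
        seqs[src].append(event)
    return dict(seqs)

def mine_rules(sequences, min_support=2, min_confidence=0.5):
    """Mine sequential rules a -> b (b occurs after a within one sequence).
    support    = number of sequences containing the ordered pattern a ... b
    confidence = support(a -> b) / number of sequences containing a"""
    item_sup, rule_sup = defaultdict(int), defaultdict(int)
    for seq in sequences.values():
        for item in set(seq):
            item_sup[item] += 1
        # count each ordered pair once per sequence, whatever its repetitions
        pairs = {(seq[i], seq[j]) for i in range(len(seq))
                 for j in range(i + 1, len(seq)) if seq[i] != seq[j]}
        for pair in pairs:
            rule_sup[pair] += 1
    return {(a, b): sup / item_sup[a] for (a, b), sup in rule_sup.items()
            if sup >= min_support and sup / item_sup[a] >= min_confidence}

def predict(sequence, rules):
    """Events predicted for one source but not yet observed: {event: confidence}."""
    observed, preds = set(sequence), {}
    for (a, b), conf in rules.items():
        if a in observed and b not in observed:
            preds[b] = max(conf, preds.get(b, 0.0))  # keep the strongest supporting rule
    return preds

def predictive_blacklist(alerts, **thresholds):
    """Sources with a pending prediction; len(result) is the blacklist size."""
    seqs = build_sequences(alerts)
    rules = mine_rules(seqs, **thresholds)
    preds = {src: predict(seq, rules) for src, seq in seqs.items()}
    return {src: p for src, p in preds.items() if p}

if __name__ == "__main__":
    bl = predictive_blacklist(ALERTS)
    print(f"{len(bl)} blacklist entries derived from {len(ALERTS)} raw alerts:", bl)
```

Replacing the pairwise counting with a sequential rule miner such as those in SPMF keeps the prediction step unchanged; only the rule table grows.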
