Classifying network attack scenarios using an ontology

This paper presents a methodology using network attack ontology to classify computer-based attacks. Computer network attacks differ in motivation, execution and end result. Because attacks are diverse, no standard classification exists. If an attack could be classified, it could be mitigated accordingly. A taxonomy of computer network attacks forms the basis of the ontology. Most published taxonomies present an attack from either the attacker's or defender's point of view. This taxonomy presents both views. The main taxonomy classes are: Actor, Actor Location, Aggressor, Attack Goal, Attack Mechanism, Attack Scenario, Automation Level, Effects, Motivation, Phase, Scope and Target. The "Actor" class is the entity executing the attack. The "Actor Location" class is the Actor‟s country of origin. The "Aggressor" class is the group instigating an attack. The "Attack Goal" class specifies the attacker‟s goal. The "Attack Mechanism" class defines the attack methodology. The "Automation Level" class indicates the level of human interaction. The "Effects" class describes the consequences of an attack. The "Motivation" class specifies incentives for an attack. The "Scope" class describes the size and utility of the target. The "Target" class is the physical device or entity targeted by an attack. The "Vulnerability" class describes a target vulnerability used by the attacker. The "Phase" class represents an attack model that subdivides an attack into different phases. The ontology was developed using an "Attack Scenario" class, which draws from other classes and can be used to characterize and classify computer network attacks. An "Attack Scenario" consists of phases, has a scope and is attributed to an actor and aggressor which have a goal. The "Attack Scenario" thus represents different classes of attacks. High profile computer network attacks such as Stuxnet and the Estonia attacks can now be been classified through the “Attack Scenario” class

Algorithm Selection Framework for Cyber Attack Detection

The number of cyber threats against both wired and wireless computer systems and other components of the Internet of Things continues to increase annually. In this work, an algorithm selection framework is employed on the NSL-KDD data set and a novel paradigm of machine learning taxonomy is presented. The framework uses a combination of user input and meta-features to select the best algorithm to detect cyber attacks on a network. Performance is compared between a rule-of-thumb strategy and a meta-learning strategy. The framework removes the conjecture of the common trial-and-error algorithm selection method. The framework recommends five algorithms from the taxonomy. Both strategies recommend a high-performing algorithm, though not the best performing. The work demonstrates the close connectedness between algorithm selection and the taxonomy for which it is premised.Comment: 6 pages, 7 figures, 1 table, accepted to WiseML '2

Adversarial Evasion Attacks Practicality in Networks: Testing the Impact of Dynamic Learning

Machine Learning (ML) has become ubiquitous, and its deployment in Network Intrusion Detection Systems (NIDS) is inevitable due to its automated nature and high accuracy in processing and classifying large volumes of data. However, ML has been found to have several flaws, on top of them are adversarial attacks, which aim to trick ML models into producing faulty predictions. While most adversarial attack research focuses on computer vision datasets, recent studies have explored the practicality of such attacks against ML-based network security entities, especially NIDS. This paper presents two distinct contributions: a taxonomy of practicality issues associated with adversarial attacks against ML-based NIDS and an investigation of the impact of continuous training on adversarial attacks against NIDS. Our experiments indicate that continuous re-training, even without adversarial training, can reduce the effect of adversarial attacks. While adversarial attacks can harm ML-based NIDSs, our aim is to highlight that there is a significant gap between research and real-world practicality in this domain which requires attention

An Analysis of the Computer and Network Attack Taxonomy

The Air Force\u27s dependence on the Internet continues to increase daily. However, this increased dependence comes with risks. The popularity and potential of the Internet attracts users with illegal as well as legal intentions. Since the Air Force considers the Internet an integral component of its information Operations strategy, the Air Force must be confident that it can trust the security of this component. Therefore, reliable methods and information that helps the Air Force classify the risks associated with the Internet can help the Air Force determine the best processes to assure the security of its use of this resource. This thesis examines the computer and network attack taxonomy developed by John Howard. The taxonomy is a possible method that the Air Force can use to help it classify Internet security attacks and incidents. This researcher concluded that the computer and network attack taxonomies were satisfactory. The questionnaire respondents appeared to prefer the 1998 version more. This researcher also concluded that organizations responsible for the collection and distribution of Internet Security information, do explicitly collect some, not all, information useful as input into the taxonomy

A taxonomy of malicious traffic for intrusion detection systems

With the increasing number of network threats it is essential to have a knowledge of existing and new network threats to design better intrusion detection systems. In this paper we propose a taxonomy for classifying network attacks in a consistent way, allowing security researchers to focus their efforts on creating accurate intrusion detection systems and targeted datasets

Predicting Network Attacks Using Ontology-Driven Inference

Graph knowledge models and ontologies are very powerful modeling and re asoning tools. We propose an effective approach to model network attacks and attack prediction which plays important roles in security management. The goals of this study are: First we model network attacks, their prerequisites and consequences using knowledge representation methods in order to provide description logic reasoning and inference over attack domain concepts. And secondly, we propose an ontology-based system which predicts potential attacks using inference and observing information which provided by sensory inputs. We generate our ontology and evaluate corresponding methods using CAPEC, CWE, and CVE hierarchical datasets. Results from experiments show significant capability improvements comparing to traditional hierarchical and relational models. Proposed method also reduces false alarms and improves intrusion detection effectiveness.Comment: 9 page

Network Intrusion Detection and Mitigation Against Denial of Service Attack

The growing use of Internet service in the past few years have facilitated an increase in the denial of service (DoS) attacks. Despite the best preventative measures, DoS attacks have been successfully carried out against high-prole organizations and enterprises, including those that took down Chase, BOA, PNC and other major US banks in September 2009, which reveal the vulnerability of even well equipped networks. These widespread attacks have resulted in significant loss of service, money, and reputation for organizations, calling for a practical and ecient solution to DoS attack detection and mitigation. DoS attack detection and mitigation strengthens the robustness and security of network or computer system, by monitoring system activities for suspicious behaviors or policy violations, providing forensic information about the attack, and taking defensive measures to reduce the impact on the system. In general, attacks can be detected by (1) matching observed network trac with patterns of known attacks; (2) looking for deviation of trac behavior from the established prole; and (3) training a classier from labeled dataset of attacks to classify incoming trac. Once an attack is identied, the suspicious trac can be blocked or rate limited. In this presentation, we present a taxonomy of DoS attack detection and mitigation techniques, followed by a description of four representative systems (Snort, PHAD, MADAM, and MULTOPS). We conclude with a discussion of their pros/cons as well as challenges for future work