On the Sequential Pattern and Rule Mining in the Analysis of Cyber Security Alerts

Data mining is well-known for its ability to extract concealed and indistinct patterns in the data, which is a common task in the field of cyber security. However, data mining is not always used to its full potential among cyber security community. In this paper, we discuss usability of sequential pattern and rule mining, a subset of data mining methods, in an analysis of cyber security alerts. First, we survey the use case of data mining, namely alert correlation and attack prediction. Subsequently, we evaluate sequential pattern and rule mining methods to find the one that is both fast and provides valuable results while dealing with the peculiarities of security alerts. An experiment was performed using the dataset of real alerts from an alert sharing platform. Finally, we present lessons learned from the experiment and a comparison of the selected methods based on their performance and soundness of the results

Collaborative IDS Framework for Cloud

Cloud computing is used extensively to deliver utility computing over the Internet. Defending network acces- sible Cloud resources and services from various threats and attacks is of great concern. Intrusion Detection Sys- tem (IDS) has become popular as an important network security technology to detect cyber-attacks. In this paper, we propose a novel Collaborative IDS (CIDS) Framework for cloud. We use Snort to detect the known stealthy attacks using signature matching. To detect unknown at- tacks, anomaly detection system (ADS) is built using De- cision Tree Classi�er and Support Vector Machine (SVM). Alert Correlation and automatic signature generation re- duce the impact of Denial of Service (DoS) /Distributed DoS (DDoS) attacks and increase the performance and accuracy of IDS

Darknet as a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks

Cyberspace has become a massive battlefield between computer criminals and computer security experts. In addition, large-scale cyber attacks have enormously matured and became capable to generate, in a prompt manner, significant interruptions and damage to Internet resources and infrastructure. Denial of Service (DoS) attacks are perhaps the most prominent and severe types of such large-scale cyber attacks. Furthermore, the existence of widely available encryption and anonymity techniques greatly increases the difficulty of the surveillance and investigation of cyber attacks. In this context, the availability of relevant cyber monitoring is of paramount importance. An effective approach to gather DoS cyber intelligence is to collect and analyze traffic destined to allocated, routable, yet unused Internet address space known as darknet. In this thesis, we leverage big darknet data to generate insights on various DoS events, namely, Distributed DoS (DDoS) and Distributed Reflection DoS (DRDoS) activities. First, we present a comprehensive survey of darknet. We primarily define and characterize darknet and indicate its alternative names. We further list other trap-based monitoring systems and compare them to darknet. In addition, we provide a taxonomy in relation to darknet technologies and identify research gaps that are related to three main darknet categories: deployment, traffic analysis, and visualization. Second, we characterize darknet data. Such information could generate indicators of cyber threat activity as well as provide in-depth understanding of the nature of its traffic. Particularly, we analyze darknet packets distribution, its used transport, network and application layer protocols and pinpoint its resolved domain names. Furthermore, we identify its IP classes and destination ports as well as geo-locate its source countries. We further investigate darknet-triggered threats. The aim is to explore darknet inferred threats and categorize their severities. Finally, we contribute by exploring the inter-correlation of such threats, by applying association rule mining techniques, to build threat association rules. Specifically, we generate clusters of threats that co-occur targeting a specific victim. Third, we propose a DDoS inference and forecasting model that aims at providing insights to organizations, security operators and emergency response teams during and after a DDoS attack. Specifically, this work strives to predict, within minutes, the attacks’ features, namely, intensity/rate (packets/sec) and size (estimated number of compromised machines/bots). The goal is to understand the future short-term trend of the ongoing DDoS attacks in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Further, our work aims at investigating DDoS campaigns by proposing a clustering approach to infer various victims targeted by the same campaign and predicting related features. To achieve our goal, our proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods and forecasting approaches. Fourth, we propose a novel approach to infer and characterize Internet-scale DRDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring DDoS activities using darknet, this work shows that we can extract DoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DRDoS activities such as intensity, rate and geographic location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks and the expectation maximization and k-means clustering techniques in an attempt to identify campaigns of DRDoS attacks. Finally, we conclude this work by providing some discussions and pinpointing some future work

Predictive Cyber Situational Awareness and Personalized Blacklisting: A Sequential Rule Mining Approach

Cybersecurity adopts data mining for its ability to extract concealed and indistinct patterns in the data, such as for the needs of alert correlation. Inferring common attack patterns and rules from the alerts helps in understanding the threat landscape for the defenders and allows for the realization of cyber situational awareness, including the projection of ongoing attacks. In this paper, we explore the use of data mining, namely sequential rule mining, in the analysis of intrusion detection alerts. We employed a dataset of 12 million alerts from 34 intrusion detection systems in 3 organizations gathered in an alert sharing platform, and processed it using our analytical framework. We execute the mining of sequential rules that we use to predict security events, which we utilize to create a predictive blacklist. Thus, the recipients of the data from the sharing platform will receive only a small number of alerts of events that are likely to occur instead of a large number of alerts of past events. The predictive blacklist has the size of only 3 % of the raw data, and more than 60 % of its entries are shown to be successful in performing accurate predictions in operational, real-world settings

R-CAD: Rare Cyber Alert Signature Relationship Extraction Through Temporal Based Learning

The large number of streaming intrusion alerts make it challenging for security analysts to quickly identify attack patterns. This is especially difficult since critical alerts often occur too rarely for traditional pattern mining algorithms to be effective. Recognizing the attack speed as an inherent indicator of differing cyber attacks, this work aggregates alerts into attack episodes that have distinct attack speeds, and finds attack actions regularly co-occurring within the same episode. This enables a novel use of the constrained SPADE temporal pattern mining algorithm to extract consistent co-occurrences of alert signatures that are indicative of attack actions that follow each other. The proposed Rare yet Co-occurring Attack action Discovery (R-CAD) system extracts not only the co-occurring patterns but also the temporal characteristics of the co-occurrences, giving the `strong rules\u27 indicative of critical and repeated attack behaviors. Through the use of a real-world dataset, we demonstrate that R-CAD helps reduce the overwhelming volume and variety of intrusion alerts to a manageable set of co-occurring strong rules. We show specific rules that reveal how critical attack actions follow one another and in what attack speed

Network Intrusion Detection and Mitigation Against Denial of Service Attack

The growing use of Internet service in the past few years have facilitated an increase in the denial of service (DoS) attacks. Despite the best preventative measures, DoS attacks have been successfully carried out against high-prole organizations and enterprises, including those that took down Chase, BOA, PNC and other major US banks in September 2009, which reveal the vulnerability of even well equipped networks. These widespread attacks have resulted in significant loss of service, money, and reputation for organizations, calling for a practical and ecient solution to DoS attack detection and mitigation. DoS attack detection and mitigation strengthens the robustness and security of network or computer system, by monitoring system activities for suspicious behaviors or policy violations, providing forensic information about the attack, and taking defensive measures to reduce the impact on the system. In general, attacks can be detected by (1) matching observed network trac with patterns of known attacks; (2) looking for deviation of trac behavior from the established prole; and (3) training a classier from labeled dataset of attacks to classify incoming trac. Once an attack is identied, the suspicious trac can be blocked or rate limited. In this presentation, we present a taxonomy of DoS attack detection and mitigation techniques, followed by a description of four representative systems (Snort, PHAD, MADAM, and MULTOPS). We conclude with a discussion of their pros/cons as well as challenges for future work

Strengthening Privacy and Cybersecurity through Anonymization and Big Data

L'abstract è presente nell'allegato / the abstract is in the attachmen

Cyber-Attack Penetration Test and Vulnerability Analysis

Hacking attempts or cyber-attacks to information systems have recently evolved to be sophisticated and deadly, resulting in such incidents as leakage of personal information and system destruction. While various security solutions to cope with these risks are being developed and deployed, it is still necessary to systematically consider the methods to enhance the existing security system and build more effective defense systems. Under this circumstance, it is necessary to identify the latest types of attacks attempted to the primary security system. This paper analyzes cyber attack techniques as well as the anatomy of penetration test in order to assist security officers to perform appropriate self security assesment on their network systems

Collaborative IDS Framework for Cloud

Abstract Cloud computing is used extensively to deliver utility computing over the Internet. Defending network accessible Cloud resources and services from various threats and attacks is of great concern. Intrusion Detection System (IDS) has become popular as an important network security technology to detect cyber-attacks. In this paper, we propose a novel Collaborative IDS (CIDS) Framework for cloud. We use Snort to detect the known stealthy attacks using signature matching. To detect unknown attacks, anomaly detection system (ADS) is built using Decision Tree Classifier and Support Vector Machine (SVM). Alert Correlation and automatic signature generation reduce the impact of Denial of Service (DoS) /Distributed DoS (DDoS) attacks and increase the performance and accuracy of IDS

Descoberta de conhecimento em Logs de tentativas de intrusão. Um estudo de caso em Instituições de Ensino Superior

Perante a evolução constante da Internet, a sua utilização é quase obrigatória. Através da web, é possível conferir extractos bancários, fazer compras em países longínquos, pagar serviços sem sair de casa, entre muitos outros. Há inúmeras alternativas de utilização desta rede. Ao se tornar tão útil e próxima das pessoas, estas começaram também a ganhar mais conhecimentos informáticos. Na Internet, estão também publicados vários guias para intrusão ilícita em sistemas, assim como manuais para outras práticas criminosas. Este tipo de informação, aliado à crescente capacidade informática do utilizador, teve como resultado uma alteração nos paradigmas de segurança informática actual. Actualmente, em segurança informática a preocupação com o hardware é menor, sendo o principal objectivo a salvaguarda dos dados e continuidade dos serviços. Isto deve-se fundamentalmente à dependência das organizações nos seus dados digitais e, cada vez mais, dos serviços que disponibilizam online. Dada a mudança dos perigos e do que se pretende proteger, também os mecanismos de segurança devem ser alterados. Torna-se necessário conhecer o atacante, podendo prever o que o motiva e o que pretende atacar. Neste contexto, propôs-se a implementação de sistemas de registo de tentativas de acesso ilícitas em cinco instituições de ensino superior e posterior análise da informação recolhida com auxílio de técnicas de data mining (mineração de dados). Esta solução é pouco utilizada com este intuito em investigação, pelo que foi necessário procurar analogias com outras áreas de aplicação para recolher documentação relevante para a sua implementação. A solução resultante revelou-se eficaz, tendo levado ao desenvolvimento de uma aplicação de fusão de logs das aplicações Honeyd e Snort (responsável também pelo seu tratamento, preparação e disponibilização num ficheiro Comma Separated Values (CSV), acrescentando conhecimento sobre o que se pode obter estatisticamente e revelando características úteis e previamente desconhecidas dos atacantes. Este conhecimento pode ser utilizado por um administrador de sistemas para melhorar o desempenho dos seus mecanismos de segurança, tais como firewalls e Intrusion Detection Systems (IDS).Internet’s utilization is becoming more and more common. It’s almost mandatory. Through the web it’s possible to check bank statements, buy products from different countries, pay service bills, just to name a few. In spite of this usability and closeness to people, Internet users started to have more computer science knowlegde. There are also manuals and guides giving detailed instructions about how to break in systems, among other criminal activities. All these facts, together with the growing user knowlege, changed today’s systems and network security paradigms. Nowadays, computer security in a company is closely related to the protection of data and service availability other than computer integrity like in the old days. This is fundamentally due to the growing dependency of organizations on their digital data and online services. In order to follow the changing needs of security we must also change the security mecanisms. It’s becoming imperative to know the intruder’s motivation and goal. With this in mind, the implementation of an intrusion logging system in five colleges was proposed, as well as its data analysis and interpretation using data mining techniques, although the combination of these concepts isn´t a common goal. In spite of this singularity, it was necessary to find analogue objectives in order to enable the gathering of relevant information to the implementation of the solution. The achieved solution was considered to be effective as it was able to increase the previous knowledge obtained through statistical observation, revealing some of the attackers’ useful characteristics. This new knowledge can be implemented by system administrators in their security mechanisms, like firewalls and Intrusion Detection Systems (IDS). An application that combines the logs of the software Honeyd and Snort was also developed. This new application is capable of cleaning and preparing information as well as making it available in a standard Comma Separated Values (CSV) format so it can be used by other applications. Este conhecimento pode ser utilizado por um administrador de sistemas para melhorar o desempenho dos seus mecanismos de segurança, tais como firewalls e Intrusion Detection Systems (IDS)