
    TapTree: Process-Tree Based Host Behavior Modeling and Threat Detection Framework via Sequential Pattern Mining

    Audit logs containing system-level events are frequently used for behavior modeling, as they provide detailed insight into cyber-threat occurrences. However, mapping the low-level system events in audit logs to high-level behaviors has been a major challenge in identifying host contextual behavior for the purpose of detecting potential cyber threats, and relying on domain-expert knowledge may limit practical deployment. This paper presents TapTree, an automated process-tree based technique that extracts host behavior by compiling the semantic information of system events. After extracting behaviors as system-generated process trees, TapTree integrates event semantics as a representation of those behaviors. To further reduce the pattern-matching workload for the analyst, TapTree aggregates semantically equivalent patterns and optimizes the representative behaviors. In our evaluation against a recent benchmark audit-log dataset (DARPA OpTC), TapTree employs tree pattern queries and sequential pattern mining to deduce the semantics of connected system events, achieving high accuracy for behavior abstraction and, in turn, for Advanced Persistent Threat (APT) attack detection. Moreover, we illustrate how to update the baseline model gradually online, allowing it to adapt to new log patterns over time.
    Comment: 20 pages
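As an added illustration (not TapTree's own code, which the abstract does not reproduce), the following Python rebuilds process trees from constructed audit events, canonicalises each subtree so that trees differing only in pids or spawn order aggregate to one pattern, mines contiguous ancestor chains as the sequential patterns, scores a new host by the chains absent from a benign baseline, and folds confirmed-benign chains back in as the online update. The host names, images, pids and the novelty score are assumptions; the event shape is a simplification of an OpTC process-create record.

```python
"""Process-tree behaviour abstraction and ancestor-chain mining over audit events.

Added illustration, not TapTree's code. Events are constructed in the shape
(host, pid, ppid, image); real OpTC records carry far more fields.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Tuple

Event = Tuple[str, int, int, str]  # (host, pid, ppid, image)

# Constructed sample events (not real OpTC data): two benign hosts and one host
# showing an Office document spawning a shell, a chain absent from the baseline.
BENIGN_EVENTS: List[Event] = [
    ("h1", 100, 1, "explorer.exe"),
    ("h1", 101, 100, "outlook.exe"),
    ("h1", 102, 100, "chrome.exe"),
    ("h1", 103, 102, "chrome.exe"),
    ("h2", 200, 1, "explorer.exe"),
    ("h2", 201, 200, "outlook.exe"),
    ("h2", 202, 201, "winword.exe"),
    ("h2", 203, 200, "chrome.exe"),
]
SUSPECT_EVENTS: List[Event] = [
    ("h3", 300, 1, "explorer.exe"),
    ("h3", 301, 300, "outlook.exe"),
    ("h3", 302, 301, "winword.exe"),
    ("h3", 303, 302, "powershell.exe"),
    ("h3", 304, 303, "cmd.exe"),
    ("h3", 305, 304, "whoami.exe"),
]


def build_trees(events: List[Event]) -> Dict[str, dict]:
    """Rebuild one process tree per host from parent/child pids."""
    trees: Dict[str, dict] = {}
    for host, pid, ppid, image in events:
        t = trees.setdefault(host, {"image": {}, "parent": {}, "children": defaultdict(list)})
        t["image"][pid] = image
        t["parent"][pid] = ppid
        t["children"][ppid].append(pid)
    return trees


def roots(t: dict) -> List[int]:
    """A root is a process whose parent was never observed on this host."""
    return [pid for pid, ppid in t["parent"].items() if ppid not in t["image"]]


def canonical(t: dict, pid: int) -> str:
    """Serialise the subtree at pid with pids dropped and siblings sorted, so
    trees that differ only in pids or spawn order aggregate to one pattern."""
    kids = sorted(canonical(t, c) for c in t["children"][pid])
    return t["image"][pid] + (f"({','.join(kids)})" if kids else "")


def paths(t: dict, pid: int, prefix: Tuple[str, ...] = ()) -> Iterator[Tuple[str, ...]]:
    """Yield every root-to-leaf image sequence below pid."""
    seq = prefix + (t["image"][pid],)
    kids = t["children"][pid]
    if not kids:
        yield seq
    for c in kids:
        yield from paths(t, c, seq)


def mine_patterns(events: List[Event], max_len: int = 3) -> Counter:
    """Sequential pattern mining: count every contiguous ancestor chain of
    length 2..max_len found on any root-to-leaf path of any host."""
    counts: Counter = Counter()
    for t in build_trees(events).values():
        for root in roots(t):
            for seq in paths(t, root):
                for n in range(2, max_len + 1):
                    for i in range(len(seq) - n + 1):
                        counts[seq[i:i + n]] += 1
    return counts


def score(baseline: Counter, events: List[Event], max_len: int = 3):
    """Fraction of a host's ancestor chains absent from the baseline, plus the
    chains themselves so the analyst sees what drove the score."""
    observed = mine_patterns(events, max_len)
    if not observed:
        return 0.0, []
    unseen = [p for p in observed if p not in baseline]
    return len(unseen) / len(observed), unseen


if __name__ == "__main__":
    baseline = mine_patterns(BENIGN_EVENTS)
    print("benign patterns:", len(baseline))
    s, unseen = score(baseline, SUSPECT_EVENTS)
    print(f"h3 novelty score {s:.2f}; unseen chains: {unseen}")
    # Online baseline update once an analyst confirms the chains are benign.
    baseline.update(mine_patterns(SUSPECT_EVENTS))
    print("after update:", score(baseline, SUSPECT_EVENTS)[0])
```

On the constructed data the benign baseline holds six distinct chains, and host h3 scores 6/9 because the winword.exe -> powershell.exe -> cmd.exe -> whoami.exe segment never appears in it; after the update the same host scores 0. The chain length and the scoring rule are the knobs a real deployment would tune.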

    Preventing Advanced Persistent Threats in Complex Control Networks

    An Advanced Persistent Threat (APT) is an emerging attack against Industrial Control and Automation Systems that is executed over a long period of time and is difficult to detect. In this context, graph theory can be applied to model the interaction among nodes and the complex attacks affecting them, as well as to design recovery techniques that ensure the survivability of the network. Accordingly, we leverage a decision model to study how a set of hierarchically selected nodes can collaborate to detect an APT within the network in the presence of changes to its topology. Moreover, we implement a response service based on redundant links that dynamically uses a secret sharing scheme and applies a flexible routing protocol depending on the severity of the attack. The ultimate goal is twofold: ensuring reachability between nodes despite the changes, and preventing the path followed by messages from being discovered.
    Universidad de Málaga. Campus de Excelencia Internacional Andalucía Tech
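The response service above combines redundant links with a secret sharing scheme; the following Python is an added illustration of that combination (not the paper's implementation) using Shamir's k-of-n sharing over GF(257). Each control message byte becomes one share per link, any k links suffice to rebuild it, and an eavesdropper on fewer than k links sees only uniformly random field elements. The severity-to-threshold mapping, link count and message are assumptions.

```python
"""Shamir secret sharing of a control message across redundant links.

Added illustration, not the paper's implementation. Each message byte is split
into n shares in GF(257); any k links suffice to rebuild it, fewer reveal nothing.
"""
import secrets
from typing import Dict, Iterable, List

P = 257  # smallest prime above 255, so one byte is one field element


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split(message: bytes, k: int, n: int) -> Dict[int, List[int]]:
    """k-of-n split: the share for link i (x = i) holds one field element per byte."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < P")
    shares: Dict[int, List[int]] = {i: [] for i in range(1, n + 1)}
    for b in message:
        # Fresh random polynomial of degree k-1 per byte, constant term = the byte.
        coeffs = [b] + [secrets.randbelow(P) for _ in range(k - 1)]
        for i in shares:
            shares[i].append(_eval_poly(coeffs, i))
    return shares


def reconstruct(subset: Dict[int, List[int]], k: int) -> bytes:
    """Lagrange interpolation at x = 0 from any k shares."""
    xs = list(subset)[:k]
    if len(xs) < k:
        raise ValueError(f"only {len(xs)} shares, need {k}")
    out = bytearray()
    for j in range(len(subset[xs[0]])):
        total = 0
        for xi in xs:
            num = den = 1
            for xm in xs:
                if xm != xi:
                    num = num * (-xm) % P
                    den = den * (xi - xm) % P
            total = (total + subset[xi][j] * num * pow(den, P - 2, P)) % P
        out.append(total)
    return bytes(out)


# Hypothetical policy (our assumption, not from the paper): higher severity
# means more links may be eavesdropped, so raise the threshold k at the cost
# of tolerating fewer link failures (n - k).
THRESHOLDS = {"low": 2, "high": 3}


def deliver(message: bytes, n_links: int, severity: str, failed_links: Iterable[int]) -> bytes:
    """Sender splits over n links; receiver rebuilds from the links that survived."""
    k = THRESHOLDS[severity]
    shares = split(message, k, n_links)
    dead = set(failed_links)
    alive = {i: s for i, s in shares.items() if i not in dead}
    return reconstruct(alive, k)


if __name__ == "__main__":
    msg = b"valve 7: close"
    print(deliver(msg, 4, "high", failed_links=[3]))
    print(deliver(msg, 4, "low", failed_links=[1, 4]))
```

With four links at high severity the receiver tolerates one cut link and an attacker needs three of the four to read anything; at low severity two cuts are tolerated but two tapped links already suffice. Shares are fresh per byte, so replaying a captured share set against a later message gains nothing; authenticity of the reconstructed message is a separate concern that this scheme does not provide.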

    Run-time risk management in adaptive ICT systems

    We present results of the SERSCIS project on risk management and mitigation strategies in adaptive multi-stakeholder ICT systems. The SERSCIS approach uses semantic threat models to support automated design-time threat identification and mitigation analysis. The focus of this paper is the use of these models at run-time for automated threat detection and diagnosis, based on a combination of semantic reasoning and Bayesian inference applied to run-time system monitoring data. The resulting dynamic risk management approach is compared with a conventional ISO 27000-type approach, and validation test results are presented from an Airport Collaborative Decision Making (A-CDM) scenario involving data exchange between multiple airport service providers.
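To make the "Bayesian inference applied to run-time monitoring data" concrete, the following Python is an added illustration (not the SERSCIS implementation) of threat diagnosis over monitored symptoms: each threat hypothesis from a design-time model carries a prior, each symptom a likelihood under each hypothesis, and observed presence or absence of symptoms is folded in with Bayes' rule. The hypotheses, priors, symptom names and likelihood values are made up for an A-CDM-style data exchange and are assumptions.

```python
"""Bayesian threat diagnosis from run-time monitoring data.

Added illustration, not the SERSCIS implementation. Hypotheses, priors and
symptom likelihoods are constructed values for an A-CDM-style data exchange.
"""
from typing import Dict, Optional, Tuple

# One benign baseline plus two threats a design-time threat model might carry.
PRIORS: Dict[str, float] = {"benign": 0.90, "overload": 0.07, "spoofed_feed": 0.03}

# P(symptom present | hypothesis); symptoms treated as conditionally independent.
LIKELIHOODS: Dict[str, Dict[str, float]] = {
    "high_latency":    {"benign": 0.05, "overload": 0.80, "spoofed_feed": 0.20},
    "schema_mismatch": {"benign": 0.01, "overload": 0.05, "spoofed_feed": 0.70},
    "auth_failures":   {"benign": 0.02, "overload": 0.02, "spoofed_feed": 0.50},
}


def posterior(observations: Dict[str, bool]) -> Dict[str, float]:
    """P(hypothesis | observations) by Bayes' rule. A symptom that is monitored
    and absent is evidence too (weight 1 - P(symptom | h)), which is what turns
    this into a diagnosis rather than a keyword match."""
    unnorm: Dict[str, float] = {}
    for h, prior in PRIORS.items():
        p = prior
        for symptom, present in observations.items():
            like = LIKELIHOODS[symptom][h]
            p *= like if present else (1.0 - like)
        unnorm[h] = p
    z = sum(unnorm.values())
    return {h: p / z for h, p in unnorm.items()}


def diagnose(observations: Dict[str, bool], threshold: float = 0.5) -> Optional[Tuple[str, float]]:
    """Most probable non-benign hypothesis if it clears the threshold, else None."""
    post = posterior(observations)
    h, p = max(post.items(), key=lambda kv: kv[1])
    return (h, p) if h != "benign" and p >= threshold else None


if __name__ == "__main__":
    obs = {"high_latency": True, "schema_mismatch": True, "auth_failures": False}
    print(posterior(obs), diagnose(obs))
    obs["auth_failures"] = True
    print(posterior(obs), diagnose(obs))
```

With latency and schema symptoms present but no authentication failures, the absent symptom pulls the diagnosis towards overload (about 0.52) rather than a spoofed feed (about 0.40); once authentication failures appear as well the posterior flips to the spoofed feed at about 0.97. The priors and likelihoods are exactly what a semantic threat model would have to supply per asset, which is the coupling the abstract describes.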