extracting attack scenarios using intrusion semantics
play

EXTRACTING ATTACK SCENARIOS USING INTRUSION SEMANTICS Sherif Saad, - PowerPoint PPT Presentation

Nov 10, 2023 •718 likes •946 views

EXTRACTING ATTACK SCENARIOS USING INTRUSION SEMANTICS Sherif Saad, Issa Traore Information Security and Object Technology Lab University of Victoria ECE Department 5 th FPS 2012 Overview 2 Introduction Related Work Approach

  1. EXTRACTING ATTACK SCENARIOS USING INTRUSION SEMANTICS Sherif Saad, Issa Traore Information Security and Object Technology Lab University of Victoria ECE Department 5 th FPS 2012

  2. Overview 2  Introduction  Related Work  Approach  Experiment  Conclusion UVic, 12-12-18

  3. Introduction: Definition 3  Attack Scenario:  Elicits the steps and actions taken by the intruder to breach/compromise the system.  Also known as attack plan.  Attack Pattern:  A collection of malicious actions that together represent a pattern. UVic, 12-12-18

  4. Introduction: Motivation 4  Extracting attack scenario is needed to:  Elicit the attack and extract useful attack intelligence,  Identify the compromised resources,  Spot the system vulnerabilities,  Determine the intruder objectives and the attack severity. UVic, 12-12-18

  5. Introduction: Research problem 5  IDSs generate low level intrusion alerts that describe individual attack event.  IDS are not designed to recognize attack plans or discover multistage attack scenarios.  IDSs tend to generate massive amount of alerts with high rate of redundant alerts and false positives.  False negatives, which correspond to the attacks missed by the IDS. UVic, 12-12-18

  6. Related Works 6  Statistical and Clustering Approaches  Use alerts similarity and statistical characteristics.  Can handle large amount of IDS alerts.  Can reconstruct novel and unknown attack scenarios.  Cannot detect causality between individual attacks  Limited to simple attack scenarios and attack patterns.  Reconstruct false attack scenarios. UVic, 12-12-18

  7. Related Works (ctd.) 7  Knowledge Based Approaches  Use hard coded knowledge and rely on explicit knowledge.  Hard to maintain and update the knowledge-base  Can reconstruct complex and multistage attack scenarios, but not novel attacks scenarios.  Cannot handle false negatives and missing attack steps.  Cannot detect hidden and implicit relations between attacks. UVic, 12-12-18

  8. Research Objectives 8  Develop a new approach that:  Handle large amount of IDS alerts.  Handle complex multistage attack scenarios.  Automatically reconstruct novel and unknown attack scenarios with high accuracy.  Minimize the affect of missing attack steps. UVic, 12-12-18

  9. Approach: Semantic Correlation 9  IDS sensors use different formats and vocabularies to describe the alerts.  IDMEF provides common alert message structure (syntax) not semantic.  IDS alerts message attributes are symbolic data. It is hard to measure similarity or distance between symbolic data. UVic, 12-12-18

  10. Approach: Intrusion Ontology 10 UVic, 12-12-18

  11. Approach: Semantic Relevance 11 UVic, 12-12-18

  12. Approach: Semantic Clustering 12  Use the ontology to measure the semantic relevance between different alert messages.  Using the semantic relevance we build the alert correlation graph (ACG).  Analyze the ACG to extract all maximum cliques in ACG. We consider every maximum clique in the ACG as a candidate attack scenario/pattern. UVic, 12-12-18

  13. Semantic Clustering Example 13 UVic, 12-12-18

  14. Semantic Clustering Example 14 Alerts Correlation Graph All Maximum Cliques in ACG UVic, 12-12-18

  15. Attack Causality Analysis 15  The Impact class in the ontology contains the set of attack prerequisites and consequences.  The causality relation between two attack instances a and b is a value between 0 and 1 given by  The sequence of attacks in the attack scenario is based on the causality between attack instance in the scenario UVic, 12-12-18

  16. Experiments 16  Datasets  DARPA 2000 dataset from MIT Lincoln Laboratory.  The Treasure Hunt dataset. UVic, 12-12-18

  17. Evaluation Metrics 17  Two performance metrics:  Completeness: the ratio between the number of correctly correlated alerts by the number of related alerts (i.e. that belong to the same attack scenario).  Soundness: the ratio between the number of correctly correlated alerts by the number of correlated alerts. UVic, 12-12-18

  18. Experiments Results 18 UVic, 12-12-18

  19. Conclusion & Future Work 19  The use of semantic correlation and ontology:  Allow us to develop a better alert correlation and attack scenario reconstruction technique.  Enable interoperability between heterogeneous IDS sensors.  Improve the knowledge-base maintenance.  Eliminate the need of hard-coded rules. UVic, 12-12-18

  20. Conclusion & Future Work 20  Our future work will focus on:  False negative: improve the attack causality analysis to predict missing attack steps  False positive: develop an ontology-based rule induction to reduce the false positive alerts. UVic, 12-12-18

  21. Thanks Questions?? UVic, 12-12-18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

375 views • 36 slides
A DEPTS : Adaptive Intrusion Response using Attack Graphs in an e-Commerce Environment Bingrui

A DEPTS : Adaptive Intrusion Response using Attack Graphs in an e-Commerce Environment Bingrui

A DEPTS : Adaptive Intrusion Response using Attack Graphs in an e-Commerce Environment Bingrui Foo, Yu-Sung Wu, Yu-Chun Mao, Saurabh Bagchi, Eugene Spafford Purdue University Dependable Computing Systems Lab (http://shay.ecn.purdue.edu/~dcsl)

608 views • 23 slides
Cyber Intrusion Detection by Using Deep Neural Networks with Attack-sharing Loss IEEE DataCom

Cyber Intrusion Detection by Using Deep Neural Networks with Attack-sharing Loss IEEE DataCom

Cyber Intrusion Detection by Using Deep Neural Networks with Attack-sharing Loss IEEE DataCom 19 Boxiang Dong 1 Hui (Wendy) Wang 2 Aparna S. Varde 1 Dawei Li 1 Bharath K. Samanthula 1 Weifeng Sun 3 Liang Zhao 3 1 Montclair State University

476 views • 24 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, & Jason Wong 1. BACKGROUND What is Spire? What is SCADA? What is SCADA? Supervisory Control and Data Acquisition Allows for centralized

530 views • 18 slides
OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July

OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July

OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July 08 2014 vendredi 11 juillet 14 Outline 1.A few scary stories about computer security 2. ORCHIDS : an intrusion prevention system 3. Semantics and

1.93k views • 177 slides
Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages (Translating Snort rules to STATL scenarios) (Translating Snort rules to STATL scenarios) Steven T. Eckmann Eckmann Steven T. Reliable Software

296 views • 27 slides
Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web

Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web

Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web Workshop on Learning the Semantics of Audio Signals (LSAS) 21 st June 2008, Paris, France Markus Schedl, Peter Knees Department of Computational

691 views • 26 slides
Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data Accelerometers Accelerometers Andr DIAS a,b,c , Lukas GORZELNIAK b , Angela DRING c , Gunnar HARTVIGSEN a,d , Alexander HORSCH b,d a Norwegian Centre for

582 views • 15 slides
Press intrusion. Identifying similar words with different connotations What is press intrusion?

Press intrusion. Identifying similar words with different connotations What is press intrusion?

Topic 12: Press intrusion. Identifying similar words with different connotations What is press intrusion? Press intrusion is an issue which has many stances, often depending on whether you are a member of the press or have been on the receiving

602 views • 9 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
NFC Payments: The Art of Relay & Replay Attacks Who are we? Troopers 2018? NFC

NFC Payments: The Art of Relay & Replay Attacks Who are we? Troopers 2018? NFC

NFC Payments: The Art of Relay & Replay Attacks Who are we? Troopers 2018? NFC Replay/Relay @Netxing @L_AGalloway Content Terminology Replay Attack Intro to NFC Relay Attack EMV Flow Process Extracting

1.09k views • 65 slides
1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting essential oils is using steam distillation. Solvents are often used in extracting oils that are waxy The most expensive method is using CO2 which does not

358 views • 16 slides
AIS Data Quality at a Global Level by Ulrich Kaage Visit us at stand #1137 0 2 | 2013 AIDA-NG

AIS Data Quality at a Global Level by Ulrich Kaage Visit us at stand #1137 0 2 | 2013 AIDA-NG

AIS Data Quality at a Global Level by Ulrich Kaage Visit us at stand #1137 0 2 | 2013 AIDA-NG Roadmap COMSOFT GmbH | AIS Data Quality at a Global Level | World ATM Congress 2013, Feb 13 | Page 2 Overview Su mm Worldwide ary

549 views • 29 slides
Science(IAAS) Assessment Process Webcast #8 Welcome to Iowas AYP Alternate Assessments for the

Science(IAAS) Assessment Process Webcast #8 Welcome to Iowas AYP Alternate Assessments for the

Slide 1 Iowa Alternate Assessment Science(IAAS) Assessment Process Webcast #8 Welcome to Iowas AYP Alternate Assessments for the 2014 -2015 school year. This is the eight presentation in a series of eight that address Iowas AYP Alternate

565 views • 21 slides
Generalizing G odels Constructible Universe: The Ultimate- L Conjecture W. Hugh Woodin

Generalizing G odels Constructible Universe: The Ultimate- L Conjecture W. Hugh Woodin

Generalizing G odels Constructible Universe: The Ultimate- L Conjecture W. Hugh Woodin Harvard University IMS Graduate Summer School in Logic June 2018 Generalizing L Relativizing L to an arbitrary predicate P Suppose P is a set. Define L

799 views • 43 slides
The S-matrix Bootstrap for the 2d O(N) bosonic model M. Kruczenski Purdue University Work in

The S-matrix Bootstrap for the 2d O(N) bosonic model M. Kruczenski Purdue University Work in

The S-matrix Bootstrap for the 2d O(N) bosonic model M. Kruczenski Purdue University Work in collaboration w/ Yifei He and A. Irrgang. Gr Great t La Lakes s 2018, Chicago, IL Summary Introduction and Motivation Define a field theory

412 views • 22 slides
Market Perspectives Robert Martin Managing Director & Chief Executive Officer Growth

Market Perspectives Robert Martin Managing Director & Chief Executive Officer Growth

Market Perspectives Robert Martin Managing Director & Chief Executive Officer Growth Frontiers Asia Pacific Conference 31 st October 2017 Disclaimer This presentation contains general background information about the activities of BOC

829 views • 36 slides
OVERVIEW Understanding of Grief & Loss Understanding the Uniqueness of Suicide Grief

OVERVIEW Understanding of Grief & Loss Understanding the Uniqueness of Suicide Grief

Healing Hearts' Approach to Building Resiliency in Children and Families in the Face of Loss & Aversity Presented by: Morgan Griffin & Melissa Minkley 1 OVERVIEW Understanding of Grief & Loss Understanding the Uniqueness of

110 views • 7 slides
Migrating to Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures GOTO

Migrating to Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures GOTO

Migrating to Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures GOTO Berlin - November 2014 Typical reactions to my Netflix talks Typical reactions to my Netflix talks You guys are crazy! Cant believe

1.23k views • 89 slides
MAKEBELIEVE: Using Commonsense Knowledge to Generate Stories Hugo Liu, Push Singh MIT Media

MAKEBELIEVE: Using Commonsense Knowledge to Generate Stories Hugo Liu, Push Singh MIT Media

MAKEBELIEVE: Using Commonsense Knowledge to Generate Stories Hugo Liu, Push Singh MIT Media Laboratory AAAI 2002 Student Short Paper 2002.07.31 Edmonton, Alberta, Canada 1 Agenda Whats in a story? Previous Approaches in

902 views • 30 slides

More recommend