Burstiness of Intrusion Detection Process: Empirical Evidence and a Modeling Approach

Harang, Richard; Kott, Alexander

doi:10.1109/tifs.2017.2705629

Cited by 18 publications

(17 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bursts in cyber attacks, however, are not a universal pattern. Using analyst verified reports, bursts of cyber attacks were found in only three out of five customer computers/networks protected by a CSSP [12]. Similarly, bursts were not reported for distributed denial-of-service (DDoS) attacks, but these data were limited to one-minute intervals over less than an hour [24].…”

Section: Forecasting and Burstsmentioning

confidence: 97%

“…Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity by helping to optimize human and technical capabilities for cyber defense.In contrast, nearly all prior research on modeling cyber attacks [4-10] lacked analyst detection and verification of computer security incidents with the exceptions of [11,12]. In these two exceptions, security incidents were verified by system administrators at a large university [11] or verified by analysts at a CSSP [12].…”

mentioning

confidence: 99%

See 1 more Smart Citation

Malware in the future? Forecasting of analyst detection of cyber events

Bakdash

Hutchinson

Zaroukian

et al. 2018

Journal of Cybersecurity

View full text Add to dashboard Cite

Cyber attacks endanger physical, economic, social, and political security. There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate such cyber attacks. A common approach is time-series forecasting of cyber attacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyber attacks. Here, we propose an alternate perspective of this problem by performing forecasting of attacks that are analyst-detected and -verified occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on automated systems. Our data set consists of weekly counts of cyber events over approximately seven years. This curated dataset has characteristics that distinguish it from most datasets used in prior research on cyber attacks. Since all cyber events were validated by analysts, our dataset is unlikely to have false positives which are often endemic in other sources of data. Further, the higher-quality data could be used for a number of important tasks for CSSPs such as resource allocation, estimation of security resources, and the development of effective risk-management strategies. To quantify bursts, we used a Markov model of state transitions. For forecasting, we used a Bayesian State Space Model and found that events one week ahead could be predicted with reasonable accuracy, with the exception of bursts. Our findings of systematicity in analyst-detected cyber attacks are consistent with previous work using cyber attack data from other sources. The advanced information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead, similar to a weather forecast. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity by helping to optimize human and technical capabilities for cyber defense.In contrast, nearly all prior research on modeling cyber attacks [4-10] lacked analyst detection and verification of computer security incidents with the exceptions of [11,12]. In these two exceptions, security incidents were verified by system administrators at a large university [11] or verified by analysts at a CSSP [12]. Thus in most earlier research, the sources for cyber attacks were processed data from network telescopes and honeypots [4,6,[8][9][10] and alerts from automated systems on real networks [5,7,13]. Compared to real networks, the majority of traffic to network telescopes (passive monitoring of unrequested network traffic to unused IP addresses) and honeypots (monitored and isolated systems that are designed to appear...

show abstract

Section: Forecasting and Burstsmentioning

confidence: 97%

mentioning

confidence: 99%

Malware in the future? Forecasting of analyst detection of cyber events

Bakdash

Hutchinson

Zaroukian

et al. 2018

Journal of Cybersecurity

View full text Add to dashboard Cite

show abstract

“…Even if the TDS identifies an anomalous event related to the attack, cyber analysts are barraged with alerts on a daily basis and face the problem of finding a "needle in a haystack". Existing automated TDS are notorious for generating a high amount of false alarms [59], [2], [6], [34], [21]. Cyber analysts are in short supply, so organizations face a key challenge in managing the enormous volume of alerts they receive using the limited time of analysts [4].…”

Section: B Existing Tools Limitationsmentioning

confidence: 99%

“…Researchers have also proposed to automatically detect attacks using machine learning [38], [64]. However, these methods also have significant detection error and suffer from generating too many false alerts [58], [34].…”

Section: Related Workmentioning

confidence: 99%

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

Hassan

Guo

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

177

120

View full text Add to dashboard Cite

Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a "threat alert fatigue" or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms.

show abstract

“…Specifically, the system was treated as a statistical Markov model containing a set of observable states and a set of hidden states, and the model was used to effectively detect the intrusion behavior in the network, highlighting the keys in the maintenance of the tolerance system. To prevent illegal intrusion into the network of large non-res-F. Li idential organizations, Harang and Kott [3] proposed a hidden Markov model with restricted hidden state, which couples Markov chain with Monte-Carlo simulation. By analyzing the combination of intrusion time series, the proposed model parses and predicts the network risks and provides the defense measures.…”

Section: Introductionmentioning

confidence: 99%

A Markov-Based Intrusion Tolerance Finite Automaton

2021

CIT. J. comput. inf. technol

View full text Add to dashboard Cite

It is inevitable for networks to be invaded during operation. The intrusion tolerance technology comes into being to enable invaded networks to provide the necessary network services. This paper introduces an automatic learning mechanism of the intrusion tolerance system to update network security strategy, and derives an intrusion tolerance finite automaton model from an existing intrusion tolerance model. The proposed model was quantified by the Markov theory to compute the stable probability of each state. The calculated stable probabilities provide the theoretical guidance and basis for administrators to better safeguard network security. Verification results show that it is feasible, effective, and convenient to integrate the Markov model to the intrusion tolerance finite automaton.

show abstract

Burstiness of Intrusion Detection Process: Empirical Evidence and a Modeling Approach

Cited by 18 publications

References 36 publications

Malware in the future? Forecasting of analyst detection of cyber events

Malware in the future? Forecasting of analyst detection of cyber events

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

A Markov-Based Intrusion Tolerance Finite Automaton

Contact Info

Product

Resources

About