Network Attack Analysis and the Behaviour Engine

Benham, A.; Read, Huw; Sutherland, Iain

doi:10.12785/ijcnt/010202

Cited by 2 publications

(4 citation statements)

References 12 publications

(14 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our review, we observed that quite a large number of countermeasures are either not evaluated at all ( [23], [40], [45] , [48] , [49] , [62] , [75] , [88] , [91] , [67] , [92] , [105] , [110], [111], [114], [137], [141], [154], , [160], [174], , [175]) or evaluated weakly ( [60], [70], [100], [109], [132], [138], [147], [158], [161], [165], [171]). We consider an evaluation as weak evaluation when the system is evaluated with a small dataset (e.g.…”

Section: Discussionmentioning

confidence: 99%

“…The behavioural approach seems a rich area for exploration, however, it should be noted that not all abnormal traffic will be data exfiltration. Benham et al [137] also advocate a behavioural approach to network modelling for data exfiltration, but one which is less sensitive to legitimate anomalies. They suggest a 'Behaviour Engine', which begins with no rules at all and gradually learns them by observing and querying a user's use of a network.…”

Section: Unsupervised Modementioning

confidence: 99%

“…Benham et al [137] In transit Behaviour-based detection system which starts from zero and slowly gets trained based on user's behaviour. This system is designed to be less sensitive to legitimate abnormal traffic.…”

Section: Port Scanning Attackmentioning

confidence: 99%

See 2 more Smart Citations

Data exfiltration: A review of external attack vectors and countermeasures

Ullah

Edwards

Ramdhany

et al. 2018

Journal of Network and Computer Applications

104

View full text Add to dashboard Cite

Context: One of the main targets of cyber-attacks is data exfiltration, which is the leakage of sensitive or private data to an unauthorized entity. Data exfiltration can be perpetrated by an outsider or an insider of an organization. Given the increasing number of data exfiltration incidents, a large number of data exfiltration countermeasures have been developed. These countermeasures aim to detect, prevent, or investigate exfiltration of sensitive or private data. With the growing interest in data exfiltration, it is important to review data exfiltration attack vectors and countermeasures to support future research in this field. Objective: This paper is aimed at identifying and critically analysing data exfiltration attack vectors and countermeasures for reporting the status of the art and determining gaps for future research. Method: We have followed a structured process for selecting 108 papers from seven publication databases. Thematic analysis method has been applied to analyse the extracted data from the reviewed papers. Results: We have developed a classification of (1) data exfiltration attack vectors used by external attackers and (2) the countermeasures in the face of external attacks. We have mapped the countermeasures to attack vectors. Furthermore, we have explored the applicability of various countermeasures for different states of data (i.e., in use, in transit, or at rest). Conclusion: This review has revealed that (a) most of the state of the art is focussed on preventive and detective countermeasures and significant research is required on developing investigative countermeasures that are equally important; (b) Several data exfiltration countermeasures are not able to respond in real-time, which specifies that research efforts need to be invested to enable them to respond in real-time (c) A number of data exfiltration countermeasures do not take privacy and ethical concerns into consideration, which may become an obstacle in their full adoption (d) Existing research is primarily focussed on protecting data in 'in use' state, therefore, future research needs to be directed towards securing data in 'in rest' and 'in transit' states (e) There is no standard or framework for evaluation of data exfiltration countermeasures. We assert the need for developing such an evaluation framework.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Unsupervised Modementioning

confidence: 99%

See 1 more Smart Citation

Data exfiltration: A review of external attack vectors and countermeasures

Ullah

Edwards

Ramdhany

et al. 2018

Journal of Network and Computer Applications

104

View full text Add to dashboard Cite

show abstract

“…Furthermore, we have only mentioned those classifiers that were selected as best classifiers for a study because most of the studies initially tried out multiple classifiers. Considering the reflections from learning type, we classified the classifier structure into four types: base, Amnesia testbed dataset [125] , SQLMAP [126] [S59, S62, S70] Malware/RAT ESET NOD32 [127], Kingsoft [128], Anubis [129], VirusTotal [130], [S1, S41] APT Sysmon Tool [131], Winlogbeat [132] [S79] Overt Channels ZeuS Tracker [133], Waledac [134], Storm [135] [S22, S39] Side Channel PAPI [136] [S8, S63] Steganography F5 [137], Model Based Steganography [138], Outguess [139], YASS [140] [S3, S9, S20] Data dns2tcp [141],BRO [142],Iodine [143], dnscat [144] and Ozymandns [145], [S4, S14, S15, S21, Tunnelling CobaltStrike [146], ReverseDNShell [147] S29, S32, S67, S68,S80] Fig. 10: Analysis of ML Modelling Phase (The number shows the total studies in each category, while the bold number shows total studies in terms of y-axis) that can handle linear, non-linear, high dimensional data [154].…”

Section: Sql Injectionmentioning

confidence: 99%

Machine Learning for Detecting Data Exfiltration: A Review

Sabir,

Ullah,

Babar

et al. 2020

Preprint

View full text Add to dashboard Cite

Research at the intersection of cybersecurity, Machine Learning (ML), and Software Engineering (SE) has recently taken significant steps in proposing countermeasures for detecting sophisticated data exfiltration attacks. It is important to systematically review and synthesize the ML-based data exfiltration countermeasures for building a body of knowledge on this important topic. Objective: This paper aims at systematically reviewing ML-based data exfiltration countermeasures to identify and classify ML approaches, feature engineering techniques, evaluation datasets, and performance metrics used for these countermeasures. This review also aims at identifying gaps in research on ML-based data exfiltration countermeasures. Method: We used Systematic Literature Review (SLR) method to select and review 92 papers. Results: The review has enabled us to (a) classify the ML approaches used in the countermeasures into data-driven, and behaviour-driven approaches, (b) categorize features into six types: behavioral, content-based, statistical, syntactical, spatial and temporal, (c) classify the evaluation datasets into simulated, synthesized, and real datasets and (d) identify 11 performance measures used by these studies. Conclusion: We conclude that: (i) the integration of data-driven and behaviour-driven approaches should be explored; (ii) There is a need of developing high quality and large size evaluation datasets; (iii) Incremental ML model training should be incorporated in countermeasures; (iv) resilience to adversarial learning should be considered and explored during the development of countermeasures to avoid poisoning attacks; and (v) the use of automated feature engineering should be encouraged for efficiently detecting data exfiltration attacks.

show abstract

Network Attack Analysis and the Behaviour Engine

Cited by 2 publications

References 12 publications

Data exfiltration: A review of external attack vectors and countermeasures

Data exfiltration: A review of external attack vectors and countermeasures

Machine Learning for Detecting Data Exfiltration: A Review

Contact Info

Product

Resources

About