Network entity characterization and attack prediction

Bartoš, Václav; Žádník, Martin; Habib, Sheikh Mahbub; Vasilomanolakis, Emmanouil

doi:10.1016/j.future.2019.03.016

Cited by 32 publications

(29 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Further works improved the hit counts but did not discuss the hit rates [17,32,38]. The highest hit rates were achieved by Bartoš et al [2], but the hit rate degrades with the size of the blacklist, as presented in Table 1. The success rate of around 65 % in our work outperforms previous works even with large blacklists.…”

Section: Comparison To Previous Resultsmentioning

confidence: 99%

“…Finally, Melis et al [32] combined two of the previous approaches [17,38], and achieved balance of their strengths and weaknesses, again on DShield data. Predictive blacklisting is also the desired use case of network entity reputation scoring in the work of Bartoš et al [2], who used the data from the SABU alert sharing platform [6] that was also used in this work. The attention of the researchers in the field is also focused on countermeasure selection, e.g., as surveyed by Nespoli et al [33].…”

Section: Dshieldmentioning

confidence: 99%

See 1 more Smart Citation

Predictive Cyber Situational Awareness and Personalized Blacklisting

Husák

Bajtoš

Kašpar

et al. 2020

ACM Trans. Manage. Inf. Syst.

View full text Add to dashboard Cite

Cybersecurity adopts data mining for its ability to extract concealed and indistinct patterns in the data, such as for the needs of alert correlation. Inferring common attack patterns and rules from the alerts helps in understanding the threat landscape for the defenders and allows for the realization of cyber situational awareness, including the projection of ongoing attacks. In this paper, we explore the use of data mining, namely sequential rule mining, in the analysis of intrusion detection alerts. We employed a dataset of 12 million alerts from 34 intrusion detection systems in 3 organizations gathered in an alert sharing platform, and processed it using our analytical framework. We execute the mining of sequential rules that we use to predict security events, which we utilize to create a predictive blacklist. Thus, the recipients of the data from the sharing platform will receive only a small number of alerts of events that are likely to occur instead of a large number of alerts of past events. The predictive blacklist has the size of only 3 % of the raw data, and more than 60 % of its entries are shown to be successful in performing accurate predictions in operational, real-world settings.

show abstract

Section: Comparison To Previous Resultsmentioning

confidence: 99%

Section: Dshieldmentioning

confidence: 99%

Predictive Cyber Situational Awareness and Personalized Blacklisting

Husák

Bajtoš

Kašpar

et al. 2020

ACM Trans. Manage. Inf. Syst.

View full text Add to dashboard Cite

show abstract

“…The data set offers an up-to-date view of network security alerts and reflects the current cybersecurity threat landscape. The data set encourages experimenting with the advanced methods of alert aggregation and correlation [4] , including temporal and spatial correlations [6] , reputation scoring [7] , attack scenario reconstruction [8] , and attack projection [9] . Alert correlation and attack scenario reconstructions methods allow inferring insights into the behavior of the attackers.…”

Section: Value Of the Datamentioning

confidence: 99%

Dataset of intrusion detection alerts from a sharing platform

et al. 2020

View full text Add to dashboard Cite

The dataset contains intrusion detection alerts obtained via an alert sharing platform (SABU) for one week. A plethora of heterogeneous intrusion detection systems deployed across several organizations contributed to the sharing platform. The alerts are stored in the intrusion Detection Extensible Alert (IDEA) format and categorized using the eCSIRT.net Incident Taxonomy. Dataset can be used in several areas of cybersecurity research for the analysis of intrusion detection alerts including temporal and spatial correlations, reputation scoring, attack scenario reconstruction, and attack projection. The network identifiers (e.g., IP addresses, hostnames) are anonymized. However, the list of interesting features (e.g., presence on blacklists, geolocation) of such entities at the time of data collection is provided.

show abstract

“…Interestingly, Antonakakis, Perdisci, Dagon, Lee, and Feamster [2010] propose a dynamic approach to reputation scoring that adjusts the reputation score according to the level of maliciousness. However, Pronk [2011] and Bartos et al [2019] highlight limitations associated with dependence on blacklists, where attack signatures may change and thus render blacklists inefficient. Pronk [2011] describes IP reputation as a concept of rating a host based on their past actions and comparing high-level information such as domain names to a group of hosts whose reputation is known.…”

Section: Reputation Scoringmentioning

confidence: 99%

IP Reputation Scoring with Geo-Contextual Feature Augmentation

Sainani

Namayanja

Sharma

et al. 2020

ACM Trans. Manage. Inf. Syst.

View full text Add to dashboard Cite

The focus of this article is to present an effective anomaly detection model for an encrypted network session by developing a novel IP reputation scoring model that labels the incoming session IP address based on the most similar IP addresses in terms of both network and geo-contextual knowledge. We provide empirical evidence that considering not only traditional network information but also geo-contextual information provides better threat assessment. The reputation scores provide a means to quantitatively capture good and bad IP behavior, making our model ideal for detecting malicious network behavior. With network encryption being the most practical solution to data security and privacy today, our approach expands the network administrator's ability to make decisions about IP addresses' trustworthiness in an encrypted session with limited network information.

show abstract

Network entity characterization and attack prediction

Cited by 32 publications

References 17 publications

Predictive Cyber Situational Awareness and Personalized Blacklisting

Predictive Cyber Situational Awareness and Personalized Blacklisting

Dataset of intrusion detection alerts from a sharing platform

IP Reputation Scoring with Geo-Contextual Feature Augmentation

Contact Info

Product

Resources

About