Semantics-aware detection of targeted attacks: a survey

Luh, Robert; Marschalek, Stefan; Kaiser, Manfred; Janicke, Helge; Schrittwieser, Sebastian

doi:10.1007/s11416-016-0273-3

Cited by 47 publications

(26 citation statements)

References 97 publications

(138 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Additionally, the adversary can also hack and acquire the credentials of a root user of the system. This can be carried out using various attack procedures available in the conventional attack catalog [30]. However, possessing the knowledge of a private database system or a remotely acquiring credentials of a root user would require exceptional capabilities for the adversary.…”

Section: Threat Modelmentioning

confidence: 99%

Secure and transparent audit logs with BlockAudit

Ahmad

Saad

Mohaisen

2019

Journal of Network and Computer Applications

View full text Add to dashboard Cite

Audit logs serve as a critical component in enterprise business systems and are used for auditing, storing, and tracking changes made to the data. However, audit logs are vulnerable to a series of attacks enabling adversaries to tamper data and corresponding audit logs without getting detected. Among them, two well-known attacks are "the physical access attack, " which exploits root privileges, and "the remote vulnerability attack, " which compromises known vulnerabilities in database systems. In this paper, we present BlockAudit: a scalable and tamper-proof system that leverages the design properties of audit logs and security guarantees of blockchain to enable secure and trustworthy audit logs. Towards that, we construct the design schema of BlockAudit and outline its functional and operational procedures. We implement our design on a custom-built Practical Byzantine Fault Tolerance (PBFT) blockchain system and evaluate the performance in terms of latency, network size, payload size, and transaction rate. Our results show that conventional audit logs can seamlessly transition into BlockAudit to achieve higher security and defend against the known attacks on audit logs.

show abstract

Section: Threat Modelmentioning

confidence: 99%

Secure and transparent audit logs with BlockAudit

Ahmad

Saad

Mohaisen

2019

Journal of Network and Computer Applications

View full text Add to dashboard Cite

show abstract

“…For an in-depth look at related and similar work refer to Luh et al's literature survey [11] as well as the system's core publication [6].…”

Section: Related Workmentioning

confidence: 99%

Advanced threat intelligence: detection and classification of anomalous behavior in system processes

Luh

Schrittwieser

2019

Elektrotech. Inftech.

Self Cite

View full text Add to dashboard Cite

With the advent of Advanced Persistent Threats (APTs), it has become increasingly difficult to identify and understand attacks on computer systems. This paper presents a system capable of explaining anomalous behavior within network-enabled user sessions by describing and interpreting kernel event anomalies detected by their deviation from normal behavior.The prototype has been developed at the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (TARGET) at St. Pölten University of Applied Sciences. Advanced Threat Intelligence: Erkennung und Klassifizierung von anomalem Verhalten in Systemprozessen. Mit dem Aufkommen von Advanced Persistent Threats (APTs) ist es immer schwieriger geworden, Angriffe aufComputersysteme zu identifizieren und zu verstehen. Diese Arbeit stellt ein System vor, das in der Lage ist, anomales Verhalten innerhalb von Benutzer-Sessions zu erklären, indem es Kernel-Ereignisanomalien beschreibt und klassifiziert, welche durch ihre Abweichung vom Normalverhalten erkannt werden. Der Prototyp wurde am Josef Ressel-Zentrum für konsolidierte Erkennung gezielter Angriffe (TARGET) an der Fachhochschule St. Pölten entwickelt.

show abstract

“…12 Research has demonstrated the potential of using data mining techniques to identify hidden patterns in malware data to support SIEM analysis. Recent review papers detail the challenges facing by the SIEM analysis, particularly in the areas of intrusion 11 and attack detection.…”

Section: Related Workmentioning

confidence: 99%

“…Recent review papers detail the challenges facing by the SIEM analysis, particularly in the areas of intrusion 11 and attack detection. 12 Research has demonstrated the potential of using data mining techniques to identify hidden patterns in malware data to support SIEM analysis. 13 Another interesting approach is the use of latent semantic analysis to help reduce unnecessary noise in large datasets.…”

Section: Related Workmentioning

confidence: 99%

GraphBAD: A general technique for anomaly detection in security information and event management

Parkinson

Vallati

Crampton

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

The reliance on expert knowledge-required for analysing security logs and performing security audits-has created an unhealthy balance, where many computer users are not able to correctly audit their security configurations and react to potential security threats. The decreasing cost of IT and the increasing use of technology in domestic life are exacerbating this problem, where small companies and home IT users are not able to afford the price of experts for auditing their system configuration. In this paper, we present GraphBAD, a graph-based analysis tool that is able to analyse security configurations in order to identify anomalies that could lead to potential security risks. GraphBAD, which does not require any prior domain knowledge, generates graph-based models from security configuration data and, by analysing such models, is able to propose mitigation plans that can help computer users in increasing the security of their systems. A large experimental analysis, conducted on both publicly available (the well-known KDD dataset) and synthetically generated testing sets (file system permissions), demonstrates the ability of GraphBAD in correctly identifying security configuration anomalies and suggesting appropriate mitigation plans. KEYWORDSanomaly detection, graph structure, log files, security auditing, SIEM INTRODUCTIONAuditing security configurations is the process of searching for anomalies that potentially expose a vulnerability of a considered system. The term Security Information and Event Management (SIEM) is often used to describe the process of monitoring audit logs and security configurations to identify vulnerabilities. Given the complexity of the task, there is a heavy reliance on expert knowledge, which is required for understanding the different security configurations. This reliance has two main drawbacks: first, expert knowledge can be incomplete or erroneous; second, the high cost of security experts makes it infeasible for many users to correctly configure the security of their Information Technology (IT) systems. Therefore, in many cases, unseen weaknesses, which can be exploited, will remain in the configuration. Clearly, auditing security configurations is a critical problem for organisations that significantly rely on their IT infrastructure for undertaking business. For this reason, many companies frequently employ a third party security auditing company to examine their IT infrastructure to identify weaknesses and suggest suitable mitigation plans (named as penetration testing 1,2 ). Although businesses are prepared to pay a premium for maintaining their security, the average home IT user or small companies are left to maintain their own IT security. Furthermore, the decreasing cost of IT and the increasing use of technology in domestic life are exacerbating this problem.These limitations are heightened by the following factors. (i) The complexity of computational infrastructure-the cyber-physical platform on which security is attained-is increasing, and the technological landscape i...

show abstract

Semantics-aware detection of targeted attacks: a survey

Cited by 47 publications

References 97 publications

Secure and transparent audit logs with BlockAudit

Secure and transparent audit logs with BlockAudit

Advanced threat intelligence: detection and classification of anomalous behavior in system processes

GraphBAD: A general technique for anomaly detection in security information and event management

Contact Info

Product

Resources

About