Towards Automated Incident Handling: How to Select an Appropriate Response against a Network-Based Attack?

Ossenbuhl, Sven; Steinberger, Jessica; Baier, Harald

doi:10.1109/imf.2015.13

Cited by 23 publications

(8 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We want to note that much of the alert correlation work, e.g., [49], which relies on misuse-based IDS, assumes that raised alerts can be treated as an attack, i.e., single-stage attack or attack step. Based on those assumptions, a lot of work exists that identifies multistaged attacks by analyzing those alerts.…”

Section: Delimitation From Soaaprmentioning

confidence: 99%

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

et al. 2021

View full text Add to dashboard Cite

Future-oriented networking infrastructures are characterized by highly dynamic Streaming Data (SD) whose volume, speed and number of dimensions increased significantly over the past couple of years, energized by trends such as Software-Defined Networking or Artificial Intelligence. As an essential core component of network security, Intrusion Detection Systems (IDS) help to uncover malicious activity. In particular, consecutively applied alert correlation methods can aid in mining attack patterns based on the alerts generated by IDS. However, most of the existing methods lack the functionality to deal with SD data affected by the phenomenon called concept drift and are mainly designed to operate on the output from signature-based IDS. Although unsupervised Outlier Detection (OD) methods have the ability to detect yet unknown attacks, most of the alert correlation methods cannot handle the outcome of such anomaly-based IDS. In this paper, we introduce a novel framework called Streaming Outlier Analysis and Attack Pattern Recognition, denoted as SOAAPR, which is able to process the output of various online unsupervised OD methods in a streaming fashion to extract information about novel attack patterns. Three different privacy-preserving, fingerprint-like signatures are computed from the clustered set of correlated alerts by SOAAPR, which characterizes and represents the potential attack scenarios with respect to their communication relations, their manifestation in the data's features and their temporal behavior. Beyond the recognition of known attacks, comparing derived signatures, they can be leveraged to find similarities between yet unknown and novel attack patterns. The evaluation, which is split into two parts, takes advantage of attack scenarios from the widely-used and popular CICIDS2017 and CSE‐CIC‐IDS2018 datasets. Firstly, the streaming alert correlation capability is evaluated on CICIDS2017 and compared to a state-of-the-art offline algorithm, called Graph-based Alert Correlation (GAC), which has the potential to deal with the outcome of anomaly-based IDS. Secondly, the three types of signatures are computed from attack scenarios in the datasets and compared to each other. The discussion of results, on the one hand, shows that SOAAPR can compete with GAC in terms of alert correlation capability leveraging four different metrics and outperforms it significantly in terms of processing time by an average factor of 70 in 11 attack scenarios. On the other hand, in most cases, all three types of signatures seem to reliably characterize attack scenarios such that similar ones are grouped together, with up to 99.05\% similarity between the FTP and SSH Patator attack.intrusion detection; alert analysis; alert correlation; outlier detection; attack scenario; streaming data; network security

show abstract

Section: Delimitation From Soaaprmentioning

confidence: 99%

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

et al. 2021

View full text Add to dashboard Cite

show abstract

“…They state several propagation patterns in which they consider not only the damage caused by the propagation of dependency's functionality loss but also other types of propagation, such as the propagation of positive effects and propagation of the dependent service's compromise on its dependencies. The response selection model (REASSESS) [13] allows mitigating network-based attacks by incorporating a response selection process that evaluates negative and positive impacts associated with each countermeasure. The considered negative effects are the disturbance of the service caused by the action, which takes into account the importance of the service and the level of disturbance.…”

Section: Related Workmentioning

confidence: 99%

Decision Support for Mission-Centric Cyber Defence

Javorník

Komárková

Husák

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

In this paper, we propose a novel approach to enterprise mission modeling and mission-centric decision support for cybersecurity operations. The goal of the decision support analytical process is to suggest an effective response for an ongoing attack endangering established mission security requirements. First, we propose an enterprise mission decomposition model to represent the requirements of the missions' processes and components on their confidentiality, integrity, availability. The model is illustrated in a real-world scenario of a medical information system. Second, we propose an analytical process that calculates mission resilience metrics using the attack graphs and Bayesian network reasoning. The process is designed to help cybersecurity operations teams in understanding the complexity of a situation and decision making concerning requirements on enterprise missions.As the IT infrastructures grow larger, it is more and more complicated to protect them and all their components. The insufficient workforce in cyber security and the risks of misunderstanding between security operations and management further underline the problem. The security teams are not always aware of all the missions in an organization, nor knowing about missions' priorities. Under such circumstances, the risk of unwanted actions rises. For example, dropping network traffic of an infected system interrupts operations of a critical IT system or one of its dependencies, which ARES '

show abstract

“…Many work, for instance [5], make assumptions for response planning that each alert raised by a detection engine is treated as one attack. The aggregation and fusion of alarms should be taken into account by the detection system but they assume 100% confidence of the alerts.…”

Section: B Analysismentioning

confidence: 99%

“…The alert analysis and planning as well as executing appropriate reactions can no longer be clamped by humans. Also under the circumstances that manual operation cannot guarantee the response time and accuracy, an efficient automatic decision-making support method is desperately needed [5]. New approaches for instance applying machine learning techniques help to handle the detection of massive input data.…”

Section: Introductionmentioning

confidence: 99%

Incident Reaction Based on Intrusion Detections’ Alert Analysis

Heigl

Doerr

Almaini

et al. 2018

2018 International Conference on Applied Electronics (AE)

View full text Add to dashboard Cite

The protection of internetworked systems by cryptographic techniques have crystallized as a fundamental aspect in establishing secure systems. Complementary, detection mechanisms for instance based on Intrusion Detection Systems has established itself as a fundamental part in holistic security ecosystems in the previous years. However, the interpretation of and reaction on detected incidents is still a challenging task. In this paper an incident handling environment with relevant components and exemplary functionality is proposed that involves the processes from the detection of incidents over their analysis to the execution of appropriate reactions. An evaluation of a selection of implemented interacting components using technology such as OpenFlow or Snort generally proofs the concept.

show abstract

Towards Automated Incident Handling: How to Select an Appropriate Response against a Network-Based Attack?

Cited by 23 publications

References 20 publications

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

Decision Support for Mission-Centric Cyber Defence

Incident Reaction Based on Intrusion Detections’ Alert Analysis

Contact Info

Product

Resources

About