1. Using Contextual Information to Identify Cyber-Attacks
Abstract
A recent trend is toward knowledge-based intrusion detection systems (IDSs). A knowledge-based IDS stores knowledge about cyber-attacks and the vulnerabilities they exploit and uses that knowledge to guide attack prediction; because it knows about these vulnerabilities, it can recognize attempts to exploit them. One significant limitation of knowledge-based IDSs is that they make little use of contextual information when detecting attacks. Contextual information covers more than the configuration of the targeted systems and their vulnerabilities: it also includes the preconditions an attack needs in order to succeed, and the semantic relationships between attacker activities in terms of when they occur and which locations they target. To overcome these limitations, we introduce a novel contextual framework consisting of several attack prediction models that can be used in conjunction with IDSs to detect cyber-attacks. We extract contextual elements from network data to build several knowledge-based, context-aware prediction models, which are applied alongside other intrusion detection techniques to help identify known and unknown attacks. The prediction models serve several tasks: (1) expanding the predictions of other intrusion detection techniques using pre-identified contextual relationships between attacker activities, (2) filtering out predictions that are not relevant given the situation of the targeted hosts, and (3) predicting the occurrence of unknown attacks. Because the framework focuses on the significant dimensions of the data, it can detect cyber-attacks while keeping the computational overhead as low as possible.
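Tasks (1) and (2) above are easier to see on data. The following is an added example, not code from the chapter or its framework: it filters a constructed stream of signature alerts against a hypothetical host inventory (task 2, dropping an SMB exploit alert aimed at a Linux host that runs no SMB service) and then chains the surviving alerts on the same victim into a multi-stage attack prediction using a hypothetical "later stage, within a time window" relationship (task 1). The signature names, stage labels, inventory fields, window length and alert records are all assumptions.

```python
"""Contextual filtering and expansion of IDS alerts (added illustration).

Assumptions, none taken from the chapter: each alert is a dict with a
signature id, source, destination and timestamp; the hypothetical signature
knowledge base records the precondition a signature needs on its target
(service and, optionally, OS family) and the attack stage it represents;
the host inventory records what each host actually runs. All data below
is constructed sample data.
"""
from collections import defaultdict

# Hypothetical signature knowledge base.
SIGNATURES = {
    "SCAN-TCP-SWEEP": {"stage": "recon",   "requires": {}},
    "EXP-SMB-RCE":    {"stage": "exploit", "requires": {"service": "smb", "os": "windows"}},
    "EXP-SSH-BRUTE":  {"stage": "exploit", "requires": {"service": "ssh"}},
    "C2-BEACON":      {"stage": "c2",      "requires": {}},
}
STAGE_ORDER = {"recon": 0, "exploit": 1, "c2": 2}

# Constructed host inventory: the "situation of the targeted hosts".
INVENTORY = {
    "10.0.0.5": {"os": "windows", "services": {"smb", "rdp"}},
    "10.0.0.7": {"os": "linux",   "services": {"ssh", "http"}},
}

# Constructed alert stream (timestamps in seconds).
ALERTS = [
    {"ts": 100,  "sig": "SCAN-TCP-SWEEP", "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"ts": 130,  "sig": "EXP-SMB-RCE",    "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"ts": 140,  "sig": "EXP-SMB-RCE",    "src": "203.0.113.9", "dst": "10.0.0.7"},  # Linux host, no SMB
    {"ts": 700,  "sig": "C2-BEACON",      "src": "10.0.0.5",    "dst": "198.51.100.2"},
    {"ts": 5000, "sig": "EXP-SSH-BRUTE",  "src": "192.0.2.4",   "dst": "10.0.0.7"},
]


def precondition_met(alert, inventory=INVENTORY, signatures=SIGNATURES):
    """True if the target host satisfies the signature's precondition.

    Hosts missing from the inventory are kept (fail open), so an incomplete
    inventory never silently suppresses an alert.
    """
    req = signatures[alert["sig"]]["requires"]
    host = inventory.get(alert["dst"])
    if host is None or not req:
        return True
    if "os" in req and host["os"] != req["os"]:
        return False
    if "service" in req and req["service"] not in host["services"]:
        return False
    return True


def filter_by_context(alerts, inventory=INVENTORY, signatures=SIGNATURES):
    """Task (2): drop alerts whose precondition cannot hold on the target."""
    return [a for a in alerts if precondition_met(a, inventory, signatures)]


def correlate_stages(alerts, window=600, signatures=SIGNATURES):
    """Task (1): chain alerts on the same victim into attack predictions.

    Two alerts are linked when the later one is a later stage and occurs
    within `window` seconds of the previous link. For a C2 beacon the victim
    is the source (the compromised host calling out); otherwise it is the
    destination. Returns [(victim, [stages...])] for chains of 2+ stages.
    """
    by_victim = defaultdict(list)
    for a in alerts:
        stage = signatures[a["sig"]]["stage"]
        victim = a["src"] if stage == "c2" else a["dst"]
        by_victim[victim].append((a["ts"], STAGE_ORDER[stage], stage))

    chains = []
    for victim, events in by_victim.items():
        events.sort()
        chain = [events[0]]
        for ev in events[1:]:
            ts, rank, _ = ev
            prev_ts, prev_rank, _ = chain[-1]
            if rank > prev_rank and ts - prev_ts <= window:
                chain.append(ev)
                continue
            if len(chain) > 1:
                chains.append((victim, [e[2] for e in chain]))
            chain = [ev]
        if len(chain) > 1:
            chains.append((victim, [e[2] for e in chain]))
    return chains


if __name__ == "__main__":
    kept = filter_by_context(ALERTS)
    print(f"{len(ALERTS) - len(kept)} alert(s) dropped by context")
    for victim, stages in correlate_stages(kept):
        print(f"predicted attack chain on {victim}: {' -> '.join(stages)}")
```

Two design choices matter in practice: the precondition check fails open for hosts the inventory does not know, because a stale inventory is more common than a wrong alert, and the chaining requires stages to advance (scan, exploit, beacon), so two repeated exploit alerts against one host never become a chain on their own.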
1.1 Significance of the Problem
Appropriate protection techniques are needed to combat cyber threats and preserve the confidentiality, integrity, and availability of information systems. The growing volume of malicious cyber-attacks demands a collaborative effort between security professionals and researchers to design and develop effective cyber-defense systems. Cyber-attacks continue to rise worldwide, costing companies millions of dollars each year and leading to the loss or misuse of information assets. Companies are therefore under pressure to prevent these attacks or to reduce the damage they cause.
Cyber-attacks take many forms, including infected Web pages, viruses, worms, spam botnets, and other unauthorized use of computer systems to access or modify data. Any computer system without a proper security infrastructure can be compromised, so security authorities aim to design defensive techniques to protect these systems. Despite the growing effort invested in security countermeasures, however, new attack types arise regularly. Programming errors, design flaws, insider threats, and inadequate security tools all contribute, and attackers keep evolving their strategies, so new attack variants go undetected in real time.
Although it is possible in principle to counter any given type of cyber-attack, most existing techniques provide reactive rather than proactive solutions. Proactive techniques aim to eliminate vulnerabilities from computer systems, but avoiding every vulnerability is not possible in practice. Over the past decades, intrusion detection systems (IDSs) have been employed as one of the major reactive techniques against computer attacks, and they are an important component of the defensive measures that protect computer systems and networks from abuse. IDSs use logic rules, statistical techniques, and machine learning approaches to distinguish between different types of network activity.
Although modern IDSs are useful and continue to improve, they still generate a high number of false alarms, fail to identify unknown attacks, and exhibit limited reliability. Most existing IDSs depend on data analytics techniques that operate on raw network data at a very low level of abstraction.
1.1.1 Background
Safeguarding computer systems against attacks is one of the most challenging tasks, and success at it cannot be easily measured. Most security mechanisms can be breached, owing to unknown vulnerabilities in the system and novel techniques that attackers apply to initiate an intrusion. An intrusion has been defined as any action that a user of an information system takes without being legally allowed to [].
Systems capable of detecting intrusions are called intrusion detection systems (IDSs). The role of an IDS is to differentiate between intrusions and normal system execution. Existing intrusion detection techniques combat cyber-attacks at two levels of protection, the network level and the host level. Network-based IDSs monitor the features of network connections in order to detect cyber-attacks. Host-based IDSs, by contrast, monitor the status of workstations and the internals of a computing system to discover possible attacks at the host level.
There have also been other classifications of IDSs [], notably by detection technique into signature-based, anomaly-based, and hybrid systems. Snort is one of the most well-known signature-based intrusion detection systems: it performs real-time traffic analysis, content searching, and content matching to discover attacks using pre-identified attack signatures. While these systems are accurate in identifying known attacks, they cannot recognize new types of attack.
In anomaly-based IDSs, normal profiles are created, usually with statistical techniques, and an anomaly detection technique flags patterns that deviate from those profiles. The main advantage of these systems is their ability to detect unknown attacks for which no signature exists; their major limitation is the difficulty of accurately defining normal profiles. Activities that deviate from a normal profile are not necessarily attacks, so failure to identify the boundaries of normal activity in network data causes normal activities to be predicted as attacks, and a high false positive rate is very likely.
Hybrid IDSs combine signature-based and anomaly-based techniques to discover attacks. Their major disadvantage is the computational overhead of applying both signature matching and anomaly detection to every incoming network connection.
Although IDSs have had a good level of success in detecting intrusion attempts against networks, their effectiveness still shows visible deficiencies, and intrusion detection technologies face several research challenges that need to be addressed:
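To make the contrast between the two detection approaches concrete, the following is an added example, not code from the chapter or from Snort: a toy signature matcher and a toy statistical anomaly detector run over constructed connection records. The feature names, payload patterns, threshold and records are assumptions. The known SQL injection is caught only by the signature, the novel brute-force connection only by the anomaly score, and the large but legitimate backup upload is also flagged by the anomaly score, which is exactly the false positive the paragraph warns about.

```python
"""Signature-based versus anomaly-based detection on constructed records.

Added illustration, not code from the chapter. The connection records, the
features (bytes, duration, failed_logins), the payload patterns and the
threshold are assumptions chosen to exhibit the behaviour described in the
text: signatures catch known attacks only; a statistical normal profile also
catches a novel attack but flags an unusual benign connection as well.
"""
import re
import statistics

# Constructed "normal" training connections used to build the profile.
NORMAL_TRAINING = [
    {"bytes": 1200, "duration": 0.5, "failed_logins": 0},
    {"bytes": 1500, "duration": 0.7, "failed_logins": 0},
    {"bytes": 900,  "duration": 0.4, "failed_logins": 1},
    {"bytes": 1800, "duration": 0.9, "failed_logins": 0},
    {"bytes": 1100, "duration": 0.6, "failed_logins": 0},
]

# Hypothetical signature set: a payload pattern per signature id.
SIGNATURES = {
    "SHELL-UNAME": re.compile(rb"uname\s+-a"),
    "SQLI-UNION":  re.compile(rb"union\s+select", re.IGNORECASE),
}

# Constructed test connections with a ground-truth label for comparison.
TEST = [
    {"label": "known attack (SQL injection)",
     "payload": b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1",
     "bytes": 1300, "duration": 0.5, "failed_logins": 0},
    {"label": "novel attack (password guessing, no signature)",
     "payload": b"POST /login HTTP/1.1",
     "bytes": 1200, "duration": 0.5, "failed_logins": 40},
    {"label": "benign but unusual (large backup upload)",
     "payload": b"PUT /backup.tar HTTP/1.1",
     "bytes": 5_000_000, "duration": 300.0, "failed_logins": 0},
    {"label": "benign",
     "payload": b"GET /index.html HTTP/1.1",
     "bytes": 1400, "duration": 0.6, "failed_logins": 0},
]
FEATURES = ("bytes", "duration", "failed_logins")


def signature_detect(payload, signatures=SIGNATURES):
    """Signature-based detection: return the ids whose pattern matches."""
    return [sid for sid, pat in signatures.items() if pat.search(payload)]


def build_profile(records, features=FEATURES):
    """Anomaly-based detection, step 1: per-feature mean and spread of normal traffic."""
    profile = {}
    for f in features:
        vals = [r[f] for r in records]
        spread = statistics.pstdev(vals) or 1.0  # guard a constant feature
        profile[f] = (statistics.fmean(vals), spread)
    return profile


def anomaly_score(record, profile):
    """Step 2: largest absolute z-score over the profiled features."""
    return max(abs(record[f] - mean) / spread for f, (mean, spread) in profile.items())


def classify(record, profile, threshold=3.0):
    """Run both detectors on one record."""
    score = anomaly_score(record, profile)
    return {"signature": signature_detect(record["payload"]),
            "anomaly": score > threshold,
            "score": round(score, 1)}


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRAINING)
    for rec in TEST:
        print(f"{rec['label']:50} {classify(rec, profile)}")
```

The anomaly detector here is deliberately the simplest possible normal profile (per-feature mean and standard deviation with a fixed z-score threshold); real systems use richer models, but the failure mode is the same: any legitimate activity outside the boundaries of the training data is reported as an attack.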