Premium
Attack chain detection
Author(s) -
Sexton Joseph,
Storlie Curtis,
Neil Joshua
Publication year - 2015
Publication title -
statistical analysis and data mining: the asa data science journal
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.381
H-Index - 33
eISSN - 1932-1872
pISSN - 1932-1864
DOI - 10.1002/sam.11296
Subject(s) - computer science , intrusion detection system , probabilistic logic , host (biology) , construct (python library) , chain (unit) , attack model , intrusion , data mining , attack patterns , detector , computer security , computer network , artificial intelligence , ecology , geochemistry , astronomy , biology , geology , telecommunications , physics
A targeted network intrusion typically evolves through multiple phases, termed the attack chain. When appropriate data are monitored, these phases will generate multiple events across the attack chain on a compromised host. It is shown empirically that events in different parts of the attack chain are largely independent under nonattack conditions. This suggests that a powerful detector can be constructed by combining across events spanning the attack. This article describes the development of such a detector for a larger network. To construct events that span the attack chain, multiple data sources are used, and the detector combines across events observed on the same machine, across local neighborhoods of machines linked by network communications, as well as across events observed on multiple computers. A probabilistic approach for evaluating the combined events is developed, and empirical investigations support the underlying assumptions. The detection power of the approach is studied by inserting plausible attack scenarios into observed network and host data, and an application to a real‐world intrusion is given.