extracting attack scenarios using intrusion semantics
play

EXTRACTING ATTACK SCENARIOS USING INTRUSION SEMANTICS Sherif Saad, - PowerPoint PPT Presentation

Nov 10, 2023 •718 likes •946 views

EXTRACTING ATTACK SCENARIOS USING INTRUSION SEMANTICS Sherif Saad, Issa Traore Information Security and Object Technology Lab University of Victoria ECE Department 5 th FPS 2012 Overview 2 Introduction Related Work Approach

  1. EXTRACTING ATTACK SCENARIOS USING INTRUSION SEMANTICS Sherif Saad, Issa Traore Information Security and Object Technology Lab University of Victoria ECE Department 5 th FPS 2012

  2. Overview 2  Introduction  Related Work  Approach  Experiment  Conclusion UVic, 12-12-18

  3. Introduction: Definition 3  Attack Scenario:  Elicits the steps and actions taken by the intruder to breach/compromise the system.  Also known as attack plan.  Attack Pattern:  A collection of malicious actions that together represent a pattern. UVic, 12-12-18

  4. Introduction: Motivation 4  Extracting attack scenario is needed to:  Elicit the attack and extract useful attack intelligence,  Identify the compromised resources,  Spot the system vulnerabilities,  Determine the intruder objectives and the attack severity. UVic, 12-12-18

  5. Introduction: Research problem 5  IDSs generate low level intrusion alerts that describe individual attack event.  IDS are not designed to recognize attack plans or discover multistage attack scenarios.  IDSs tend to generate massive amount of alerts with high rate of redundant alerts and false positives.  False negatives, which correspond to the attacks missed by the IDS. UVic, 12-12-18

  6. Related Works 6  Statistical and Clustering Approaches  Use alerts similarity and statistical characteristics.  Can handle large amount of IDS alerts.  Can reconstruct novel and unknown attack scenarios.  Cannot detect causality between individual attacks  Limited to simple attack scenarios and attack patterns.  Reconstruct false attack scenarios. UVic, 12-12-18

  7. Related Works (ctd.) 7  Knowledge Based Approaches  Use hard coded knowledge and rely on explicit knowledge.  Hard to maintain and update the knowledge-base  Can reconstruct complex and multistage attack scenarios, but not novel attacks scenarios.  Cannot handle false negatives and missing attack steps.  Cannot detect hidden and implicit relations between attacks. UVic, 12-12-18

  8. Research Objectives 8  Develop a new approach that:  Handle large amount of IDS alerts.  Handle complex multistage attack scenarios.  Automatically reconstruct novel and unknown attack scenarios with high accuracy.  Minimize the affect of missing attack steps. UVic, 12-12-18

  9. Approach: Semantic Correlation 9  IDS sensors use different formats and vocabularies to describe the alerts.  IDMEF provides common alert message structure (syntax) not semantic.  IDS alerts message attributes are symbolic data. It is hard to measure similarity or distance between symbolic data. UVic, 12-12-18

  10. Approach: Intrusion Ontology 10 UVic, 12-12-18

  11. Approach: Semantic Relevance 11 UVic, 12-12-18

  12. Approach: Semantic Clustering 12  Use the ontology to measure the semantic relevance between different alert messages.  Using the semantic relevance we build the alert correlation graph (ACG).  Analyze the ACG to extract all maximum cliques in ACG. We consider every maximum clique in the ACG as a candidate attack scenario/pattern. UVic, 12-12-18

  13. Semantic Clustering Example 13 UVic, 12-12-18

  14. Semantic Clustering Example 14 Alerts Correlation Graph All Maximum Cliques in ACG UVic, 12-12-18

  15. Attack Causality Analysis 15  The Impact class in the ontology contains the set of attack prerequisites and consequences.  The causality relation between two attack instances a and b is a value between 0 and 1 given by  The sequence of attacks in the attack scenario is based on the causality between attack instance in the scenario UVic, 12-12-18

  16. Experiments 16  Datasets  DARPA 2000 dataset from MIT Lincoln Laboratory.  The Treasure Hunt dataset. UVic, 12-12-18

  17. Evaluation Metrics 17  Two performance metrics:  Completeness: the ratio between the number of correctly correlated alerts by the number of related alerts (i.e. that belong to the same attack scenario).  Soundness: the ratio between the number of correctly correlated alerts by the number of correlated alerts. UVic, 12-12-18

  18. Experiments Results 18 UVic, 12-12-18

  19. Conclusion & Future Work 19  The use of semantic correlation and ontology:  Allow us to develop a better alert correlation and attack scenario reconstruction technique.  Enable interoperability between heterogeneous IDS sensors.  Improve the knowledge-base maintenance.  Eliminate the need of hard-coded rules. UVic, 12-12-18

  20. Conclusion & Future Work 20  Our future work will focus on:  False negative: improve the attack causality analysis to predict missing attack steps  False positive: develop an ontology-based rule induction to reduce the false positive alerts. UVic, 12-12-18

  21. Thanks Questions?? UVic, 12-12-18

Recommend

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels

Online Template Attack on ECDSA: Extracting Keys Via The Other Side By: Niels Roelofs, Niels Samwel, Lejla Batina and Joan Daemen Africacrypt Conference 2020 July 2020 Side Channel Attack Introduction A side-channel is any unintentional

375 views • 36 slides
A DEPTS : Adaptive Intrusion Response using Attack Graphs in an e-Commerce Environment Bingrui

A DEPTS : Adaptive Intrusion Response using Attack Graphs in an e-Commerce Environment Bingrui

A DEPTS : Adaptive Intrusion Response using Attack Graphs in an e-Commerce Environment Bingrui Foo, Yu-Sung Wu, Yu-Chun Mao, Saurabh Bagchi, Eugene Spafford Purdue University Dependable Computing Systems Lab (http://shay.ecn.purdue.edu/~dcsl)

608 views • 23 slides
Cyber Intrusion Detection by Using Deep Neural Networks with Attack-sharing Loss IEEE DataCom

Cyber Intrusion Detection by Using Deep Neural Networks with Attack-sharing Loss IEEE DataCom

Cyber Intrusion Detection by Using Deep Neural Networks with Attack-sharing Loss IEEE DataCom 19 Boxiang Dong 1 Hui (Wendy) Wang 2 Aparna S. Varde 1 Dawei Li 1 Bharath K. Samanthula 1 Weifeng Sun 3 Liang Zhao 3 1 Montclair State University

476 views • 24 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, &

ATTACK-AWARENESS FOR SPIRE (INTRUSION-TOLERANT SCADA) Tiger Gao, Dan Qian, Elaine Wong, & Jason Wong 1. BACKGROUND What is Spire? What is SCADA? What is SCADA? Supervisory Control and Data Acquisition Allows for centralized

530 views • 18 slides
OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July

OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July

OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July 08 2014 vendredi 11 juillet 14 Outline 1.A few scary stories about computer security 2. ORCHIDS : an intrusion prevention system 3. Semantics and

1.93k views • 177 slides
Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages (Translating Snort rules to STATL scenarios) (Translating Snort rules to STATL scenarios) Steven T. Eckmann Eckmann Steven T. Reliable Software

296 views • 27 slides
Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web

Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web

Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web Workshop on Learning the Semantics of Audio Signals (LSAS) 21 st June 2008, Paris, France Markus Schedl, Peter Knees Department of Computational

691 views • 26 slides
Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data Accelerometers Accelerometers Andr DIAS a,b,c , Lukas GORZELNIAK b , Angela DRING c , Gunnar HARTVIGSEN a,d , Alexander HORSCH b,d a Norwegian Centre for

582 views • 15 slides
Press intrusion. Identifying similar words with different connotations What is press intrusion?

Press intrusion. Identifying similar words with different connotations What is press intrusion?

Topic 12: Press intrusion. Identifying similar words with different connotations What is press intrusion? Press intrusion is an issue which has many stances, often depending on whether you are a member of the press or have been on the receiving

602 views • 9 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
NFC Payments: The Art of Relay & Replay Attacks Who are we? Troopers 2018? NFC

NFC Payments: The Art of Relay & Replay Attacks Who are we? Troopers 2018? NFC

NFC Payments: The Art of Relay & Replay Attacks Who are we? Troopers 2018? NFC Replay/Relay @Netxing @L_AGalloway Content Terminology Replay Attack Intro to NFC Relay Attack EMV Flow Process Extracting

1.09k views • 65 slides
1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting essential oils is using steam distillation. Solvents are often used in extracting oils that are waxy The most expensive method is using CO2 which does not

358 views • 16 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is semantics? 2 / 14 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the meaning of

588 views • 14 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
THE VAPOR INTRUSION PATHWAY DANIEL G. GREENE, CPG MISCONCEPTIONS MISCONCEPTIONS VAPOR INTRUSION

THE VAPOR INTRUSION PATHWAY DANIEL G. GREENE, CPG MISCONCEPTIONS MISCONCEPTIONS VAPOR INTRUSION

engineers | scientists | architects | constructors THE VAPOR INTRUSION PATHWAY DANIEL G. GREENE, CPG MISCONCEPTIONS MISCONCEPTIONS VAPOR INTRUSION The migration of volatile chemical from the subsurface into overlying building (USEPA 2002)

585 views • 31 slides
Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to automate PDF table extraction and export Dimiter Naydenov @dimitern 1 . 1 Overview Overview PDF: brief history, structure, representing tables Camelot

355 views • 13 slides
Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and

Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and

Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and Computer Security Com puter security: confidentiality, integrity, and availability Intrusion: actions to com prom ise security W hy

1.09k views • 63 slides
Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO

Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO

Outline C2 - description Attack scenarios Conclusion Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO 2009 1 / 19 Outline C2 - description Attack scenarios Conclusion C2 - description 1

979 views • 36 slides
Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures

Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures

11/13/18 Semantics so far in course Lexical Semantics, Distributions, Previous semantics lectures discussed Predicate-Argument Structure, and composing meanings of parts to produce the correct global sentence meaning Frame Semantic Parsing

460 views • 14 slides

More recommend