Publication


Featured research published by Ahmed Aleroud.


2012 International Conference on Cyber Security | 2012

A Contextual Anomaly Detection Approach to Discover Zero-Day Attacks

Ahmed Aleroud; George Karabatis

There is a considerable interest in developing techniques to detect zero-day (unknown) cyber-attacks, and considering context is a promising approach. This paper describes a contextual misuse approach combined with an anomaly detection technique to detect zero-day cyber attacks. The contextual misuse detection utilizes similarity with attack context profiles, and the anomaly detection technique identifies new types of attacks using the One Class Nearest Neighbor (1-NN) algorithm. Experimental results on the NSL-KDD intrusion detection dataset have shown that the proposed approach is quite effective in detecting zero-day attacks.


2013 IEEE 7th International Conference on Software Security and Reliability | 2013

Toward Zero-Day Attack Identification Using Linear Data Transformation Techniques

Ahmed Aleroud; George Karabatis

Intrusion Detection Systems (IDSs) have been developed for many years, but in general they fall short in efficiently detecting zero-day attacks. A promising approach to this problem is to apply linear data transformation and anomaly detection techniques on top of known attack signatures that convey contextual properties. The linear data transformation technique relies on several discriminant functions, which are used to calculate the estimated probability of zero-day attacks by analyzing network connection features. The anomaly detection technique identifies zero-day attacks using the One Class Nearest Neighbor (1-class NN) algorithm, which has been applied using Singular Value Decomposition (SVD) technique to achieve dimensionality reduction. An experimental prototype has been implemented to evaluate these techniques using data from the NSL-KDD intrusion detection dataset. The results indicate that linear data transformation techniques are quite effective and efficient in detecting zero-day attacks.


Journal of Information Science | 2011

Evaluating Google queries based on language preferences

Ahmed Aleroud; Mohammad Al-Ramahi; Mohammed N. Al-Kabi; Izzat Alsmadi; Emad M. Al-Shawakfa

This paper evaluates the assumption that users expect search engines to retrieve the same results for queries regardless of the language or the location of the originator. The dependency of the Google search engine on the language and location from which the query is submitted has been evaluated. The most popular queries in Arabic language were selected and translated into English for comparison using the Google translator. When studying keyword traffic on both Google search based keyword tool and Google Insights for Search, results showed that 67% of the Arab Internet users prefer to use English queries instead of their Arabic counterpart. When studying Google responses to some popular queries we have found that Google ranking algorithm depends on the language of the query more than on the keyword popularity. Although results justify search engines’ favouritism of giving documents in English priority over those of other languages, nonetheless, future search engine indexers should separate the document language from its content in a structure that makes the language a pluggable attribute for those indexed documents.


IEEE International Conference on Semantic Computing | 2014

Context Infusion in Semantic Link Networks to Detect Cyber-attacks: A Flow-Based Detection Approach

Ahmed Aleroud; George Karabatis

Detection of cyber-attacks is a major responsibility for network managers and security specialists. Most existing Network Intrusion Detection systems rely on inspecting individual packets, an increasingly resource consuming task in today's high speed networks due to the overhead associated with accessing packet content. An alternative approach is to detect attack patterns by investigating IP flows. Since analyzing raw data extracted from IP flows lacks the semantic information needed to discover attacks, a novel approach is introduced that utilizes contextual information to semantically reveal cyber-attacks from IP flows. Time, location, and other contextual information mined from network flow data is utilized to create semantic links among alerts raised in response to suspicious flows. The semantic links are identified through an inference process on probabilistic semantic link networks (SLNs). The resulting links are used at run-time to retrieve relevant suspicious activities that represent possible steps in multi-step attacks.


International Journal of Information and Computer Security | 2014

Context and semantics for detection of cyber attacks

Ahmed Aleroud; George Karabatis; Prayank Sharma; Peng He

This paper presents a novel layered cyber-attack detection approach utilising: (1) semantic relationships between attacks to infer possible related suspicious network activities from connections between hosts; (2) contextual information expressed as attack context profiles on top of semantic relationships. The combined use of context and semantics in intrusion detection results in predicting attacks with higher accuracy while decreasing the number of false positives at the same time. A prototype system has been implemented and experiments have been conducted on it. The results exhibit higher or competitive detection rates compared with other existing approaches.


KMO | 2013

A System for Cyber Attack Detection Using Contextual Semantics

Ahmed Aleroud; George Karabatis

In this paper, we present a layered cyber-attack detection system with semantics and context capabilities. The described approach has been implemented in a prototype system which uses semantic information about related attacks to infer all possible suspicious network activities from connections between hosts. The relevant attacks generated by semantic techniques are forwarded to context filters that use attack context profiles and host contexts to filter out irrelevant attacks. The prototype system is evaluated on the KDD 1999 intrusion detection dataset, where the experimental results have shown competitive precision and recall values of the system compared with previous approaches.


Knowledge and Information Systems | 2017

Contextual information fusion for intrusion detection: a survey and taxonomy

Ahmed Aleroud; George Karabatis

Research in cyber-security has demonstrated that dealing with cyber-attacks is by no means an easy task. One particular limitation of existing research originates from the uncertainty of information that is gathered to discover attacks. This uncertainty is partly due to the lack of attack prediction models that utilize contextual information to analyze activities that target computer networks. The focus of this paper is a comprehensive review of data analytics paradigms for intrusion detection along with an overview of techniques that apply contextual information for intrusion detection. A new research taxonomy is introduced consisting of several dimensions of data mining techniques, which create attack prediction models. The survey reveals the need to use multiple categories of contextual information in a layered manner with consistent, coherent, and feasible evidence toward the correct prediction of cyber-attacks.


Systems, Man and Cybernetics | 2018

Queryable Semantics to Detect Cyber-Attacks: A Flow-Based Detection Approach

Ahmed Aleroud; George Karabatis

Cyber-attacks continue to increase worldwide, leading to significant loss or misuse of information assets. Most of the existing intrusion detection systems rely on per-packet inspection, a resource consuming task in today's high speed networks. A recent trend is to analyze netflows (or simply flows) instead of packets, a technique performed at a relatively low level leading to high false alarm rates. Since analyzing raw data extracted from flows lacks the semantic information needed to discover attacks, a novel approach is introduced, which uses contextual information to automatically identify and query possible semantic links between different types of suspicious activities extracted from flows. Time, location, and other contextual information mined from flows is applied to generate semantic links among alerts raised in response to suspicious flows. These semantic links are identified through an inference process on probabilistic semantic link networks (SLNs), which receive an initial prediction from a classifier that analyzes incoming flows. The SLNs are then queried at run-time to retrieve other relevant predictions. We show that our approach can be extended to detect unknown attacks in flows as variations of known attacks. An extensive validation of our approach has been performed with a prototype system on several benchmark datasets yielding very promising results in detecting both known and unknown attacks.


Intelligence and Security Informatics | 2015

Multi-granular aggregation of network flows for security analysis

Tao Ding; Ahmed Aleroud; George Karabatis

Investigating network flows is an approach to detecting attacks by identifying known patterns. Flow statistics are used to discover anomalies by aggregating network traces and then using machine-learning classifiers to discover suspicious activities. However, the efficiency and effectiveness of the flow classification models depend on the granularity of aggregation. This paper describes a novel approach that aggregates packets into network flows and correlates them with security events generated by payload-based IDSs for detection of cyber-attacks.


Journal of Network and Computer Applications | 2017

Identifying cyber-attacks on software defined networks

Ahmed Aleroud; Izzat Alsmadi

Software Defined Networking is an emerging architecture which focuses on the role of software to manage computer networks. Software Defined Networks (SDNs) introduce several mechanisms to detect specific types of attacks such as Denial of Service (DoS). Nevertheless, they are vulnerable to similar attacks that occur in traditional networks, such as the attacks that target the control and data planes. Several techniques are proposed to handle the security vulnerabilities in SDNs. However, it is fairly challenging to create attack signatures, scenarios, or even intrusion detection rules that are applicable to dynamic environments such as SDNs. This paper introduces a new approach to identify attacks on SDNs that uses: (1) similarity with existing attacks that target traditional networks, (2) an inference mechanism to avoid false positives and negatives during the prediction process, and (3) a packet aggregation technique which aims at creating attack signatures and using them to predict attacks on SDNs. We validated our approach on two datasets and showed that it yields promising results.

Collaboration

Top co-authors of Ahmed Aleroud

Abdallah Wahbeh, Slippery Rock University of Pennsylvania
Jianwu Wang, University of Maryland
Lina Zhou, University of Maryland