Publication


Featured research published by Natalia Stakhanova.


International Journal of Information and Computer Security | 2007

A taxonomy of intrusion response systems

Natalia Stakhanova; Samik Basu; Johnny Wong

Recent advances in the field of intrusion detection brought new requirements to intrusion prevention and response. Traditionally, the response to an attack is manually triggered by an administrator. However, increased complexity and speed of the attack-spread during recent years show acute necessity for complex dynamic response mechanisms. Although intrusion detection systems are being actively developed, research efforts in intrusion response are still isolated. In this work we present a taxonomy of intrusion response systems, together with a review of current trends in intrusion response research. We also provide a set of essential features as a requirement for an ideal intrusion response system.


International Journal of Information and Computer Security | 2007

Software fault tree and coloured Petri net based specification, design and implementation of agent-based intrusion detection systems

Guy G. Helmer; Johnny Wong; Mark Slagell; Vasant G. Honavar; Les Miller; Yanxin Wang; Xia Wang; Natalia Stakhanova

The integration of Software Fault Tree (SFT), which describes intrusions, and Coloured Petri Nets (CPNs), which specify design, is examined for an Intrusion Detection System (IDS). The IDS under development is a collection of mobile agents that detect, classify, and correlate the system and network activities. SFTs, augmented with nodes that describe trust, temporal and contextual relationships, are used to describe intrusions. CPNs for intrusion detection are built using CPN templates created from the augmented SFTs. Hierarchical CPNs are created to detect critical stages of intrusions. The agent-based implementation of the IDS is then constructed from the CPNs. Examples of intrusions and descriptions of the prototype implementation are used to demonstrate how the CPN approach has been used in the development of the IDS. The main contribution of this paper is an approach to systematic specification, design and implementation of an IDS; innovations include (1) using stages of intrusions to structure the specification and design of the IDS; (2) augmentation of SFT with trust, temporal and contextual nodes to model intrusions; (3) algorithmic construction of CPNs from augmented SFT; and (4) generation of mobile agents from CPNs.


International Conference on Detection of Intrusions and Malware and Vulnerability Assessment | 2010

An online adaptive approach to alert correlation

Hanli Ren; Natalia Stakhanova; Ali A. Ghorbani

The current intrusion detection systems (IDSs) generate a tremendous number of intrusion alerts. In practice, managing and analyzing this large number of low-level alerts is one of the most challenging tasks for a system administrator. In this context, alert correlation techniques aiming to provide a succinct and high-level view of attacks have gained a lot of interest. Although a variety of methods have been proposed, the majority of them address alert correlation in the off-line setting. In this work, we focus on the online approach to alert correlation. Specifically, we propose a fully automated adaptive approach for online correlation of intrusion alerts in two stages. In the first online stage, we employ a Bayesian network to automatically extract information about the constraints and causal relationships among alerts. Based on the extracted information, we reconstruct attack scenarios on-the-fly, providing the network administrator with the current network view and predicting the next potential steps of the attacker. Our approach is illustrated using both the well-known DARPA 2000 data set and live traffic data collected from a Honeynet network.


Communications and Networking Symposium | 2014

Towards effective feature selection in machine learning-based botnet detection approaches

Elaheh Biglar Beigi; Hossein Hadian Jazi; Natalia Stakhanova; Ali A. Ghorbani

Botnets, as one of the most formidable cyber security threats, are becoming more sophisticated and resistant to detection. In spite of the specific behaviors each botnet has, there exist adequate similarities inside each botnet that separate its behavior from benign traffic. Several botnet detection systems have been proposed based on these similarities. However, offering a solution for differentiating botnet traffic (even traffic using the same protocol, e.g. IRC) from normal traffic is not trivial. Extraction of features at either the host or network level to model a botnet has been one of the most popular methods in botnet detection. A subset of features, usually selected based on some intuitive understanding of botnets, is used by the machine learning algorithms to classify/cluster botnet traffic. These approaches, tested against two or three botnet traces, have mostly shown satisfactory detection results. However, their effectiveness in detection of other botnets or real traffic remains in doubt. Additionally, the effectiveness of different combinations of features in terms of providing more detection coverage has not been fully studied. In this paper we revisit flow-based features employed in the existing botnet detection studies and evaluate their relative effectiveness. To ensure a proper evaluation we create a dataset containing a diverse set of botnet traces and background traffic.


Computer Software and Applications Conference | 2009

A Framework for Cost Sensitive Assessment of Intrusion Response Selection

Chris Strasburg; Natalia Stakhanova; Samik Basu; Johnny Wong

In recent years, cost-sensitive intrusion response has gained significant interest, mainly due to its emphasis on the balance between potential damage incurred by the intrusion and the cost of the response. However, one of the challenges in applying this approach is defining a consistent and adaptable measurement of these cost factors on the basis of system requirements and policy. In this paper, we present a host-based framework for the cost-sensitive assessment and selection of intrusion response. Specifically, we introduce a set of measurements that characterize the potential costs associated with the intrusion handling process, and propose an intrusion response evaluation method with respect to the risk of potential intrusion damage, the effectiveness of the response action and the response cost for a system. We provide an implementation of the proposed solution as an IDS-independent plugin tool and demonstrate its advantages on several attack examples.


Computer and Communications Security | 2009

Intrusion response cost assessment methodology

Chris Strasburg; Natalia Stakhanova; Samik Basu; Johnny Wong

In this paper we present a structured methodology for evaluating the cost of responses based on three factors: the response operational cost, associated with the daily maintenance of the response; the response goodness, which measures the applicability of the selected response for a detected intrusion; and the response impact on the system, which refers to the possible effect of the response on system functionality. The proposed approach provides a consistent basis for response evaluation across different systems while incorporating the security policy and properties of the specific system environment.


International Conference on Distributed Computing Systems Workshops | 2005

Trust framework for P2P networks using peer-profile based anomaly technique

Natalia Stakhanova; Samik Basu; Johnny Wong; Oleg Stakhanov

The popularity of peer-to-peer (P2P) networks has exposed a number of security vulnerabilities, including the problem of finding reliable communication partners. In this paper, we present an integrated trust framework for P2P networks that quantifies the trustworthiness of a peer using a reputation-based trust mechanism and an anomaly detection technique. We describe an anomaly detection procedure that analyzes peer activity on the network and flags potentially malicious behavior by detecting deviation from the peer profile. We study the performance of our trust framework using simulation and compare it with an existing reputation-based system which does not employ an anomaly detection mechanism.


Computers & Security | 2010

On the symbiosis of specification-based and anomaly-based detection

Natalia Stakhanova; Samik Basu; Johnny Wong

As the number of attacks on computer systems increases and the attacks become more sophisticated, there is an obvious need for intrusion detection systems to be able to effectively recognize known attacks and adapt to novel threats. Specification-based intrusion detection has long been considered a promising solution that integrates the characteristics of an ideal intrusion detection system: accuracy of detection and the ability to recognize novel attacks. However, one of the main challenges of applying this technique in practice is its dependence on user guidance in developing the specification of normal system behavior. In this work, we present an approach for automatic generation of specifications for any software system executing on a single host, based on the combination of two techniques: specification-based and anomaly-based approaches. The proposed technique allows automatic development of normal and abnormal behavioral specifications in the form of variable-length patterns classified via an anomaly-based approach. Specifically, we use a machine-learning algorithm to classify fixed-length patterns generated via a sliding window technique, and infer the classification of variable-length patterns from the aggregation of the machine-learning-based classification results. We describe the design and implementation of our technique and show its practical applicability in the domain of security monitoring through simulation and experiments.


International Conference on Security and Privacy in Communication Systems | 2014

DroidKin: Lightweight Detection of Android Apps Similarity

Hugo Gonzalez; Natalia Stakhanova; Ali A. Ghorbani

The appearance of the Android platform and its popularity have resulted in a sharp rise in the number of reported vulnerabilities and consequently in the number of mobile threats. Leveraging the openness of Android app markets and the lack of security testing, malware authors commonly plagiarize Android applications (e.g., through code reuse and repackaging), boosting the amount of malware on the markets and consequently the infection rate.


Journal of Computer Security | 2012

Towards cost-sensitive assessment of intrusion response selection

Natalia Stakhanova; Chris Strasburg; Samik Basu; Johnny Wong

In recent years, cost-sensitive intrusion response has gained significant interest, mainly due to its emphasis on the balance between potential damage incurred by the intrusion and the cost of the response. However, one of the challenges in applying this approach is defining consistent and adaptable measurements of these cost factors on the basis of the requirements and policy of the system being protected against intrusions. In this paper we present a framework for the cost-sensitive selection of intrusion response. Specifically, we introduce a set of measurements that characterize potential costs associated with the intrusion handling process and propose an evaluation method for intrusion response with respect to the risk of potential intrusion damage, the effectiveness of the response action and the response cost for a system. We provide an implementation of the proposed solution as a plugin tool for the Snort IDS and demonstrate its advantages on the DARPA data set and real network traffic.

Collaboration

Top co-authors of Natalia Stakhanova.

Ali A. Ghorbani (University of New Brunswick)

Hugo Gonzalez (University of New Brunswick)

J. Todd McDonald (University of South Alabama)

Xia Wang (Iowa State University)