TY - JOUR
T1 - Queryable Semantics to Detect Cyber-Attacks
T2 - A Flow-Based Detection Approach
AU - AlEroud, Ahmed F.
AU - Karabatis, George
N1 - Funding Information:
Manuscript received February 22, 2016; revised April 17, 2016; accepted July 27, 2016. Date of publication September 7, 2016; date of current version January 15, 2018. This work was supported by the State of Maryland, TEDCO (MII) under Grant 01140-002. This paper was recommended by Associate Editor J. Lu.
Publisher Copyright:
© 2016 IEEE.
PY - 2018/2
Y1 - 2018/2
N2 - Cyber-attacks continue to increase worldwide, leading to significant loss or misuse of information assets. Most of the existing intrusion detection systems rely on per-packet inspection, a resource-consuming task in today's high-speed networks. A recent trend is to analyze netflows (or simply flows) instead of packets, a technique performed at a relatively low level, leading to high false alarm rates. Since analyzing raw data extracted from flows lacks the semantic information needed to discover attacks, a novel approach is introduced, which uses contextual information to automatically identify and query possible semantic links between different types of suspicious activities extracted from flows. Time, location, and other contextual information mined from flows are applied to generate semantic links among alerts raised in response to suspicious flows. These semantic links are identified through an inference process on probabilistic semantic link networks (SLNs), which receive an initial prediction from a classifier that analyzes incoming flows. The SLNs are then queried at run-time to retrieve other relevant predictions. We show that our approach can be extended to detect unknown attacks in flows as variations of known attacks. An extensive validation of our approach has been performed with a prototype system on several benchmark datasets, yielding very promising results in detecting both known and unknown attacks.
AB - Cyber-attacks continue to increase worldwide, leading to significant loss or misuse of information assets. Most of the existing intrusion detection systems rely on per-packet inspection, a resource-consuming task in today's high-speed networks. A recent trend is to analyze netflows (or simply flows) instead of packets, a technique performed at a relatively low level, leading to high false alarm rates. Since analyzing raw data extracted from flows lacks the semantic information needed to discover attacks, a novel approach is introduced, which uses contextual information to automatically identify and query possible semantic links between different types of suspicious activities extracted from flows. Time, location, and other contextual information mined from flows are applied to generate semantic links among alerts raised in response to suspicious flows. These semantic links are identified through an inference process on probabilistic semantic link networks (SLNs), which receive an initial prediction from a classifier that analyzes incoming flows. The SLNs are then queried at run-time to retrieve other relevant predictions. We show that our approach can be extended to detect unknown attacks in flows as variations of known attacks. An extensive validation of our approach has been performed with a prototype system on several benchmark datasets, yielding very promising results in detecting both known and unknown attacks.
KW - Context
KW - information security
KW - intrusion detection
KW - netflow
KW - network attacks
KW - semantic link network (SLN)
UR - http://www.scopus.com/inward/record.url?scp=85040662754&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85040662754&partnerID=8YFLogxK
U2 - 10.1109/TSMC.2016.2600405
DO - 10.1109/TSMC.2016.2600405
M3 - Article
AN - SCOPUS:85040662754
SN - 2168-2216
VL - 48
SP - 207
EP - 223
JO - IEEE Transactions on Systems, Man, and Cybernetics: Systems
JF - IEEE Transactions on Systems, Man, and Cybernetics: Systems
IS - 2
M1 - 7562536
ER -