Using contextual information to identify cyber-attacks

A recent trend is toward utilizing knowledge-based intrusion detection systems (IDSs). Knowledge-based IDSs store knowledge about cyber-attacks and possible vulnerabilities and use this knowledge to guide the process of attack prediction. Since an IDS contains information about these vulnerabilities, it can discover attempts to exploit them. One significant limitation of knowledge-based IDSs is the lack of contextual information used to detect attacks. Contextual information is not only information about the configuration on the targeted systems and their vulnerabilities. It also covers any relevant preconditions the attacks require to proceed successfully and the possible contextual semantic relationships between the activities of attackers in terms of time of these activities and the targeted locations. To overcome these limitations, we introduce a novel contextual framework which consists of several attack prediction models that can be utilized in conjunction with IDSs to detect cyber-attacks. We utilized extractable contextual elements from network data to create several knowledge-based, context-aware prediction models that are applied in conjunction with other intrusion detection techniques to assist in identifying known and unknown attacks. The created prediction models are utilized for several tasks including (1) expanding the predictions of other intrusion detection techniques using pre-identified contextual relationships between attacker activities, (2) filtering the nonrelevant predictions based on the situation of the hosts targeted by attacks, and (3) predicting the occurrence of unknown attacks. Our framework focuses on the significant dimensions in data; thus, it can be utilized to detect cyber-attacks while keeping the computational overhead as low as possible.