Causal knowledge analysis for detecting and modeling multi‐step attacks

Ramaki, Ali Ahmadian; Rasoolzadegan, Abbas

doi:10.1002/sec.1756

Cited by 15 publications

(1 citation statement)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cluster Correlation Analysis e clustering alert correlation method associates alert information with some identical or similar features, that is, clustering by the similarity between alert a ribute values, such as the same destination address, the same a ack source, a ack means, etc. Ahmadianramaki et al [1] proposed a three-layer processing framework that uses causal knowledge to correlate alerts, automatically extracts causal relationships between alerts, builds the a ack scenario using Bayesian networks. And further predict the most likely next a ack behavior.…”

Section: Related Workmentioning

confidence: 99%

Bidirectional RNN-based Few-shot Training for Detecting Multi-stage Attack

Zhao

Liu

Wang

et al. 2019

Preprint

View full text Add to dashboard Cite

Feint A ack", as a new type of APT a ack, has become the focus of a ention. It adopts a multi-stage a acks mode which can be concluded as a combination of virtual a acks and real a acks. Under the cover of virtual a acks, real a acks can achieve the real purpose of the a acker, as a result, it o en caused huge losses inadvertently. However, to our knowledge, all previous works use common methods such as Causal-Correlation or Cased-based to detect outdated multi-stage a acks. Few a entions have been paid to detect the "Feint A ack", because the di culty of detection lies in the diversi cation of the concept of "Feint A ack" and the lack of professional datasets, many detection methods ignore the semantic relationship in the a ack. Aiming at the existing challenge, this paper explores a new method to solve the problem. In the a ack scenario, the fuzzy clustering method based on a ribute similarity is used to mine multi-stage a ack chains. en we use a few-shot deep learning algorithm (SMOTE&CNN-SVM) and bidirectional Recurrent Neural Network model (Bi-RNN) to obtain the "Feint A ack" chains. "Feint A ack" is simulated by the real a ack inserted in the normal causal a ack chain, and the addition of the real a ack destroys the causal relationship of the original a ack chain. So we used Bi-RNN coding to obtain the hidden feature of "Feint A ack" chain. In the end, our method achieved the goal to detect the "Feint A ack" accurately by using the LLDoS1.0 and LLDoS2.0 of DARPA2000 and CICIDS2017 of Canadian Institute for Cybersecurity.

show abstract

Section: Related Workmentioning

confidence: 99%

Bidirectional RNN-based Few-shot Training for Detecting Multi-stage Attack

Zhao

Liu

Wang

et al. 2019

Preprint

View full text Add to dashboard Cite

show abstract

Security analytics for real‐time forecasting of cyberattacks

et al. 2020

View full text Add to dashboard Cite

Summary Protection of networked computing infrastructures (such as Internet of Things, Industrial Control Systems, and Edge computing) is dependent on the continuous monitoring of interaction between such devices and network/Cloud‐based hosts (especially in Industry 4.0 environments). This real‐time monitoring enables an analyst to quantify evolving and emerging threats to such network infrastructures. A framework for identifying patterns in observed cyberthreats and the use of these patterns for forecasting the growth of an emerging threat to network infrastructure is proposed. This framework enables predicting the maximum threat intensity and the time period over which this maximum intensity is likely to occur. The proposed framework integrates: (a) continuous monitoring of device/network activity, (b) forecasting behavior using exponentially weighted moving averages, (c) utilizing Fibonacci retracement for estimating the potential intensity of a cyberattack, and (d) linear regression for predicting response time for high risk thresholds and a machine learning strategy to predict potential risk over a pre‐defined time window. Using this approach, we can produce time intervals between the forecast and the actual attacks using real‐world network activity data. Our results show an average lead time of around 1.75 hours, providing a window of opportunity to limit the impact of an attack and counter it.

show abstract