Abstract
With a major change in the attack landscape, away from well-known attack vectors towards unique and highly tailored attacks, the limitations of common rule- and signature-based security systems become more and more obvious. Novel security mechanisms can extend existing solutions and provide a more sophisticated security approach. As critical infrastructures become increasingly accessible from public networks, they show up on attackers' radars. As a consequence, establishing cyber situational awareness at a higher level through incident information sharing is vital for assessing the increased risk to national security in cyberspace. But legal obligations and economic considerations limit the motivation of companies to pursue information sharing initiatives. To support companies and governmental initiatives, novel security mechanisms should inherently address these limiting factors. One novel approach, AECID, is presented that accounts for the limitations of many common intrusion and anomaly detection mechanisms, and which further provides the features needed to support privacy-aware information sharing for cyber situational awareness.
Summary (translated from the German Zusammenfassung)
With the lasting shift in today's attack methods, away from well-known attacks towards individual and highly specialised ones, the limitations of conventional rule- and signature-based IT security systems become more and more visible. Novel security mechanisms have the potential to substantially improve existing solutions in this respect and thus to offer a more far-reaching security approach. As critical infrastructures increasingly become reachable from public networks as well, they also become attractive targets for attackers more often. As a consequence, establishing a cyber situational picture at a higher level, based on shared information about cyber incidents, is decisive for assessing the increased threat to national security in cyberspace. But legal obligations and economic considerations limit the motivation of organisations to push forward a security-critical exchange of information. In order to support companies and governmental initiatives, new security mechanisms should specifically compensate for the factors that limit the acceptance of systems for information exchange. A novel approach, AECID, which could be applied here, is presented in this article. AECID takes into account the mentioned limitations of many common anomaly detection systems and furthermore supports those properties that are required for a privacy-compliant information exchange aimed at building a general situational understanding.
Acknowledgements
This work was partly funded by the Austrian FFG research program KIRAS in the course of the project CIIS (840842) and by the European Union FP7 project ECOSSIAN (607577).
Cite this article
Friedberg, I., Skopik, F. & Fiedler, R. Cyber situational awareness through network anomaly detection: state of the art and new approaches. Elektrotech. Inftech. 132, 101–105 (2015). https://doi.org/10.1007/s00502-015-0287-4