DOI: 10.1145/2076732.2076787
ACM Other Conferences, ACSAC conference proceedings, research article

Nexat: a history-based approach to predict attacker actions

Published: 05 December 2011

Abstract

Computer networks are constantly targeted by different attacks. Since not all attacks are created equal, it is of paramount importance for network administrators to be aware of the status of the network infrastructure, the relevance of each attack with respect to the goals of the organization under attack, and the most likely next steps of the attackers. The last capability, attack prediction, is of the greatest importance and value to network administrators, as it enables them to provision the actions required to stop the attack and/or minimize its damage to the network's assets. Unfortunately, existing approaches to attack prediction either provide limited useful information or are too complex to scale to real-world scenarios.
In this paper, we present a novel approach to predicting the actions of attackers. Our approach uses machine learning techniques to learn the historical behavior of attackers and then, at run time, leverages this knowledge to produce an estimate of the attackers' likely future actions. We implemented our approach in a prototype tool, called Nexat, and validated its accuracy using a dataset from a hacking competition. The evaluations show that Nexat is able to predict the next steps of attackers with very high accuracy: in our prototype implementation, Nexat achieves 94% accuracy in predicting the attackers' next actions. In addition, Nexat requires few computational resources and can be run in real time for instant prediction of attacks.
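The abstract only says that the approach learns "the historical behavior of attackers" and then produces an estimate of their next actions at run time. The page does not describe Nexat's actual model, so the following is an added illustration and not Nexat's code or algorithm: it assumes a variable-order Markov model with back-off over per-session action sequences as one simple way to build a history-based next-step predictor. The action labels (such as `port_scan` and `sqli_attempt`) and the five training sessions are constructed for this example and are not iCTF data; a real deployment would derive them from IDS alert classes.

```python
"""History-based next-action predictor (added illustration, not Nexat's own method).

A k-th order Markov model with back-off: the next action is estimated from the
distribution of what followed the same recent action history in past sessions.
"""
from collections import Counter, defaultdict

# Constructed training history: one list per attacker session, each entry an
# action label as a sensor might emit it. Invented for this example.
HISTORY = [
    ["port_scan", "web_recon", "sqli_attempt", "sqli_attempt", "dump_credentials", "lateral_login"],
    ["port_scan", "web_recon", "sqli_attempt", "dump_credentials", "lateral_login", "exfil"],
    ["port_scan", "ssh_bruteforce", "ssh_bruteforce", "lateral_login", "exfil"],
    ["web_recon", "sqli_attempt", "dump_credentials", "exfil"],
    ["port_scan", "ssh_bruteforce", "lateral_login", "dump_credentials", "exfil"],
]

END = "<end>"  # pseudo-action marking the end of a session


class HistoryPredictor:
    def __init__(self, order=2):
        self.order = order
        # context tuple (last 0..order actions) -> Counter of the action that followed
        self.counts = defaultdict(Counter)

    def train(self, sessions):
        """Count, for every context length up to `order`, which action came next."""
        for seq in sessions:
            seq = list(seq) + [END]
            for t in range(1, len(seq)):
                for k in range(self.order + 1):
                    if t - k < 0:
                        break
                    self.counts[tuple(seq[t - k:t])][seq[t]] += 1

    def predict(self, observed, top=3):
        """Return [(action, probability)] for the most likely next actions.

        Uses the longest context seen in training, backing off to shorter ones
        (down to the unigram distribution) when the recent history is unseen.
        Ties are broken alphabetically so results are deterministic.
        """
        for k in range(min(self.order, len(observed)), -1, -1):
            ctx = tuple(observed[len(observed) - k:])
            if ctx in self.counts:
                dist = self.counts[ctx]
                total = sum(dist.values())
                ranked = sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))
                return [(a, n / total) for a, n in ranked[:top]]
        return []


def leave_one_out(sessions, order=2):
    """Hold out each session in turn, train on the rest and score the top-1
    prediction for every action after the first. Returns (hits, total)."""
    hits = total = 0
    for i, seq in enumerate(sessions):
        model = HistoryPredictor(order)
        model.train(sessions[:i] + sessions[i + 1:])
        for t in range(1, len(seq)):
            ranked = model.predict(seq[:t], top=1)
            if ranked and ranked[0][0] == seq[t]:
                hits += 1
            total += 1
    return hits, total


if __name__ == "__main__":
    model = HistoryPredictor(order=2)
    model.train(HISTORY)
    for history in (["port_scan", "web_recon"],
                    ["sqli_attempt", "dump_credentials"],
                    ["lateral_login", "exfil"],
                    ["exfil", "port_scan"]):        # unseen pair -> back-off
        print(history, "->", model.predict(history))
    hits, total = leave_one_out(HISTORY)
    print(f"leave-one-session-out top-1 accuracy: {hits}/{total}")
```

Predicting `<end>` is as useful as predicting a concrete action: it tells the operator the attacker is likely done with that session. On these five toy sessions leave-one-out accuracy is only 7/21, which is the point of the abstract's emphasis on history: a predictor of this kind is only as good as the volume and variety of past sessions it has seen.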


Cited By

  • A Novel Classification System for Faster Assessment of IDS Alerts Using Convolutional Neural Network. 2023 15th International Congress on Advanced Applied Informatics Winter (IIAI-AAI-Winter), pp. 7-12, 11 December 2023. DOI: 10.1109/IIAI-AAI-Winter61682.2023.00011
  • Cyber-Attack Prediction Based on Network Intrusion Detection Systems for Alert Correlation Techniques: A Survey. Sensors 22(4):1494, 15 February 2022. DOI: 10.3390/s22041494
  • DEEPCASE: Semi-Supervised Contextual Analysis of Security Events. 2022 IEEE Symposium on Security and Privacy (SP), pp. 522-539, May 2022. DOI: 10.1109/SP46214.2022.9833671
  • Design and proof of concept of a prediction engine for decision support during cyber range attack simulations in the maritime domain. 2022 IEEE International Conference on Cyber Security and Resilience (CSR), pp. 305-310, 27 July 2022. DOI: 10.1109/CSR54599.2022.9850280
  • Systematic Literature Review of Security Event Correlation Methods. IEEE Access 10:43387-43420, 2022. DOI: 10.1109/ACCESS.2022.3168976
  • Analysis and modelling of multi-stage attacks. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1268-1275, December 2020. DOI: 10.1109/TrustCom50675.2020.00170
  • AIDA Framework. Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1-8, 26 August 2019. DOI: 10.1145/3339252.3340513
  • Think That Attackers Think: Using First-Order Theory of Mind in Intrusion Response System. 2019 IEEE Global Communications Conference (GLOBECOM), pp. 1-6, December 2019. DOI: 10.1109/GLOBECOM38437.2019.9013291
  • An Intrusion Action-Based IDS Alert Correlation Analysis and Prediction Framework. IEEE Access 7:150540-150551, 2019. DOI: 10.1109/ACCESS.2019.2946261
  • Multi-stage Cyber-Attacks Detection in the Industrial Control Systems. Recent Developments on Industrial Control Systems Resilience, pp. 151-173, 6 October 2019. DOI: 10.1007/978-3-030-31328-9_8

Published In

ACSAC '11: Proceedings of the 27th Annual Computer Security Applications Conference
December 2011, 432 pages
ISBN: 9781450306720
DOI: 10.1145/2076732

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 05 December 2011

Author Tags

  1. attack prediction
  2. machine learning
  3. situation awareness

Qualifiers

  • Research-article

Conference

ACSAC '11: Annual Computer Security Applications Conference
Sponsor: ACSA
December 5 - 9, 2011
Orlando, Florida, USA

Acceptance Rates

Overall Acceptance Rate: 104 of 497 submissions, 21%

Article Metrics

  • Downloads (last 12 months): 6
  • Downloads (last 6 weeks): 1

Reflects downloads up to 03 Oct 2024

