Research article, ECBS conference proceedings. DOI: 10.1145/3352700.3352714

Automating Network Security Analysis at Packet-level by using Rule-based Engine

Published: 02 September 2019

Abstract

When a network incident is detected, a network administrator has to verify it manually, stop it from continuing, and prevent similar incidents in the future. This network analysis is a time-consuming and labor-intensive activity that requires good knowledge of the network. A solution that automates the administrator's work can dramatically speed up the analysis and make the whole process easier for less experienced administrators. In this paper, we describe a method that uses a predefined set of rules to identify incident patterns. Although many security tools apply this principle, the new aspect of the presented approach is that it builds on the Wireshark tool, which is well known among administrators, and that it is expressive enough to specify complex relations among the source data, so that quite sophisticated attacks can be detected. The rule format uses the same language as Wireshark filters.


Cited By

  • (2024) "Effective Rules for a Rule-Based SIEM System in Detecting DoS Attacks: An Association Rule Mining Approach." Applied Intelligence, pp. 236-246. DOI: 10.1007/978-981-97-0827-7_21. Online publication date: 1 March 2024.
  • (2023) "Case study on Integrating Legacy Devices in Industry 4.0 framework using OPC UA." 2023 International Conference on Energy, Materials and Communication Engineering (ICEMCE), pp. 1-6. DOI: 10.1109/ICEMCE57940.2023.10434133. Online publication date: 14 December 2023.
  • (2023) "Multi-aspects AI-based modeling and adversarial learning for cybersecurity intelligence and robustness: A comprehensive overview." Security and Privacy 6(5). DOI: 10.1002/spy2.295. Online publication date: 10 January 2023.
  • (2022) "Network Packet Analysis as a Unit of Assessment: Identifying Emotet." Proceedings of the 22nd Koli Calling International Conference on Computing Education Research, pp. 1-2. DOI: 10.1145/3564721.3565952. Online publication date: 17 November 2022.


Published In

ECBS '19: Proceedings of the 6th Conference on the Engineering of Computer Based Systems, September 2019, 182 pages.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Network security
  2. anomaly detection
  3. network forensics
  4. network monitoring
  5. threat detection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ECBS '19

Acceptance Rates

ECBS '19 paper acceptance rate: 25 of 49 submissions (51%).
Overall acceptance rate: 25 of 49 submissions (51%).
