Trust Management (TM) systems are frameworks for managing security in decentralized environments. Recently, two TM systems were presented that support authorization in variable-threat environments: the first deals with unanticipated network activities, the second with unanticipated user behavior. A trust agent monitors the threat level in each domain of the system. When the level is elevated, access to resources may be revoked, independently of any other trust mechanisms that apply (based on discretionary or mandatory controls). When the threat level is later lowered, services are restored; this is termed rollback access. In this paper we explore the application of Markov chains and hidden Markov models to trace anomalous domain and/or user behavior. Our model for TM in variable-threat environments provides real-time proactive system defenses based on anomalous behavior. Such behavior is not necessarily caused by adversarial actions: it is triggered by atypical behavior during a certain time period, because in security-critical applications it is not always possible to distinguish malicious from atypical behavior. Of course, our model also defends against malicious behavior that can be identified (using intrusion detection mechanisms). Our approach supports a new control layer, the Threat Level Control (TLC) layer, above the existing MAC and DAC layers, and implements a novel real-time Markov stochastic anomaly analyzer that defends system resources by using threat level controls. This work is part of ongoing research to develop dynamic, real-time trigger mechanisms for rollback-access Trust Management systems.
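The TLC idea sketched above, as an added example that is not code from the paper: a first-order Markov chain scores a window of observed activity states; when the average per-transition log-likelihood falls below a threshold the domain's threat level is elevated and access is vetoed regardless of the MAC/DAC decision, and once behavior looks normal again the level is lowered (rollback access). The activity states, the transition matrix and both thresholds are constructed assumptions, not values from the paper.

```python
"""Minimal Markov-chain anomaly analyzer feeding a Threat Level Control layer.
All states, probabilities and thresholds below are constructed assumptions."""
import math

# Hypothetical activity states observed in one domain, one per time slot.
STATES = ["idle", "read", "write", "admin"]

# Constructed transition probabilities learned from "normal" behavior
# (each row sums to 1). Rare transitions get small but non-zero mass so
# log() is always defined.
P = {
    "idle":  {"idle": 0.70, "read": 0.25, "write": 0.04, "admin": 0.01},
    "read":  {"idle": 0.30, "read": 0.60, "write": 0.09, "admin": 0.01},
    "write": {"idle": 0.20, "read": 0.40, "write": 0.39, "admin": 0.01},
    "admin": {"idle": 0.50, "read": 0.30, "write": 0.15, "admin": 0.05},
}

def window_loglik(seq):
    """Average per-transition log-likelihood of an observed window under P."""
    if len(seq) < 2:
        return 0.0
    total = sum(math.log(P[a][b]) for a, b in zip(seq, seq[1:]))
    return total / (len(seq) - 1)

class ThreatLevelControl:
    """Tracks one domain's threat level and vetoes access while elevated.
    ELEVATED_AT: score below which the level is raised (access revoked).
    RESTORE_AT:  score above which it is lowered again (rollback access).
    The gap between the two is hysteresis so the level does not flap."""
    ELEVATED_AT = -2.0
    RESTORE_AT = -1.0

    def __init__(self):
        self.level = "normal"
        self.history = []          # (score, level) per observed window

    def observe(self, window):
        score = window_loglik(window)
        if self.level == "normal" and score < self.ELEVATED_AT:
            self.level = "elevated"   # trust agent revokes access
        elif self.level == "elevated" and score > self.RESTORE_AT:
            self.level = "normal"     # rollback access: services restored
        self.history.append((round(score, 3), self.level))
        return self.level

    def access_allowed(self, mac_dac_decision):
        """TLC sits above MAC/DAC and only ever tightens their decision."""
        return bool(mac_dac_decision) and self.level == "normal"
```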