Situational awareness through reasoning on network incidents

Authors:
Anna Cinzia Squicciarini;Giuseppe Petracca;William G. Horne;Aurnob Nath
Affiliations:
Pennsylvania State University, University Park, PA, USA;Pennsylvania State University, University Park, PA, USA;Hewlett-Packard Laboratories, Princeton, NJ, USA;Pennsylvania State University, University Park, PA, USA
Venue:
Proceedings of the 4th ACM conference on Data and application security and privacy
Year:
2014

Citing 9
Cited 0

The base-rate fallacy and the difficulty of intrusion detection

ACM Transactions on Information and System Security (TISSEC)
Anomaly Detection over Noisy Data using Learned Probability Distributions

ICML '00 Proceedings of the Seventeenth International Conference on Machine Learning
Case-Based Reasoning for Intrusion Detection

ACSAC '96 Proceedings of the 12th Annual Computer Security Applications Conference
Measuring normality in HTTP traffic for anomaly-based intrusion detection

Computer Networks: The International Journal of Computer and Telecommunications Networking
Intrusion detection using sequences of system calls

Journal of Computer Security
Behavioral clustering of HTTP-based malware and signature generation using malicious network traces

NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
Prioritizing intrusion analysis using Dempster-Shafer theory

Proceedings of the 4th ACM workshop on Security and artificial intelligence
Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis

Proceedings of the 28th Annual Computer Security Applications Conference
Anomaly detection and mitigation at internet scale: a survey

AIMS'13 Proceedings of the 7th IFIP WG 6.6 international conference on Autonomous Infrastructure, Management, and Security: emerging management mechanisms for the future internet - Volume 7943

Quantified Score

Hi-index	0.00

Visualization

Abstract

Corporations worldwide work with teams of often dedicated system administrators to maintain, detect and prevent network infringements. This is a highly user-driven process that consumes hundreds (if not thousands) of man hours yearly. User reporting, the basis of most of these incident detection systems suffers from various biases and leads to below-par security measures. In the paper, we provide an approach for near real-time analysis of ongoing events on controlled networks, while requiring no end-user interaction and saving on system administrator's effort. Our proposed solution, ReasONets, a lightweight, distributed system, provides situational awareness in case of network incidents. ReasONets combines aspects of anomaly detection with Case-Based Reasoning (CBR) methodologies to reason about ongoing security events in a network, including their nature, severity and sources. We build a fully running prototype of ReasONets, to demonstrate the accuracy of the system, in doing reasoning and inference on the network status by exploiting events and network features. To the best of our knowledge, ReasONets is the first of its kind system combining detection and classification of network events with realtime reasoning while being capable of scaling up to large network sizes.