Intrusion Detection Systems (IDS), designed during the early era of the Internet to protect against attacks by individual attackers, have been ill-equipped to protect against attacks executed by organized crime and nation-state actors. The IDSs typically monitor individual sources of data, such as network connections, OS events, or application logs, and use rule-based or anomaly-based methods to detect intrusions. Advanced attackers defeat such IDSs by molding their actions to match normal activities on the network and hosts.
I propose a new method for detecting intrusions from advanced attackers by connecting weak evidence of malicious behavior, such as failed logins, from across the network. My method takes advantage of an important characteristic of targeted attacks: these attacks involve activities, such as lateral movement, that create temporal connections between the various actors involved in the attack. I create an 'identity social graph' that captures these connections and provide an algorithm to connect suspicious activities occurring throughout the network into profiles of suspicious behavior. Finally, I use anomaly ranking to identify profiles of suspicious behavior whose presence is more than coincidence. The resulting profiles of suspicious behavior provide an analyst with the evidence needed to detect targeted attacks.
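As an added illustration of the idea in this paragraph (not code from the dissertation), the following sketch links authentication events that share an account or host within a time window into an identity graph, groups them into profiles that contain at least one weak signal, and ranks the profiles. The log lines are constructed, and the one-hour window and the "weak signals times hosts spanned" ranking heuristic are my assumptions, not the author's anomaly-ranking method.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data):
# (timestamp, user, source host, destination host, outcome)
EVENTS = [
    ("2017-03-01 09:00", "alice", "ws-01", "ws-01", "login_ok"),
    ("2017-03-01 09:05", "alice", "ws-01", "ws-01", "login_fail"),
    ("2017-03-01 09:06", "alice", "ws-01", "ws-01", "login_fail"),
    ("2017-03-01 09:20", "alice", "ws-01", "srv-file", "login_ok"),
    ("2017-03-01 09:35", "svc_backup", "srv-file", "srv-db", "login_fail"),
    ("2017-03-01 09:36", "svc_backup", "srv-file", "srv-db", "login_ok"),
    ("2017-03-01 09:50", "admin", "srv-db", "dc-01", "login_fail"),
    ("2017-03-01 14:00", "bob", "ws-07", "ws-07", "login_fail"),
    ("2017-03-02 11:00", "carol", "ws-09", "srv-mail", "login_ok"),
]
WINDOW = timedelta(hours=1)      # assumed window for a temporal connection
WEAK_EVIDENCE = {"login_fail"}   # weak signals that alone prove nothing

def identities(ev):
    """Identity nodes an event touches: the account and both hosts."""
    return {ev[1], ev[2], ev[3]}

def build_profiles(events, window=WINDOW):
    """Union events sharing an identity within `window`; keep groups with a weak signal."""
    evs = sorted(events, key=lambda e: e[0])
    times = [datetime.strptime(e[0], "%Y-%m-%d %H:%M") for e in evs]
    parent = list(range(len(evs)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i in range(len(evs)):
        for j in range(i + 1, len(evs)):
            if times[j] - times[i] > window:
                break                      # sorted: later events are further off
            if identities(evs[i]) & identities(evs[j]):
                parent[find(j)] = find(i)  # shared account or host => same profile
    groups = defaultdict(list)
    for i, ev in enumerate(evs):
        groups[find(i)].append(ev)
    return [g for g in groups.values() if any(e[4] in WEAK_EVIDENCE for e in g)]

def rank_profiles(profiles):
    """Assumed heuristic: weak signals times distinct hosts spanned, highest first."""
    def score(p):
        hosts = {h for e in p for h in (e[2], e[3])}
        return sum(e[4] in WEAK_EVIDENCE for e in p) * len(hosts)
    return sorted(((score(p), p) for p in profiles), key=lambda sp: -sp[0])
```

On the sample log, alice's failed logins, her logon to srv-file, the service-account failure from srv-file and the admin failure against dc-01 fall into one profile that outranks bob's isolated failure, while carol's benign logon forms no profile at all.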
A common problem in evaluating security methods is the difficulty of collecting an evaluation dataset containing examples of real-world attacks. This difficulty is exacerbated for targeted attacks because companies that have suffered such attacks are unwilling to share details of the attacks. In order to address this difficulty, I propose a method of generating a hybrid evaluation dataset consisting of real-world security logs and synthetic targeted attack data. The attack data is automatically generated using a model that describes the suspicious activities that can occur during a targeted attack. A training set of normally occurring, real-world data is used such that the generated attack data mimics the statistical properties of normally occurring activities.
I evaluate the proposed method of creating profiles of suspicious behavior against a naïve approach using a hybrid evaluation dataset. The proposed method creates profiles of suspicious behavior that are both more complete and more accurately ranked than profiles created using the naïve approach.
Committee: Gottumukkala, Raju; Loganantharaj, Rasiah; Maida, Anthony
School: University of Louisiana at Lafayette
School Location: United States -- Louisiana
Source: DAI-B 78/12(E), Dissertation Abstracts International
Keywords: Intrusion detection, Security and protection, Social graph, Suspicious behavior, Targeted attacks