Dissertation/Thesis Abstract

Creating Profiles of Suspicious Behavior to Locate Plausible Evidence of Targeted Attacks
by LeDoux, Charles, Ph.D., University of Louisiana at Lafayette, 2016, 179; 10245924
Abstract (Summary)

Intrusion Detection Systems (IDS), designed during the early era of the Internet to protect against attacks by individual attackers, have been ill-equipped to protect against attacks executed by organized crime and nation-state actors. The IDSs typically monitor individual sources of data, such as network connections, OS events, or application logs, and use rule-based or anomaly-based methods to detect intrusions. Advanced attackers defeat such IDSs by molding their actions to match normal activities on the network and hosts.

I propose a new method for detecting intrusions from advanced attackers by connecting weak evidence of malicious behavior, such as failed logins, from across the network. My method takes advantage of an important characteristic of targeted attacks: these attacks involve activities, such as lateral movement, that create temporal connections between the various actors involved in the attack. I create an 'identity social graph' that captures these connections and provide an algorithm to connect suspicious activities occurring throughout the network into profiles of suspicious behavior. Finally, I use anomaly ranking to identify profiles of suspicious behavior whose presence is more than coincidence. The resulting profiles of suspicious behavior provide an analyst with the evidence needed to detect targeted attacks.
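As an added illustration (not the dissertation's own code), the sketch below links weak signals that share an identity within a time window into profiles and then ranks those profiles by how rare their actor-to-target pairs are against a baseline of normal activity; the sample events, the baseline counts, the window size and the negative-log-frequency scoring are all assumptions chosen for this example.

```python
# Added example: connect weak signals through identity overlap and time,
# then rank the resulting profiles by rarity. Data and scoring are constructed.
from collections import defaultdict
from math import log

# Constructed sample events: (time_s, actor, target, weak_signal).
EVENTS = [
    (100, "alice", "ws01", "failed_login"),
    (130, "alice", "ws01", "failed_login"),
    (160, "ws01", "srv-db", "new_remote_logon"),    # lateral movement step
    (200, "srv-db", "srv-files", "failed_login"),
    (900, "bob", "ws07", "failed_login"),           # isolated, benign-looking
]
WINDOW = 300  # seconds; assumed max gap for a temporal connection

# Constructed baseline: how often each (actor, target) pair occurs normally.
BASELINE = {("alice", "ws01"): 50, ("bob", "ws07"): 40,
            ("ws01", "srv-db"): 1, ("srv-db", "srv-files"): 1}

def build_profiles(events, window=WINDOW):
    """Union-find over events: two events join one profile when they share
    an identity (an edge in the identity graph) and lie within `window`."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, (ti, ai, gi, _) in enumerate(events):
        for j in range(i + 1, len(events)):
            tj, aj, gj, _ = events[j]
            if ({ai, gi} & {aj, gj}) and abs(tj - ti) <= window:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)
    return [sorted(g) for g in groups.values()]

def rank_profiles(profiles, baseline):
    """Anomaly ranking: sum of -log(p) per event with add-one smoothing,
    so profiles built from rare actor->target pairs rank first."""
    total = sum(baseline.values()) + 1
    def score(p):
        return sum(-log((baseline.get((a, g), 0) + 1) / total) for _, a, g, _ in p)
    return sorted(((score(p), p) for p in profiles), reverse=True)

if __name__ == "__main__":
    for s, p in rank_profiles(build_profiles(EVENTS), BASELINE):
        print(round(s, 2), [f"{a}->{g}:{sig}" for _, a, g, sig in p])
```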

A common problem in evaluating security methods is the difficulty of collecting an evaluation dataset containing examples of real-world attacks. This difficulty is exacerbated for targeted attacks because companies that have suffered such attacks are unwilling to share details of the attacks. In order to address this difficulty, I propose a method of generating a hybrid evaluation dataset consisting of real-world security logs and synthetic targeted attack data. The attack data is automatically generated using a model that describes the suspicious activities that can occur during a targeted attack. A training set of normally occurring, real-world data is used such that the generated attack data mimics the statistical properties of normally occurring activities.

I evaluate the proposed method of creating profiles of suspicious behavior against a naïve approach using a hybrid evaluation dataset. The proposed method creates profiles of suspicious behavior that are both more complete and more accurately ranked than profiles created using the naïve approach.

Indexing (document details)
Advisor: Lakhotia, Arun
Committee: Gottumukkala, Raju, Loganantharaj, Rasiah, Maida, Anthony
School: University of Louisiana at Lafayette
Department: Computer Science
School Location: United States -- Louisiana
Source: DAI-B 78/12(E), Dissertation Abstracts International
Subjects: Computer science
Keywords: Intrusion detection, Security and protection, Social graph, Suspicious behavior, Targeted attacks
Publication Number: 10245924
ISBN: 978-0-355-11316-7