Context Infusion in Semantic Link Networks to Detect Cyber-attacks: A Flow-Based Detection Approach

Abstract

Detection of cyber-attacks is a major responsibility for network managers and security specialists. Most existing Network Intrusion Detection systems rely on inspecting individual packets, an increasingly resource consuming task in today's high speed networks due to the overhead associated with accessing packet content. An alternative approach is to detect attack patterns by investigating IP flows. Since analyzing raw data extracted from IP flows lacks the semantic information needed to discover attacks, a novel approach is introduced that utilizes contextual information to semantically reveal cyber-attacks from IP flows. Time, location, and other contextual information mined from network flow data is utilized to create semantic links among alerts raised in response to suspicious flows. The semantic links are identified through an inference process on probabilistic semantic link networks (SLNs). The resulting links are used at run-time to retrieve relevant suspicious activities that represent possible steps in multi-step attacks.