Multi-step Attack Pattern Detection on Normalized Event Logs

David Jaeger, M. Ussath, Feng Cheng, C. Meinel
2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing
Published 2015-11-03. DOI: 10.1109/CSCloud.2015.26 (https://doi.org/10.1109/CSCloud.2015.26)
Cited by: 16

Abstract

Looking at recent cyber-attacks in the news, a growing complexity and sophistication of attack techniques can be observed. Many of these attacks are performed in multiple steps to reach the core of the targeted network. Existing signature detection solutions are focused on the detection of a single step of an attack, but they do not see the big picture. Furthermore, current signature languages cannot integrate valuable external threat intelligence, which would simplify the creation of complex signatures and enable the detection of malicious activities already seen by other targets. We extend an existing multi-step signature language to support attack detection on normalized log events collected from various applications and devices. Additionally, the extended language supports the integration of external threat intelligence and allows us to reference current threat indicators. With this approach, we can create generic signatures that stay up-to-date. Using our language, we could detect various login brute-force attempts on multiple applications with only one generic signature.
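The abstract describes three ingredients: normalizing heterogeneous logs into one event schema, a multi-step signature that correlates events across that schema, and a threat-intelligence indicator set the signature can reference. The following is an added illustration written for this page; it is not the authors' signature language or their implementation, and the log formats, field names, thresholds and IP addresses are all constructed assumptions. It normalizes sshd and a hypothetical web-application login log into a common Event, then runs a single generic signature (several failed logins from one source within a window, followed by a successful login from the same source on any application) over the stream, lowering the failure threshold when the source appears in an indicator set.

```python
"""Generic multi-step brute-force signature over normalized log events.

Added example for this page; not the paper's language or code. Log lines,
regexes, thresholds and addresses below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Common schema every raw log source is mapped onto."""
    ts: datetime
    app: str
    src_ip: str
    user: str
    outcome: str  # "failure" or "success"


# One normalizer per raw source; both produce the same Event fields.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# Hypothetical web-application login log (assumed format).
WEB_RE = re.compile(
    r'^(?P<ts>\S+) webapp login user="(?P<user>[^"]*)" ip=(?P<ip>\S+) result=(?P<res>ok|fail)'
)


def normalize(line: str):
    """Map a raw line to an Event, or None if no normalizer matches."""
    m = SSHD_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "sshd", m["ip"], m["user"],
                     "success" if m["res"] == "Accepted" else "failure")
    m = WEB_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "webapp", m["ip"], m["user"],
                     "success" if m["res"] == "ok" else "failure")
    return None


class BruteForceSignature:
    """Step 1: >= threshold failures from one src_ip inside `window` (any app).
    Step 2: a success from the same src_ip. Sources listed in `indicators`
    (an external threat-intel feed, here a constructed set) need only
    `ti_threshold` failures, so the same signature tightens for known-bad IPs."""

    def __init__(self, threshold=5, window=timedelta(minutes=5),
                 indicators=frozenset(), ti_threshold=2):
        self.threshold, self.window = threshold, window
        self.indicators, self.ti_threshold = indicators, ti_threshold
        self.failures = defaultdict(deque)  # src_ip -> deque of (ts, app)

    def feed(self, ev: Event):
        """Consume one event; return an alert dict when the pattern completes."""
        q = self.failures[ev.src_ip]
        while q and ev.ts - q[0][0] > self.window:  # drop failures outside window
            q.popleft()
        if ev.outcome == "failure":
            q.append((ev.ts, ev.app))
            return None
        ti_hit = ev.src_ip in self.indicators
        needed = self.ti_threshold if ti_hit else self.threshold
        if len(q) >= needed:
            alert = {"src_ip": ev.src_ip, "failures": len(q),
                     "apps": sorted({app for _, app in q}),
                     "success_app": ev.app, "user": ev.user, "ti_hit": ti_hit}
            q.clear()  # reset state so one campaign yields one alert
            return alert
        return None


def run(lines, sig: BruteForceSignature):
    """Normalize each line and feed it to the signature; collect alerts."""
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev is None:  # unparsed lines are skipped, not treated as failures
            continue
        alert = sig.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample input: one source spraying sshd and the web app, then
# succeeding; a second source with too few failures to trip the base threshold.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5110 ssh2",
    "2024-01-01T10:00:20 sshd[102]: Failed password for root from 203.0.113.7 port 5111 ssh2",
    "2024-01-01T10:01:00 sshd[103]: Failed password for root from 203.0.113.7 port 5112 ssh2",
    '2024-01-01T10:02:00 webapp login user="alice" ip=203.0.113.7 result=fail',
    '2024-01-01T10:02:30 webapp login user="alice" ip=203.0.113.7 result=fail',
    '2024-01-01T10:03:00 webapp login user="alice" ip=203.0.113.7 result=ok',
    '2024-01-01T10:03:10 webapp login user="bob" ip=198.51.100.9 result=fail',
    '2024-01-01T10:03:20 webapp login user="bob" ip=198.51.100.9 result=fail',
    '2024-01-01T10:03:40 webapp login user="bob" ip=198.51.100.9 result=ok',
    "2024-01-01T10:04:00 kernel: unrelated line",
]

if __name__ == "__main__":
    for a in run(SAMPLE_LOGS, BruteForceSignature(indicators=frozenset({"198.51.100.9"}))):
        print(a)
```

Because correlation keys on the normalized src_ip rather than on any application-specific field, the three sshd failures and two web failures from 203.0.113.7 count toward one signature; the indicator set changes only the threshold, so refreshing it from a feed updates detection without rewriting the signature.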