Behavior-dependent Routing: Responding to Anomalies with Automated Low-cost Measures

C. Oehmen, T. E. Carroll, Patrick C. Paulson, D. Best, C. Noonan, S. R. Thompson, Jeffrey L. Jensen, Glenn A. Fink, Elena S. Peterson
DOI: 10.1145/2809826.2809835 (https://doi.org/10.1145/2809826.2809835)
Published in: Proceedings of the 2015 Workshop on Automated Decision Making for Active Cyber Defense
Publication date: 2015-10-12
Citations: 2

Abstract

As cyber attacks on enterprise systems and critical infrastructure increase in prevalence and severity, the persistent presence of adversaries in these systems is a common theme. While there are many efforts and tools focused on locating and removing adversaries from cyber systems, there is an increasing need for automated, steerable response that happens on attack-relevant time scales: an active cyber defense. The research presented here describes the design and implementation of a system (SEQUESTOR) that achieves a form of active defense at the network layer by using the output of multiple behavior models to drive differential routing of traffic through a core network. This approach is based on two assertions: 1) methods for detecting behavior that is inconsistent with a user's past are a proxy for compromised systems or credentials, but are subject to a high rate of false positives; and 2) automatically changing the logical route taken by future traffic emanating from the potentially compromised system provides a means for graded response that makes it possible to balance the cost of a false positive against the risk of allowing the behavior to continue. The presented system is a framework that combines behavior models in a modular way and allows future models and responses to be incorporated. Ultimately, this is a model for how real-time situational awareness technologies can be coupled to automated responses, as well as supporting steerable responses that provide decision support to human operators.
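The graded-response idea in the abstract (fuse the outputs of several pluggable behavior models, then pick a logical route whose friction for a legitimate user is weighed against the risk of letting a possibly compromised host continue) can be made concrete as a small policy engine. The Python below is an added illustration written for this page, not SEQUESTOR's code: the three behavior models, their weights, the four route tiers with their friction and exposure numbers, and the per-host activity records are all assumed. It goes slightly beyond the abstract by deriving the score thresholds at which each route becomes optimal from the costs, rather than hand-tuning them, and by showing how an operator raising the false-positive cost steers the policy toward a milder response.

```python
"""Toy behavior-dependent routing policy (added example, not SEQUESTOR code).

Each behavior model scores a host's recent activity against that host's own
past (0 = consistent, 1 = very unlike its history).  The scores are fused into
one number read as P(compromised), and the route minimizing
    (1 - p) * fp_cost * friction  +  p * risk * exposure
is chosen.  Model names, weights, route tiers and cost figures are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class HostActivity:
    """Constructed per-host observation plus that host's historical baseline."""
    host: str
    hour: int                    # local hour of the observed session
    bytes_out: int               # bytes sent in the window
    new_dests: int               # destinations never seen for this host before
    usual_hours: tuple = (8, 18)  # baseline active window (hypothetical)
    usual_bytes_out: int = 50_000_000
    usual_new_dests: float = 1.0


# --- pluggable behavior models (each returns a score in [0, 1]) --------------
def time_of_day_model(a: HostActivity) -> float:
    lo, hi = a.usual_hours
    if lo <= a.hour <= hi:
        return 0.0
    dist = (lo - a.hour) if a.hour < lo else (a.hour - hi)
    return min(dist, 6) / 6.0           # 6 h outside the window saturates at 1


def volume_model(a: HostActivity) -> float:
    ratio = a.bytes_out / max(a.usual_bytes_out, 1)
    return min(max(ratio - 1.0, 0.0) / 9.0, 1.0)   # 10x the usual volume -> 1


def new_destination_model(a: HostActivity) -> float:
    excess = a.new_dests - a.usual_new_dests
    return min(max(excess, 0.0) / 20.0, 1.0)        # 20 extra destinations -> 1


MODELS: Dict[str, Callable[[HostActivity], float]] = {
    "time_of_day": time_of_day_model,
    "volume": volume_model,
    "new_destinations": new_destination_model,
}
WEIGHTS = {"time_of_day": 0.2, "volume": 0.4, "new_destinations": 0.4}  # assumed


def fuse(scores: Dict[str, float]) -> float:
    """Weighted mean of the model scores, interpreted as P(compromised)."""
    total = sum(WEIGHTS[k] for k in scores)
    return sum(WEIGHTS[k] * v for k, v in scores.items()) / total


# --- graded routes ----------------------------------------------------------
@dataclass(frozen=True)
class Route:
    name: str
    friction: float   # cost imposed on a legitimate user sent this way
    exposure: float   # fraction of an attacker's value that still gets through


ROUTES: List[Route] = [                 # all tiers and numbers are assumed
    Route("direct",    friction=0.0, exposure=1.0),   # normal path
    Route("inspect",   friction=0.1, exposure=0.6),   # via capture/IDS path
    Route("throttle",  friction=0.3, exposure=0.3),   # rate-limited egress
    Route("sequester", friction=1.0, exposure=0.05),  # isolated segment, analyst review
]


def expected_cost(route: Route, p_comp: float, fp_cost: float, risk: float) -> float:
    return (1 - p_comp) * fp_cost * route.friction + p_comp * risk * route.exposure


def choose_route(p_comp: float, fp_cost: float = 1.0, risk: float = 4.0) -> Route:
    return min(ROUTES, key=lambda r: expected_cost(r, p_comp, fp_cost, risk))


def decide(a: HostActivity, fp_cost: float = 1.0, risk: float = 4.0) -> dict:
    """Run every model, fuse, and pick the cheapest route for this host."""
    scores = {name: model(a) for name, model in MODELS.items()}
    p = fuse(scores)
    return {"host": a.host, "scores": scores, "p_comp": round(p, 3),
            "route": choose_route(p, fp_cost, risk).name}


def policy_bands(fp_cost: float = 1.0, risk: float = 4.0) -> Dict[str, float]:
    """Lowest P(compromised), in 0.01 steps, at which each route becomes optimal."""
    bands: Dict[str, float] = {}
    for i in range(101):
        p = i / 100
        bands.setdefault(choose_route(p, fp_cost, risk).name, p)
    return bands


# Constructed sample hosts (not real telemetry).
HOST_NORMAL = HostActivity("ws-01", hour=10, bytes_out=40_000_000, new_dests=1)
HOST_MILD = HostActivity("ws-02", hour=14, bytes_out=40_000_000, new_dests=5)
HOST_MODERATE = HostActivity("ws-03", hour=21, bytes_out=150_000_000, new_dests=6)
HOST_SEVERE = HostActivity("ws-04", hour=3, bytes_out=600_000_000, new_dests=40)

if __name__ == "__main__":
    print("bands:", policy_bands())
    for h in (HOST_NORMAL, HOST_MILD, HOST_MODERATE, HOST_SEVERE):
        print(decide(h))
    print("ws-03 with fp_cost=3:", decide(HOST_MODERATE, fp_cost=3.0)["route"])
```

The thresholds in `policy_bands` fall out of the cost model: raising `risk` pulls every band downward (more hosts get sequestered), while raising `fp_cost` for a given host or time window pushes the same fused score toward a cheaper route, which is the steerable, operator-adjustable part of the response.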