
Temporal and Spatial Analyses for Large-Scale Cyber Attacks

Chapter in: Handbook of Computational Approaches to Counterterrorism

Abstract

Prevalent computing devices with networking capabilities have become critical cyber infrastructure for government, industry, academia and everyday life. As their value rises, the motivation driving cyber attacks on this infrastructure has shifted from the pursuit of notoriety to the pursuit of profit [1, 2] or political gain, leading to cyber terrorism on various scales. Cyber terrorism has had its share of case studies and definitions since the late 1990s and early 2000s [3–5]. A common denominator of the definitions of cyber terrorism is the threat posed through the use of cyber infrastructure, especially the Internet. Stuxnet, a malware discovered in June 2010 that was a directed attack against the Iranian nuclear program [6], represented a milestone in cyber warfare and posed a new challenge to analyzing and understanding cyber attacks, due to the complexity of its attack strategy. While cyber terrorism can have many elements beyond exploiting cyber vulnerabilities, this chapter focuses on analysis techniques that process observables of malicious activities in cyberspace.


Notes

  1. In general, it is hard to infer anything about the attacker(s), because the basic unit of most observables is the host (e.g., an IP address), not the person.

  2. We also noticed that there are missing steps between Alerts #12 and #13. Vulnerability attempts are conducted against 10.14.1.17, but no alert indicates that the target has been probed and discovered. This is because Snort alerts are only one type of observed evidence, and they may not be comprehensive, since current IDSs cannot perform perfect detection.

  3. Table 5 lists only eight alerts for each team. Figure 5 represents all observed alerts of the two teams.

  4. In the real-world data set, there is no ground truth indicating how attack sources are coordinated. We collect evidence to support our assumption. In these two examples, inter-arrival time and geographical information are consistent with the assumption of leader and zombie hosts.

  5. The spatial pattern example is extracted from the UCSD data set, in which an alert can be triggered by chance, such as by a misconfiguration. In the hacking competition data, we do not have such a case.

  6. A conspirator is considered a Heavy Attacking Conspirator if it has at least one HAT.

  7. For anonymity reasons, in this chapter, the first byte of the IP addresses from real-world data is masked with 0.

References

  1. Fossl M et al (2010) Symantec internet security threat report for 2010. Technical report

  2. Zhou C, Leckie C, Karunasekera S (2010) A survey of coordinated attacks and collaborative intrusion detection. Comput Secur 29(1):124–140

  3. Denning DE (2000) Cyberterrorism: testimony before the special oversight panel on terrorism, committee on armed services, US house of representatives. Nova Science Pub. Inc, New York

  4. Flemming P, Stohl M (2001) Myths and realities of cyberterrorism. In: Proceedings of the international conference on countering terrorism through enhanced international cooperation. ISPAC, pp 70–108

  5. Gordon S, Ford R (2002) Cyberterrorism? Comput Secur 21(7):636–647

  6. Langner R (2011) Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur Priv 9(3):49–51

  7. Roesch M et al (1999) Snort: lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX conference on system administration. USENIX, Berkeley, CA, pp 229–238

  8. Fuchsberger A (2005) Intrusion detection systems and intrusion prevention systems. Inf Secur Tech Rep 10(3):134–139

  9. Valdes A, Skinner K (2001) Probabilistic alert correlation. In: Proceedings of the international symposium on recent advances in intrusion detection (RAID’01). Springer, Berlin, pp 54–68

  10. Dain O, Cunningham RK (2001) Fusing a heterogeneous alert stream into scenarios. In: Proceedings of the ACM workshop on data mining and security. ACM, New York

  11. Debar H, Wespi A (2001) Aggregation and correlation of intrusion-detection alerts. In: Proceedings of the international symposium on recent advances in intrusion detection (RAID’01). Springer, Berlin, pp 85–103

  12. Cuppens F, Miège A (2002) Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the IEEE symposium on security and privacy. IEEE, New York, pp 202–215

  13. Cheung S, Lindqvist U, Fong MW (2003) Modeling multistep cyber attacks for scenario recognition. In: Proceedings of the DARPA information survivability conference and exposition, vol 1. IEEE, New York, pp 284–292

  14. Valeur F, Vigna G, Kruegel C, Kemmerer R (2004) A comprehensive approach to intrusion detection alert correlation. IEEE Trans Dependable Secur Comput 1(3):46–169

  15. Ning P, Xu D, Healey CG, Amant RS (2004) Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th annual network and distributed system security symposium (NDSS’04), pp 97–111

  16. Arnes A, Valeur F, Kemmerer R (2006) Using hidden Markov models to evaluate the risk of intrusions. In: Proceedings of the international symposium on recent advances in intrusion detection (RAID’06), Hamburg, Germany. Springer, Berlin

  17. Stotz A, Sudit M (2007) INformation fusion engine for real-time decision-making (INFERD): a perceptual system for cyber attack tracking. In: Proceedings of the 10th IEEE international conference on information fusion. IEEE, New York

  18. Qin X, Lee W (2004) Attack plan recognition and prediction using causal networks. In: Proceedings of the 20th ACM annual computer security applications conference. ACM, New York, pp 370–379

  19. Wang L, Liu A, Jajodia S (2006) Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Comput Commun 29(15):2917–2933

  20. Holsopple J, Yang SJ (2008) FuSIA: future situation and impact awareness. In: Proceedings of the 11th ISIF/IEEE international conference on information fusion. IEEE, New York

  21. Fava D, Byers S, Yang S (2008) Projecting cyberattacks through variable-length Markov models. IEEE Trans Inf Forensics Secur 3(3):359–369

  22. Du H, Liu D, Holsopple J, Yang S (2010) Toward ensemble characterization and projection of multistage cyber attacks. In: Proceedings of the 19th IEEE international conference on computer communications and networks (ICCCN’10). IEEE, New York, pp 1–8

  23. Soldo F, Le A, Markopoulou A (2011) Blacklisting recommendation system: using spatio-temporal patterns to predict future attacks. IEEE J Sel Areas Commun 29(7):1423–1437

  24. Wei S, Mirkovic J, Kissel E (2006) Profiling and clustering internet hosts. In: Proceedings of the 6th IEEE international conference on data mining (ICDM’06). IEEE, New York, pp 269–275

  25. Xu K, Zhang Z, Bhattacharyya S (2005) Profiling internet backbone traffic: behavior models and applications. ACM SIGCOMM Comput Commun Rev 35(4):69–180

  26. Gu G, Perdisci R, Zhang J, Lee W (2008) BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX security symposium. USENIX, Berkeley, CA, pp 139–154

  27. Soldo F, Le A, Markopoulou A (2010) Predictive blacklisting as an implicit recommendation system. In: Proceedings of IEEE INFOCOM’10. IEEE, New York, pp 1–9

  28. Xu K, Wang F, Gu L (2011) Network-aware behavior clustering of Internet end hosts. In: Proceedings of IEEE INFOCOM’11. IEEE, New York, pp 2078–2086

  29. Debar H, Dacier M (1999) Towards a taxonomy of intrusion-detection systems. Comput Netw 31(8):805–822

  30. Tsai C, Hsu Y, Lin C, Lin W (2009) Intrusion detection by machine learning: a review. Expert Syst Appl 36(10):11994–12000

  31. Wu S, Banzhaf W (2010) The use of computational intelligence in intrusion detection systems: a review. Appl Soft Comput 10(1):1–35

  32. Bass T (2000) Intrusion detection systems and multisensor data fusion. Commun ACM 43(4):99–105

  33. Sadoddin R, Ghorbani A (2006) Alert correlation survey: framework and techniques. In: Proceedings of the ACM international conference on privacy, security and trust. ACM, New York, pp 1–10

  34. Haines J, Ryder D, Tinnel L, Taylor S, Kewley Ryder D (2003) Validation of sensor alert correlators. IEEE Secur Priv 1(1):46–56

  35. Cuppens F (2001) Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th ACM annual computer security applications conference. ACM, New York, p 32

  36. Ning P, Cui Y (2002) Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM conference on computer and communications security, pp 245–254

  37. Iyer P, Reeves D et al (2004) Reasoning about complementary intrusion evidence. In: Proceedings of the 20th ACM annual computer security applications conference. ACM, New York, pp 39–48

  38. Qin X (2005) A probabilistic-based framework for INFOSEC alert correlation. PhD dissertation

  39. Sadoddin R, Ghorbani AA (2009) An incremental frequent structure mining framework for real-time alert correlation. Comput Secur 28(3–4):153–173

  40. Li JH, Levy R (2010) Using Bayesian networks for cyber security analysis. In: Proceedings of the 40th IEEE/IFIP international conference on dependable systems & networks (DSN’10), pp 211–220

  41. Li J, Ou X (2010) Uncertainty and risk management in cyber situational awareness. Adv Inf Secur 46:51–68

  42. Adomavicius G, Tuzhilin A (2005) Toward the next generation of recommender systems: a survey of the state-of-the-art and possible extensions. IEEE Trans Knowl Data Eng 17(6):734–749

  43. Hastie T, Tibshirani R et al (2001) The elements of statistical learning: data mining, inference and prediction. Springer, Berlin/New York

  44. Bell T, Cleary J, Witten I (1990) Text compression. Prentice-Hall, Englewood

  45. Du H, Yang S (2011) Discovering collaborative cyber attack patterns using social network analysis. In: Proceedings of social computing, behavioral-cultural modeling and prediction (SBP’10). Springer, Berlin/Heidelberg, pp 129–136

  46. Childers N, Vigna G et al (2010) Organizing large scale hacking competitions. In: Proceedings of detection of intrusions and malware, and vulnerability assessment (DIMVA’10), vol 6201. Springer, Berlin/Heidelberg, pp 132–152

  47. ICTF data set [Online]. Available: http://ictf.cs.ucsb.edu/data.php. Accessed Jan 2012

  48. Moore D, Shannon C, Voelker G, Savage S (2004) Network telescopes: technical report. Technical report

  49. Aben E et al The CAIDA UCSD network telescope two days in November 2008 dataset [Online]. Available: http://www.caida.org/data/passive/telescope-2days-2008_dataset.xml. Accessed Jan 2012

  50. Bonacich P (1987) Power and centrality: a family of measures. Am J Sociol 92:1170–1182

Corresponding author

Correspondence to Haitao Du.

Copyright information

© 2013 Springer Science+Business Media New York

About this chapter

Cite this chapter

Du, H., Yang, S.J. (2013). Temporal and Spatial Analyses for Large-Scale Cyber Attacks. In: Subrahmanian, V. (eds) Handbook of Computational Approaches to Counterterrorism. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5311-6_25


  • DOI: https://doi.org/10.1007/978-1-4614-5311-6_25

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-5310-9

  • Online ISBN: 978-1-4614-5311-6
