Abstract
Prevalent computing devices with networking capabilities have become critical cyber infrastructure for government, industry, academia and everyday life. As their value rises, the motivation driving cyber attacks on this infrastructure has shifted from the pursuit of notoriety to the pursuit of profit [1, 2] or political gain, leading to cyber terrorism on various scales. Cyber terrorism has had its share of case studies and definitions since the late 1990s and early 2000s [3–5]. A common denominator of the definitions of cyber terrorism is the threat posed through the use of cyber infrastructure, especially the Internet. Stuxnet, a malware discovered in June 2010 that was a directed attack against the Iranian nuclear program [6], represented a milestone in cyber warfare and posed a new challenge to analyzing and understanding cyber attacks because of the complexity of its attack strategy. While cyber terrorism can have many elements beyond the exploitation of cyber vulnerabilities, this chapter focuses on analyzing techniques that process observables of malicious activities in cyberspace.
Notes
1. In general, it is hard to infer anything about the attacker(s), because the basic unit of most observables is the host (e.g., an IP address), not the person.
2. We also noticed that there are missing steps between Alerts #12 and #13. Vulnerability attempts are conducted against 10.14.1.17, but no alert indicates that the target has been probed and discovered. This is because Snort alerts are only one type of observed evidence, and they may not be comprehensive, since current IDSs cannot perform perfect detection.
3.
4. In the real-world data set, there is no ground truth indicating how attack sources are coordinated. We collect evidence to support our assumption. In these two examples, the inter-arrival time and the geographical information are consistent with the assumption of leader and zombie hosts.
5. The spatial pattern example is extracted from the UCSD data set, in which an alert can be triggered by chance, for example by misconfiguration. In the hacking competition data, we do not have such a case.
6. Conspirator to be a Heavy Attacking Conspirator, if it has at least one HAT
7. For anonymity reasons, in this chapter the first byte of each IP address from the real-world data is masked with 0.
References
Fossl M et al (2010) Symantec internet security threat report for 2010. Technical Report
Zhou C, Leckie C, Karunasekera S (2010) A survey of coordinated attacks and collaborative intrusion detection. Comput Secur 29(1):124–140
Denning DE (2000) Cyberterrorism: testimony before the special oversight panel on terrorism committee on armed services US house of representatives. Nova Science Pub. Inc, New York
Flemming P, Stohl M (2001) Myths and realities of cyberterrorism. In: Proceedings of the international conference on countering terrorism through enhanced international cooperation. ISPAC, pp 70–108
Gordon S, Ford R (2002) Cyberterrorism? Comput Secur 21(7):636–647
Langner R (2011) Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur Priv 9(3):49–51
Roesch M et al (1999) Snort: lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX conference on system administration. USENIX, Berkeley, CA, pp 229–238
Fuchsberger A (2005) Intrusion detection systems and intrusion prevention systems. Inf Secur Tech Rep 10(3):134–139
Valdes A, Skinner K (2001) Probabilistic alert correlation. In: Proceedings of the international symposium of the recent advances in intrusion detection (RAID’01). Springer, Berlin, pp 54–68
Dain O, Cunningham RK (2001) Fusing a heterogeneous alert stream into scenarios. In: Proceedings of ACM workshop on data mining and security ACM, New York
Debar H, Wespi A (2001) Aggregation and correlation of intrusion-detection alerts. In: Proceedings of the international symposium of the recent advances in intrusion detection (RAID’01). Springer, Berlin, pp 85–103
Cuppens F, Miège A (2002) Alert correlation in a cooperative intrusion detection framework. In: Proceedings of IEEE symposium on security and privacy: IEEE, New York, pp 202–215
Cheung S, Lindqvist U, Fong MW (2003) Modeling multistep cyber attacks for scenario recognition. In: Proceedings of DARPA information survivability conference and exposition, IEEE, New York, vol 1. pp 284–292
Valeur F, Vigna G, Kruegel C, Kemmerer R (2004) A comprehensive approach to intrusion detection alert correlation. IEEE Trans Dependable Secur Comput 1(3):46–169
Ning P, Xu D, Healey CG, Amant RS (2004) Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of the 11th annual network and distributed system security symposium (NDSS’04). pp 97–111
Arnes A, Valeur F, Kemmerer R (2006) Using hidden markov models to evaluate the risk of intrusions. In: Proceedings of the international symposium of the recent advances in intrusion detection (RAID’06), Hamburg, Germany, Springer, Berlin
Stotz A, Sudit M (2007) INformation fusion engine for real-time decision-making (INFERD): a perceptual system for cyber attack tracking. In: Proceedings of 10th IEEE international conference on information fusion, IEEE, New York
Qin X, Lee W (2004) Attack plan recognition and prediction using causal networks. In: Proceedings of the 20th ACM annual computer security applications conference. ACM, New York, pp 370–379
Wang L, Liu A, Jajodia S (2006) Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Comput Commun 29(15):2917–2933
Holsopple J, Yang SJ (2008) FuSIA: future situation and impact awareness. In: Proceedings of the 11th ISIF/IEEE international conference on information fusion, IEEE, New York
Fava D, Byers S, Yang S (2008) Projecting cyberattacks through variable-length markov models. IEEE Trans Inf Forensics Secur 3(3):359–369
Du H, Liu D, Holsopple J, Yang S (2010) Toward ensemble characterization and projection of multistage cyber attacks. In: Proceedings of the 19th IEEE international conference on computer communications and networks (ICCCN’10). IEEE, New York, pp 1–8
Soldo F, Le A, Markopoulou A (2011) Blacklisting recommendation system: using spatio-temporal patterns to predict future attacks. IEEE J Sel Areas Commun 29(7):1423–1437
Wei S, Mirkovic J, Kissel E (2006) Profiling and clustering internet hosts. In: Proceedings of the 6th IEEE international conference on data mining (ICDM’06). IEEE, New York, pp 269–275
Xu K, Zhang Z, Bhattacharyya S (2005) Profiling internet backbone traffic: behavior models and applications. ACM SIGCOMM Comput Commun Rev 35(4):69–180
Gu G, Perdisci R, Zhang J, Lee W (2008) BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX security symposium. USENIX, Berkeley, CA, pp 139–154
Soldo F, Le A, Markopoulou A (2010) Predictive blacklisting as an implicit recommendation system. In: Proceedings of IEEE INFOCOM’10. IEEE, New York, pp 1–9
Xu K, Wang F, Gu L (2011) Network-aware behavior clustering of Internet end hosts. In: Proceedings of IEEE INFOCOM’11. IEEE, New York, pp 2078–2086
Debar H, Dacier M (1999) Towards a taxonomy of intrusion-detection systems. Comput Netw 31(8):805–822
Tsai C, Hsu Y, Lin C, Lin W (2009) Intrusion detection by machine learning: a review. Expert Syst Appl 36(10):11994–12000
Wu S, Banzhaf W (2010) The use of computational intelligence in intrusion detection systems: a review. Appl Soft Comput 10(1):1–35
Bass T (2000) Intrusion detection systems and multisensor data fusion. Commun ACM 43(4):99–105
Sadoddin R, Ghorbani A (2006) Alert correlation survey: framework and techniques. In: Proceedings of the ACM international conference on privacy, security and trust. ACM, New York, pp 1–10
Haines J, Ryder D, Tinnel L, Taylor S, Kewley Ryder D (2003) Validation of sensor alert correlators. IEEE Secur Priv 1(1):46–56
Cuppens F (2001) Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th ACM annual computer security applications conference. ACM, New York, 32
Ning P, Cui Y (2002) Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM conference on computer and communications security. pp 245–254
Iyer P, Reeves D et al (2004) Reasoning about complementary intrusion evidence. In: Proceedings of the 20th ACM annual computer security applications conference. ACM, New York, pp 39–48
Qin X (2005) A probabilistic-based framework for INFOSEC alert correlation. Ph.D. dissertation
Sadoddin R, Ghorbani AA (2009) An incremental frequent structure mining framework for real-time alert correlation. Comput Secur 28(3–4):153–173
Li JH, Levy R (2010) Using Bayesian networks for cyber security analysis. In: Proceedings of the 40th IEEE/IFIP international conference on dependable systems & networks (DSN’10). pp 211–220
Li J, Ou X (2010) Uncertainty and risk management in cyber situational awareness. Adv Inf Secur 46:51–68
Adomavicius G, Tuzhilin A (2005) Toward the next generation of recommender systems: a survey of the state-of-the-art and possible extensions. IEEE Trans Knowl Data Eng 17(6): 734–749
Hastie T, Tibshirani R et al (2001) The elements of statistical learning: data mining, inference and prediction. Springer, Berlin/New York
Bell T, Cleary J, Witten I (1990) Text compression. Prentice-Hall, Englewood
Du H, Yang S (2011) Discovering collaborative cyber attack patterns using social network analysis. In: Proceedings of social computing, behavioral-cultural modeling and prediction (SBP’10). Springer, Berlin/Heidelberg, pp 129–136
Childers N, Vigna G et al (2010) Organizing large scale hacking competitions. In: Proceedings of detection of intrusions and malware, and vulnerability assessment (DIMVA’10), vol 6201. Springer, Berlin/Heidelberg, pp 132–152
ICTF Data set [Online]. Available: http://ictf.cs.ucsb.edu/data.php. Accessed Jan 2012
Moore D, Shannon C, Voelker G, Savage S (2004) Network telescopes: technical report. Technical Report
Aben E et al The CAIDA UCSD network telescope two days in November 2008 dataset [Online]. Available: http://www.caida.org/data/passive/telescope-2days-2008_dataset.xml. Accessed Jan 2012
Bonacich P (1987) Power and centrality: a family of measures. Am J Sociol 92:1170–1182
Copyright information
© 2013 Springer Science+Business Media New York
Cite this chapter
Du, H., Yang, S.J. (2013). Temporal and Spatial Analyses for Large-Scale Cyber Attacks. In: Subrahmanian, V. (eds) Handbook of Computational Approaches to Counterterrorism. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5311-6_25
DOI: https://doi.org/10.1007/978-1-4614-5311-6_25
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-5310-9
Online ISBN: 978-1-4614-5311-6
eBook Packages: Computer Science (R0)