Using Behavioral Modeling and Customized Normalcy Profiles as Protection against Targeted Cyber-Attacks

  • Andrey Dolgikh
  • Tomas Nykodym
  • Victor Skormin
  • Zachary Birnbaum
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7531)


Targeted cyber-attacks present significant threat to modern computing systems. Modern industrial control systems (SCADA) or military networks are example of high value targets with potentially severe implications in case of successful attack. Anomaly detection can provide solution to targeted attacks as attack is likely to introduce some distortion to observable system activity. Most of the anomaly detection has been done on the level of sequences of system calls and is known to have problems with high false alarm rates. In this paper, we show that better results can be obtained by performing behavioral analysis on higher semantic level. We observe that many critical computer systems serve a specific purpose and are expected to run strictly limited sets of software. We model this behavior by creating customized normalcy profile of this system and evaluate how well does anomaly based detection work in this scenario.


Behavior Based IDS Automatic Signature Generation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Percoco, N., Ilyas, J.: Malware Freakshow 2010: White paper for Black Hat USA (2010) Google Scholar
  2. 2.
    Falliere, N., Murchu, L., Chien, E.: W32.Stuxnet Dossier: Symantec security response version 1.4 (2011) Google Scholar
  3. 3.
    Cook, D.J., Holder, L.B.: Graph-based data mining. IEEE Intelligent Systems and their Applications 15(2), 32–41 (2000)CrossRefGoogle Scholar
  4. 4.
    Inokuchi, A., Washio, T., Motoda, H.: An Apriori-Based Algorithm for Mining Frequent Substructures from Graph Data. In: Zighed, D.A., Komorowski, J., Żytkow, J.M. (eds.) PKDD 2000. LNCS (LNAI), vol. 1910, pp. 13–23. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Peshkin, L.: Structure induction by lossless graph compression. In: Data Compression Conference, DCC, pp. 53–62 (2007)Google Scholar
  6. 6.
    Hayashida, M., Akutsu, T.: Comparing Biological Networks via Graph Compression. In: Symposium on Optimization and Systems Biology (2009) Google Scholar
  7. 7.
    Choi, Y., Szpankowski, W.: Compression of Graphical Structures: Fundamental Limits, Algorithms, and Experiments. IEEE Transactions on Information Theory (2012) Google Scholar
  8. 8.
    Maruyama, S., Sakamoto, H., Takeda, M.: An Online Algorithm for Lightweight Grammar-Based Compression. Algorithms 5(2), 214–235 (2012)CrossRefGoogle Scholar
  9. 9.
    Offensive Computing, (accessed, November 2011)
  10. 10.
    Dolgikh, A., Nykodym, T., Skormin, V., Antonakos, J.: Colored Petri nets as the enabling technology in intrusion detection systems. In: Military Communications Conference, MILCOM 2011, pp. 1297–1301 (2011)Google Scholar
  11. 11.
    Chen, C., Lin, C.X., Fredrikson, M., Christodorescu, M., Yan, X.: Mining graph patterns efficiently via randomized summaries. In: Proceedings VLDB Endow, vol. 2(1), pp. 742–753 (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Andrey Dolgikh
    • 1
  • Tomas Nykodym
    • 1
  • Victor Skormin
    • 1
  • Zachary Birnbaum
    • 1
  1. 1.Binghamton UniversityBinghamtonUSA

Personalised recommendations