Predicting cyber security incidents using feature-based characterization of network-level malicious activities

Yang Liu; Jing Zhang; Armin Sarabi; Mingyan Liu; Manish Karir; Michael Bailey

doi:10.1145/2713579.2713582

Predicting cyber security incidents using feature-based characterization of network-level malicious activities

Yang Liu, Jing Zhang, Armin Sarabi, Mingyan Liu, Manish Karir, Michael Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

This study offers a first step toward understanding the extent to which we may be able to predict cyber security incidents (which can be of one of many types) by applying machine learning techniques and using externally observed malicious activities associated with network entities, including spamming, phishing, and scanning, each of which may or may not have direct bearing on a specific attack mechanism or incident type. Our hypothesis is that when viewed collectively, malicious activities originating from a network are indicative of the general cleanness of a network and how well it is run, and that furthermore, collectively they exhibit fairly stable and thus predictive behavior over time. To test this hypothesis, we utilize two datasets in this study: (1) a collection of commonly used IP address-based/host reputation blacklists (RBLs) collected over more than a year, and (2) a set of security incident reports collected over roughly the same period. Specifically, we first aggregate the RBL data at a prefix level and then introduce a set of features that capture the dynamics of this aggregated temporal process. A comparison between the distribution of these feature values taken from the incident dataset and from the general population of prefixes shows distinct differences, suggesting their value in distinguishing between the two while also highlighting the importance of capturing dynamic behavior (second order statistics) in the malicious activities. These features are then used to train a support vector machine (SVM) for prediction. Our preliminary results show that we can achieve reasonably good prediction performance over a forecasting window of a few months. Copyright is held by the owner/author(s).

Original language	English (US)
Title of host publication	IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015
Publisher	Association for Computing Machinery
Pages	3-9
Number of pages	7
ISBN (Electronic)	9781450333412
DOIs	https://doi.org/10.1145/2713579.2713582
State	Published - Mar 4 2015
Externally published	Yes
Event	2015 ACM International Workshop on Security and Privacy Analytics, IWSPA 2015 - San Antonio, United States Duration: Mar 4 2015 → …

Publication series

Name	IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015

Other

Other	2015 ACM International Workshop on Security and Privacy Analytics, IWSPA 2015
Country/Territory	United States
City	San Antonio
Period	3/4/15 → …

Keywords

Network reputation
Network security
Prediction
Temporal pattern
Time-series data

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems
Software
Computational Theory and Mathematics
Computer Science Applications

Online availability

10.1145/2713579.2713582

Library availability

Discover UIUC Full Text

Cite this

Liu, Y., Zhang, J., Sarabi, A., Liu, M., Karir, M., & Bailey, M. (2015). Predicting cyber security incidents using feature-based characterization of network-level malicious activities. In IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015 (pp. 3-9). (IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015). Association for Computing Machinery. https://doi.org/10.1145/2713579.2713582

Predicting cyber security incidents using feature-based characterization of network-level malicious activities. / Liu, Yang; Zhang, Jing; Sarabi, Armin et al.
IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015. Association for Computing Machinery, 2015. p. 3-9 (IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Liu, Y, Zhang, J, Sarabi, A, Liu, M, Karir, M & Bailey, M 2015, Predicting cyber security incidents using feature-based characterization of network-level malicious activities. in IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015. IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015, Association for Computing Machinery, pp. 3-9, 2015 ACM International Workshop on Security and Privacy Analytics, IWSPA 2015, San Antonio, United States, 3/4/15. https://doi.org/10.1145/2713579.2713582

Liu Y, Zhang J, Sarabi A, Liu M, Karir M, Bailey M. Predicting cyber security incidents using feature-based characterization of network-level malicious activities. In IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015. Association for Computing Machinery. 2015. p. 3-9. (IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015). doi: 10.1145/2713579.2713582

Liu, Yang ; Zhang, Jing ; Sarabi, Armin et al. / Predicting cyber security incidents using feature-based characterization of network-level malicious activities. IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015. Association for Computing Machinery, 2015. pp. 3-9 (IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015).

@inproceedings{355efa835a0d456f897108edca502ecb,

title = "Predicting cyber security incidents using feature-based characterization of network-level malicious activities",

abstract = "This study offers a first step toward understanding the extent to which we may be able to predict cyber security incidents (which can be of one of many types) by applying machine learning techniques and using externally observed malicious activities associated with network entities, including spamming, phishing, and scanning, each of which may or may not have direct bearing on a specific attack mechanism or incident type. Our hypothesis is that when viewed collectively, malicious activities originating from a network are indicative of the general cleanness of a network and how well it is run, and that furthermore, collectively they exhibit fairly stable and thus predictive behavior over time. To test this hypothesis, we utilize two datasets in this study: (1) a collection of commonly used IP address-based/host reputation blacklists (RBLs) collected over more than a year, and (2) a set of security incident reports collected over roughly the same period. Specifically, we first aggregate the RBL data at a prefix level and then introduce a set of features that capture the dynamics of this aggregated temporal process. A comparison between the distribution of these feature values taken from the incident dataset and from the general population of prefixes shows distinct differences, suggesting their value in distinguishing between the two while also highlighting the importance of capturing dynamic behavior (second order statistics) in the malicious activities. These features are then used to train a support vector machine (SVM) for prediction. Our preliminary results show that we can achieve reasonably good prediction performance over a forecasting window of a few months. Copyright is held by the owner/author(s).",

keywords = "Network reputation, Network security, Prediction, Temporal pattern, Time-series data",

author = "Yang Liu and Jing Zhang and Armin Sarabi and Mingyan Liu and Manish Karir and Michael Bailey",

year = "2015",

month = mar,

day = "4",

doi = "10.1145/2713579.2713582",

language = "English (US)",

series = "IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015",

publisher = "Association for Computing Machinery",

pages = "3--9",

booktitle = "IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015",

address = "United States",

note = "2015 ACM International Workshop on Security and Privacy Analytics, IWSPA 2015 ; Conference date: 04-03-2015",

}

TY - GEN

T1 - Predicting cyber security incidents using feature-based characterization of network-level malicious activities

AU - Liu, Yang

AU - Zhang, Jing

AU - Sarabi, Armin

AU - Liu, Mingyan

AU - Karir, Manish

AU - Bailey, Michael

PY - 2015/3/4

Y1 - 2015/3/4

N2 - This study offers a first step toward understanding the extent to which we may be able to predict cyber security incidents (which can be of one of many types) by applying machine learning techniques and using externally observed malicious activities associated with network entities, including spamming, phishing, and scanning, each of which may or may not have direct bearing on a specific attack mechanism or incident type. Our hypothesis is that when viewed collectively, malicious activities originating from a network are indicative of the general cleanness of a network and how well it is run, and that furthermore, collectively they exhibit fairly stable and thus predictive behavior over time. To test this hypothesis, we utilize two datasets in this study: (1) a collection of commonly used IP address-based/host reputation blacklists (RBLs) collected over more than a year, and (2) a set of security incident reports collected over roughly the same period. Specifically, we first aggregate the RBL data at a prefix level and then introduce a set of features that capture the dynamics of this aggregated temporal process. A comparison between the distribution of these feature values taken from the incident dataset and from the general population of prefixes shows distinct differences, suggesting their value in distinguishing between the two while also highlighting the importance of capturing dynamic behavior (second order statistics) in the malicious activities. These features are then used to train a support vector machine (SVM) for prediction. Our preliminary results show that we can achieve reasonably good prediction performance over a forecasting window of a few months. Copyright is held by the owner/author(s).

AB - This study offers a first step toward understanding the extent to which we may be able to predict cyber security incidents (which can be of one of many types) by applying machine learning techniques and using externally observed malicious activities associated with network entities, including spamming, phishing, and scanning, each of which may or may not have direct bearing on a specific attack mechanism or incident type. Our hypothesis is that when viewed collectively, malicious activities originating from a network are indicative of the general cleanness of a network and how well it is run, and that furthermore, collectively they exhibit fairly stable and thus predictive behavior over time. To test this hypothesis, we utilize two datasets in this study: (1) a collection of commonly used IP address-based/host reputation blacklists (RBLs) collected over more than a year, and (2) a set of security incident reports collected over roughly the same period. Specifically, we first aggregate the RBL data at a prefix level and then introduce a set of features that capture the dynamics of this aggregated temporal process. A comparison between the distribution of these feature values taken from the incident dataset and from the general population of prefixes shows distinct differences, suggesting their value in distinguishing between the two while also highlighting the importance of capturing dynamic behavior (second order statistics) in the malicious activities. These features are then used to train a support vector machine (SVM) for prediction. Our preliminary results show that we can achieve reasonably good prediction performance over a forecasting window of a few months. Copyright is held by the owner/author(s).

KW - Network reputation

KW - Network security

KW - Prediction

KW - Temporal pattern

KW - Time-series data

UR - http://www.scopus.com/inward/record.url?scp=84928342173&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84928342173&partnerID=8YFLogxK

U2 - 10.1145/2713579.2713582

DO - 10.1145/2713579.2713582

M3 - Conference contribution

AN - SCOPUS:84928342173

T3 - IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015

SP - 3

EP - 9

BT - IWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015

PB - Association for Computing Machinery

T2 - 2015 ACM International Workshop on Security and Privacy Analytics, IWSPA 2015

Y2 - 4 March 2015

ER -

Predicting cyber security incidents using feature-based characterization of network-level malicious activities

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this