TY - GEN
T1 - Preemptive intrusion detection
T2 - Symposium and Bootcamp on the Science of Security, HotSoS 2015
AU - Cao, Phuong
AU - Badger, Eric
AU - Kalbarczyk, Zbigniew
AU - Iyer, Ravishankar
AU - Slagell, Adam
N1 - Funding Information:
We would like to acknowledge the NCSA security team for providing incident data and ground truth; DEPEND group members, Dr. Charles Kamhoua, Dr. Shuo Chen, and anonymous reviewers for providing valuable feedback; and Ms. Jenny Applequist for proofreading. This work was supported in part by the National Science Foundation under Grant No. CNS 10-185303 CISE, by the Army Research Office under Award No. W911NF-12-1-0086, by the National Security Agency under Award No. H98230-14-C-0141, by the Air Force Research Laboratory, and by the Air Force Office of Scientific Research under agreement No. FA8750-11-20084. The opinions, findings, and conclusions stated herein are those of the authors and do not necessarily reflect those of the sponsors.
Publisher Copyright:
Copyright 2015 ACM.
PY - 2015/4/21
Y1 - 2015/4/21
N2 - This paper presents a Factor Graph based framework called AttackTagger for highly accurate and preemptive detection of attacks, i.e., before the system misuse. We use security logs on real incidents that occurred over a six-year period at the National Center for Supercomputing Applications (NCSA) to evaluate AttackTagger. Our data consist of security incidents that led to compromise of the target system, i.e., the attacks in the incidents were only identified after the fact by security analysts. AttackTagger detected 74 percent of attacks, and the majority of them were detected before the system misuse. Finally, AttackTagger uncovered six hidden attacks that were not detected by intrusion detection systems during the incidents or by security analysts in post-incident forensic analysis.
AB - This paper presents a Factor Graph based framework called AttackTagger for highly accurate and preemptive detection of attacks, i.e., before the system misuse. We use security logs on real incidents that occurred over a six-year period at the National Center for Supercomputing Applications (NCSA) to evaluate AttackTagger. Our data consist of security incidents that led to compromise of the target system, i.e., the attacks in the incidents were only identified after the fact by security analysts. AttackTagger detected 74 percent of attacks, and the majority of them were detected before the system misuse. Finally, AttackTagger uncovered six hidden attacks that were not detected by intrusion detection systems during the incidents or by security analysts in post-incident forensic analysis.
UR - http://www.scopus.com/inward/record.url?scp=84986583856&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84986583856&partnerID=8YFLogxK
U2 - 10.1145/2746194.2746199
DO - 10.1145/2746194.2746199
M3 - Conference contribution
AN - SCOPUS:84986583856
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015
PB - Association for Computing Machinery
Y2 - 21 April 2015 through 22 April 2015
ER -