Using Contextual Information to Identify Cyber-Attacks
A recent trend is toward knowledge-based intrusion detection systems (IDSs). Knowledge-based IDSs store knowledge about cyber-attacks and possible vulnerabilities and use it to guide attack prediction. Since such an IDS holds information about these vulnerabilities, it can discover attempts to exploit them. One significant limitation of knowledge-based IDSs is the lack of contextual information in the detection process.
Contextual information is not only information about the configuration of the target systems and their vulnerabilities; it also covers any preconditions an attack requires to proceed successfully, and possible semantic relationships between the attackers' activities in terms of the time of these activities and the targeted locations.
To overcome these limitations, we need a novel contextual framework consisting of several attack prediction models that can be used in conjunction with IDSs to detect cyber-attacks.
We utilized extractable contextual elements from network data to create several knowledge-based, context-aware prediction models that are applied in conjunction with other intrusion detection techniques to assist in identifying known and unknown attacks.
The created prediction models are used for several tasks, including (1) expanding the predictions of other intrusion detection techniques using pre-identified contextual relationships between attacker activities, (2) filtering out nonrelevant predictions based on the situation of the hosts targeted by attacks, and (3) predicting the occurrence of unknown attacks. Our framework focuses on the significant dimensions in the data; thus, it can be used to detect cyber-attacks while keeping the computational overhead as low as possible.
Contextual Information Fusion in IDSs
Context has been utilized in different computing areas where it is vital to be aware of the current situation. Generally, the purpose of creating context-aware IDSs is to decrease the dependency on human experts who perform correlation between runtime activities to determine the current situation and react accordingly.

The contextual information used here falls into five aspects: location, time, activity, relations, and individuality. The activity aspect predominantly defines the relevance of context elements in specific situations, and it covers all tasks the entity may be involved in. Location and time primarily drive the creation of relations between activities that target that entity. The individuality aspect contains properties and attributes describing the entity itself. The relations aspect represents information about any possible relationship between activities that target the entity.
For an IDS to be aware of context, infusing these five context aspects into the intrusion detection process is essential.
First, location information gives the physical or virtual location of victims and attackers, and the IDS has to be aware of both. This is significant for identifying relationships between activities that target the system based on the source location of those activities.
Furthermore, semantic correlation with respect to source and target location is necessary to discover multi-step attacks.
Second, the IDS has to be aware of time information, which refers to the time of the events that target a particular entity. For instance, the occurrence of two activities within the same time interval indicates a possible relationship between them. Moreover, the current situation of an entity is also part of the time context.
The configuration of computer systems changes over time, and it is essential to capture these changes in order to identify the dynamic properties of the system at any given moment. For instance, when a specific workstation is updated to fix security vulnerabilities, the time of that update should be added to the workstation's profile. This makes it easier for an IDS to be aware of the current configuration of the target systems and of the relevance of activities based on their time of occurrence.
Third, activity information describes events that are applicable to the system. This category of contextual information is the major element in the intrusion detection process; it covers all events that occur while the system is running. The set of activities that target the system can lead to one or more cyber-attacks. In general, the activity aspect of context is needed to create event-based and/or situation-based prediction models to detect these cyber-attacks.
For event-based prediction models, the activity aspect of context needs to be profiled and used to predict future attacks based on their history of occurrence. For situation-based prediction models, activity features are needed to identify relationships between suspicious events in a specific situation.
Fourth, the relations category of contextual information is significant for identifying dependencies between multiple events. The relation aspect of context is derived from the other categories of contextual information, such as time, location, and activity. It is very important to capture contextual relationships and use them in attack prediction. For example, if two alerts are related in terms of time of occurrence, targeted locations, and the activities that led to them, that relation needs to be captured using a specific modeling approach (e.g., a graph with nodes and edges). In the intrusion detection process, contextual relationships make it possible to analyze situations rather than single events.
Fifth, the environmental characteristics of computing entities are captured through the individuality aspect of context. For instance, the current characteristics of computer systems, their applications, and the patches applied are significant for assessing the impact of in-progress activities on the targeted system. Some suspicious events are deemed nonrelevant when the system is already patched against them.
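The following Python script is an added example, not code from the original work, showing how the five context aspects above and the filtering and relation-building tasks from the introduction fit together. Host profiles carry the individuality aspect together with the time a patch was applied; alerts carry source and target location, time and an activity label; relations are modelled as a directed graph whose edges link alerts that fall within a time window and share a location (same source, or the earlier alert's target becoming the later alert's source). The alert data, host names and weakness labels (w-ftp, w-ssh, w-smb) are constructed for illustration and correspond to no real vulnerability identifiers.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class HostProfile:
    """Individuality aspect: what the host is, plus the time aspect of its
    configuration (when it was patched against a given weakness)."""
    name: str
    # hypothetical weakness label -> time the fix was applied
    patched: Dict[str, datetime] = field(default_factory=dict)

    def is_relevant(self, weakness: str, when: datetime) -> bool:
        """An alert is non-relevant if the host was already patched against
        the weakness before the alert fired."""
        patch_time = self.patched.get(weakness)
        return patch_time is None or when < patch_time


@dataclass
class Alert:
    """One IDS alert carrying the activity, location and time aspects."""
    aid: str
    time: datetime
    src: str          # location: attacker side
    dst: str          # location: victim side
    activity: str     # activity label (hypothetical vocabulary)
    weakness: Optional[str] = None   # hypothetical weakness label the activity exploits


def filter_by_situation(alerts: List[Alert], profiles: Dict[str, HostProfile]) -> List[Alert]:
    """Task (2): drop alerts against hosts already patched at the time of the alert.
    Hosts without a profile are kept, because nothing proves them non-relevant."""
    kept = []
    for a in alerts:
        prof = profiles.get(a.dst)
        if a.weakness and prof and not prof.is_relevant(a.weakness, a.time):
            continue
        kept.append(a)
    return kept


def relation_graph(alerts: List[Alert], window: timedelta) -> Dict[str, List[str]]:
    """Relations aspect as a directed graph: an edge a -> b exists when b fires
    within `window` after a and they share a location, either the same source
    or a's target acting as b's source (a foothold being reused)."""
    ordered = sorted(alerts, key=lambda a: a.time)
    edges: Dict[str, List[str]] = defaultdict(list)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.time - a.time > window:
                break          # later alerts are even further away in time
            if b.src == a.src or b.src == a.dst:
                edges[a.aid].append(b.aid)
    return dict(edges)


def attack_chains(edges: Dict[str, List[str]]) -> List[List[str]]:
    """Walk the graph from alerts that nothing precedes; every root-to-leaf path
    of two or more alerts is a candidate multi-step attack."""
    has_incoming = {b for succ in edges.values() for b in succ}
    chains: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        successors = edges.get(node, [])
        if not successors:
            if len(path) > 1:
                chains.append(path)
            return
        for nxt in successors:
            walk(nxt, path + [nxt])

    for root in edges:
        if root not in has_incoming:
            walk(root, [root])
    return chains


# Constructed sample data (not from any real network).
T0 = datetime(2024, 1, 1, 10, 0, 0)
PROFILES = {
    "ws-1": HostProfile("ws-1", patched={"w-ftp": T0 - timedelta(days=3)}),
    "srv-2": HostProfile("srv-2"),
}
ALERTS = [
    Alert("a1", T0, "10.0.0.9", "ws-1", "portscan"),
    Alert("a2", T0 + timedelta(minutes=2), "10.0.0.9", "ws-1", "exploit", "w-ftp"),
    Alert("a3", T0 + timedelta(minutes=5), "10.0.0.9", "srv-2", "exploit", "w-ssh"),
    Alert("a4", T0 + timedelta(minutes=7), "srv-2", "ws-3", "exploit", "w-smb"),
    Alert("a5", T0 + timedelta(hours=3), "10.0.0.9", "srv-2", "exploit", "w-ssh"),
]


def run_pipeline(alerts=ALERTS, profiles=PROFILES, window=timedelta(minutes=30)):
    """Filter by situation first, then correlate what remains into chains."""
    relevant = filter_by_situation(alerts, profiles)
    chains = attack_chains(relation_graph(relevant, window))
    return [a.aid for a in relevant], chains


if __name__ == "__main__":
    kept, chains = run_pipeline()
    print("relevant alerts:", kept)      # a2 dropped: ws-1 was patched against w-ftp
    print("candidate multi-step attacks:", chains)
```

On the constructed data, alert a2 is discarded because ws-1 was patched against w-ftp three days before it fired, and the remaining alerts correlate into one chain a1 -> a3 -> a4: a scan and an exploit from the same source, followed by an exploit launched from the freshly compromised srv-2. Alert a5 repeats the same exploit hours later and falls outside the window, so it starts no chain; whether such a late repetition should still be linked is a choice of window size the framework leaves to the deployment.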
Utilizing context is of utmost importance in improving the effectiveness of the intrusion detection process. As part of this work, we propose a substantial change in how these challenges are approached: we take advantage of these categories of contextual information to create a framework that intelligently assists intrusion detection techniques to predict related suspicious activities, identify their actual impact on the targeted system given the current situation, filter out threats that are nonrelevant in that situation, and detect modifications an attacker can make to a set of known activities in order to initiate unknown attacks. While the approach we devise would be classified as research in data mining, databases, statistics, and machine learning, our methodology significantly enhances these techniques by working on situations rather than single events, using relational databases, as evidenced by our recent research, which has shown encouraging results attributable to the use of context. We will use the following attack scenario to explain some of the motivations for utilizing contextual information in the intrusion detection process.