Using the KBTA method for inferring computer and network security alerts from time-stamped, raw system metrics

Research output: Contribution to journalArticlepeer-review

14 Scopus citations

Abstract

In this study, we propose a new approach for detecting previously unencountered instances of known classes of malicious software based on their temporal behavior. In the proposed approach, time-stamped security data are continuously monitored within the target computer system or network and then processed by the knowledge-based temporal abstraction (KBTA) methodology. Using KBTA, continuously measured data (e. g., the number of running processes) and events (e. g., installation of a software) are integrated with a security-domain, temporal-abstraction knowledge-base (i. e., a security ontology for abstracting meaningful patterns from raw, time-oriented security data), to create higher-level, time-oriented concepts and patterns, also known as temporal abstractions. Automatically-generated temporal abstractions can be monitored to detect suspicious temporal patterns. These patterns are compatible with a set of predefined classes of malware as defined by a security expert employing a set of time and value constraints. The new approach was applied for detecting worm-related malware using two different ontologies. Evaluation results demonstrated the effectiveness of the new approach. The approach can be used for detecting other types of malware by updating the security ontology with new definitions of temporal patterns.

Original languageEnglish
Pages (from-to)239-259
Number of pages21
JournalJournal in Computer Virology
Volume6
Issue number3
DOIs
StatePublished - 1 Jan 2010

Keywords

  • Computer and network security
  • Host-based intrusion detection systems
  • Intelligent visualization
  • Knowledge-based systems
  • Temporal-abstraction

ASJC Scopus subject areas

  • Computer Science (miscellaneous)
  • Hardware and Architecture

Fingerprint

Dive into the research topics of 'Using the KBTA method for inferring computer and network security alerts from time-stamped, raw system metrics'. Together they form a unique fingerprint.

Cite this