TY - JOUR
T1 - Using the KBTA method for inferring computer and network security alerts from time-stamped, raw system metrics
AU - Shabtai, Asaf
AU - Fledel, Yuval
AU - Elovici, Yuval
AU - Shahar, Yuval
N1 - Funding Information:
This research is supported by Deutsche Telecom
N1 - Once an alert has been issued, it is necessary to drill down and explore the data in order to pinpoint the root cause of the alert and to trace the source of the attack for forensic purposes. The exploration task is supported by the Visual Exploration Tool and the Query Module [29].
PY - 2010/1/1
Y1 - 2010/1/1
N2 - In this study, we propose a new approach for detecting previously unencountered instances of known classes of malicious software based on their temporal behavior. In the proposed approach, time-stamped security data are continuously monitored within the target computer system or network and then processed by the knowledge-based temporal abstraction (KBTA) methodology. Using KBTA, continuously measured data (e.g., the number of running processes) and events (e.g., installation of software) are integrated with a security-domain, temporal-abstraction knowledge base (i.e., a security ontology for abstracting meaningful patterns from raw, time-oriented security data) to create higher-level, time-oriented concepts and patterns, also known as temporal abstractions. Automatically generated temporal abstractions can be monitored to detect suspicious temporal patterns. These patterns are matched against a set of predefined classes of malware, defined by a security expert using a set of time and value constraints. The new approach was applied to detecting worm-related malware using two different ontologies. Evaluation results demonstrated the effectiveness of the new approach. The approach can be used for detecting other types of malware by updating the security ontology with new definitions of temporal patterns.
KW - Computer and network security
KW - Host-based intrusion detection systems
KW - Intelligent visualization
KW - Knowledge-based systems
KW - Temporal-abstraction
UR - http://www.scopus.com/inward/record.url?scp=77955174334&partnerID=8YFLogxK
U2 - 10.1007/s11416-009-0125-5
DO - 10.1007/s11416-009-0125-5
M3 - Article
AN - SCOPUS:77955174334
SN - 1772-9890
VL - 6
SP - 239
EP - 259
JO - Journal in Computer Virology
JF - Journal in Computer Virology
IS - 3
ER -