Using the knowledge-based temporal-abstraction (KBTA) method for detection of electronic threats

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Scopus citations

Abstract

One of the goals of terrorist organizations is to attack critical infrastructures such as power plants, telecommunication companies, etc. Since many critical infrastructures employ various Information and Communication Technologies (ICTs), such an attack may be carried out by using dedicated Electronic Threats (eThreats) such as worms, viruses, Trojans, and spyware. The goal of the attack is to interrupt the normal operation of the critical infrastructure in order to cause economic damage and social chaos. Current state-of-the-art technologies, such as antivirus and intrusion detection systems, are aimed at coping with known eThreats that were encountered before. However, terrorists may write dedicated eThreats that will not be identified by the existing tools. Thus, there is a need to develop generic technologies to identify eThreats based on their behavior, especially over time, and not only based on their unique signature. In many cases, identifying that the computer is infected may be sufficient to stop the attack. In this article, we propose a new approach for early detection of the presence of unknown eThreats, based on their behavior within the target computer. First, an agent extracts various time-stamped data, such as the number of active processes at each time point, from the target computer. Then, by using the Knowledge-Based Temporal Abstraction (KBTA) method, we integrate the continuously measured data (e.g., the number of running processes) and events (e.g., installation) with a security-domain temporal-abstraction knowledge base (i.e., a security ontology specialized for abstraction of meaningful patterns from time-oriented security data), to create higher-level time-oriented concepts and patterns, also known as temporal abstractions. Detected temporal abstractions and the data they are derived from can be explored by visual means, and assist security experts in detecting suspicious patterns compatible with a set of predefined classes of temporal patterns, each defined by a set of time and value constraints, previously specified by a security expert. The temporal abstractions can also be automatically monitored to detect new patterns that match the behavior of known classes of eThreat.

Original language: English
Title of host publication: 5th European Conference on Information Warfare and Security 2006, ECIW 2006
Pages: 215-224
State: Published - 1 Dec 2006
Event: 5th European Conference on Information Warfare and Security 2006, ECIW 2006 - Helsinki, Finland
Duration: 1 Jun 2006 to 2 Jun 2006

Publication series

Name: 5th European Conference on Information Warfare and Security 2006, ECIW 2006

Conference

Conference: 5th European Conference on Information Warfare and Security 2006, ECIW 2006
Country/Territory: Finland
City: Helsinki
Period: 1/06/06 to 2/06/06

Keywords

  • Electronic threats
  • Information warfare
  • Security
  • Temporal abstraction
