Protection of computer and network systems
2.2 CYBER ATTACK DETECTION
As long as a computer and network system allows access to the system even in limited ways, determined and organized attackers with sophisticated skills and plentiful resources (e.g., organization-sponsored attackers) can break into the system through the limited access due to many known and unknown system vulnerabilities. In reality, a computer and network system usually includes software which is released by commercial software vendors without being fully tested and evaluated as free from security holes. Areas of software vulnerabilities are usually discovered and made known only after security incidents occur and expose the exploited vulnerabilities.
Detection provides another layer of protection against security threats by monitoring system data, detecting security-related events, and analyzing security incidents to trace their origin and path, assess their impact, and predict their development. The following sections define data, events and incidents, and outline the detection methodologies which are described in detail in Parts III–VII.
2.2.1 Data, events and incidents
There are two kinds of data to capture activities, state changes and performance changes on computers and networks: network data and host computer data [11]. Currently, network data comes from either raw data packets or tools which provide network traffic statistics, network performance information [12], etc. Host data reflects activities, state changes and performance changes on a host computer. There are facilities and tools to collect data from various computer and network platforms, such as Windows, Linux, and UNIX-based operating systems. Table 2.3 gives some examples of network and host data which can be collected using a Windows operating system.
Different auditing/logging facilities and tools provide different kinds of system data. For example, system log data from Windows captures auditable events generated by given system programs (e.g., login, logout and privileged programs for network services). Information recorded for each auditable event may reveal, for example:
- time of the event;
- type of the event;
- user generating the event;
- process requesting the event;
- object accessed in the event;
- return status of the event.
Windows performance objects collect activity, state and performance data related to many computer objects, such as Cache, Memory, Network Interface, System, etc. An example of activity variables is Network Interface\Packets/sec which records the number of packets sent and received through the network interface card. An example of state variables is Memory\Available Bytes which measures the amount of memory space available. An example of performance variables is Process(_Total)\Page Faults/sec. A page fault occurs when a thread refers to a virtual memory page that is not in its working set in main memory.
Certain applications, e.g., the web application, come with their own logging facilities. Log data provided by a web application may record information such as the source IP address of the user accessing a web site, user ID, session ID, time of the web request, web file requested, number of bytes returned for the request, etc.

Table 2.3 Network and host data from a Windows operating system

Data collected                                    Facility or tool used
Logs of system, security and application events   Windows event viewer
Performance logs                                  Performance objects
Registry logs                                     Regmon
Part III of this book gives a detailed description of computer and network data, especially data features and characteristics of attack norm and normal use data [13], which are useful in attack detection. Specifically, Chapter 7 describes the Windows performance objects collected under 11 attack conditions and two normal use conditions of text editing and web browsing. Chapter 8 focuses on a descriptive statistic feature, the mean feature, as well as attack and norm data characteristics which manifest in the mean feature of computer and network data. Chapter 9 describes another statistical feature, probability distribution, which also reveals attack and norm data characteristics. Chapter 10 discusses how a time-series data feature, autocorrelation, is used to discover attack and norm data characteristics. Chapter 11 presents attack and norm data characteristics that are discovered using the time-frequency wavelet feature of computer and network data.
Security events, which are detected while monitoring computer and network data, are associated with special phenomena produced in a security incident of a threat attacking system assets by exploiting system vulnerabilities. The definition of security events varies with different methodologies of attack detection. For example, a signature recognition methodology of attack detection [14–16] defines a match of observed data with a known attack signature as a security event. An anomaly detection methodology of attack detection [14–16] considers a large deviation from a normal use profile as a security event. Parts IV–VI describe in detail security events which are detected in various methodologies of attack detection.
Since a security incident has a series of events along its cause–effect chain, analyzing security incidents involves linking and correlating detected events in a security incident, producing an accurate picture of the incident’s cause–effect chain with the origin, path and impact information, and predicting the incident’s development. That is, a security incident is defined as a cause–effect chain of events produced by a threat attacking certain system assets through exploiting certain system vulnerabilities. Part VII describes security incident assessment.
2.2.2 Detection
There are three means of attack event detection: signature recognition, anomaly detection, and attack norm separation. Signature recognition uses signature patterns of attack data (e.g., three consecutive login failures), which are either manually captured by human analysts or automatically discovered by mining attack and norm data in contrast, to look for matches in observed computer and network data. A match with an attack signature results in the detection of an attack event. Hence, signature recognition relies on the model of attack data to perform attack detection. Most existing commercial Intrusion Detection Systems (IDS) [17] employ the methodology of signature recognition. Part IV gives two techniques for representing and recognizing attack signatures, data clusters [18–21] in Chapter 12 and Artificial Neural Networks (ANN) in Chapter 13.
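The following is an added example, not code from the book, showing signature recognition on host log records of the kind described in Section 2.2.1. The records carry the six audit fields listed there (time, type, user, process, object, return status) in a constructed pipe-delimited layout that is an assumption of this example, not the Windows event log format; the signature applied is the "three consecutive login failures" pattern mentioned above, counted per user.

```python
"""Signature recognition over host log records (added example, not the book's code).

The record layout below (time|type|user|process|object|status) and every value in
SAMPLE_LOG are constructed for this example.
"""
from typing import Dict, List, Tuple

# Constructed sample log, one auditable event per line.
SAMPLE_LOG = """\
2024-05-01T08:00:01|login|alice|winlogon.exe|session|FAILURE
2024-05-01T08:00:05|login|alice|winlogon.exe|session|FAILURE
2024-05-01T08:00:09|login|alice|winlogon.exe|session|SUCCESS
2024-05-01T08:01:00|login|bob|winlogon.exe|session|FAILURE
2024-05-01T08:01:03|login|bob|winlogon.exe|session|FAILURE
2024-05-01T08:01:06|login|bob|winlogon.exe|session|FAILURE
2024-05-01T08:01:09|login|bob|winlogon.exe|session|FAILURE
2024-05-01T08:02:00|logout|alice|winlogon.exe|session|SUCCESS
"""

# The six fields an auditable event records (Section 2.2.1).
FIELDS = ("time", "type", "user", "process", "object", "status")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a record keyed by the six audit fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def match_consecutive_failures(records: List[Dict[str, str]],
                               n: int = 3) -> List[Tuple[str, str]]:
    """Attack signature: n consecutive failed logins by the same user.

    Only 'login' events count towards a run; a successful login ends it.
    One match is reported per run, at the time of the n-th failure.
    """
    run_length: Dict[str, int] = {}
    matches: List[Tuple[str, str]] = []
    for rec in records:
        if rec["type"] != "login":
            continue
        user = rec["user"]
        if rec["status"] == "FAILURE":
            run_length[user] = run_length.get(user, 0) + 1
            if run_length[user] == n:
                matches.append((user, rec["time"]))
        else:
            run_length[user] = 0
    return matches


if __name__ == "__main__":
    for user, when in match_consecutive_failures(parse_log(SAMPLE_LOG)):
        print(f"signature match: {user} at {when}")
```

Because the signature is a model of attack data only, a failed-login run that an attacker spreads across several user names, or interleaves with successes, is not matched; that limitation is what motivates the anomaly detection and attack norm separation methods described next.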
Anomaly detection first defines the profile of normal use behavior (norm profile) for a computer or network subject of interest, and raises the suspicion of an ongoing attack if it detects a large deviation of the observed data from the norm profile. Hence, anomaly detection relies on the model of normal use data to perform attack detection. Part V describes statistical anomaly detection techniques [22–29] in Chapter 14 and Markov chain techniques for anomaly detection [30–31] in Chapter 15.
Unlike signature recognition and anomaly detection, attack norm separation [13, 32, 33] relies on both an attack model and a normal use data model to detect and identify an attack which often occurs at the same time when there are also ongoing normal use activities. The occurrence of an attack during ongoing normal use activities produces the observed data that contains the mixed data effects of the attack and normal use activities. Considering that the observed computer and network data is the mixed attack and norm data, attack norm separation first uses the normal use data model to cancel the effect of normal use activities from the mixed attack and norm data and then uses the attack data model to detect and identify the presence of the attack in the residual data after canceling the effect of the normal use data. Chapters 16 and 17 present cuscore detection models [34] that use developed mathematical or statistical models of attack and normal use data to perform attack norm separation.
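The following added example (not the book's code) contrasts the anomaly detection and attack norm separation methods of the two preceding paragraphs on one constructed series of Network Interface\Packets/sec samples. The norm profile is the mean and standard deviation of normal-use samples; anomaly detection flags any sample more than three standard deviations from the mean; attack norm separation first cancels the normal-use model from the observed data, leaving a residual, and then applies a simplified one-sided cuscore statistic for an attack modelled as a mean shift of +delta. The 3-sigma rule, the mean-shift attack model, the values of delta and the alarm threshold h, and all sample values are assumptions of this example, not the models developed in Chapters 14, 16 and 17.

```python
"""Anomaly detection versus attack norm separation on a performance counter.

Added example, not the book's code. All sample values are constructed; the
3-sigma rule and the one-sided cuscore statistic for a mean-shift attack model
are simplified stand-ins for the book's statistical and cuscore models.
"""
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed normal-use samples (e.g. text editing), used to build the norm profile.
NORMAL_USE = [100, 104, 98, 102, 96, 101, 99, 103, 97, 100]

# Constructed observed samples: normal use continues throughout, and from
# index 5 on an attack adds roughly +5 packets/sec on top of it (mixed data).
OBSERVED = [101, 97, 103, 99, 100, 105, 107, 103, 106, 104, 108, 105]


def build_norm_profile(samples: List[float]) -> Tuple[float, float]:
    """Norm profile as (mean, standard deviation) of normal-use data."""
    return mean(samples), pstdev(samples)


def anomaly_detect(observed: List[float], mu: float, sigma: float,
                   k: float = 3.0) -> List[int]:
    """Flag each sample that deviates from the norm profile by more than k sigma."""
    return [i for i, x in enumerate(observed) if abs(x - mu) > k * sigma]


def cancel_normal_use(observed: List[float], mu: float) -> List[float]:
    """Residual data after cancelling the normal-use model (here: its mean)."""
    return [x - mu for x in observed]


def attack_norm_separation(observed: List[float], mu: float,
                           delta: float, h: float) -> List[int]:
    """Cuscore-style detection of an attack modelled as a mean shift of +delta.

    The norm model is cancelled first; the attack model then drives a one-sided
    cumulative score over the residuals, which alarms whenever it exceeds h.
    """
    alarms: List[int] = []
    score = 0.0
    for i, r in enumerate(cancel_normal_use(observed, mu)):
        # Evidence for the +delta shift accumulates while r exceeds delta/2;
        # the score is clamped at zero so normal-use noise does not drive it negative.
        score = max(0.0, score + (r - delta / 2))
        if score > h:
            alarms.append(i)
    return alarms


if __name__ == "__main__":
    mu, sigma = build_norm_profile(NORMAL_USE)
    print("norm profile: mean=%.1f sigma=%.2f" % (mu, sigma))
    print("anomaly detection flags:", anomaly_detect(OBSERVED, mu, sigma))
    print("attack norm separation alarms:",
          attack_norm_separation(OBSERVED, mu, delta=5.0, h=6.0))
```

On this series the per-sample 3-sigma test flags only index 10, because the attack's contribution is small relative to normal-use variation, whereas the cuscore statistic, which accumulates the residual against the attack model, first alarms at index 6 and stays in alarm thereafter. That difference is the point of attack norm separation: it exploits both the norm model and the attack model rather than relying on one of them.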
2.2.3 Assessment
Attack assessment analyzes a security incident by linking and correlating the detected events of a security incident in the cause–effect chain to reveal the origin, path, impact and future development of the security incident. Existing solutions of attack assessment [35, 36] rely mainly on prior knowledge of known threats. An event may manifest in several data features and thus produce several detection outcomes from different techniques monitoring different features of the same data stream. An event may be involved in more than one attack. Hence, event optimization is necessary to determine the optimized set of events which correspond to the smallest number of events with the largest coverage of various attacks. Part VII addresses these issues of attack assessment. Chapter 18 describes an Integer Programming method of determining the optimized set of events or attack data characteristics to uniquely identify individual attacks. Chapter 18 also presents the attack profiling method [37] to spatially and temporally correlate events of a security incident in the cause–effect chain.
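The following is an added example, not the book's code, of the event optimization problem stated above: given which events (attack data characteristics) each attack produces, find the smallest set of events that covers every attack and still identifies each attack uniquely. The book solves this with Integer Programming (Chapter 18); this stand-in solves a constructed instance by exhaustive search over subsets, which is only practical for small catalogues. The attack and event names are placeholders, and the catalogue is constructed for this example.

```python
"""Smallest event set that covers and uniquely identifies a set of attacks.

Added example, not the book's code. Exhaustive search stands in for the
Integer Programming formulation; the catalogue below is constructed.
"""
from itertools import combinations
from typing import Dict, Optional, Set, Tuple

# Constructed catalogue: the events each (placeholder) attack produces.
# Note that an event may be involved in more than one attack.
ATTACK_EVENTS: Dict[str, Set[str]] = {
    "attack_1": {"e1", "e2", "e5"},
    "attack_2": {"e1", "e3"},
    "attack_3": {"e2", "e3"},
    "attack_4": {"e4", "e5"},
}


def signature(attack: str, chosen: Tuple[str, ...],
              catalogue: Dict[str, Set[str]] = ATTACK_EVENTS) -> Tuple[int, ...]:
    """Binary vector: which of the chosen events this attack produces."""
    return tuple(int(e in catalogue[attack]) for e in chosen)


def is_valid(chosen: Tuple[str, ...],
             catalogue: Dict[str, Set[str]] = ATTACK_EVENTS) -> bool:
    """Coverage: every attack produces at least one chosen event.
    Uniqueness: no two attacks share the same vector over the chosen events."""
    vectors = [signature(a, chosen, catalogue) for a in catalogue]
    covered = all(any(v) for v in vectors)
    unique = len(set(vectors)) == len(vectors)
    return covered and unique


def optimize_event_set(catalogue: Dict[str, Set[str]] = ATTACK_EVENTS
                       ) -> Optional[Tuple[str, ...]]:
    """Smallest valid event subset, searching subset sizes in increasing order.

    Returns None if even the full event set cannot identify every attack.
    """
    events = sorted({e for evs in catalogue.values() for e in evs})
    for size in range(1, len(events) + 1):
        for chosen in combinations(events, size):
            if is_valid(chosen, catalogue):
                return chosen
    return None


if __name__ == "__main__":
    best = optimize_event_set()
    print("optimized event set:", best)
    for attack in ATTACK_EVENTS:
        print(attack, "->", signature(attack, best))
```

In the constructed catalogue no pair of events suffices: e4 or e5 is needed to cover attack_4, and neither can be paired with a single other event without leaving some attack uncovered or two attacks indistinguishable, so the optimized set has three events. Exhaustive search grows exponentially with the number of candidate events, which is why a real catalogue of attacks and data characteristics calls for the Integer Programming formulation.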