
Dec 09

Adaptive, Model-based Monitoring for Cyber Attack Detection

Editor’s Note: The paper, “Adaptive, Model-based Monitoring for Cyber Attack Detection”, sponsored by DARPA and written by Alfonso Valdes and Keith Skinner of SRI International, is attached here.

Below is an extract from the Summary.

From: Adaptive, Model-based Monitoring for Cyber Attack Detection by Alfonso Valdes and Keith Skinner of SRI International

We have described the eBayes monitoring capability, which employs Bayesian inference steps with transition models between inference to assess whether a particular burst of traffic contains an attack. A coupled component monitors availability of valid services, which are themselves learned via unsupervised discovery.

The efficacy of this system was demonstrated by results from the Lincoln Laboratory Intrusion Detection Evaluation data, and also by a live operation on a real-world site for weeks at a time.

This provides us with several important new capabilities:

  • Probabilistic encoding of attack models provides a complementary capability to anomaly detection and signature analysis, retaining the generalization potential of the former and the sensitivity and specificity of the latter.
  • We now potentially detect distributed attacks in which none of the attack sessions are individually suspicious enough to generate an alert. This comprises correlation by aggregation.
  • Once a successful denial of service has taken place, we are much less likely to generate false alerts for nonmalicious clients requesting the service during the attack (we refer to these clients as “collateral damage”). This form of correlation fuses the belief that an attack is in progress with the symptom of the attack (the service is disabled when the attack achieves its objectives) to explain away subsequent alerts from “collateral damage” sessions. As such, the system correlating symptoms and attacks provides effective false alarm reduction, while still providing the administrator with an alert for the original attack as well as an indication of the status of the victim host/port.

We continuously run this system along with our TCP session monitor on our own TCP gateway. While we do not have ground truth for this traffic, we regularly identify probe attacks and “spidering” activity, as well as the occasional DOS attempt. We also detect service outages and recovery for what appear to be nonmalicious faults.
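As an added illustration (this is not the paper's code and is a deliberate simplification of eBayes), the Python sketch below shows the three behaviours the summary lists: a Bayesian belief in an attack updated once per session, a transition model that carries belief between inference steps so that a distributed burst of individually unremarkable sessions aggregates into an alert, and explaining away of refused "collateral damage" sessions while the victim service is known to be down. The likelihood table, the decay factor, the single session symptom and the sample sessions are constructed assumptions, not values learned by the paper's system.

```python
import math
from dataclasses import dataclass

# Constructed parameters for illustration (not the paper's learned tables).
PRIOR = 0.01          # prior belief that an attack burst is in progress
KEEP = 0.9            # transition model: fraction of excess belief carried to the next session
ALERT_AT = 0.9        # posterior belief at which an alert is raised
LOG_LR = {            # log likelihood ratio P(obs|attack)/P(obs|benign) per observed symptom
    True: math.log(0.4 / 0.05),   # session left SYNs unanswered (half-open)
    False: math.log(0.1 / 0.9),   # ordinary completed session
}

@dataclass
class Session:
    client: str
    syn_no_ack: bool       # symptom: SYNs sent without a completed handshake
    refused: bool = False  # the victim service refused the connection

def logit(p): return math.log(p / (1 - p))
def belief(x): return 1 / (1 + math.exp(-x))

def monitor(sessions):
    """Return per-session verdicts and victim service status change events."""
    x = logit(PRIOR)          # current belief in log-odds
    service_up, attack_active = True, False
    verdicts, events = [], []
    for s in sessions:
        # Transition model: belief decays toward the prior between inference steps,
        # so many individually weak sessions can still aggregate into an alert.
        x = logit(PRIOR) + KEEP * (x - logit(PRIOR))
        # Coupled service monitor: report outages and recoveries of the victim port.
        if s.refused == service_up:
            service_up = not s.refused
            events.append(("service_up" if service_up else "service_down", s.client))
            if service_up:
                attack_active = False   # recovery: stop explaining away refusals
        # Explaining away: the service is down and an attack is believed in progress,
        # so a refused client is collateral damage rather than a new alert.
        if s.refused and attack_active:
            verdicts.append((s.client, "collateral"))
            continue
        x += LOG_LR[s.syn_no_ack]     # Bayesian update on this session's symptom
        if belief(x) >= ALERT_AT:
            attack_active = True
            verdicts.append((s.client, "alert"))
        else:
            verdicts.append((s.client, "benign"))
    return verdicts, events
```

With four half-open sessions from four different clients, the first three are judged benign on their own and the fourth pushes the aggregated belief over the alert threshold; refusals that follow are labelled collateral until a completed session shows the service has recovered, and a lone refusal with no attack context is reported only as a service outage.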
