The attacker generally cannot dictate which machine is infected, and the initial host is usually not the ultimate target of the attack, if there even is an ultimate target. Instead, the attacker may wish to move to other machines in order to locate and exfiltrate valuable data, escalate privileges, or to establish broad presence in the network for later exploitation. Therefore, from this initial host, the attacker may proceed to other hosts, hopping from one to the next; see Figure 3.2. In order to maximize the true positive rate, and minimize the false positive rate, statistical testing is performed at the subgraph level, not at that of each edge. The task then is to form a subgraph that simultaneously captures as many attack edges as possible, and as few non-attack edges as possible.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing: eBook Collection (EBSCOhost), printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN). AN: 779681; Heard, Nicholas; Adams, Niall M.; Data Analysis for Network Cyber-security. Account: ns224671
74 J. Neil, C. Storlie, C. Hash and A. Brugh

Fig. 3.2. A traversal attack. Step 1: Initial infection and local search. Step 2: First traversal has occurred, and further search is performed. Step 3: A full traversal has occurred. This shape is denoted as a caterpillar. The data on each edge in this graph is potentially anomalous. The filled nodes and dotted edges in Step 3 form a 3-path, which is one type of shape used to capture this behavior.

3.1.3. Attack shapes in the graph

Our institution is under regular attack by many entities, from simple automated tools scanning our firewalls through a spectrum of attack types including dedicated, sophisticated teams of attackers. This chapter was motivated by two canonical types of attacks seen against our site. While the details cannot be discussed for security reasons, forensic expertise has been brought to bear to describe these attacks to the authors.

Scanning Behavior: Out-stars. Attackers may wish to search locally around a single node for vulnerabilities in neighboring computers. This generates traffic emanating from a central node to a set of destination nodes, forming a star in the graph. Out-stars, introduced by Priebe et al. (2005), are defined as the set of edges whose source is a given central node; see Figure 3.3. Since some computers, such as email servers, communicate with large numbers of hosts, these shapes can contain large numbers of edges, and an attack that only used a few of the edges in the star may be lost among edges not part of the local search behavior. This suggests enumerating subsets of stars, which is the subject of future work. For this discussion, all edges emanating from a node are examined.
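As an added illustration of the two ideas above (testing at the subgraph level rather than per edge, and the out-star and 3-path shapes), the following is not the chapter's code: it enumerates both shapes from a directed edge list and combines the per-edge p-values of each shape into one subgraph-level p-value. Fisher's method is used as an assumed stand-in for whatever per-shape statistic the chapter actually applies, and the host names, edges and p-values are constructed.

```python
import math
from collections import defaultdict
# Constructed sample: directed (source, destination) edges, each carrying a per-edge
# anomaly p-value from an assumed per-edge model (the chapter's own model is not in this excerpt).
EDGE_PVALUES = {
    ("ws01", "ws07"): 0.02, ("ws07", "db02"): 0.03, ("db02", "fs01"): 0.01,  # planted traversal
    ("ws07", "ws09"): 0.60,
    ("mail", "ws01"): 0.40, ("mail", "ws07"): 0.55, ("mail", "ws09"): 0.70,  # busy mail server
    ("ws03", "ws04"): 0.05, ("ws03", "ws05"): 0.04,                            # planted local scan
    ("ws03", "ws06"): 0.03, ("ws03", "ws08"): 0.02,
}

def out_stars(edges):
    """Out-star of a node: every edge whose source is that node (Priebe et al., 2005)."""
    stars = defaultdict(list)
    for src, dst in edges:
        stars[src].append((src, dst))
    return dict(stars)

def k_paths(edges, k):
    """Directed simple paths of exactly k edges; k=3 gives the 3-path of Figure 3.2."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    def extend(path, seen):
        if len(path) == k:
            return [tuple(path)]
        tail = path[-1][1]
        return [p for nxt in succ[tail] if nxt not in seen  # simple paths: no node revisited
                for p in extend(path + [(tail, nxt)], seen | {nxt})]
    return [p for src, dst in edges for p in extend([(src, dst)], {src, dst})]

def fisher_pvalue(pvals):
    """Fisher's method (a stand-in for the chapter's statistic): T = -2*sum(ln p) is
    chi-square with 2n d.f. under the null; for even d.f. the survival function is the
    closed form exp(-T/2) * sum_{i<n} (T/2)^i / i!, so no scipy is needed."""
    half = -sum(math.log(p) for p in pvals)  # T/2
    return math.exp(-half) * sum(half ** i / math.factorial(i) for i in range(len(pvals)))

def flag_shapes(edge_pvalues, alpha=0.001):
    """Test each out-star and 3-path as one unit; return (shape, where, p) for p < alpha."""
    flagged = []
    for centre, star in out_stars(edge_pvalues).items():
        p = fisher_pvalue([edge_pvalues[e] for e in star])
        if p < alpha:
            flagged.append(("out-star", centre, p))
    for path in k_paths(edge_pvalues, 3):
        p = fisher_pvalue([edge_pvalues[e] for e in path])
        if p < alpha:
            flagged.append(("3-path", "->".join([path[0][0]] + [e[1] for e in path]), p))
    return flagged
```

On this sample no single edge is below 0.01, yet the planted traversal path and the planted scan star are both flagged as whole shapes, while the busy mail server's large but unremarkable star is not; that is the point of testing the subgraph rather than each edge.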