An attack-norm separation approach for detecting cyber attacks

Nong Ye; Toni Farley; Deepak Lakshminarasimhan

doi:10.1007/s10796-006-8731-y

An attack-norm separation approach for detecting cyber attacks

Nong Ye, Toni Farley, Deepak Lakshminarasimhan

Industrial, Systems and Operations Engineering

Research output: Contribution to journal › Article › peer-review

8 Scopus citations

Abstract

The two existing approaches to detecting cyber attacks on computers and networks, signature recognition and anomaly detection, have shortcomings related to the accuracy and efficiency of detection. This paper describes a new approach to cyber attack (intrusion) detection that aims to overcome these shortcomings through several innovations. We call our approach attack-norm separation. The attack-norm separation approach engages in the scientific discovery of data, features and characteristics for cyber signal (attack data) and noise (normal data). We use attack profiling and analytical discovery techniques to generalize the data, features and characteristics that exist in cyber attack and norm data. We also leverage well-established signal detection models in the physical space (e.g., radar signal detection), and verify them in the cyberspace. With this foundation of information, we build attack-norm separation models that incorporate both attack and norm characteristics. This enables us to take the least amount of relevant data necessary to achieve detection accuracy and efficiency. The attack-norm separation approach considers not only activity data, but also state and performance data along the cause-effect chains of cyber attacks on computers and networks. This enables us to achieve some detection adequacy lacking in existing intrusion detection systems.

Original language	English (US)
Pages (from-to)	163-177
Number of pages	15
Journal	Information Systems Frontiers
Volume	8
Issue number	3
DOIs	https://doi.org/10.1007/s10796-006-8731-y
State	Published - Jul 2006

Keywords

Computer and network security
Cyber attacks
Intrusion detection
Signal detection
Signal processing

ASJC Scopus subject areas

Software
Theoretical Computer Science
Information Systems
Computer Networks and Communications

Access to Document

10.1007/s10796-006-8731-y

Cite this

@article{eb8d94506bd342a1acd47c30ccf91d0f,

title = "An attack-norm separation approach for detecting cyber attacks",

abstract = "The two existing approaches to detecting cyber attacks on computers and networks, signature recognition and anomaly detection, have shortcomings related to the accuracy and efficiency of detection. This paper describes a new approach to cyber attack (intrusion) detection that aims to overcome these shortcomings through several innovations. We call our approach attack-norm separation. The attack-norm separation approach engages in the scientific discovery of data, features and characteristics for cyber signal (attack data) and noise (normal data). We use attack profiling and analytical discovery techniques to generalize the data, features and characteristics that exist in cyber attack and norm data. We also leverage well-established signal detection models in the physical space (e.g., radar signal detection), and verify them in the cyberspace. With this foundation of information, we build attack-norm separation models that incorporate both attack and norm characteristics. This enables us to take the least amount of relevant data necessary to achieve detection accuracy and efficiency. The attack-norm separation approach considers not only activity data, but also state and performance data along the cause-effect chains of cyber attacks on computers and networks. This enables us to achieve some detection adequacy lacking in existing intrusion detection systems.",

keywords = "Computer and network security, Cyber attacks, Intrusion detection, Signal detection, Signal processing",

author = "Nong Ye and Toni Farley and Deepak Lakshminarasimhan",

note = "Funding Information: Acknowledgments This material is based upon work supported in part by the Air force Research Laboratory (AFRL) and Advanced Research and Development Activity (ARDA) under Contract No. F30602-03-C-0233, the Air Force Office of Scientific Research (AFOSR) under Grant No. F49620-03-1-0109, and a gift from Symantec Corporation. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of AFRL, ARDA, AFOSR, or Symantec Corporation. The authors would also like to acknowledge contributions made by Patrick Kelley for the execution and data collection of attacks used in our study.",

year = "2006",

month = jul,

doi = "10.1007/s10796-006-8731-y",

language = "English (US)",

volume = "8",

pages = "163--177",

journal = "Information Systems Frontiers",

issn = "1387-3326",

publisher = "Springer Netherlands",

number = "3",

}

TY - JOUR

T1 - An attack-norm separation approach for detecting cyber attacks

AU - Ye, Nong

AU - Farley, Toni

AU - Lakshminarasimhan, Deepak

N1 - Funding Information: Acknowledgments This material is based upon work supported in part by the Air force Research Laboratory (AFRL) and Advanced Research and Development Activity (ARDA) under Contract No. F30602-03-C-0233, the Air Force Office of Scientific Research (AFOSR) under Grant No. F49620-03-1-0109, and a gift from Symantec Corporation. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of AFRL, ARDA, AFOSR, or Symantec Corporation. The authors would also like to acknowledge contributions made by Patrick Kelley for the execution and data collection of attacks used in our study.

PY - 2006/7

Y1 - 2006/7

N2 - The two existing approaches to detecting cyber attacks on computers and networks, signature recognition and anomaly detection, have shortcomings related to the accuracy and efficiency of detection. This paper describes a new approach to cyber attack (intrusion) detection that aims to overcome these shortcomings through several innovations. We call our approach attack-norm separation. The attack-norm separation approach engages in the scientific discovery of data, features and characteristics for cyber signal (attack data) and noise (normal data). We use attack profiling and analytical discovery techniques to generalize the data, features and characteristics that exist in cyber attack and norm data. We also leverage well-established signal detection models in the physical space (e.g., radar signal detection), and verify them in the cyberspace. With this foundation of information, we build attack-norm separation models that incorporate both attack and norm characteristics. This enables us to take the least amount of relevant data necessary to achieve detection accuracy and efficiency. The attack-norm separation approach considers not only activity data, but also state and performance data along the cause-effect chains of cyber attacks on computers and networks. This enables us to achieve some detection adequacy lacking in existing intrusion detection systems.

AB - The two existing approaches to detecting cyber attacks on computers and networks, signature recognition and anomaly detection, have shortcomings related to the accuracy and efficiency of detection. This paper describes a new approach to cyber attack (intrusion) detection that aims to overcome these shortcomings through several innovations. We call our approach attack-norm separation. The attack-norm separation approach engages in the scientific discovery of data, features and characteristics for cyber signal (attack data) and noise (normal data). We use attack profiling and analytical discovery techniques to generalize the data, features and characteristics that exist in cyber attack and norm data. We also leverage well-established signal detection models in the physical space (e.g., radar signal detection), and verify them in the cyberspace. With this foundation of information, we build attack-norm separation models that incorporate both attack and norm characteristics. This enables us to take the least amount of relevant data necessary to achieve detection accuracy and efficiency. The attack-norm separation approach considers not only activity data, but also state and performance data along the cause-effect chains of cyber attacks on computers and networks. This enables us to achieve some detection adequacy lacking in existing intrusion detection systems.

KW - Computer and network security

KW - Cyber attacks

KW - Intrusion detection

KW - Signal detection

KW - Signal processing

UR - http://www.scopus.com/inward/record.url?scp=33745925265&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33745925265&partnerID=8YFLogxK

U2 - 10.1007/s10796-006-8731-y

DO - 10.1007/s10796-006-8731-y

M3 - Article

AN - SCOPUS:33745925265

SN - 1387-3326

VL - 8

SP - 163

EP - 177

JO - Information Systems Frontiers

JF - Information Systems Frontiers

IS - 3

ER -

An attack-norm separation approach for detecting cyber attacks

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this