Utilizing network science and honeynets for software induced cyber incident analysis

Napoleon C. Paxton, Dae Il Jang, Stephen Russell, Gail-Joon Ahn, Ira S. Moskowitz, Paul Hyden

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

Increasing situational awareness and investigating the cause of a software-induced cyber attack continues to be one of the most difficult yet important endeavors faced by network security professionals. Traditionally, these forensic pursuits are carried out by manually analyzing the malicious software agents at the heart of the incident, and then observing their interactions in a controlled environment. Both these steps are time-consuming and difficult to maintain due to the ever-changing nature of malicious software. In this paper we introduce a network-science-based framework which conducts incident analysis on a dataset by constructing and analyzing relational communities. Construction of these communities is based on the connections of topological features formed when actors communicate with each other. We evaluate our framework using a network trace of the BlackEnergy malware network, captured by our honeynet. We have found that our approach is accurate, efficient, and could prove a viable alternative to the current status quo.
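As an added illustration of the approach the abstract describes (building relational communities from who-talks-to-whom in a honeynet trace), the Python below is example code written for this page; it is not the authors' framework and the paper does not state which community detection algorithm it uses, so a deterministic label-propagation pass stands in for it. The flow records are constructed, use documentation address ranges, and are aggregated as (src, dst, dst_port, flow_count); the 10.0.0.0/24 hosts play the honeypots. The example builds an undirected graph weighted by flow count, splits it into communities, ranks each community's members by weighted degree to surface the hub (a C2 or scanner candidate), and lists the edges that cross community boundaries, which are the links an analyst would check first.

```python
"""Community analysis of honeynet flow records.

Added example for this page; not the paper's framework. Label propagation
stands in for whichever community detection the authors used.
"""
from collections import defaultdict

# Constructed, aggregated flow records in the shape a honeynet sensor might
# export: (src, dst, dst_port, flow_count). Documentation-range addresses;
# the 10.0.0.0/24 hosts are the honeypots. This is not real capture data.
FLOWS = [
    # campaign A: two honeypots beacon to a C2 and pull updates from a second host
    ("10.0.0.5", "198.51.100.10", 80, 6),
    ("10.0.0.6", "198.51.100.10", 80, 6),
    ("10.0.0.5", "198.51.100.20", 80, 2),
    ("10.0.0.6", "198.51.100.20", 80, 2),
    # campaign B: a scanner probes three honeypots, one of which then beacons out
    ("192.0.2.44", "10.0.0.7", 445, 6),
    ("192.0.2.44", "10.0.0.8", 445, 3),
    ("192.0.2.44", "10.0.0.9", 445, 3),
    ("10.0.0.7", "203.0.113.99", 443, 5),
    # a single stray probe that links the two campaigns
    ("192.0.2.44", "10.0.0.6", 445, 1),
]


def build_graph(flows):
    """Undirected graph; edge weight = number of flows between the two hosts."""
    g = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, count in flows:
        g[src][dst] += count
        g[dst][src] += count
    return g


def label_propagation(g, max_iter=50):
    """Asynchronous label propagation made deterministic: nodes are visited in
    sorted order and ties go to the lexically smallest label."""
    label = {v: v for v in g}
    for _ in range(max_iter):
        changed = False
        for v in sorted(g):
            score = defaultdict(int)
            for u, w in g[v].items():
                score[label[u]] += w  # total edge weight carried by each label
            if not score:             # isolated node keeps its own label
                continue
            best = min(score, key=lambda lab: (-score[lab], lab))
            if best != label[v]:
                label[v] = best
                changed = True
        if not changed:
            break
    communities = defaultdict(set)
    for v, lab in label.items():
        communities[lab].add(v)
    return dict(communities)


def strength(g, v):
    """Weighted degree: total flows touching v."""
    return sum(g[v].values())


def hubs(g, communities):
    """Strongest member of each community: the C2 or scanner candidate."""
    return {lab: max(members, key=lambda v: (strength(g, v), v))
            for lab, members in communities.items()}


def bridges(g, communities):
    """Edges whose endpoints fall in different communities."""
    owner = {v: lab for lab, members in communities.items() for v in members}
    return sorted({tuple(sorted((u, v))) for u in g for v in g[u]
                   if owner[u] != owner[v]})


def analyze(flows):
    g = build_graph(flows)
    communities = label_propagation(g)
    return {
        "communities": {lab: sorted(m) for lab, m in communities.items()},
        "hubs": hubs(g, communities),
        "bridges": bridges(g, communities),
    }


if __name__ == "__main__":
    result = analyze(FLOWS)
    for lab, members in result["communities"].items():
        print(f"community {lab}: {members}  hub={result['hubs'][lab]}")
    print("cross-community edges:", result["bridges"])
```

On the constructed data this yields two communities, one per campaign, with the C2 host and the scanner as their respective hubs and the lone stray probe reported as the only cross-community edge; the single low-weight link is not enough to pull the probed honeypot out of its C2 community. Two caveats for real traces: label propagation is normally order-sensitive, so the sorted visiting order and tie-break rule above are what make runs reproducible, and a honeynet only sees traffic to and from its own sensors, so hub rankings describe the observed sample rather than the full botnet. Candidate hubs should still be checked against the malware's known infrastructure before being treated as attribution.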

Original language: English (US)
Title of host publication: Proceedings of the Annual Hawaii International Conference on System Sciences
Publisher: IEEE Computer Society
Pages: 5244-5252
Number of pages: 9
Volume: 2015-March
ISBN (Print): 9781479973675
DOIs: 10.1109/HICSS.2015.619
State: Published - Mar 26 2015
Event: 48th Annual Hawaii International Conference on System Sciences, HICSS 2015 - Kauai, United States
Duration: Jan 5 2015 to Jan 8 2015

Other

Other: 48th Annual Hawaii International Conference on System Sciences, HICSS 2015
Country: United States
City: Kauai
Period: 1/5/15 to 1/8/15

Keywords

  • Community detection
  • Honeynets
  • Network forensics

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Paxton, N. C., Jang, D. I., Russell, S., Ahn, G-J., Moskowitz, I. S., & Hyden, P. (2015). Utilizing network science and honeynets for software induced cyber incident analysis. In Proceedings of the Annual Hawaii International Conference on System Sciences (Vol. 2015-March, pp. 5244-5252). [7070445] IEEE Computer Society. https://doi.org/10.1109/HICSS.2015.619

@inproceedings{de7c46514dc24d43859beb4b26194d64,
title = "Utilizing network science and honeynets for software induced cyber incident analysis",
abstract = "Increasing situational awareness and investigating the cause of a software-induced cyber attack continues to be one of the most difficult yet important endeavors faced by network security professionals. Traditionally, these forensic pursuits are carried out by manually analyzing the malicious software agents at the heart of the incident, and then observing their interactions in a controlled environment. Both these steps are time-consuming and difficult to maintain due to the ever-changing nature of malicious software. In this paper we introduce a network-science-based framework which conducts incident analysis on a dataset by constructing and analyzing relational communities. Construction of these communities is based on the connections of topological features formed when actors communicate with each other. We evaluate our framework using a network trace of the BlackEnergy malware network, captured by our honeynet. We have found that our approach is accurate, efficient, and could prove a viable alternative to the current status quo.",
keywords = "Community detection, Honeynets, Network forensics",
author = "Paxton, {Napoleon C.} and Jang, {Dae Il} and Stephen Russell and Gail-Joon Ahn and Moskowitz, {Ira S.} and Paul Hyden",
year = "2015",
month = "3",
day = "26",
doi = "10.1109/HICSS.2015.619",
language = "English (US)",
isbn = "9781479973675",
volume = "2015-March",
pages = "5244--5252",
booktitle = "Proceedings of the Annual Hawaii International Conference on System Sciences",
publisher = "IEEE Computer Society",

}

TY - GEN

T1 - Utilizing network science and honeynets for software induced cyber incident analysis

AU - Paxton, Napoleon C.

AU - Jang, Dae Il

AU - Russell, Stephen

AU - Ahn, Gail-Joon

AU - Moskowitz, Ira S.

AU - Hyden, Paul

PY - 2015/3/26

Y1 - 2015/3/26

N2 - Increasing situational awareness and investigating the cause of a software-induced cyber attack continues to be one of the most difficult yet important endeavors faced by network security professionals. Traditionally, these forensic pursuits are carried out by manually analyzing the malicious software agents at the heart of the incident, and then observing their interactions in a controlled environment. Both these steps are time-consuming and difficult to maintain due to the ever-changing nature of malicious software. In this paper we introduce a network-science-based framework which conducts incident analysis on a dataset by constructing and analyzing relational communities. Construction of these communities is based on the connections of topological features formed when actors communicate with each other. We evaluate our framework using a network trace of the BlackEnergy malware network, captured by our honeynet. We have found that our approach is accurate, efficient, and could prove a viable alternative to the current status quo.

AB - Increasing situational awareness and investigating the cause of a software-induced cyber attack continues to be one of the most difficult yet important endeavors faced by network security professionals. Traditionally, these forensic pursuits are carried out by manually analyzing the malicious software agents at the heart of the incident, and then observing their interactions in a controlled environment. Both these steps are time-consuming and difficult to maintain due to the ever-changing nature of malicious software. In this paper we introduce a network-science-based framework which conducts incident analysis on a dataset by constructing and analyzing relational communities. Construction of these communities is based on the connections of topological features formed when actors communicate with each other. We evaluate our framework using a network trace of the BlackEnergy malware network, captured by our honeynet. We have found that our approach is accurate, efficient, and could prove a viable alternative to the current status quo.

KW - Community detection

KW - Honeynets

KW - Network forensics

UR - http://www.scopus.com/inward/record.url?scp=84944213478&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84944213478&partnerID=8YFLogxK

U2 - 10.1109/HICSS.2015.619

DO - 10.1109/HICSS.2015.619

M3 - Conference contribution

SN - 9781479973675

VL - 2015-March

SP - 5244

EP - 5252

BT - Proceedings of the Annual Hawaii International Conference on System Sciences

PB - IEEE Computer Society

ER -