A Collaborative Approach to Situational Awareness for CyberSecurity
Monday, April 29, 2013, 10:30am
Traditional intrusion detection and prevention systems (IDPSs) have well-known limitations that reduce their usefulness against many kinds of attacks. Current state-of-the-art IDPSs are point-based solutions that perform a simple analysis of host or network data and then raise an alert. Most of these systems can only discover known attacks whose signatures have been identified and stored in some form; they cannot detect attacks that use low-and-slow vectors. Often an attack is only revealed by post facto forensics, after some damage has already been done.
To address these issues, we are developing a semantic approach to intrusion detection that uses traditional as well as nontraditional sensors collaboratively. Traditional sensors include hardware or software such as network scanners, host scanners, and IDPSs like Snort and Norton AntiVirus. Potential nontraditional sensors include sources such as online forums, blogs, and vulnerability databases, which contain textual descriptions of proposed attacks or discovered exploits. After the data streams from these sensors are analyzed, the extracted information is added as facts to a knowledge base using a W3C-standards-based ontology that our group has developed. One of the attacks I am focusing on is botnet attacks, which work by having bots perform various malicious activities while under the control of a botmaster. Different botnets have different architectures and communication protocols. I am analyzing the packet capture files of individual botnets, looking for patterns that emerge that can be used to identify botnet behavior.
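As an added illustration (not code from the talk or from the authors' system), a toy version of the fact-correlation step described above: observations from a host scanner, a vulnerability database entry and an IDS alert are stored as subject-predicate-object triples, and one rule fires only when all three corroborate each other. The predicate names, host names and the vulnerability identifier are constructed placeholders, not values from the page.

```python
# Minimal in-memory triple store standing in for an RDF/OWL knowledge base.
# Every fact is (subject, predicate, object); predicates are made up for this example.
class KnowledgeBase:
    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def query(self, s=None, p=None, o=None):
        """Return all triples matching the given pattern (None = wildcard)."""
        return [(ts, tp, to) for (ts, tp, to) in self.triples
                if (s is None or ts == s)
                and (p is None or tp == p)
                and (o is None or to == o)]


# Adapters that turn each sensor's output into facts (constructed predicates).
def ingest_host_scan(kb, host, product):          # traditional sensor: host scanner
    kb.add(host, "runs", product)

def ingest_vuln_db(kb, product, vuln_id):         # nontraditional sensor: vuln database
    kb.add(product, "hasVulnerability", vuln_id)

def ingest_ids_alert(kb, vuln_id, target_host):   # traditional sensor: IDS signature hit
    kb.add(vuln_id, "exploitAttemptSeenAgainst", target_host)


def corroborated_attacks(kb):
    """Rule: a host RUNS a product, the product HAS a vulnerability, and the IDS
    saw an exploit attempt for that vulnerability AGAINST that host. An IDS alert
    alone (e.g. against a host that does not run the product) does not fire."""
    findings = []
    for host, _, product in kb.query(p="runs"):
        for _, _, vuln in kb.query(s=product, p="hasVulnerability"):
            if kb.query(s=vuln, p="exploitAttemptSeenAgainst", o=host):
                findings.append((host, product, vuln))
    return sorted(findings)


def build_sample_kb():
    """Constructed sample observations: two hosts, one vulnerable, two IDS alerts."""
    kb = KnowledgeBase()
    ingest_host_scan(kb, "host-a.example", "ExampleFTPd 1.0")
    ingest_host_scan(kb, "host-b.example", "OtherDaemon 2.3")
    ingest_vuln_db(kb, "ExampleFTPd 1.0", "VULN-PLACEHOLDER-1")
    ingest_ids_alert(kb, "VULN-PLACEHOLDER-1", "host-a.example")  # corroborated
    ingest_ids_alert(kb, "VULN-PLACEHOLDER-1", "host-b.example")  # noise: not vulnerable
    return kb
```

Running `corroborated_attacks(build_sample_kb())` yields only the host-a finding; the alert against host-b is suppressed because no fact says it runs the vulnerable product.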