Training effective cyber operatives requires realistic network environments that incorporate the structural and
social complexities representative of the real world. Network traffic generators facilitate repeatable experiments
for the development, training, and testing of cyber operations. However, current network traffic generators, ranging from simple load testers to complex frameworks, fail to capture the realism inherent in actual environments.
In order to improve the realism of network traffic generated by these systems, it is necessary to quantitatively
measure the level of realism in generated traffic with respect to the environment being mimicked. We categorize
realism measures into statistical, content, and behavioral measurements, and propose various metrics that can
be applied at each level to indicate how effectively the generated traffic mimics the real world.
This work presents a collection of methods used to effectively identify users of computer systems based on their
particular usage of software and the network. Not only are we able to identify individual computer users by their
behavioral patterns, but we are also able to detect significant deviations in their typical computer usage, either over time or compared
to a group of their peers. For instance, most people have a small and relatively unique selection of regularly visited
websites, certain email services, daily work hours, and typical preferred applications for mandated tasks. We argue that
these habitual patterns are sufficiently specific to identify fully anonymized network users.
We demonstrate that with only a modest data collection capability, profiles of individual computer users can be constructed
so as to uniquely identify a profiled user from among their peers. As time progresses and habits or circumstances
change, the methods presented update each profile so that changes in user behavior can be reliably detected over both
abrupt and gradual time frames, without losing the ability to identify the profiled user.
The primary benefit of our methodology is the ability to efficiently detect deviant behaviors, such as subverted user
accounts or organizational policy violations. Thanks to their relative robustness, these techniques can be used in scenarios
with very diverse data collection capabilities and data privacy requirements. In addition to behavioral change detection,
the generated profiles can also be compared against pre-defined examples of known adversarial patterns.
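A toy version of the profile-matching idea: represent each user's profile as a frequency distribution over visited domains and identify an anonymous observation as the closest stored profile by cosine similarity. All names, domains, and the similarity measure here are illustrative assumptions, not the paper's actual method.

```python
import math

def cosine(a, b):
    """Cosine similarity between two sparse frequency vectors (dicts)."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in keys)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

# Hypothetical per-user profiles: visit counts for regularly visited sites.
profiles = {
    "alice": {"news.example": 40, "mail.example": 30, "wiki.example": 10},
    "bob":   {"video.example": 50, "mail.example": 5,  "game.example": 25},
}

# Anonymous traffic observed on the wire.
observed = {"news.example": 35, "mail.example": 28, "wiki.example": 12}

# Attribute the anonymous activity to the most similar profile.
best = max(profiles, key=lambda u: cosine(profiles[u], observed))
print(best)  # -> alice
```

The same similarity score, computed between a user's current window of activity and their own historical profile, gives a natural deviation signal: a sudden drop suggests a behavioral change worth investigating.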
This work addresses new approaches to behavioral analysis of networks and hosts for the purposes of security
monitoring and anomaly detection. The most commonly used approaches simply implement anomaly detectors for
one, or a few, simple metrics, and those metrics can exhibit unacceptable false alarm rates. For instance, if the
anomaly score of a network communication is defined as the reciprocal of the likelihood that a given host uses a
particular protocol (or destination), this definition may force an unrealistically high alerting threshold to
avoid flooding the analyst with false positives.
We demonstrate that selecting and adapting the metrics and thresholds on a host-by-host or protocol-by-protocol
basis can be done with established multivariate analyses such as PCA. We show how to determine,
for each network host, one or more metrics that record the highest available amount of information about
the baseline behavior and reliably reveal relevant deviations. We describe the methodology used to pick from a
large selection of available metrics, and illustrate a method for comparing the resulting classifiers.
Using our approach we are able to reduce the resources required to properly identify misbehaving hosts,
protocols, or networks, by dedicating system resources to only those metrics that actually matter in detecting such misbehavior.
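A drastically simplified illustration of PCA-style metric selection: given per-host samples of several candidate metrics, compute the first principal component of their covariance matrix (via power iteration) and keep the metric with the largest loading, i.e. the one carrying the most baseline variance. The metric names and data are invented for illustration.

```python
def first_pc(rows, iters=200):
    """First principal component of row-wise samples, via power iteration."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    centered = [[r[j] - means[j] for j in range(d)] for r in rows]
    cov = [[sum(centered[i][a] * centered[i][b] for i in range(n)) / (n - 1)
            for b in range(d)] for a in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[a][b] * v[b] for b in range(d)) for a in range(d)]
        norm = sum(x * x for x in w) ** 0.5
        v = [x / norm for x in w]
    return v

# Columns (hypothetical): [bytes/s, new destinations/min, DNS queries/min].
samples = [[100, 2, 5], [110, 3, 6], [90, 2, 4], [400, 9, 5], [105, 2, 5]]
pc = first_pc(samples)
dominant = max(range(len(pc)), key=lambda j: abs(pc[j]))
print(dominant)  # index of the metric carrying the most baseline variance
```

A real deployment would retain several components, normalize metrics to comparable scales first, and recompute per host; this sketch only shows why one metric can dominate the information budget.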
One of the significant problems in visual tracking of objects is the requirement for a human analyst to post-process and interpret the data. For instance, consider the task of tracking a target, in this case a moving person, using video imagery. When this person hides behind an obstruction and is therefore no longer visible to the camera, conventional tracking systems quickly lose track of the target and can no longer indicate where the target is or where it was headed. A human interpreter is then needed to conclude that the person is hiding and, with some probability, is still there.
A Process Query System (PQS) is able to track and predict the path of arbitrary objects, based only on a description of their dynamic behavior, thus eliminating the need for precise identification of each object in every frame. The PQS is therefore able to draw human-like conclusions, allowing the system to track the person even when he/she is out of view. Additionally, using dynamic descriptions of tracked objects allows for low-quality video signals, or even infrared video, to be used for tracking.
In this paper we introduce a novel way of implementing a video-based tracking system using a Process Query System to predict the position of objects in the environment, even after they have disappeared from view. Although the image processing pipeline is trivial, tracking accuracy is remarkably high, suggesting that overall performance can be improved even further with the use of more sophisticated video processing and image recognition technology.
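The core prediction idea can be sketched with a toy constant-velocity model: when the target is occluded (no observation), keep propagating the last known state instead of dropping the track. A real PQS scores many candidate process models against noisy observations; this sketch shows only the prediction-through-occlusion step, with all names and the dynamics being illustrative assumptions.

```python
def track(observations, dt=1.0):
    """Return position estimates; None observations mean the target is occluded."""
    est, vel = None, 0.0
    out = []
    for obs in observations:
        if obs is not None:
            if est is not None:
                vel = (obs - est) / dt   # crude velocity update from last estimate
            est = obs
        elif est is not None:
            est = est + vel * dt         # predict through the occlusion
        out.append(est)
    return out

# Target moves right at 1 unit/frame; hidden behind an obstruction for frames 3-4.
print(track([0.0, 1.0, 2.0, None, None, 5.0]))  # -> [0.0, 1.0, 2.0, 3.0, 4.0, 5.0]
```

Because the track is carried by the dynamic model rather than by pixel-level identification, the same logic tolerates degraded inputs such as low-quality or infrared video.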
Within an organization, the possibility of a confidential information leak ranks among the highest fears of any executive. Detecting information leaks is a challenging problem, since most organizations depend on a broad and diverse communications network. It is not always straightforward to conclude which information is leaving the organization legitimately, and which communications are malicious data exfiltrations. Sometimes it is not even possible to tell that a communication is occurring at all. The set of all possible exfiltration methods contains, at a minimum, the set of all possible information communication methods, and possibly more. This article cannot possibly cover all such methods; however, several notable examples are given, and a taxonomy of data exfiltration is developed. Such a taxonomy cannot ever be exhaustive, but at the very least can offer a framework for organizing methods and developing defenses.
One significant drawback of currently available security products is their inability to correlate diverse sensor input. For
instance, using only network intrusion detection data, a rootkit installed through a weak username-password combination
may go unnoticed. Similarly, an administrator may never make the link between deteriorating response times from the
database server and an attacker exfiltrating trusted data, if these facts are not presented together.
Current Security Information Management Systems (SIMS) can collect and represent diverse data but lack sufficient
correlation algorithms. By using a Process Query System, we were able to quickly bring together data flowing from many
sources, including NIDS, HIDS, server logs, CPU load and memory usage, etc. We constructed PQS models that describe
dynamic behavior of complicated attacks and failures, allowing us to detect and differentiate simultaneous sophisticated
attacks on a target network.
In this paper, we discuss the benefits of implementing such a multistage cyber attack detection system using PQS. We
focus on how data from multiple sources can be combined and used to detect and track comprehensive network security
events that go unnoticed using conventional tools.
Process detection is a fundamental problem arising in a variety of
homeland security, national defense and commercial applications,
including network security, sensor network data fusion, dynamic
social network analysis and video tracking of kinematic objects.
Our approach to process detection is based on a generic
algorithmic approach called Process Query Systems which has been
developed at Dartmouth over the past 3 years. This paper surveys
the general area of process detection, its applications and recent
progress made in various implementations.
In this paper we present the architecture of our network security monitoring infrastructure based on a Process Query System (PQS). PQS offers a new and powerful way of efficiently processing data streams, based on process
descriptions that are submitted as queries. In this case the data streams
come from familiar network sensors, such as Snort, Netfilter, and Tripwire.
The process queries describe the dynamics of network attacks and failures,
such as worms, multistage attacks, and router failures. Using PQS the
task of monitoring enterprise class networks is simplified, offering a
priority-based GUI to the security administrator that clearly outlines
events that require immediate attention. The PQS-Net system is deployed on an unsecured production network; the system has successfully detected many diverse attacks and failures.
Process Query Systems (PQS) are a new kind of information retrieval technology in which user queries are expressed as process descriptions. The goal of a PQS is to detect processes from a datastream or database of events that are correlated with the processes' states. This is in contrast with most traditional database query processing, information retrieval systems, and web search engines, in which user queries are typically formulated as Boolean expressions. In this paper, we outline the main features of Process Query Systems and the technical challenges that process detection entails. Furthermore, we describe several important application areas that can benefit from PQS technology. Our working prototype of a PQS, called TRAFEN (for TRAcking and Fusion ENgine), is described as well.
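A drastically simplified toy of the "query as a process description" idea: a process is a sequence of phases over event types, and the engine scores how far an observed event stream advances that process in order. A real PQS such as TRAFEN handles probabilistic models, interleaved processes, and noisy evidence; the phase and event names here are made up for illustration.

```python
# Hypothetical process description: the phases of a worm infection, in order.
worm_process = ["scan", "exploit", "payload", "propagate"]

def match_progress(process, events):
    """Fraction of the process's phases observed, in order, in the event stream."""
    stage = 0
    for e in events:
        if stage < len(process) and e == process[stage]:
            stage += 1
    return stage / len(process)

# Observed event stream with unrelated noise ("login") interleaved.
stream = ["scan", "login", "exploit", "payload"]
print(match_progress(worm_process, stream))  # -> 0.75
```

The contrast with a Boolean query is the point: instead of asking "did event X occur?", the query asks "how consistent is this stream with the dynamics of process P?".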
Identification of an active Internet worm is a manual process where security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems or hosts. A worm might not be positively identified until it already has spread to most of the Internet, eliminating many defensive options. In previous work, we developed an automated system that can identify active worms seconds or minutes after they first begin to spread,
a necessary precursor to halting the spread of the worm rather than simply cleaning up afterward. The system collects ICMP Destination Unreachable messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious
scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we compare the performance of two different detection strategies, our previous threshold approach and a new line-fit approach, for different worm-propagation techniques, noise environments, and system parameters.
These techniques work for worms that generate at least some of their
target addresses through a random process, a feature of most recent worms. Although both are powerful methods for fast worm identification, the new line-fit approach proves significantly more noise resistant.
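The contrast between the two strategies can be sketched on a toy time series of per-interval scan counts: a fixed threshold trips on any one-off burst, while a least-squares line fit reacts only to the sustained growth trend characteristic of a propagating worm. The counts, threshold, and slope cutoff are illustrative, not the paper's parameters.

```python
def threshold_detect(counts, limit=20):
    """Alarm if any single interval exceeds the fixed limit."""
    return any(c > limit for c in counts)

def linefit_detect(counts, min_slope=2.0):
    """Alarm if the least-squares slope over the window shows sustained growth."""
    n = len(counts)
    mean_x = (n - 1) / 2
    mean_y = sum(counts) / n
    slope = (sum((x - mean_x) * (y - mean_y) for x, y in enumerate(counts))
             / sum((x - mean_x) ** 2 for x in range(n)))
    return slope > min_slope

noisy_burst = [3, 2, 30, 2, 3, 2]        # one-off scan burst, not a worm
worm_growth = [2, 5, 9, 14, 22, 33]      # roughly exponential spread

print(threshold_detect(noisy_burst), linefit_detect(noisy_burst))  # -> True False
print(threshold_detect(worm_growth), linefit_detect(worm_growth))  # -> True True
```

The burst trips the threshold detector but not the line fit, which is the noise-resistance advantage the comparison above refers to.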
Identification of an Internet worm is a manual process where security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems or hosts. A worm might not be positively identified until it already has spread to most of the Internet, eliminating many defensive options. In this paper, we present an automated system that can identify active worms seconds or minutes after they first begin to spread, a necessary precursor to halting the spread of a worm, rather than simply cleaning up afterward. Our implemented system collects ICMP Unreachable messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we examine the problem of active worms, describe our ICMP-based detection system, and present simulation results that illustrate the speed with which it can detect a worm.
Early warning of active worm propagation over the Internet is of vital importance to first responders. Knowing an active worm's characteristics very early in its propagation can significantly reduce the damage it may cause. In this paper we propose an early warning system that uses ICMP Destination Unreachable (ICMP-T3) messages to identify the random scanning behavior of worms. Participating routers across the Internet send blind carbon copies of all their locally generated ICMP-T3 messages to a central collection point, where incoming messages are abstracted, compared for similarities, and patterns identified. Using the methods discussed in this paper we identify 'blooms' of activity that are a clear signature of worm propagation. Preliminary test results have shown that actively spreading worms can be identified in the first few minutes after they are launched. By using the characteristics gathered in those early stages, action can be taken and widespread damage might be avoided.