TY - JOUR
T1 - An attack-norm separation approach for detecting cyber attacks
AU - Ye, Nong
AU - Farley, Toni
AU - Lakshminarasimhan, Deepak
N1 - Funding Information:
Acknowledgments This material is based upon work supported in part by the Air Force Research Laboratory (AFRL) and Advanced Research and Development Activity (ARDA) under Contract No. F30602-03-C-0233, the Air Force Office of Scientific Research (AFOSR) under Grant No. F49620-03-1-0109, and a gift from Symantec Corporation. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of AFRL, ARDA, AFOSR, or Symantec Corporation. The authors would also like to acknowledge contributions made by Patrick Kelley for the execution and data collection of attacks used in our study.
PY - 2006/7
Y1 - 2006/7
N2 - The two existing approaches to detecting cyber attacks on computers and networks, signature recognition and anomaly detection, have shortcomings related to the accuracy and efficiency of detection. This paper describes a new approach to cyber attack (intrusion) detection that aims to overcome these shortcomings through several innovations. We call our approach attack-norm separation. The attack-norm separation approach engages in the scientific discovery of data, features and characteristics for cyber signal (attack data) and noise (normal data). We use attack profiling and analytical discovery techniques to generalize the data, features and characteristics that exist in cyber attack and norm data. We also leverage well-established signal detection models in the physical space (e.g., radar signal detection), and verify them in the cyberspace. With this foundation of information, we build attack-norm separation models that incorporate both attack and norm characteristics. This enables us to take the least amount of relevant data necessary to achieve detection accuracy and efficiency. The attack-norm separation approach considers not only activity data, but also state and performance data along the cause-effect chains of cyber attacks on computers and networks. This enables us to achieve some detection adequacy lacking in existing intrusion detection systems.
AB - The two existing approaches to detecting cyber attacks on computers and networks, signature recognition and anomaly detection, have shortcomings related to the accuracy and efficiency of detection. This paper describes a new approach to cyber attack (intrusion) detection that aims to overcome these shortcomings through several innovations. We call our approach attack-norm separation. The attack-norm separation approach engages in the scientific discovery of data, features and characteristics for cyber signal (attack data) and noise (normal data). We use attack profiling and analytical discovery techniques to generalize the data, features and characteristics that exist in cyber attack and norm data. We also leverage well-established signal detection models in the physical space (e.g., radar signal detection), and verify them in the cyberspace. With this foundation of information, we build attack-norm separation models that incorporate both attack and norm characteristics. This enables us to take the least amount of relevant data necessary to achieve detection accuracy and efficiency. The attack-norm separation approach considers not only activity data, but also state and performance data along the cause-effect chains of cyber attacks on computers and networks. This enables us to achieve some detection adequacy lacking in existing intrusion detection systems.
KW - Computer and network security
KW - Cyber attacks
KW - Intrusion detection
KW - Signal detection
KW - Signal processing
UR - http://www.scopus.com/inward/record.url?scp=33745925265&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33745925265&partnerID=8YFLogxK
U2 - 10.1007/s10796-006-8731-y
DO - 10.1007/s10796-006-8731-y
M3 - Article
AN - SCOPUS:33745925265
SN - 1387-3326
VL - 8
SP - 163
EP - 177
JO - Information Systems Frontiers
JF - Information Systems Frontiers
IS - 3
ER -