Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 1

Search results for: Time-series

1 Novel Two-Level Graph Causality Analysis and Mathematical Modeling for Cybersecurity Data

Authors: Van Trieu-Do, Shouhuai Xu, Yusheng Feng


Tracking attack trajectories is difficult when little is known about the nature of the attack. It is harder still because the available attack information is collected by Intrusion Detection Systems (IDSs), and current IDSs have limitations in identifying malicious and anomalous traffic. Moreover, an IDS only flags suspicious events; it does not show how those events relate to each other or which event caused another to happen. It is therefore important to investigate new methods that can track attack trajectories quickly, with less attack information and less dependence on IDSs, so that actions can be prioritized during incident response. This paper proposes a novel two-level graph causality framework for tracking attack trajectories in internet networks. It leverages observable malicious behaviors to identify the most probable attack event that caused another event to occur in the system. Technically, given a time series of malicious events, the framework filters the events down to useful features, such as attack time and port number, and feeds them into conditional independence tests to detect the relationships between attack events. On two academic datasets collected by IDSs, experimental results show that the framework quickly detects causal pairs that offer meaningful insight into the nature of the internet network, given only reasonable restrictions on network size and structure. Without the framework's guidance, existing tools such as IDSs could not discover these insights, and expert human analysts would need significant time to find them. The computational results from the proposed two-level graph network model reveal clear patterns and trends: for more than 80% of the causal pairs, the average time difference between the causing event and the caused event is equivalent in the computed and the observed data. This result can be used as a preventive measure against future attacks. Although the forecast horizon is short, from 0.2 seconds to 4.5 seconds, it is long enough to design a prevention protocol to block those attacks.
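The pipeline the abstract sketches (filter IDS alerts down to time and port, bin them into per-event time series, test each ordered pair for a lagged dependency that survives conditioning, then compare the computed lag with the observed gap) can be illustrated in miniature. The following Python script is an added example and is not the authors' framework or code: it uses a lagged partial correlation conditioned on the effect series' own past as a simple stand-in for the paper's conditional independence tests, and the bin width, maximum lag, threshold, and the alert stream (scan of port 22 followed 400 ms later by a brute-force alert, with unrelated port-80 alerts as noise) are all constructed assumptions for the demonstration.

```python
"""Minimal causal-pair discovery over IDS alerts (added example, not the paper's code).

Step 1: keep only the features the abstract names (time, event type, port) and bin the
alerts into fixed-width count series, one per "type:port" key.
Step 2: for each ordered pair of series, test whether X at lag k still correlates with
Y once Y's own past is conditioned on (a partial-correlation stand-in for the paper's
conditional independence tests), then compare the computed lag (bins * width) with the
mean observed gap between each Y alert and its nearest preceding X alert.
"""
import math
from collections import defaultdict
from itertools import permutations

BIN_MS = 100       # width of one time bin (assumption)
MAX_LAG = 5        # largest lag, in bins, that is tested (assumption)
THRESHOLD = 0.5    # partial correlation needed to call a pair causal (assumption)

# Constructed alert stream: (timestamp_ms, event_type, dst_port). Every scan of port 22
# is followed 400 ms later by a brute-force alert; the port-80 alerts are independent noise.
ALERTS = (
    [(3000 * i, "scan", 22) for i in range(10)]
    + [(3000 * i + 400, "bruteforce", 22) for i in range(10)]
    + [(900 + 1700 * i, "web", 80) for i in range(17)]
)


def bin_alerts(alerts, bin_ms=BIN_MS, ports=None):
    """Filter by port, key events as 'type:port', return ({key: count series}, {key: timestamps})."""
    by_key = defaultdict(list)
    for ts, etype, port in alerts:
        if ports is None or port in ports:
            by_key[f"{etype}:{port}"].append(ts)
    n_bins = max(ts for ts, _, _ in alerts) // bin_ms + 1
    series = {}
    for key, stamps in by_key.items():
        counts = [0] * n_bins
        for ts in stamps:
            counts[ts // bin_ms] += 1
        series[key] = counts
    return series, by_key


def pearson(a, b):
    """Pearson correlation; 0.0 when either series has no variance."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / math.sqrt(va * vb)


def partial_corr(x, y, z):
    """Correlation of x and y with the linear effect of z removed."""
    rxy, rxz, ryz = pearson(x, y), pearson(x, z), pearson(y, z)
    denom = math.sqrt((1 - rxz ** 2) * (1 - ryz ** 2))
    return 0.0 if denom == 0 else (rxy - rxz * ryz) / denom


def lagged_score(x, y, lag):
    """Does X(t-lag) explain Y(t) beyond what Y(t-1) already explains? (lag >= 1)"""
    n = len(x)
    xs = x[:n - lag]            # X(t - lag)
    ys = y[lag:]                # Y(t)
    zs = y[lag - 1:n - 1]       # Y(t - 1), the conditioning variable
    return partial_corr(xs, ys, zs)


def causal_pairs(series, max_lag=MAX_LAG, threshold=THRESHOLD):
    """Return {(cause, effect): (best_lag_bins, score)} for pairs scoring over the threshold."""
    found = {}
    for cause, effect in permutations(series, 2):
        score, lag = max(
            (lagged_score(series[cause], series[effect], k), k) for k in range(1, max_lag + 1)
        )
        if score >= threshold:
            found[(cause, effect)] = (lag, score)
    return found


def observed_gap_ms(cause_ts, effect_ts, window_ms):
    """Mean gap from each effect alert back to the nearest cause alert inside the window."""
    gaps = []
    for te in effect_ts:
        prior = [tc for tc in cause_ts if 0 <= te - tc <= window_ms]
        if prior:
            gaps.append(te - max(prior))
    return sum(gaps) / len(gaps) if gaps else None


def analyze(alerts=ALERTS, bin_ms=BIN_MS, ports=None):
    """Full pipeline: {(cause, effect): (computed_lag_ms, observed_lag_ms, score)}."""
    series, stamps = bin_alerts(alerts, bin_ms, ports)
    result = {}
    for (c, e), (lag, score) in causal_pairs(series).items():
        computed = lag * bin_ms
        observed = observed_gap_ms(stamps[c], stamps[e], MAX_LAG * bin_ms)
        result[(c, e)] = (computed, observed, round(score, 3))
    return result


if __name__ == "__main__":
    for (c, e), (comp, obs, score) in analyze().items():
        print(f"{c} -> {e}: computed lag {comp} ms, observed gap {obs} ms, score {score}")
```

On the constructed stream the only pair that passes is scan:22 -> bruteforce:22 at lag 4 bins, so the computed lag (400 ms) matches the observed gap (400 ms), which is the kind of computed-versus-observed agreement the abstract reports; the port-80 noise produces no pair in either direction. The bin width sets the resolution of the computed lag, so in practice it should be chosen below the shortest delay one expects to recover, and the threshold should be replaced by a proper significance test on real data.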

Keywords: causality, multilevel graph, cybersecurity, mathematical modeling, visualization
