Multi-stage attack detection using contextual information
conference contribution
posted on 2018-07-31, 12:31 authored by Kostas Kyriakopoulos, Francisco J. Aparicio-Navarro, Ibrahim Ghafir, Sangarapillai Lambotharan, Jonathon Chambers
The appearance of new forms of cyber-threats, such as Multi-Stage Attacks (MSAs), creates new challenges to which Intrusion Detection Systems (IDSs) need to adapt. An MSA is launched in multiple sequential stages, which may not be malicious when implemented individually, making the detection of MSAs extremely challenging for most current IDSs. In this paper, we present a novel IDS that exploits contextual information in the form of Pattern-of-Life (PoL), and information related to expert judgment on the network behaviour. This IDS focuses on detecting an MSA, in real-time, without a previous training process. The main goal of the MSA is to create a Point of Entry (PoE) to a target machine, which could be used as part of an APT-like attack. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the detection rate of MSAs in real-time by 58%.
Funding
This work was supported by the Engineering and Physical Sciences Research Council (EPSRC) Grant number EP/K014307/2 and the MOD University Defence Research Collaboration in Signal Processing, and by the British Council UK-Gulf Institutional Link Grant and the EPSRC Grant numbers EP/R006385/1 and EP/R006377/1.
History
School
- Mechanical, Electrical and Manufacturing Engineering