Modeling Cyber Attacks with Empirical Correlation (T-0003) (Old 8315)


dc.contributor.author Kamran Saeed, 01-242171-009
dc.date.accessioned 2019-05-21T06:57:51Z
dc.date.available 2019-05-21T06:57:51Z
dc.date.issued 2019
dc.identifier.uri http://hdl.handle.net/123456789/8751
dc.description Supervised By Dr. Muhammad Najam ul Islam en_US
dc.description.abstract Cyber-attacks have been on the rise, especially after the explosive spread of social networking, as it gives cyber criminals a way to break into others' computers and manipulate personal and sensitive data. Many different techniques have been used in the past to minimize the occurrences of cyber-attacks. These techniques focused primarily on attack modeling by analyzing the incoming traffic in order to look for both malicious activity and attacker objectives. This research proposes a solution that makes use of attack tree modeling (ATM) along with the development of a correlation engine that predicts coordinated attacks carried out on network servers. The correlation engine uses network flow features, i.e. control information about the transmitted content, and correlates them based on the previously learned labeling to see if the content is malicious or not. The correlation engine can predict Distributed Denial of Service (DDoS) and brute-force attacks. These attack categories have been separately modeled using the algorithm with the highest real-time traffic performance among the Support Vector Machine (SVM), Gaussian Naive Bayes (GNB) and Random Forest Regression (RFR) techniques. The correlation engine tests real-time data and, along with predicting attacks, also updates the stored labeling based on system administrator feedback. Once deployed, the correlation engine can be used in real time on any network or server to continuously monitor and detect zero-day attacks that undermine the integrity of the network or its data. en_US
dc.language.iso en en_US
dc.publisher Bahria University Islamabad Campus en_US
dc.relation.ispartofseries MS CE;T-0003
dc.subject Computer Engineering en_US
dc.title Modeling Cyber Attacks with Empirical Correlation (T-0003) (Old 8315) en_US
dc.type MS Thesis en_US

