• Corpus ID: 231547341

A Novel AI-based Methodology for Identifying Cyber Attacks in Honey Pots

@inproceedings{AbuOdeh2021ANA,
  title={A Novel AI-based Methodology for Identifying Cyber Attacks in Honey Pots},
  author={Muhammed AbuOdeh and Christian Adkins and Omid Setayeshfar and Prashant Doshi and Kyu Hyung Lee},
  booktitle={AAAI},
  year={2021}
}
We present a novel AI-based methodology that identifies phases of a host-level cyber attack simply from system call logs. System calls emanating from cyber attacks on hosts such as honey pots are often recorded in audit logs. Our methodology first involves efficiently loading, caching, processing, and querying system events contained in audit logs in support of computer forensics. Output of queries remains at the system call level and is difficult to process. The next step is to infer a sequence of… 
1 Citations

Figures and Tables from this paper

References

SHOWING 1-10 OF 27 REFERENCES
HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows
TLDR
HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign, and produces a high-level graph that summarizes the attacker’s actions in real-time.
SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection
TLDR
A novel stream-based query system that takes as input, a real-time event feed aggregated from multiple hosts in an enterprise, and provides an anomaly query engine that queries the event feed to identify abnormal behaviors based on the specified anomalies.
Analyzing Log Files for Postmortem Intrusion Detection
TLDR
This paper proposes a novel approach for postmortem intrusion detection, which factors out repetitive behavior, thus, speeding up the process of locating the execution of an exploit, if any.
DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning
TLDR
DeepLog, a deep neural network model utilizing Long Short-Term Memory (LSTM), is proposed, to model a system log as a natural language sequence, which allows DeepLog to automatically learn log patterns from normal execution, and detect anomalies when log patterns deviate from the model trained from log data under normal execution.
Modeling program behaviors by hidden Markov models for intrusion detection
  • Wei Wang, X. Guan, Xiangliang Zhang
  • Computer Science
    Proceedings of 2004 International Conference on Machine Learning and Cybernetics (IEEE Cat. No.04EX826)
  • 2004
TLDR
A new efficient intrusion detection method based on hidden Markov models (HMMs) is presented and experimental results show that the performance of the proposed method in intrusion detection is better than other methods.
Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation
TLDR
An intrusion detection evaluation test bed was developed which generated normal traffic similar to that on a government site containing 100's of users on 1000's of hosts and the best systems failed to detect roughly half these new attacks which included damaging access to root-level privileges by remote users.
AIQL: Enabling Efficient Attack Investigation from System Monitoring Data
TLDR
A novel query system built on top of existing monitoring tools and databases, which is designed with novel types of optimizations to support timely attack investigation and surpasses existing systems in both efficiency and conciseness.
A Novel Similar Temporal System Call Pattern Mining for Efficient Intrusion Detection
TLDR
This paper applies a novel method which performs only a single database scan, reducing unnecessary extra overhead incurred when multiple scans are performed thus achieving space and time efficiency and aims at efficient dimensionality reduction.
Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems
TLDR
This work presents a new approach, Panacea, to automatically and systematically classify attacks detected by an anomaly-based network intrusion detection system.
...
...