Improving intrusion detectors by crook-sourcing

  title={Improving intrusion detectors by crook-sourcing},
  author={Gbadebo Ayoade and Khaled Al-Naami and Y. Gao and Kevin W. Hamlen and Latifur Khan},
  journal={Proceedings of the 35th Annual Computer Security Applications Conference},
  • G. Ayoade, K. Al-Naami, L. Khan
  • Published 9 December 2019
  • Computer Science
  • Proceedings of the 35th Annual Computer Security Applications Conference
Conventional cyber defenses typically respond to detected attacks by rejecting them as quickly and decisively as possible; but aborted attacks are missed learning opportunities for intrusion detection. A method of reimagining cyber attacks as free sources of live training data for machine learning-based intrusion detection systems (IDSes) is proposed and evaluated. Rather than aborting attacks against legitimate services, adversarial interactions are selectively prolonged to maximize the… 

Figures and Tables from this paper

Crook-sourced intrusion detection as a service
Improving cybersecurity hygiene through JIT patching
A patch management model is proposed to facilitate the rapid injection of software patches into live, commodity applications without disruption of production workflows, and the transparent sandboxing of suspicious processes for counterreconnaissance and threat information gathering.
AI-Powered Honeypots for Enhanced IoT Botnet Detection
A novel hybrid Artificial Intelligence (AI)-powered honeynet for enhanced IoT botnet detection rate with the use of Cloud Computing (CC) and makes use of Machine Learning (ML) techniques like the Logistic Regression (LR) in order to predict potential botnet existence.
Evidential Cyber Threat Hunting
A formal cyber reasoning framework for automating the threat hunting process introduces an operational semantics that operates over three subspaces—knowledge, hypothesis, and action— to enable human-machine co-creation of threat hypotheses and protective recommendations.
Automating Cyberdeception Evaluation with Deep Learning
Results demonstrate that synthesizing adaptive web traffic laced with evasive attacks powered by ensemble learning, online adaptive metric learning, and novel class detection to simulate skillful adversaries constitutes a challenging and aggressive test of cyberdeceptive defenses.
Evolving Advanced Persistent Threat Detection using Provenance Graph and Metric Learning
This work leverages an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior and shows its method outperforms the baseline models by increasing detection accuracy on average and increases True positive rate (TPR) on average.


Service specific anomaly detection for network intrusion detection
This work presents an approach that utilizes application specific knowledge of the network services that should be protected and helps to extend current, simple network traffic models to form an application model that allows to detect malicious content hidden in single network packets.
An overview of anomaly detection techniques: Existing solutions and latest technological trends
From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation
A methodology is proposed for reformulating a broad class of security patches into honey-patches - patches that offer equivalent security but that frustrate attackers' ability to determine whether their attacks have succeeded or failed.
Anomaly Detection as a Service: Challenges, Advances, and Opportunities
This book is focused on data-driven anomaly detection for software, systems, and networks against advanced exploits and attacks, but also on systematizing the body of existing knowledge on anomaly detection.
Optimized Invariant Representation of Network Traffic for Detecting Unseen Malware Variants
The proposed classification system was deployed on large corporate networks, where it detected 2,090 new and unseen variants of malware samples with 90% precision, which is a considerable improvement when compared to the current flow-based approaches or existing signature-based web security devices.
Combating imbalance in network intrusion datasets
This paper uses RIPPER as the underlying rule classifier and implements a combination of oversampling (both by replication and synthetic generation) and undersampling techniques and proposes a clustering based methodology for oversamplings by generating synthetic instances.
Bayesian event classification for intrusion detection
Experimental results show that the accuracy of the event classification process is significantly improved using the proposed Bayesian networks, which improve the aggregation of different model outputs and allow one to seamlessly incorporate additional information.
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
The main claim is that the task of finding attacks is fundamentally different from these other applications, making it significantly harder for the intrusion detection community to employ machine learning effectively.
Revolver: An Automated Approach to the Detection of Evasive Web-based Malware
Revolver, a novel approach to automatically detect evasive behavior in malicious JavaScript, is presented and its integration with existing web malware analysis systems can support the continuous improvement of detection techniques.