SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data
Authors
Abstract
We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory dependency-graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by constructing compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.
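The abstract names three pieces that fit together: an in-memory dependency graph built from audit records, tags that propagate along that graph to drive detection, and backward/forward traversals for source identification and impact analysis. The following Python sketch, added here as an illustration and not code from the SLEUTH paper or its authors, shows how those pieces interact on a constructed audit trail. The three-level trustworthiness lattice, the two alert policies, the propagation rules and the sample events are all assumptions made for the example; SLEUTH's actual tag definitions and policies are richer than this.

```python
"""Toy dependency graph with tag propagation over constructed audit records.

Added example, not SLEUTH's implementation: the tag lattice, policies and
event trace below are assumptions chosen to illustrate the approach.
"""
from collections import defaultdict, deque

# Assumed trustworthiness lattice: lower value = less trusted.
BENIGN_AUTH, BENIGN, UNKNOWN = 2, 1, 0
# Assumed policy: files whose modification by untrusted code raises an alert.
SENSITIVE = {"/etc/passwd"}


class DepGraph:
    """Main-memory dependency graph: nodes are processes/files/sockets,
    edges are timestamped information flows derived from audit events."""

    def __init__(self):
        self.ttag = {}                  # node -> trustworthiness tag
        self.kind = {}                  # node -> "process" | "file" | "socket"
        self.into = defaultdict(list)   # dst -> [(ts, src)]  flows into dst
        self.out = defaultdict(list)    # src -> [(ts, dst)]  flows out of src
        self.alerts = []                # (ts, rule, subject, object)

    def add_node(self, name, kind, ttag=BENIGN_AUTH):
        self.kind[name] = kind
        self.ttag.setdefault(name, ttag)

    def _edge(self, ts, src, dst):
        self.into[dst].append((ts, src))
        self.out[src].append((ts, dst))

    def consume(self, ts, subject, op, obj):
        """Apply one audit record: add the edge, propagate tags, check policy."""
        if op in ("read", "recv"):          # object -> subject: subject inherits lower tag
            self.ttag[subject] = min(self.ttag[subject], self.ttag[obj])
            self._edge(ts, obj, subject)
        elif op in ("write", "send"):       # subject -> object: object inherits lower tag
            self.ttag[obj] = min(self.ttag[obj], self.ttag[subject])
            self._edge(ts, subject, obj)
            if obj in SENSITIVE and self.ttag[subject] == UNKNOWN:
                self.alerts.append((ts, "untrusted_write_sensitive", subject, obj))
        elif op == "exec":                  # loading code: the image taints the process
            self.ttag[subject] = min(self.ttag[subject], self.ttag[obj])
            self._edge(ts, obj, subject)
            if self.ttag[obj] == UNKNOWN:
                self.alerts.append((ts, "untrusted_exec", subject, obj))
        elif op == "fork":                  # child process starts with the parent's tag
            self.add_node(obj, "process", self.ttag[subject])
            self._edge(ts, subject, obj)
        else:
            raise ValueError(f"unknown op {op}")

    def backward(self, node, before):
        """Source identification: follow incoming edges that happened no later than
        the edge we arrived on; collect untrusted nodes with no earlier inputs."""
        seen, frontier, entry = {node}, deque([(node, before)]), set()
        while frontier:
            n, t = frontier.popleft()
            preds = [(ts, s) for ts, s in self.into[n] if ts <= t]
            if not preds and self.kind[n] != "process" and self.ttag[n] == UNKNOWN:
                entry.add(n)
            for ts, s in preds:
                if s not in seen:
                    seen.add(s)
                    frontier.append((s, ts))
        return entry

    def forward(self, node, after):
        """Impact analysis: everything reachable through edges at or after `after`,
        respecting time order so unrelated earlier activity is not swept in."""
        seen, frontier = set(), deque([(node, after)])
        while frontier:
            n, t = frontier.popleft()
            for ts, d in self.out[n]:
                if ts >= t and d not in seen:
                    seen.add(d)
                    frontier.append((d, ts))
        return seen


def attack_steps(g, alert):
    """Compact scenario: entry points plus the time-ordered edges among affected nodes."""
    ts, _rule, subject, _obj = alert
    sources = g.backward(subject, ts)
    affected = set(sources)
    for s in sources:
        affected |= g.forward(s, 0)
    steps = sorted((t, s, d) for s in affected for t, d in g.out[s] if d in affected)
    return sources, steps


def build_scenario():
    """Constructed audit trail (not real data): browser pulls a payload, drops and
    runs it, and the dropped process tampers with a sensitive file."""
    g = DepGraph()
    g.add_node("firefox", "process")
    g.add_node("bash", "process")
    g.add_node("1.2.3.4:443", "socket", UNKNOWN)     # remote peer is untrusted by default
    for f in ("/bin/ls", "/etc/passwd", "/tmp/drop", "/home/u/notes.txt"):
        g.add_node(f, "file")
    events = [                                       # (ts, subject, op, object)
        (1, "bash", "exec", "/bin/ls"),              # benign: trusted binary
        (2, "firefox", "recv", "1.2.3.4:443"),       # firefox becomes UNKNOWN
        (3, "firefox", "write", "/tmp/drop"),        # payload inherits UNKNOWN
        (4, "firefox", "fork", "dropper"),
        (5, "dropper", "exec", "/tmp/drop"),         # alert: untrusted_exec
        (6, "dropper", "write", "/etc/passwd"),      # alert: untrusted_write_sensitive
        (7, "bash", "read", "/home/u/notes.txt"),    # unrelated benign activity
    ]
    for ev in events:
        g.consume(*ev)
    return g


if __name__ == "__main__":
    graph = build_scenario()
    for alert in graph.alerts:
        print("alert:", alert)
    entry, steps = attack_steps(graph, graph.alerts[0])
    print("entry points:", entry)
    for t, s, d in steps:
        print(f"  t={t}: {s} -> {d}")
```

Two things the sketch makes concrete that the abstract only states. First, detection is a side effect of tag propagation, so a policy check is a constant-time comparison at the event that violates it rather than a search. Second, both traversals are time-bounded: the backward walk only follows edges no later than the one it arrived on, and the forward walk only follows edges at or after it, which is what keeps `bash` and `/home/u/notes.txt` out of the reconstructed scenario even though they share the graph with the attack.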
Similar resources
Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in ...
F-STONE: A Fast Real-Time DDoS Attack Detection Method Using an Improved Historical Memory Management
Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories: volumetric attacks, protocol attacks and application attacks. The volumetric attack, which the pro...
Using the Sleuth Urban Growth Model to Simulate the Impacts of Future Policy Scenarios on Urban Land Use in the Houston-Galveston-Brazoria CMSA
We used the SLEUTH urban growth model, closely coupled with a land transition model, to simulate future urban growth in the Houston metropolitan area, one of the fastest growing metropolises in the United States during the past three decades. The model was calibrated with historical data extracted from a time series of satellite images. Three specific scenarios are designed to simulate the spat...
SLEUTH: Single-pubLisher attack dEtection Using correlaTion Hunting
Several data management challenges arise in the context of Internet advertising networks, where Internet advertisers pay Internet publishers to display advertisements on their Web sites and drive traffic to the advertisers from surfers’ clicks. Although advertisers can target appropriate market segments, the model allows dishonest publishers to defraud the advertisers by simulating fake traffic...
The Impact of Audit Quality on Earnings Management: An Experimental Study with Evidence from IPO
Under the real-activities definition of earnings management, managers can manage reported earnings; in particular, they can time activities across accounting periods so as to reach a certain earnings target. The conservative attitude of auditors in presenting their views on auditor independence can be considered as a remar...