Attack Fingerprints based on the Activity and Event Network(AEN) Model

Files

Nie_Chenyang_MEng_2020.pdf (2.87 MB)

Date

2020-08-12

Authors

Nie, Chenyang

Journal Title

Journal ISSN

Volume Title

Publisher

Abstract

The Activity and Event (AEN) graph is a new framework that enables capturing ongoing security-relevant activity and events occurring at a given organization using a large random time-varying graph model. The graph is generated by processing various network security logs, such as network packets, system logs, and intrusion detection alerts. In this report, we show how known attack methods can be captured generically using attack fingerprints based on the AEN graph. The fingerprints are constructed by identifying attack idiosyncrasies under the form of subgraphs that represent indicators of compromise (IOCs), and then encoded using PGQL queries. Among the many attack types, three main categories are implemented in our model: Probing, Denial of Service(DoS), and authentication breaches; Each category contains its common variations. The experimental evaluation of the fingerprints was carried using a combination of intrusion detection datasets and yielded very encouraging results.

Description

Keywords

Network Attack, Intrusion Detection, Port Scan, Graph Database, DDoS

Citation

URI

http://hdl.handle.net/1828/11986

Collections

Master's Projects
 
University of Victoria Libraries

We acknowledge and respect the Lək̓ʷəŋən (Songhees and Esquimalt) Peoples on whose territory the university stands, and the Lək̓ʷəŋən and W̱SÁNEĆ Peoples whose historical relationships with the land continue to this day.