Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making

Olivier Thonnard, Wim Mees, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

9 Citations (Scopus)

Abstract

In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of "attack attribution" refers to the process of effectively attributing new attack events to (un)known phenomena, based on some evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often largely distributed on the Internet, or can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, an analyst must consider many different attack features (or criteria) in order to decide about the plausible root cause of a given attack, or to attribute it to some given phenomenon. In this paper, we introduce a global analysis method to address this problem in a systematic way. Our approach is based on a novel combination of a knowledge discovery technique with a fuzzy inference system, which somehow mimics the reasoning of an expert by implementing a multi-criteria decision-making process built on top of the previously extracted knowledge. By applying this method on attack traces, we are able to identify large-scale attack phenomena with a high degree of confidence. In most cases, the observed phenomena can be attributed to so-called zombie armies - or botnets, i.e. groups of compromised machines controlled remotely by the same entity. By means of experiments with real-world attack traces, we show how this method can effectively help us to perform a behavioral analysis of those zombie armies from a long-term, strategic viewpoint.

Original language: English
Title of host publication: Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09
Pages: 11-21
Number of pages: 11
DOIs: https://doi.org/10.1145/1599272.1599277
Publication status: Published - 2009
Externally published: Yes
Event: ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09 - Paris
Duration: 28 Jun 2009 → 28 Jun 2009

Other

Other: ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09
City: Paris
Period: 28/6/09 → 28/6/09

Fingerprint

Data mining
Decision making
Monitoring
Fuzzy inference
Internet
Experiments
Botnet

Keywords

  • Attack attribution
  • Intelligence monitoring and analysis

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Science Applications
  • Information Systems
  • Software

Cite this

Thonnard, O., Mees, W., & Dacier, M. (2009). Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making. In Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09 (pp. 11-21). [1599277] https://doi.org/10.1145/1599272.1599277

Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making. / Thonnard, Olivier; Mees, Wim; Dacier, Marc.

Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09. 2009. p. 11-21 1599277.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Thonnard, O, Mees, W & Dacier, M 2009, Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making. in Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09., 1599277, pp. 11-21, ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09, Paris, 28/6/09. https://doi.org/10.1145/1599272.1599277
Thonnard O, Mees W, Dacier M. Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making. In Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09. 2009. p. 11-21. 1599277 https://doi.org/10.1145/1599272.1599277
Thonnard, Olivier ; Mees, Wim ; Dacier, Marc. / Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making. Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09. 2009. pp. 11-21
@inproceedings{b7ccee49518d4377a96330ad8e74a670,
title = "Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making",
abstract = "In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of {"}attack attribution{"} refers to the process of effectively attributing new attack events to (un)known phenomena, based on some evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often largely distributed on the Internet, or can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, an analyst must consider many different attack features (or criteria) in order to decide about the plausible root cause of a given attack, or to attribute it to some given phenomenon. In this paper, we introduce a global analysis method to address this problem in a systematic way. Our approach is based on a novel combination of a knowledge discovery technique with a fuzzy inference system, which somehow mimics the reasoning of an expert by implementing a multi-criteria decision-making process built on top of the previously extracted knowledge. By applying this method on attack traces, we are able to identify large-scale attack phenomena with a high degree of confidence. In most cases, the observed phenomena can be attributed to so-called zombie armies - or botnets, i.e. groups of compromised machines controlled remotely by the same entity. By means of experiments with real-world attack traces, we show how this method can effectively help us to perform a behavioral analysis of those zombie armies from a long-term, strategic viewpoint.",
keywords = "Attack attribution, Intelligence monitoring and analysis",
author = "Olivier Thonnard and Wim Mees and Marc Dacier",
year = "2009",
doi = "10.1145/1599272.1599277",
language = "English",
isbn = "9781605586694",
pages = "11--21",
booktitle = "Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09",

}

TY - GEN

T1 - Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making

AU - Thonnard, Olivier

AU - Mees, Wim

AU - Dacier, Marc

PY - 2009

Y1 - 2009

N2 - In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of "attack attribution" refers to the process of effectively attributing new attack events to (un)known phenomena, based on some evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often largely distributed on the Internet, or can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, an analyst must consider many different attack features (or criteria) in order to decide about the plausible root cause of a given attack, or to attribute it to some given phenomenon. In this paper, we introduce a global analysis method to address this problem in a systematic way. Our approach is based on a novel combination of a knowledge discovery technique with a fuzzy inference system, which somehow mimics the reasoning of an expert by implementing a multi-criteria decision-making process built on top of the previously extracted knowledge. By applying this method on attack traces, we are able to identify large-scale attack phenomena with a high degree of confidence. In most cases, the observed phenomena can be attributed to so-called zombie armies - or botnets, i.e. groups of compromised machines controlled remotely by the same entity. By means of experiments with real-world attack traces, we show how this method can effectively help us to perform a behavioral analysis of those zombie armies from a long-term, strategic viewpoint.

AB - In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of "attack attribution" refers to the process of effectively attributing new attack events to (un)known phenomena, based on some evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often largely distributed on the Internet, or can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, an analyst must consider many different attack features (or criteria) in order to decide about the plausible root cause of a given attack, or to attribute it to some given phenomenon. In this paper, we introduce a global analysis method to address this problem in a systematic way. Our approach is based on a novel combination of a knowledge discovery technique with a fuzzy inference system, which somehow mimics the reasoning of an expert by implementing a multi-criteria decision-making process built on top of the previously extracted knowledge. By applying this method on attack traces, we are able to identify large-scale attack phenomena with a high degree of confidence. In most cases, the observed phenomena can be attributed to so-called zombie armies - or botnets, i.e. groups of compromised machines controlled remotely by the same entity. By means of experiments with real-world attack traces, we show how this method can effectively help us to perform a behavioral analysis of those zombie armies from a long-term, strategic viewpoint.

KW - Attack attribution

KW - Intelligence monitoring and analysis

UR - http://www.scopus.com/inward/record.url?scp=70449629710&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70449629710&partnerID=8YFLogxK

U2 - 10.1145/1599272.1599277

DO - 10.1145/1599272.1599277

M3 - Conference contribution

SN - 9781605586694

SP - 11

EP - 21

BT - Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, CSI-KDD in Conjunction with SIGKDD'09

ER -