Files in this item

File: BOHARA-DISSERTATION-2020.pdf (2MB); format: PDF (application/pdf); restricted to U of Illinois; no description provided.

Description

Title: Information-fusion-based methods to improve the detection of advanced cyber threats
Author(s): Bohara, Atul
Director of Research: Sanders, William H.
Doctoral Committee Chair(s): Sanders, William H.
Doctoral Committee Member(s): Nahrstedt, Klara; Caesar, Matthew; Ros-Giralt, Jordi
Department / Program: Computer Science
Discipline: Computer Science
Degree Granting Institution: University of Illinois at Urbana-Champaign
Degree: Ph.D.
Genre: Dissertation
Subject(s): cybersecurity; intrusion detection; information fusion; advanced persistent threats; lateral movement; IEC 61850 substation security; GOOSE security; anomaly detection
Abstract: The increasing adoption of information and communication technologies in every aspect of modern life has made the security of networked systems more crucial. Their growing size and complexity have provided adversaries with a larger attack surface, leading to numerous breaches in recent years that have undermined the confidentiality and availability of such systems. Thus, it is essential to improve security solutions to protect systems against malicious threats. Intrusion detection is an essential strategy that, together with intrusion prevention and response, makes systems more resilient against malicious access. The challenges faced while developing intrusion detection systems (IDSes) are manifold. First, malicious actors are continuously revising their tactics for using the victim's infrastructure against itself. Next, to address the threats, organizations need to employ many layers of security products. The information generated by these products imposes significant technical and processing overheads. Finally, security systems need to adapt to the nature of the target network and the constraints of the services delivered. In this dissertation, we improve the detection of advanced cyber threats that use intelligent planning and persistent actions to compromise large networked systems. In particular, we design and implement threat detection methods that utilize information fusion. Information fusion guides the analysis and incremental refinement of monitoring information to obtain more accurate detections and smaller volumes of alerts. The general framework of the presented methods is as follows. We collect security monitoring information by using a range of host- and network-level monitors. We then refine that monitoring information by identifying and extracting useful features. The features then drive anomaly-based and specification-based detection of attacks to provide alerts and improve visibility into the target network.

We develop techniques that apply to general networked systems. However, to make the discussion concrete and to reason about our design decisions, we have adopted two types of target systems: an enterprise IT network and a power grid substation network. These systems offer different types of architectures and security requirements, encompassing a wide variety of networked systems. Nevertheless, the possible types of attacks are similar. We set out to detect vectors of initial compromise, such as network scans, network-layer distributed denial-of-service, and malware presence on hosts. In our approach, we combine the host-level context, which is captured by monitors such as system logging deployed on individual hosts, with the network-level context captured by monitors such as firewalls, and we use the aggregated profile to detect anomalous behavior. The detection of abnormal behavior uses unsupervised cluster analysis. We devise a method to order the anomalous clusters in terms of their likely maliciousness, which can help a security administrator prioritize the clusters to investigate manually. Our experiments using an enterprise network dataset demonstrate that our approach has higher detection accuracy than any individual monitor alone. Further, our completely unsupervised approach detects more attacks and generates a smaller volume of alerts than a state-of-the-art rule-based IDS, Snort. We then introduce a novel technique to detect malicious lateral movement (LM). LM attackers use already compromised entities (e.g., hosts, accounts, and services) as stepping stones for reaching critical segments. The expansion usually happens in conjunction with command and control (C&C) to gather information about the internal system structure and to carry out a damaging action. To effectively detect such attacks, we first build a graph-based model to represent the current state of the network. Guided by the model, we identify the essential features of C&C and LM activities and extract them from internal and external communication traffic. Driven by the analysis of the features, we propose to use an ensemble of multiple anomaly detection techniques to identify compromised hosts. Our experiments using enterprise network traces show that our approach can detect the attacks with high accuracy and a low false-alarm rate even when the attacker's behavior is similar to benign behavior.

We then study the detection of an advanced attack when it is in the last stage before launching a harmful action. With false data injection on IEC 61850-compliant substations as our use case, we design and implement a system to detect the attack within strict timing constraints. We first develop an algorithm to identify poisoning attacks on the GOOSE protocol. The algorithm performs a highly stateful analysis of traffic to reason about the properties of ongoing communication in the context of the protocol specifications. We then use a novel combination of whitelisting, specification-based analysis, and physical behavior attributes to detect, with high accuracy, a broad class of false data injection attacks. Our experiments using substation network traces show that the system can identify attacker-injected messages even if they resemble benign communication patterns. We discuss software and hardware bottlenecks, devise a systematic approach to improve our IDS's performance, and demonstrate its applicability to high-speed protection-related communication.
Issue Date: 2020-07-15
Type: Thesis
URI: http://hdl.handle.net/2142/108614
Rights Information: Copyright 2020 Atul Bohara
Date Available in IDEALS: 2020-10-07
Date Deposited: 2020-08

