KEYWORDS: Printing, Computer security, Computing systems, Taxonomy, Data communications, Internet, Network security, Digital video discs, Defense and security, Computer networks
Within an organization, the possibility of a confidential information leak ranks among the highest fears of any executive. Detecting information leaks is a challenging problem, since most organizations depend on a broad and diverse communications network. It is not always straightforward to conclude which information is leaving the organization legitimately, and which communications are malicious data exfiltrations. Sometimes it is not even possible to tell that a communication is occurring at all. The set of all possible exfiltration methods contains, at a minimum, the set of all possible information communication methods, and possibly more. This article cannot possibly cover all such methods; however, several notable examples are given, and a taxonomy of data exfiltration is developed. Such a taxonomy cannot ever be exhaustive, but at the very least can offer a framework for organizing methods and developing defenses.
KEYWORDS: Sensors, Network security, Information security, Process modeling, Data modeling, Computer security, Systems modeling, Internet, Homeland security, Radar
One significant drawback to currently available security products is their inability to correlate diverse sensor input. For instance, by only using network intrusion detection data, a rootkit installed through a weak username-password combination may go unnoticed. Similarly, an administrator may never make the link between deteriorating response times from the database server and an attacker exfiltrating trusted data, if these facts aren't presented together.
Current Security Information Management Systems (SIMS) can collect and represent diverse data but lack sufficient correlation algorithms. By using a Process Query System, we were able to quickly bring together data flowing from many sources, including NIDS, HIDS, server logs, CPU load and memory usage, etc. We constructed PQS models that describe the dynamic behavior of complicated attacks and failures, allowing us to detect and differentiate simultaneous sophisticated attacks on a target network.
In this paper, we discuss the benefits of implementing such a multistage cyber attack detection system using PQS. We focus on how data from multiple sources can be combined and used to detect and track comprehensive network security events that go unnoticed using conventional tools.
Hidden Discrete Event Systems Models (HDESM) are discrete event dynamical system models whose underlying internal state spaces are not directly observable. Observations on such systems are artifacts of the hidden, internal states and are not deterministically or uniquely associated with the hidden states. The distribution of an observation of an HDESM is typically given by a probability distribution conditioned on the hidden state of the system. Classical linear systems, Hidden Markov Models (HMM) and certain types of Petri Net models are examples of HDESMs.
A major challenge in working with this type of model is the estimation of an HDESM's hidden states based on a sequence of observations. In some cases, well-known algorithms can be used to solve this problem. In many cases of practical interest, however, the complexity of those algorithms is too high to be practical. New ideas and algorithms are therefore needed for effective solutions to the state estimation problem.
In this paper we will investigate sub-classes of HDESMs whose structure would allow efficient state estimation algorithms to exist. Such structures could be related to the sparsity and/or equivalence class structure of transition dynamics within the underlying discrete event system. Efficient algorithms that compute approximate solutions will be investigated with the goal of understanding the trade-offs between computational efficiency and estimation accuracy. Ideas on how to implement such trade-offs are also proposed.