Attack-Test and Verification Systems, Steps Towards Verifiable Anomaly Detection - Prof. Dr. Norbert Pohlmann
M. Fourné, D. Petersen, N. Pohlmann:
Botnet, network malware and anomaly detection algorithms are hard to evaluate and compare against each other because they are evaluated on different data sets. In some cases, over-specialization on known malware yields high detection rates only because of unknown artifacts in the training data set. This may lead to new malware going unnoticed on a network, because the detection algorithm has not been optimized for this case. Our proposal is a new, work-in-progress approach to generate parametrized and randomized test data sets on the fly. We plan to couple this with an automatic verification system to assess the quality of detection algorithms without internal knowledge of their workings, i.e. as a black box. We hope to encourage discussion to improve the draft of our idea and especially to go into more detail on our work in progress.
The research field of Network Anomaly Detection (NAD), and more specifically network malware detection (mainly botnet detection), is an active field with many approaches proposing ever new algorithms. Many events can be classified as network anomalies, but to qualify as an attack, there has to be some form of intent. There is a semantic gap between anomalies and attacks: the intent behind an attack must be understood to build a good model, which then forms the basis for detecting patterns of network activity related to that attack. If the scope of detection lies only in the network, intent is hard to quantify, but it can be inferred from abnormal statistics created by events that impede the functions of benign network activity. A denial-of-service attack can be found quite easily, but algorithms that find the small anomalies preceding targeted attacks are harder to develop. Algorithms that find botnet activity preceding attacks from botnets belong to the class of NAD algorithms, but use correlation criteria for anomalies related to botnet spreading, or, more generally, attack preparation. These have been optimized almost to perfection in finding the anomalies that were known when they were created. Other algorithms have been built which need continuous training, but no clear statement about the quality of their detection rate can be made for unforeseen network events.
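As an added example that is not part of the paper, the following Python harness sketches the kind of black-box attack-test loop the proposal above describes: a generator that draws attack parameters (beacon period and jitter, C2 port, flood rate) from fresh randomness for every seed, an evaluator that sees a detector only as a function from unlabeled flow records to flagged records, and three toy detectors. The hosts, ports, rates, thresholds and the detectors themselves are constructed here for illustration and are assumptions, not material from the paper. Running it shows the two effects discussed in the abstract and the introduction: a detector that memorized an artifact of its training data (here, the C2 port) scores perfectly when that artifact is pinned and fails when it is randomized, and a rate-based detector that finds the denial-of-service flood sees nothing of the low-volume beaconing that precedes attacks.

```python
"""Added example (not the paper's code): black-box evaluation of anomaly detectors
on parametrized, randomized synthetic flow data with hidden ground truth.
All hosts, ports, rates and thresholds below are constructed for illustration."""
import random
import statistics
from bisect import bisect_right
from collections import defaultdict

# Unlabeled record shape handed to detectors: (t_seconds, src, dst, dport, nbytes)


def generate_dataset(seed, attack="beacon", n_benign=400, params=None):
    """Return (unlabeled_flows, attack_indices, params) for one randomized instance.
    Attack parameters are drawn per seed so a detector cannot rely on artifacts of
    a single fixed data set; `params` pins individual values for a specific test."""
    rng = random.Random(seed)
    p = {"period": rng.uniform(20, 120),       # beacon interval in seconds
         "jitter": rng.uniform(0, 5),          # +/- seconds added to each interval
         "c2_port": rng.choice([80, 443, 8080, 4444]),
         "burst_rate": rng.uniform(50, 200)}   # DoS flows per second
    if params:
        p.update(params)
    hosts = [f"10.0.0.{i}" for i in range(2, 30)]
    flows = []
    for _ in range(n_benign):          # background traffic to a /24 of web servers
        flows.append((rng.uniform(0, 3600), rng.choice(hosts),
                      f"93.184.216.{rng.randint(1, 254)}",
                      rng.choice([80, 443, 53, 22]), rng.randint(200, 50000), "benign"))
    if attack == "beacon":             # one infected host polling its C2 on a schedule
        bot, c2 = rng.choice(hosts), "198.51.100.7"
        t = rng.uniform(0, p["period"])
        while t < 3600:
            flows.append((t, bot, c2, p["c2_port"], rng.randint(100, 400), "attack"))
            t += p["period"] + rng.uniform(-p["jitter"], p["jitter"])
    elif attack == "dos":              # one-minute flood from many hosts to one target
        t0 = rng.uniform(0, 3000)
        for _ in range(int(p["burst_rate"] * 60)):
            flows.append((t0 + rng.uniform(0, 60), rng.choice(hosts), "203.0.113.5",
                          80, rng.randint(40, 100), "attack"))
    flows.sort(key=lambda f: f[0])
    unlabeled = [f[:5] for f in flows]                 # labels never reach a detector
    attack_idx = {i for i, f in enumerate(flows) if f[5] == "attack"}
    return unlabeled, attack_idx, p


# --- three detectors; the harness treats them purely as callables ------------

def port_signature_detector(flows):
    """Over-specialized: learned that C2 traffic used port 4444 in its training set."""
    return {i for i, f in enumerate(flows) if f[3] == 4444}


def periodicity_detector(flows, min_flows=5, max_cv=0.25):
    """Flag every (src, dst) pair whose inter-arrival times are nearly constant."""
    by_pair = defaultdict(list)
    for i, f in enumerate(flows):
        by_pair[(f[1], f[2])].append((f[0], i))
    flagged = set()
    for pts in by_pair.values():
        if len(pts) < min_flows:
            continue
        pts.sort()
        gaps = [b[0] - a[0] for a, b in zip(pts, pts[1:])]
        if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
            flagged.update(i for _, i in pts)
    return flagged


def rate_detector(flows, window=10.0, max_per_window=100):
    """Flag all flows to a destination inside any time window that exceeds a rate bound."""
    by_dst = defaultdict(list)
    for i, f in enumerate(flows):
        by_dst[f[2]].append((f[0], i))
    flagged = set()
    for pts in by_dst.values():
        pts.sort()
        times = [t for t, _ in pts]
        end = 0                        # first index not yet flagged by an earlier window
        for k in range(len(pts)):
            j = bisect_right(times, times[k] + window)
            if j - k > max_per_window:
                flagged.update(i for _, i in pts[max(k, end):j])
                end = max(end, j)
    return flagged


def evaluate(detector, seeds, attack="beacon", params=None):
    """Black-box scoring: mean precision and recall over independently generated sets."""
    prec, rec = [], []
    for s in seeds:
        flows, truth, _ = generate_dataset(s, attack, params=params)
        flagged = detector(flows)
        tp = len(flagged & truth)
        prec.append(tp / len(flagged) if flagged else 0.0)
        rec.append(tp / len(truth))
    return {"precision": statistics.mean(prec), "recall": statistics.mean(rec)}


if __name__ == "__main__":
    seeds = range(5)
    for name, det in [("port signature", port_signature_detector),
                      ("periodicity", periodicity_detector), ("rate", rate_detector)]:
        for attack in ("beacon", "dos"):
            print(f"{name:15s} vs {attack:6s}: {evaluate(det, seeds, attack)}")
```

The point of the design is that the generator, not the detector under test, owns the randomness: pinning `c2_port` to 4444 reproduces the over-fitted detector's perfect score, while letting the port vary across seeds exposes it, and the same interface scores a periodicity-based and a rate-based detector against both attack classes without any knowledge of how they work.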