Crook-sourced intrusion detection as a service. (September 2021)
- Record Type:
- Journal Article
- Title:
- Crook-sourced intrusion detection as a service. (September 2021)
- Main Title:
- Crook-sourced intrusion detection as a service
- Authors:
- Araujo, Frederico
Ayoade, Gbadebo
Al-Naami, Khaled
Gao, Yang
Hamlen, Kevin W.
Khan, Latifur - Abstract:
- Abstract: Most conventional cyber defenses strive to reject detected attacks as quickly and decisively as possible; however, this instinctive approach has the disadvantage of depriving intrusion detection systems (IDSes) of learning experiences and threat data that might otherwise be gleaned from deeper interactions with adversaries. For IDS technology to improve, a next-generation cyber defense is proposed in which cyber attacks are unconventionally reimagined as free sources of live IDS training data. Rather than aborting attacks against legitimate services, adversarial interactions are selectively prolonged to maximize the defender's harvest of useful threat intelligence. Enhancing web services with deceptive attack-responses in this way is shown to be a powerful and practical strategy for improved detection, addressing several perennial challenges for machine learning-based IDS in the literature, including scarcity of training data, the high labeling burden for (semi-)supervised learning, encryption opacity, and concept differences between honeypot attacks and those against genuine services. By reconceptualizing software security patches as feature extraction engines, the approach conscripts attackers as free penetration testers, and coordinates multiple levels of the software stack to achieve fast, automatic, and accurate labeling of live web streams. Prototype implementations are showcased for two feature set models to extract security-relevant network- andAbstract: Most conventional cyber defenses strive to reject detected attacks as quickly and decisively as possible; however, this instinctive approach has the disadvantage of depriving intrusion detection systems (IDSes) of learning experiences and threat data that might otherwise be gleaned from deeper interactions with adversaries. For IDS technology to improve, a next-generation cyber defense is proposed in which cyber attacks are unconventionally reimagined as free sources of live IDS training data. Rather than aborting attacks against legitimate services, adversarial interactions are selectively prolonged to maximize the defender's harvest of useful threat intelligence. Enhancing web services with deceptive attack-responses in this way is shown to be a powerful and practical strategy for improved detection, addressing several perennial challenges for machine learning-based IDS in the literature, including scarcity of training data, the high labeling burden for (semi-)supervised learning, encryption opacity, and concept differences between honeypot attacks and those against genuine services. By reconceptualizing software security patches as feature extraction engines, the approach conscripts attackers as free penetration testers, and coordinates multiple levels of the software stack to achieve fast, automatic, and accurate labeling of live web streams. Prototype implementations are showcased for two feature set models to extract security-relevant network- and system-level features from cloud services hosting enterprise-grade web applications. The evaluation demonstrates that the extracted data can be fed back into a network-level IDS for exceptionally accurate, yet lightweight attack detection. … (more)
- Is Part Of:
- Journal of information security and applications. Volume 61(2021)
- Journal:
- Journal of information security and applications
- Issue:
- Volume 61(2021)
- Issue Display:
- Volume 61, Issue 2021 (2021)
- Year:
- 2021
- Volume:
- 61
- Issue:
- 2021
- Issue Sort Value:
- 2021-0061-2021-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-09
- Subjects:
- Intrusion detection -- Datasets -- Neural networks -- Honeypots -- Cyberdeception -- Cloud computing -- Software-as-a-service
Computer security -- Periodicals
Information technology -- Security measures -- Periodicals
005.805 - Journal URLs:
- http://www.sciencedirect.com/ ↗
- DOI:
- 10.1016/j.jisa.2021.102880 ↗
- Languages:
- English
- ISSNs:
- 2214-2126
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store - Ingest File:
- 18512.xml