A Methodology for Runtime Detection and Extraction of Threat Patterns
ORIGINAL RESEARCH
A Methodology for Runtime Detection and Extraction of Threat Patterns

Christos Bellas1 · Athanasios Naskos1 · Georgia Kougka1 · George Vlahavas1 · Anastasios Gounaris1 · Athena Vakali1 · Apostolos Papadopoulos1 · Evmorfia Biliri2 · Nefeli Bountouni2 · Gustavo Gonzalez Granadillo3

Received: 9 March 2020 / Accepted: 10 June 2020
© The Author(s) 2020
Abstract

As the confidentiality and integrity of modern health infrastructures is threatened by intrusions and real-time attacks related to privacy and cyber-security, there is a need for proposing novel methodologies to predict future incidents and identify new threat patterns. The main scope of this article is to propose an advanced extension to current Intrusion Detection System (IDS) solutions, which (i) harvests the knowledge out of health data sources or network monitoring to construct models for new threat patterns and (ii) encompasses methods for detecting threat patterns utilizing also advanced unsupervised machine learning data analytic methodologies. Although the work is motivated by the health sector, it is developed in a manner that is directly applicable to other domains.

Keywords: IDS · Complex event processing · SIEM · Machine learning · Outlier detection
Introduction

The landscape of cyber-attacks is wide and extremely diverse, since attacks differ in multiple dimensions, such as their source [18, 26], the technique details and actor [19, 32, 33], the affected Open System Interconnection (OSI) layer [18] and the system infrastructure targeted [33]. The protection of any computing system encompasses the integrity, confidentiality and availability of its resources [17]; when these three security conditions are met, the system is considered safeguarded against intrusions.
To this end, organisations typically set up preventative infrastructures, with Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) lying at their core. An IDS comes as a hardware- and/or software-based solution responsible for the prompt detection of real-time attacks and for notifying the system or its administrators about the attempted intrusion [24]. IPSs are server- or appliance-based products that initiate the appropriate prevention responses to block the detected attack [24]. The real activity of an IPS starts when the role of an IDS finishes, that is, upon the detection of an intrusion, although some IPSs may
* Corresponding author: Georgia Kougka

1 Department of Informatics, Aristotle University of Thessaloniki, Thessaloniki, Greece
2 Suite5, Limassol, Cyprus
3 Atos Research and Innovation, Barcelona, Spain
SN Computer Science