August 4, 2016
Conference Paper

LINEBACKER: LINE-speed Bio-inspired Analysis and Characterization for Event Recognition

Abstract

The cyber world is a complex domain, with digital systems mediating a wide spectrum of human and machine behaviors. While this is enabling a revolution in the way humans interact with each other and with data, it is also exposing previously unreachable infrastructure to a worldwide set of actors. Existing solutions for intrusion detection and prevention that are signature-focused typically seek to detect anomalous and/or malicious activity for the sake of preventing or mitigating negative impacts. But a growing interest in behavior-based detection is driving new forms of analysis that move the emphasis from static indicators (e.g., rule-based alarms or tripwires) to behavioral indicators that accommodate a wider contextual perspective. Similar to cyber systems, biosystems have always existed in resource-constrained hostile environments where behaviors are tuned by context. So we look to biosystems as an inspiration for addressing behavior-based cyber challenges. In this paper, we introduce LINEBACKER, a behavior-model-based approach to recognizing anomalous events in network traffic, and present its design, in which bio-inspired and statistical models work in tandem to produce individualized alerting for a collection of systems. Preliminary results of these models operating on historic data are presented along with a plugin to support real-world cyber operations.

Revised: December 2, 2016 | Published: August 4, 2016

Citation

Oehmen C.S., P.J. Bruillard, B.D. Matzke, A.R. Phillips, K.T. Star, J.L. Jensen, and D.J. Nordwall, et al. 2016. LINEBACKER: LINE-speed Bio-inspired Analysis and Characterization for Event Recognition. In IEEE Symposium on Security and Privacy Workshops, May 23-25, 2016, San Jose, California, 88-95. Palo Alto, California: IEEE Computer Society. PNNL-SA-115629. doi:10.1109/SPW.2016.44