A Feasibility Study of Autonomically Detecting In-Process Cyber-Attacks

Title: A Feasibility Study of Autonomically Detecting In-Process Cyber-Attacks
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Sun, F., Zhang, P., White, J., Schmidt, D., Staples, J., Krause, L.
Conference Name: 2017 3rd IEEE International Conference on Cybernetics (CYBCONF)
Keywords: application execution, application-agnostic cyber-attack detection system, attack vectors, attacker, autonomic alert system, autonomic cyber-attack detection system, Autonomic Security, call graph, control flow, exemplar Web-based applications, feature extraction, features extraction, heterogeneous software systems, in-process cyber-attacks, Instruments, Java, learning (artificial intelligence), learning strategies, lightweight structures, machine learning techniques, Metrics, Monitoring, normal application behavior, off-line models, on-line models, perturbed applications, program transformation, pubcrawl, QoS requirements, quality-of-service requirements, Resiliency, Runtime, Scalability, security, security of data, Software, software development process, software vulnerabilities, supervised training, Trusted Computing, trusted software application, unsafe actions, Web applications

A cyber-attack detection system issues alerts when an attacker attempts to coerce a trusted software application to perform unsafe actions on the attacker's behalf. One way of issuing such alerts is to create an application-agnostic cyber-attack detection system that responds to prevalent software vulnerabilities. The creation of such an autonomic alert system, however, is impeded by the disparity between implementation language, function, quality-of-service (QoS) requirements, and architectural patterns present in applications, all of which contribute to the rapidly changing threat landscape presented by modern heterogeneous software systems. This paper evaluates the feasibility of creating an autonomic cyber-attack detection system and applying it to several exemplar web-based applications using program transformation and machine learning techniques. Specifically, we examine whether it is possible to detect cyber-attacks (1) online, i.e., as they occur, using lightweight structures derived from a call graph, and (2) offline, i.e., using machine learning techniques trained with features extracted from a trace of application execution. In both cases, we first characterize normal application behavior using supervised training with the test suites created for an application as part of the software development process. We then intentionally perturb our test applications so they are vulnerable to common attack vectors and evaluate the effectiveness of various feature extraction and learning strategies on the perturbed applications. Our results show that both lightweight online models based on the control flow of the execution path and application-specific offline models can successfully and efficiently detect in-process cyber-attacks against web applications.

Citation Key: sun_feasibility_2017