Graduate students create a prize-winning network threat correlation system

Kiavash Satvat and Sutanu Ghosh

Graduate students Sutanu Ghosh and Kiavash Satvat, along with CS faculty members Rigel Gjomemo and V. N. (Venkat) Venkatakrishnan, received the best practice paper award at the 18th International Conference on Information Systems Security (ICISS 2022), for their work on improving security threat detection in computer networks.

Their work, detailed in their paper “OSTINATO: Cross-host Attack Correlation through Attack Activity Similarity Detection,” introduces an intrusion-detection framework for keeping networks secure that is more robust than those commercially available. Their framework was able to detect more threats, especially threats spread across a network, and to ferret out potentially compromised computers. It also issues fewer false alarms, which helps those tasked with maintaining network security stay focused on real threats.

The team found a common theme: whenever large cyberattacks happen, the attackers generally try to leverage similar attack tools across multiple hosts to achieve their objectives, such as stealing files and transferring them to their own private servers. They can attack multiple companies, or multiple machines within a single company. In these targeted cyberattacks, also known as advanced persistent threats, the attackers try to breach as many machines inside the organization as possible without being caught, maintain a stealthy presence across the network, and withdraw crucial data.

“Approaches that deal with this challenge are often network-based, but modern attacks are increasingly stealthy, and usually have a small footprint on network logs characterized as ‘slow and low,’” Ghosh said. “Today’s attacks, like scanning internal hosts, or gaining access to new hosts, happen over a long period of time.”

In contrast to the single-host approach, their framework, OSTINATO, assembles all the alerts generated by an intrusion detection system and correlates them into a meaningful picture of whether the same attacker is performing malicious operations on different hosts within the same organization.

The team trained their tool on two different datasets collected from several red team engagements organized by the U.S. Defense Advanced Research Projects Agency (DARPA), which creates breakthrough technologies and capabilities for national security. These “red team” engagements are simulated attacks that challenge participants to detect threats to the system used in each scenario.

Using the DARPA datasets, the red teams performed various attacker activities across a network of 500 Microsoft Windows-based hosts, resembling modern advanced persistent threat scenarios. The single-host detection system either missed attacker activities whose small footprints fell below the detection threshold or produced many false positives at lower thresholds.

The OSTINATO framework was able to detect three times as many attacker activities in the datasets: it found 21 compromised hosts that exhibited similar attacker behavior, compared with the underlying single-host detection system, which found attacker activities on just seven of the hosts.

And since the system processes lateral host-to-host activity, it eliminated multiple false alarms that a single-host system would raise but then ignore, because no larger picture of the entire network was available.
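The following is an added illustration of the cross-host correlation idea described above; it is not code from the OSTINATO paper and does not reproduce its similarity measure, which the article does not describe. It uses Jaccard similarity of constructed per-host activity labels as a stand-in, seeds the correlation with hosts whose single-host score already clears the threshold, and then pulls in hosts whose activity resembles a seed's even though their own score is "slow and low". All host names, labels, scores and thresholds are made up for the example.

```python
"""Toy cross-host alert correlation (constructed illustration, not OSTINATO's code)."""
from itertools import combinations

# Constructed per-host summaries from a hypothetical single-host IDS.
# 'score' is the IDS's own suspicion score for the host; 'activity' is the
# set of attack-activity labels it observed. Labels are invented for this example.
ALERTS = [
    {"host": "ws-01", "score": 0.92,
     "activity": {"remote_service_create", "credential_dump", "archive_staging", "dns_beacon"}},
    {"host": "ws-02", "score": 0.31,  # low footprint: same tooling, fewer observed steps
     "activity": {"remote_service_create", "credential_dump", "dns_beacon"}},
    {"host": "ws-03", "score": 0.28,  # low footprint: again the same tooling
     "activity": {"archive_staging", "dns_beacon", "remote_service_create"}},
    {"host": "ws-04", "score": 0.85,  # noisy backup job that trips the single-host threshold
     "activity": {"scheduled_backup", "bulk_file_copy"}},
    {"host": "ws-05", "score": 0.12,
     "activity": {"browser_update"}},
]


def single_host_detect(alerts, threshold=0.8):
    """Baseline: a host is flagged only if its own score clears the threshold."""
    return {a["host"] for a in alerts if a["score"] >= threshold}


def jaccard(a, b):
    """Similarity of two activity sets: |A ∩ B| / |A ∪ B| (0.0 for two empty sets)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def correlate_hosts(alerts, threshold=0.8, min_similarity=0.5):
    """Cross-host correlation.

    1. Seed with hosts the single-host detector already flags.
    2. Link every pair of hosts whose activity sets are at least
       `min_similarity` alike (Jaccard, an assumed stand-in measure).
    3. Walk the links from the seeds to a fixed point, so a chain of
       low-footprint hosts that resemble each other is followed end to end.

    Returns (campaign_hosts, isolated_seeds): hosts tied to a correlated
    campaign, and seed hosts that resemble nothing else on the network,
    which a human can triage at lower priority instead of treating as an alarm.
    """
    activity = {a["host"]: a["activity"] for a in alerts}
    seeds = single_host_detect(alerts, threshold)

    links = {h: set() for h in activity}
    for h1, h2 in combinations(activity, 2):
        if jaccard(activity[h1], activity[h2]) >= min_similarity:
            links[h1].add(h2)
            links[h2].add(h1)

    campaign = set()
    frontier = {s for s in seeds if links[s]}
    while frontier:
        host = frontier.pop()
        campaign.add(host)
        frontier |= links[host] - campaign

    isolated = seeds - campaign
    return campaign, isolated


if __name__ == "__main__":
    print("single-host only :", sorted(single_host_detect(ALERTS)))
    campaign, isolated = correlate_hosts(ALERTS)
    print("correlated campaign:", sorted(campaign))
    print("isolated seeds     :", sorted(isolated))
```

On the constructed input the single-host baseline flags ws-01 and ws-04; the correlation step additionally ties the low-scoring ws-02 and ws-03 to ws-01 because their activity overlaps heavily with it, and it separates ws-04, whose activity matches no other host, into the isolated bucket rather than reporting it alongside the campaign. The iteration to a fixed point is what lets a chain of quiet hosts be recovered even when only one of them ever crossed the threshold.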

“We provide a global view of the network, correlating alerts and painting a larger picture,” Ghosh said.

The team won an award and prize money at the conference, which was held in India in December 2022.