Probabilistically Inferring Attack Ramifications Using Temporal Dependence Network

Document Type


Publication Date



There is an increasing need of assessing and mitigating the effects of successful attacks. Uncovering malicious and contaminated objects in an attacked computing system is referred to as identification of attack ramifications. Previous methods identify the attack ramifications by directly tracking information flows (or dependences) from the intrusion root (i.e., the entry point of an attack). They face challenges such as undetermined intrusion root and dependence explosion. In this paper, we present a novel, light-weight method capable of identifying attack ramifications without the knowledge of intrusion root and less subject to dependency explosion. The method utilizes a probabilistic reasoning approach to fuse evidence derived from a subset of objects whose security states are known. It first splits the lifetime of an object into consecutive time slices (object-slices) to profile how the security state of this object changes over time. Then, a temporal dependence network (TDN) is constructed from system call traces to correlate object-slices according to information flows between them. Based on that, a Bayesian network (BN) model is built to characterize the uncertainties of infection propagations in the TDN. Finally, the method adopts loopy belief propagation on the BN model to infer the security state of an object. We evaluate the proposed method using a large data set of 389 attacks launched by the real-world malware samples including sophisticated ones such as Stuxnet. Extensive experiments demonstrate that our method is able to identify attack ramifications with a 97.47% precision at 97.21% recall without the knowledge of intrusion root.



Find in your library

Off-Campus WSU Users