Using the knowledge-based temporal-abstraction (KBTA) method for detection of electronic threats

Asaf Shabtai, Yuval Shahar, Yuval Elovici

5th European Conference on Information Warfare and Security 2006, ECIW 2006 …, 2006

One of the goals of terrorist organizations is to attack critical infrastructures such as power plants, telecommunication companies etc. Since many critical infrastructures employ various Information and Communication Technologies (ICTs), such an attack may be carried out by using dedicated Electronic Threats (eThreats) such as worms, viruses, Trojans, and spyware. The goal of the attack is to interrupt the normal operation of the critical infrastructure in order to cause economic damage and social chaos. Current state-of-the-art technologies, such as antivirus and intrusion detection systems, are aimed at coping with known eThreats that were encountered before. However, terrorists may write dedicated eThreats that will not be identified by the existing tools. Thus, there is a need to develop generic technologies to identify eThreats based on their behavior, especially over time, and not only based on their unique signature. In many cases, identifying that the computer is infected may be sufficient to stop the attack. In this article, we propose a new approach for early detection of the presence of unknown eThreats, based on their behavior within the target computer. First, an agent extracts various time-stamped data, such as the number of active processes at each time-point, from the target computer. Then, by using the Knowledge-Based Temporal Abstraction (KBTA) method, we integrate the continuously measured data (e.g., the number of running processes) and events (e.g., installation) with a security-domain temporal-abstraction knowledge base (i.e., a security ontology specialized for abstraction of meaningful patterns from time-oriented security data …
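As an added illustration, not code from the paper (the authors' agent and their security ontology are not reproduced here), the following Python sketches the two KBTA steps the abstract names: each time-stamped measurement (a constructed series of process counts) is mapped to a qualitative state, consecutive samples in the same state are joined into intervals, and the resulting intervals are matched against a recorded event using a small hypothetical knowledge base. The thresholds, the `max_gap` joining rule, the pattern definition, and the sample data are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: (minute, number of running processes), as an agent might report.
SAMPLES: List[Tuple[int, int]] = [
    (0, 31), (1, 33), (2, 32), (3, 34),
    (4, 58), (5, 61), (6, 63), (7, 60),
    (8, 35), (9, 33),
]
# Constructed events: (minute, event name).
EVENTS: List[Tuple[int, str]] = [(3, "installation")]

# Hypothetical temporal-abstraction knowledge base; the paper's ontology is not shown here.
KB: Dict = {
    # [low, high) raw value -> qualitative state (assumed thresholds)
    "state_thresholds": [(0, 40, "normal"), (40, float("inf"), "high")],
    # samples in the same state at most this many minutes apart join one interval
    "max_gap": 1,
    # temporal pattern: a 'high' interval starting within max_delay minutes of the
    # named event and lasting at least min_duration minutes
    "patterns": [
        {"name": "post-install process surge", "event": "installation",
         "state": "high", "max_delay": 2, "min_duration": 3},
    ],
}


@dataclass
class Interval:
    start: int
    end: int
    label: str

    def duration(self) -> int:
        # inclusive length in minutes: a single sample counts as one minute
        return self.end - self.start + 1


def state_label(value: float, kb: Dict) -> str:
    """Vertical abstraction: map one raw measurement to a state from the knowledge base."""
    for lo, hi, label in kb["state_thresholds"]:
        if lo <= value < hi:
            return label
    raise ValueError(f"no state defined for value {value}")


def abstract_states(samples: List[Tuple[int, int]], kb: Dict) -> List[Interval]:
    """Abstract time-stamped samples into state intervals.

    Each sample gets a state; consecutive samples with the same state and a time
    gap no larger than kb['max_gap'] are joined into one interval (KBTA's
    horizontal interpolation step). Samples are processed in time order.
    """
    intervals: List[Interval] = []
    for t, value in sorted(samples):
        label = state_label(value, kb)
        last = intervals[-1] if intervals else None
        if last and last.label == label and t - last.end <= kb["max_gap"]:
            last.end = t
        else:
            intervals.append(Interval(t, t, label))
    return intervals


def detect_patterns(intervals: List[Interval], events: List[Tuple[int, str]],
                    kb: Dict) -> List[Tuple[str, int, int, int]]:
    """Match state intervals and events against the KB's temporal patterns.

    Returns (pattern name, event minute, interval start, interval end) per match.
    """
    alerts = []
    for pattern in kb["patterns"]:
        for event_t, event_name in events:
            if event_name != pattern["event"]:
                continue
            for iv in intervals:
                delay = iv.start - event_t
                if (iv.label == pattern["state"]
                        and 0 <= delay <= pattern["max_delay"]
                        and iv.duration() >= pattern["min_duration"]):
                    alerts.append((pattern["name"], event_t, iv.start, iv.end))
    return alerts


if __name__ == "__main__":
    ivs = abstract_states(SAMPLES, KB)
    for iv in ivs:
        print(f"{iv.label:6s} minutes {iv.start}-{iv.end}")
    for name, et, s, e in detect_patterns(ivs, EVENTS, KB):
        print(f"ALERT {name}: event at minute {et}, high state minutes {s}-{e}")
```

The `min_duration` check is what separates a sustained post-installation surge from a one-sample spike: a single high reading directly after the event produces a one-minute interval and no alert, which is the kind of temporal reasoning a per-sample threshold cannot express.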