Multi-observable reputation scoring system for flagging suspicious user sessions

Date

2020-08-08

Citation of Original Publication

Wassila Lalouani and Mohamed Younis, Multi-observable reputation scoring system for flagging suspicious user sessions, Computer Networks Volume 182, 107474 (2020), doi: https://doi.org/10.1016/j.comnet.2020.107474

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Attribution-NonCommercial-NoDerivatives 4.0 International
Access to this item will begin on 9/12/2022

Abstract

Conventionally, network and cloud infrastructure security is handled by firewalls that monitor traffic and block malicious access by matching certain observables, e.g., IP addresses and DNS names, against blacklisted entries in threat-intelligence databases. Such an approach therefore fails to deal with emerging threats that use observables not yet classified, and cannot report suspicious activity by individual users. In this paper we propose MuSeR, a novel approach that assigns reputation scores to observables, even when no prior information about them is available, and flags suspicious sessions by conducting inter-observable analysis of user requests. In essence, MuSeR aims to help network and cloud administrators mitigate attacks while avoiding unwarranted blocking of benign access. MuSeR achieves this by assigning session reputation scores based on the trustworthiness of the user's navigation pattern and by dynamically analyzing the individual observables involved in each request. Specifically, MuSeR employs a new machine learning model for classifying observables, using features chosen to factor in evidence provided by blacklists and the access patterns of known attacks. To determine a request score, MuSeR maps the classifier probabilities to adaptive subjective logic and then uses multinomial fusion to combine evidence from the different observables. Given the request scores, MuSeR further introduces a novel session reputation scoring model that uses three-valued subjective logic to handle trust propagation and aggregation over the user's requests. The effectiveness of MuSeR is validated using a large dataset obtained from popular databases such as WHOIS, CYMUS, and passive DNS databases.
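The pipeline the abstract sketches (per-observable classifier probability, mapped to a subjective-logic opinion, fused across the observables of a request, then aggregated across the requests of a session and thresholded) can be illustrated with standard binomial subjective logic. The following is an added example written for this page, not code from the paper: the mapping from classifier probability and evidence support to an opinion, the use of Jøsang's cumulative fusion for both the request and the session step, the 0.7 flag threshold, and the sample sessions (RFC 5737 documentation addresses and `.test` names) are all assumptions; the paper's own adaptive and three-valued models are not reproduced here.

```python
"""Toy reputation pipeline in the spirit of MuSeR (added illustration, not the
paper's code): classifier probabilities for each observable become
subjective-logic opinions, which are fused per request and then per session.
The probability-to-opinion mapping and the reuse of cumulative fusion for the
session step are assumptions made for this example."""
from dataclasses import dataclass
from functools import reduce

W = 2.0                 # non-informative prior weight used by subjective logic
FLAG_THRESHOLD = 0.7    # assumed: flag a session whose projected P(malicious) reaches this


@dataclass(frozen=True)
class Opinion:
    """Binomial opinion on the proposition "this observable/request/session is malicious"."""
    b: float            # belief
    d: float            # disbelief
    u: float            # uncertainty (b + d + u == 1)
    a: float = 0.5      # base rate used to project uncertainty onto a probability

    def projected(self) -> float:
        return self.b + self.a * self.u


def opinion_from_classifier(p_malicious: float, support: int, base_rate: float = 0.5) -> Opinion:
    """Assumed mapping: the classifier probability fixes the belief/disbelief ratio; the
    amount of evidence behind the verdict (blacklist hits, prior sightings) fixes how much
    mass stays uncertain.  support=0 yields a vacuous opinion that cannot sway a request."""
    u = W / (W + support)
    return Opinion(b=p_malicious * (1 - u), d=(1 - p_malicious) * (1 - u), u=u, a=base_rate)


def cumulative_fuse(x: Opinion, y: Opinion) -> Opinion:
    """Cumulative fusion (Jøsang): treats the two opinions as independent evidence about
    the same proposition.  The operator is associative, so it reduces over a list."""
    if x.u == 0 and y.u == 0:
        # Two dogmatic opinions: the operator's limit is the plain average.
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, (x.a + y.a) / 2)
    k = x.u + y.u - x.u * y.u
    b = (x.b * y.u + y.b * x.u) / k
    d = (x.d * y.u + y.d * x.u) / k
    u = (x.u * y.u) / k
    if x.u + y.u == 2 * x.u * y.u:      # only when both opinions are vacuous (u == 1)
        a = (x.a + y.a) / 2
    else:
        a = (x.a * y.u + y.a * x.u - (x.a + y.a) * x.u * y.u) / (x.u + y.u - 2 * x.u * y.u)
    return Opinion(b, d, u, a)


def score_request(observables) -> Opinion:
    """observables: iterable of (kind, value, p_malicious, support) from the classifier."""
    return reduce(cumulative_fuse, (opinion_from_classifier(p, n) for _, _, p, n in observables))


def score_session(requests) -> Opinion:
    """Aggregate request opinions over a session.  The paper uses three-valued subjective
    logic for this step; the example reuses cumulative fusion for simplicity."""
    return reduce(cumulative_fuse, (score_request(r) for r in requests))


def is_suspicious(session_opinion: Opinion, threshold: float = FLAG_THRESHOLD) -> bool:
    return session_opinion.projected() >= threshold


# Constructed sample sessions: (kind, value, classifier P(malicious), evidence support).
SESSION_A = [   # same IP reused against a freshly seen login-looking domain
    [("ip", "203.0.113.7", 0.90, 8), ("domain", "cdn-example.test", 0.20, 2)],
    [("ip", "203.0.113.7", 0.90, 8), ("domain", "login-portal.test", 0.85, 1)],
]
SESSION_B = [   # well-known benign IP, ordinary navigation
    [("ip", "198.51.100.4", 0.10, 20), ("domain", "cdn-example.test", 0.20, 2)],
    [("ip", "198.51.100.4", 0.10, 20)],
]

if __name__ == "__main__":
    for name, session in (("A", SESSION_A), ("B", SESSION_B)):
        op = score_session(session)
        print(f"session {name}: b={op.b:.3f} d={op.d:.3f} u={op.u:.3f} "
              f"P={op.projected():.3f} suspicious={is_suspicious(op)}")
```

The edge case worth noticing is the unclassified observable: an opinion built from zero supporting evidence is vacuous (`u == 1`) and fusion leaves the request opinion unchanged, so a brand-new domain neither helps nor hurts a session until the classifier has something to stand on. Because cumulative fusion is equivalent to adding evidence counts, a session's projected probability converges to the evidence-weighted belief ratio of its requests rather than drifting toward 1 simply because the session is long.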