Multi-observable reputation scoring system for flagging suspicious user sessions
| dc.contributor.author | Lalouani, Wassila | |
| dc.contributor.author | Younis, Mohamed | |
| dc.date.accessioned | 2020-09-11T17:28:13Z | |
| dc.date.available | 2020-09-11T17:28:13Z | |
| dc.date.issued | 2020-08-08 | |
| dc.description.abstract | Conventionally, network and cloud infrastructure security is handled by firewalls which monitor traffic and block malicious access by matching certain observables, e.g., IP, and DNS, to blacklisted entries in intelligence databases. Therefore, such an approach fails to deal with emerging threats that utilize unclassified observables, and to report suspicious activities of individual users. In this paper we propose MuSeR, a novel approach to assign reputation scores for observables, even when no prior information is available, and flag suspicious sessions by conducting inter-observable analysis of user requests. In essence, MuSeR opts to assist network and cloud administrators mitigate attacks while avoiding unwarranted blocking of benign access. MuSeR achieves such an objective by associating session reputation scores based on the trustworthiness of the user navigation pattern, and conducting dynamic analysis of individual observables involved within requests. Specifically, MuSeR employs a new machine learning model for classifying observables using features specifically chosen to factor in evidence provided by blacklists, and access patterns of known attacks. To determine a request score, MuSeR maps the classifier probabilities to adaptive subjective logic and then uses multinomial fusion to leverage evidence from the different observables. Given the request scores, MuSeR further promotes a novel session reputation scoring model that uses three-valued subjective logic to handle trust propagation and aggregation over user requests. The effectiveness ofMuSeR is validated using a large dataset obtained from popular databases such as WHOIS, CYMUS, and passive DNS databases. | en_US |
| dc.description.sponsorship | This work is supported by Cisco under contract # 12430. The authors like to thank Dr. Yatish Joshi, Mr. Pramod Chandrashekar of Cisco, as well as Dr. Karuna Joshi, and Dr. Vandana Janeja of UMBC for their feedback and fruitful discussion. | en_US |
| dc.description.uri | https://www.sciencedirect.com/science/article/abs/pii/S1389128620311506#! | en_US |
| dc.format.extent | 15 pages | en_US |
| dc.genre | journal articles postprints | en_US |
| dc.identifier | doi:10.13016/m2cxpj-2xrp | |
| dc.identifier.citation | Wassila Lalouani and Mohamed Younis, Multi-observable reputation scoring system for flagging suspicious user sessions, Computer Networks Volume 182, 107474 (2020), doi: https://doi.org/10.1016/j.comnet.2020.107474 | en_US |
| dc.identifier.uri | https://doi.org/10.1016/j.comnet.2020.107474 | |
| dc.identifier.uri | http://hdl.handle.net/11603/19643 | |
| dc.language.iso | en_US | en_US |
| dc.publisher | Elsevier | en_US |
| dc.relation.isAvailableAt | The University of Maryland, Baltimore County (UMBC) | |
| dc.relation.ispartof | UMBC Computer Science and Electrical Engineering Department Collection | |
| dc.relation.ispartof | UMBC Faculty Collection | |
| dc.relation.ispartof | UMBC Student Collection | |
| dc.rights | This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author. | |
| dc.rights | Attribution-NonCommercial-NoDerivatives 4.0 International | * |
| dc.rights | Access to this item will begin on 9/12/2022 | |
| dc.rights.uri | https://creativecommons.org/licenses/by-nc-nd/4.0/ | * |
| dc.title | Multi-observable reputation scoring system for flagging suspicious user sessions | en_US |
| dc.type | Text | en_US |