Abstract

As computer technology evolves and the threat of computer crime increases, apprehending and preempting such violations becomes increasingly difficult. To date, it appears that completely preventing breaches of security is unrealistic. Therefore, we must try to detect and classify these intrusions as they occur so that immediate action may be taken to repair the damage and prevent further harm. One attempt at classifying these intrusions is MITRE's Common Vulnerabilities and Exposures (CVE) list, which provides a common name for all publicly known security weaknesses. The CVE dictionary, however, is not a taxonomy. The CVE list is organized in simple numerical order by date of acceptance. Each entry in the dictionary includes a unique CVE identification number, a text description of the vulnerability, and any pertinent references. Creating a self-organizing map (SOM) from the text descriptions allows us to place attack profiles with common features in the same general area of the output space. Attacks in the general neighborhood of one another should be mitigable by similar means. Plotting attacks on a SOM also enables us to visually examine the placement of an attack relative to the four common classes of attacks (Denial of Service, Deception, Reconnaissance, and Unauthorized Access). Many attacks have features in common with more than one of these classes rather than corresponding directly to a single class. We have developed an effective technique to classify new attacks using a unique taxonomy, which breaks down threats into the four general categories, and the SOM created from the baseline CVE descriptions.
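The idea of mapping vulnerability descriptions onto a SOM can be sketched as follows. This is an added example, not code from the paper: the bag-of-words encoding, the 4x4 grid, the training schedule and the sample descriptions (constructed, not real CVE entries) are all assumptions.

```python
import math, random, re

# Constructed sample descriptions (not real CVE entries), labelled with the abstract's four classes.
SAMPLES = [
    ("Denial of Service", "remote attacker causes denial of service crash via malformed packet"),
    ("Denial of Service", "malformed request causes service crash and denial of service"),
    ("Unauthorized Access", "buffer overflow allows remote attacker to execute arbitrary code"),
    ("Unauthorized Access", "local user gains root privileges via buffer overflow"),
    ("Reconnaissance", "server reveals version information to remote attacker via banner"),
    ("Reconnaissance", "directory listing reveals file names and path information"),
    ("Deception", "attacker spoofs trusted address to bypass authentication"),
    ("Deception", "spoofed certificate allows attacker to impersonate trusted site"),
]
STOP = {"to", "and", "via", "of", "the", "a"}

def tokens(text):
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP]
VOCAB = sorted({w for _, d in SAMPLES for w in tokens(d)})

def vectorize(text):  # assumed encoding: binary bag-of-words over the sample vocabulary
    present = set(tokens(text))
    return [1.0 if w in present else 0.0 for w in VOCAB]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def bmu(som, vec):  # grid coordinate of the best-matching unit for vec
    return min(som, key=lambda rc: dist(som[rc], vec))

def train(rows=4, cols=4, epochs=200, seed=7):
    rng = random.Random(seed)
    som = {(r, c): [rng.random() for _ in VOCAB] for r in range(rows) for c in range(cols)}
    data = [vectorize(d) for _, d in SAMPLES]
    for t in range(epochs):
        frac = 1.0 - t / epochs  # learning rate and neighbourhood radius both shrink over time
        lr, radius = 0.5 * frac + 0.01, max(rows, cols) / 2 * frac + 0.5
        for vec in rng.sample(data, len(data)):
            br, bc = bmu(som, vec)
            for (r, c), w in som.items():
                h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * radius ** 2))
                for i, x in enumerate(vec):
                    w[i] += lr * h * (x - w[i])  # pull unit toward the sample, scaled by grid proximity
    return som

def quantization_error(som, vecs):
    return sum(dist(som[bmu(som, v)], v) for v in vecs) / len(vecs)

if __name__ == "__main__":
    som = train()
    print([(bmu(som, vectorize(d)), label) for label, d in SAMPLES])
```

A new description is placed by calling `bmu` on its vector; the labels of training samples mapped to nearby units indicate which of the four classes it shares features with.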
