Abstract

The exponential growth of IIoT networks creates complex interdependencies between network devices. These devices are designed to perform a fixed set of tasks and record their activity as system logs, which are an excellent source of information about a system's state. Such device networks are prone to sophisticated Multi-host Multi-step (MhMs) attacks that isolated, machine learning-based per-system security solutions may fail to detect, and that require a large amount of attack data for training. This led to the development of Central Monitoring Systems (CMSs), which rely on centralized system log collection and therefore suffer from latency, network bandwidth consumption and data loss under network congestion. What is needed is a global monitoring system that detects ongoing MhMs attacks in real time with low false positives and low network overhead. In this direction, we propose GLoM, a global monitor that uses spatio-temporally correlated local monitors to detect ongoing MhMs attacks. It leverages deep learning-based algorithms to detect anomalies with high accuracy and attack graphs to map the various anomalous behaviours onto MhMs attacks. GLoM is a two-stage hybrid model in which the workload is divided between Local Monitors (LMs) and a Global Monitor (GM). LMs use an LSTM over syslogs to detect abnormal activity on a system and forward only the anomalous logs to the GM. In parallel, the GM discovers possible vulnerabilities on the devices and generates Possible Attack Graphs (PAGs) by mapping the prerequisites and post-conditions required to exploit each vulnerability. The GM then analyses the forwarded anomalous logs further to determine whether the logs in the current window resemble the exploit logs of a known vulnerability (CVE), using a rule-based attack pattern repository. All successful CVE exploits observed in the anomalous logs are tracked and compiled into an Evidence List (EL) for each system. The similarity index between the attack paths and the ELs identifies the most probable attack scenario an adversary may be following. Using LMs, network communication overhead decreased by 88% on the publicly available OpenStack dataset (Loghub). LSTM-based anomaly detection achieves 99% accuracy in detecting anomalous logs, with an average prediction overhead of 0.6 ms per anomalous log. We achieve 98% and 97% accuracy in generating the prerequisites and post-conditions of a vulnerability, respectively. We evaluate GLoM's efficiency in detecting MhMs attacks through a case study on a local testbed.
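To make the GM-side pipeline in the abstract concrete, the following is an added illustration written for this page; it is not the authors' code and not the paper's data. It assumes a small hypothetical vulnerability catalogue (placeholder labels V1..V6 rather than real CVEs, with constructed pre/post-condition tokens), a constructed rule-based attack pattern repository (one regex per vulnerability), and a few constructed syslog lines standing in for the anomalous logs an LM would forward. From these it enumerates attack paths to a goal condition by forward-chaining the pre/post-conditions, builds a per-host Evidence List by matching the logs against the rules for vulnerabilities on that host, and ranks the paths with a Jaccard similarity index so that the path best supported by evidence comes out first. The pruning rule that drops a vulnerability which grants nothing still needed, and the host check during matching, are design choices of this example, not something the abstract states.

```python
"""Toy GM-side pipeline (constructed example, not the paper's implementation):
pre/post-conditions -> attack paths; rule-based log matching -> Evidence Lists;
Jaccard similarity between each path and the observed evidence."""
import re

# Hypothetical vulnerability catalogue. Labels are placeholders, not real CVEs.
# Conditions are "kind:host" tokens: "pre" must hold before exploitation and
# "post" holds afterwards.
VULNS = {
    "V1_web_rce":     {"host": "web", "pre": {"net:web"},  "post": {"user:web"}},
    "V2_web_privesc": {"host": "web", "pre": {"user:web"}, "post": {"root:web", "net:db"}},
    "V3_db_cred":     {"host": "db",  "pre": {"root:web", "net:db"}, "post": {"user:db"}},
    "V6_db_bypass":   {"host": "db",  "pre": {"net:db"},  "post": {"user:db"}},
    "V4_plc_write":   {"host": "plc", "pre": {"user:db"}, "post": {"ctrl:plc"}},
    "V5_web_dos":     {"host": "web", "pre": {"net:web"}, "post": {"dos:web"}},
}

# Constructed rule-based attack pattern repository: one regex per vulnerability,
# applied to the anomalous syslog lines forwarded by the LMs.
RULES = {
    "V1_web_rce":     re.compile(r"POST /upload/\S+\.php"),
    "V2_web_privesc": re.compile(r"sudo: www-data .* COMMAND=/bin/bash"),
    "V3_db_cred":     re.compile(r"mysqld: Access granted .* from web"),
    "V6_db_bypass":   re.compile(r"auth plugin bypass"),
    "V4_plc_write":   re.compile(r"write coil .* from unknown client"),
    "V5_web_dos":     re.compile(r"worker_connections are not enough"),
}

# Constructed (host, syslog line) pairs standing in for LM-forwarded anomalies.
ANOMALOUS_LOGS = [
    ("web", "nginx: 10.0.0.9 - POST /upload/shell.php HTTP/1.1 200"),
    ("web", "sudo: www-data : TTY=unknown ; USER=root ; COMMAND=/bin/bash"),
    ("db",  "mysqld: Access granted for root from web (using password: YES)"),
    ("plc", "modbusd: read holding registers from 10.0.1.5"),  # anomalous, no rule hit
]


def attack_paths(vulns, initial, goal, max_len=8):
    """Enumerate attack paths from the initial attacker state to the goal.
    A vulnerability is usable when its pre-conditions hold; it is kept on a path
    only if it grants a condition that is still missing and still needed (a
    pre-condition of some vulnerability or part of the goal)."""
    needed = set(goal).union(*(v["pre"] for v in vulns.values()))
    paths = []

    def dfs(state, path):
        if goal <= state:
            paths.append(tuple(path))
            return
        if len(path) >= max_len:
            return
        for name, v in vulns.items():
            if name in path or not v["pre"] <= state:
                continue
            if not (v["post"] - state) & needed:
                continue  # grants nothing new that matters: prune
            dfs(state | v["post"], path + [name])

    dfs(frozenset(initial), [])
    return paths


def evidence_lists(vulns, rules, anomalous_logs):
    """Per-host Evidence List: vulnerabilities whose exploit pattern appears in
    the anomalous logs of the host on which that vulnerability lives."""
    evidence = {}
    for host, line in anomalous_logs:
        for vuln, pattern in rules.items():
            if vulns[vuln]["host"] == host and pattern.search(line):
                evidence.setdefault(host, set()).add(vuln)
    return evidence


def rank_paths(paths, evidence):
    """Similarity index: Jaccard between the vulnerabilities on a path and the
    union of all hosts' evidence. Returns [(score, path)] best first."""
    observed = set().union(*evidence.values()) if evidence else set()
    scored = []
    for path in paths:
        p = set(path)
        union = p | observed
        score = len(p & observed) / len(union) if union else 0.0
        scored.append((score, path))
    scored.sort(key=lambda s: (-s[0], s[1]))
    return scored


if __name__ == "__main__":
    paths = attack_paths(VULNS, {"net:web"}, {"ctrl:plc"})
    ev = evidence_lists(VULNS, RULES, ANOMALOUS_LOGS)
    for score, path in rank_paths(paths, ev):
        print(f"{score:.2f}  {' -> '.join(path)}")
```

With the constructed inputs, two paths reach `ctrl:plc` (V1, V2, V3, V4 and V1, V2, V6, V4); the logs yield evidence for V1 and V2 on `web` and V3 on `db`, so the first path scores 0.75 and the second 0.40, and the first is reported as the most probable scenario. A real deployment would replace the regex repository with the paper's attack pattern rules and the static catalogue with vulnerabilities discovered per device.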
