Multi-observable reputation scoring system for flagging suspicious user sessions

Abstract

Conventionally, network and cloud infrastructure security is handled by firewalls which monitor traffic and block malicious access by matching certain observables, e.g., IP, and DNS, to blacklisted entries in intelligence databases. Therefore, such an approach fails to deal with emerging threats that utilize unclassified observables, and to report suspicious activities of individual users. In this paper we propose MuSeR, a novel approach to assign reputation scores for observables, even when no prior information is available, and flag suspicious sessions by conducting inter-observable analysis of user requests. In essence, MuSeR opts to assist network and cloud administrators mitigate attacks while avoiding unwarranted blocking of benign access. MuSeR achieves such an objective by associating session reputation scores based on the trustworthiness of the user navigation pattern, and conducting dynamic analysis of individual observables involved within requests. Specifically, MuSeR employs a new machine learning model for classifying observables using features specifically chosen to factor in evidence provided by blacklists, and access patterns of known attacks. To determine a request score, MuSeR maps the classifier probabilities to adaptive subjective logic and then uses multinomial fusion to leverage evidence from the different observables. Given the request scores, MuSeR further promotes a novel session reputation scoring model that uses three-valued subjective logic to handle trust propagation and aggregation over user requests. The effectiveness ofMuSeR is validated using a large dataset obtained from popular databases such as WHOIS, CYMUS, and passive DNS databases.