
An approach for detecting multi-institution attacks

Annals of Telecommunications

Abstract

We present Soteria, a data processing pipeline for detecting multi-institution attacks. Soteria uses a set of machine learning techniques to predict future attacks, predict their next targets, and rank attacks by their predicted severity. Our evaluation with real data from Canada-wide academic institution networks shows that Soteria predicts future attacks with 95% recall, predicts the next targets of an attack with 97% recall, and detects attacks within the first 20% of their life span. Soteria is deployed in production and in use by tens of Canadian academic institutions that take part in the CANARIE IDS project.
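The abstract reports three numbers: recall of predicted attacks, recall of predicted next targets, and how early in an attack's life span it is flagged. The following is an added example, not code from the Soteria paper or the CANARIE IDS project, that makes those metrics concrete. It correlates constructed per-institution alert streams with a deliberately simple rule (a source seen at two or more institutions within a time window counts as a multi-institution attack), then scores that detector the way the abstract scores Soteria. The rule, the window, the sample alerts and the stand-in next-target predictions are all assumptions for illustration; the paper's own models are not described on this page.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts, (timestamp_s, institution, source_ip); not real data.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_ALERTS = [
    (100, "inst-A", "203.0.113.7"),
    (160, "inst-A", "203.0.113.7"),
    (400, "inst-B", "203.0.113.7"),    # second institution: detection point
    (700, "inst-C", "203.0.113.7"),    # the "next target" a model should predict
    (900, "inst-A", "203.0.113.7"),
    (120, "inst-B", "198.51.100.9"),   # single-institution noise, must not be flagged
    (300, "inst-B", "198.51.100.9"),
    (50,  "inst-A", "192.0.2.5"),      # slow campaign: second institution outside the window
    (5000, "inst-C", "192.0.2.5"),
]

@dataclass
class Campaign:
    """Ground truth for one source: when it was active and which institutions it hit first."""
    source: str
    first_seen: int
    last_seen: int
    first_contact: dict = field(default_factory=dict)  # institution -> first alert time

def group_campaigns(alerts):
    """Rebuild each source's campaign from the full alert history (hindsight view)."""
    campaigns = {}
    for ts, inst, src in sorted(alerts):
        c = campaigns.setdefault(src, Campaign(src, ts, ts))
        c.last_seen = ts
        c.first_contact.setdefault(inst, ts)
    return campaigns

def detect_multi_institution(alerts, min_institutions=2, window=1800):
    """Assumed correlation rule (not Soteria's): flag a source the first time it has
    been seen at `min_institutions` distinct institutions within `window` seconds.
    Processes alerts in time order so the detection timestamp is what an online
    system would have had. Returns {source: detection_timestamp}."""
    recent = defaultdict(list)   # source -> [(ts, institution)] still inside the window
    detected = {}
    for ts, inst, src in sorted(alerts):
        if src in detected:
            continue
        recent[src] = [(t, i) for t, i in recent[src] if ts - t <= window]
        recent[src].append((ts, inst))
        if len({i for _, i in recent[src]}) >= min_institutions:
            detected[src] = ts
    return detected

def recall(predicted, actual):
    """Recall as reported in the abstract: share of true items that were predicted."""
    actual, predicted = set(actual), set(predicted)
    return len(actual & predicted) / len(actual) if actual else 0.0

def lifespan_fraction_at_detection(campaign, detection_ts):
    """0.0 = flagged at the campaign's first alert, 1.0 = flagged at its last."""
    span = campaign.last_seen - campaign.first_seen
    return (detection_ts - campaign.first_seen) / span if span else 0.0

def next_targets(campaign, detection_ts):
    """Institutions whose first contact came after the detection point."""
    return [i for i, t in campaign.first_contact.items() if t > detection_ts]

def evaluate(alerts, predicted_next_targets, **detector_kwargs):
    """Score the detector: attack recall over sources that really hit >= 2 institutions,
    and per detected attack the life-span fraction at detection and next-target recall.
    `predicted_next_targets` ({source: [institutions]}) stands in for a model's output."""
    campaigns = group_campaigns(alerts)
    detected = detect_multi_institution(alerts, **detector_kwargs)
    truly_multi = [s for s, c in campaigns.items() if len(c.first_contact) >= 2]
    report = {"attack_recall": recall(detected, truly_multi), "per_attack": {}}
    for src, ts in detected.items():
        c = campaigns[src]
        report["per_attack"][src] = {
            "detected_at_fraction": lifespan_fraction_at_detection(c, ts),
            "next_target_recall": recall(predicted_next_targets.get(src, []), next_targets(c, ts)),
        }
    return report

# Constructed stand-in for a next-target model's output (inst-D is a deliberate false positive).
PREDICTED_NEXT = {"203.0.113.7": ["inst-C", "inst-D"]}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ALERTS, PREDICTED_NEXT))
```

With the default 30-minute window the slow campaign from 192.0.2.5 is missed, so attack recall is 0.5 even though the fast campaign is caught after 37.5% of its life span with perfect next-target recall; widening the window to 6000 seconds recovers it at the cost of flagging sources that are only loosely correlated. That trade-off between correlation window and recall is exactly what a learned model, as opposed to this fixed rule, is meant to handle.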


Figures 1 to 13 (in the full text)


Author information


Correspondence to Saif Zabarah.

Ethics declarations

Conflict of interest

The authors declare no competing interests.


About this article

Cite this article

Zabarah, S., Naman, O., Salahuddin, M.A. et al. An approach for detecting multi-institution attacks. Ann. Telecommun. 79, 257–270 (2024). https://doi.org/10.1007/s12243-023-00993-4

