Your browser is unsupported

We recommend using the latest version of IE11, Edge, Chrome, Firefox or Safari.

Prize-winning network threat correlation system

COE students Kiavash Satvat (L) and Sutanu Ghosh (R)
College of Engineering/Jim Young

Graduate students Sutanu Ghosh and Kiavash Satvat, along with CS faculty members Rigel Gjomemo and V. N. (Venkat) Venkatakrishnan, received the best practice paper award at the 18th International Conference on Information Systems Security (ICISS 2022), for their work on improving security threat detection in computer networks.

Their work, detailed in their paper “OSTINATO: Cross-host Attack Correlation through Attack Activity Similarity Detection,” introduces a more robust threat intrusion framework for keeping networks secure than those that are commercially available. Their framework was able to detect more threats, especially across a network, and ferret out potentially compromised computers. It also issues fewer false alarms, which can help those tasked with maintaining network security remain focused on real threats.

The team found a common theme: whenever large cyberattacks happen, the attackers generally try to leverage similar attack tools across multiple hosts to achieve their objectives, such as stealing files and importing them to their own private servers. They can attack multiple companies or multiple machines within a company. In these targeted cyberattacks, also known as advanced persistent threats, the attackers try to breach as many machines inside the organization as possible without being caught, maintain a stealthy presence across the network, and withdraw crucial data.

“Approaches that deal with this challenge are often network-based, but modern attacks are increasingly stealthy, and usually have a small footprint on network logs characterized as ‘slow and low,’” Ghosh said. “Today’s attacks, like scanning internal hosts, or gaining access to new hosts, happen over a long period of time.”

In contrast to the single host-based approach, their framework, OSTINATO, assembles all the alerts generated by an intrusion detection system, and correlates them into a meaningful picture of whether the same attacker is performing malicious operations on different hosts within the same organization.