Optimising Cyber Attack Detection:
A Systematic Analysis of Attack Vectors and Data Sources
Daniel Harris (1)*, Marius Miknis (1)†, Connor Smith (2)‡, Ian Wilson (1)§
1) University of South Wales 2) ITSUS Consulting
August 2023
*e-mail: daniel.harris@southwales.ac.uk
†e-mail: marius.miknis@southwales.ac.uk
‡e-mail: connor@itsusconsulting.com
§e-mail: ian.wilson@southwales.ac.uk
Total Word Count: 5,358
Abstract
Traces of cyber-attacks appear in various locations (such as network traffic and application logs) depending on the
type of attack used. The locations attacks appear in are known as data sources. Attacks can appear in one or more
data sources and often leave little evidence, by design, to avoid detection. Individual threat actors may increase
attack coverage by using a range of data sources. A gap exists for a systematic analysis of the relationship between
these attacks and the data sources they leave traces in. This body of work addresses this gap and facilitates the
optimal use of data sources to enhance attack coverage detection, minimise resource allocation per attack vector,
and improve detection strategies. Existing research into identifying attacks either considers a limited scope of
attack vectors and data sources or does not consider data sources at all. This paper proposes a solution to these
issues by surveying, categorizing and synergizing attack vectors and data sources. The findings show which attack
vectors can be detected by which data sources. Threat protection applications were found to provide the best
coverage of the threat landscape while insider attacks and supply chain attacks were found to be identifiable by the
least amount of data sources. These findings can allow for improved attack coverage, better resource management,
ability to provide focused attack searches by attack type, and give insight into future work directions to better
identify attacks with low coverage.
Key Words: Attack Coverage, Attack Vector, Cyber Security, Data Analysis, Data Collection, Data Source, Threat
Detection
1 Introduction
Cybercrime causes £12.5 million worth of damage each year in the UK despite recent advances in cyber security [1].
Mandiant [2] shows that 53% of attacks go undetected, with the average time to detect a data breach between 223
and 341 days [3]. Existing cyber-attack detection strategies gather data from a wide range of data sources with the
goal of improving attack coverage. However, these data sources are chosen without fully understanding their
relationship with attack vectors. Understanding that relationship would address the following [4], [5]:
• Optimising selection of data sources will enhance attack coverage detection.
• Better understanding synergies will help minimise resource allocation per attack vector.
• Similarly, better understanding attack vector and data source intersections will result in improved detection
strategies.
The following systematic analysis of attack vectors and data sources will assist with optimisation of cyber-attack
detection, help minimise resources used per attack vector and contribute to improved detection strategies.
2 Definition of Terms
For a better understanding of this paper, the following terms are defined in the context of this research:
• Attack Vector. A path or method an attacker can use to gain unauthorized access to a system.
• Data Source. A set of data that may contain indications of an attack.
• Threat Landscape. All potential attack vectors that can be used.
• Attack Coverage. The number of attack vectors within a threat landscape that can be detected.
3 Problem Statement
Cyber-attacks are identified by analysing data sources to detect attack signatures and unusual activities. This data is
collected from a range of sources to improve attack coverage as each source can detect a separate set of attack vectors.
However, data sources are currently chosen arbitrarily as the relationship between all attack vectors and all potential
data sources is not yet documented [4], [5]. This presents the following questions that are not answered by existing
literature or attack detection strategies:
• Which attack vectors are detectable/undetectable in each data source?
• How likely is it to detect specific attack vectors in each data source?
• How much attack coverage is provided by each data source?
These unanswered questions create the following issues:
• Inability to identify which data sources different attack vectors appear in
• Unknown likelihood of detecting specific attack vectors in different data sources
• Unknown threat coverage of different data sources
The authors propose answers to these questions by researching, categorizing, synergizing, and analysing the relationship
between data sources and attack vectors.
4 Related Work
To reliably detect attacks data sources must be chosen that provide full coverage of the threat landscape.
Taxonomies of existing attack vectors have already been produced [6]–[10]. These combined with the “Common
Attack Pattern Enumeration and Classification” database [11] provide a comprehensive list of cyber security attack
vectors. However, there is a disconnect between attack vectors and the data sources used to identify them. Existing
techniques choose data sources arbitrarily and do not consider the attack vectors identifiable in specific data
sources. This leads to higher false positives and missed attacks.
Although there has already been research into the relationship between data sources and attack vectors, existing
studies either consider a limited set of data sources [12], a limited set of attack vectors [4], [13], [14], or a
combination of both [15]. None considers the relationships between all attack vectors and all data sources. This
paper supplies the missing information by researching and synergizing a range of attack vectors with data sources
and analysing their correlation.
5 Methods
Attack vectors and data sources were separately researched and categorized into related groups. Each data source
category was investigated to identify the attack vector categories it can detect. The methods used to locate,
categorize, and find identifiable attacks are discussed in this section.
5.1 Search Method
The data sources and the attack vectors were surveyed from three separate locations. A variety of locations were
used to provide a diverse set of data sources and attack vectors that more accurately represent real world usage.
The locations are listed below:
• Academic Literature and Media
• Business Literature and Media
• Commercial Cyber Security Applications
5.2 Attack Vectors
This article covers eleven attack vector categories (see Table 1) derived from five taxonomies and taxonomy
evaluation articles [6]–[10] and CAPEC [11]. It is worth noting that these categories are not necessarily mutually
exclusive and that attacks may involve multiple vectors or techniques. Additionally, new attack vectors are
constantly emerging as technology evolves and attackers develop new tactics.
Table 1 Attack Vector Categories
Category | Examples
Physical Attacks | Hardware theft or tampering, physical access, physical theft of data
Denial of Service | Denial of service, distributed denial of service, Slowloris
Reconnaissance | Network scanning, port scanning, ping sweeps, website foot-printing, social engineering, dumpster diving
Misconfiguration | Open port, weak password, unpatched software, default configurations, permissions & privileges, firewall, DNS, cloud misconfiguration
Social Engineering | Phishing, identity spoofing, pretexting, baiting, spear phishing, watering hole attacks, scareware, vishing
Software Vulnerabilities | Buffer overflow, injection, authentication bypass, privilege escalation, code injection, zero-day, cross-site scripting, drive-by download
Insider Attacks | Data theft, sabotage, fraud, malicious software installation, password theft, social engineering, privilege escalation, physical security breaches
Malware | Viruses, trojan horses, worms, ransomware, spyware, adware, rootkit, bootkit
Supply Chain Attacks | Third-party software vulnerabilities, firmware backdoors, hardware trojans
Password Attacks | Brute-force attack, dictionary attack, phishing, shoulder surfing, password cracking
Man in the Middle/Interception | Wi-Fi eavesdropping, DNS spoofing, ARP spoofing, SSL/TLS spoofing, email interception
5.3 Data Sources
Data sources were identified from eight varied locations [16]–[23]. Seventeen data sources were grouped into five
novel categories and sub-categories encompassing all data that can be used to detect cyber security attacks. The
data source categories were divided into two types:
• Fundamental Data Sources. A low-level data source made of basic data types such as textual log files and
network packet captures.
• Derivative Data Sources. A more complex data source formed of fundamental data sources and external
information.
The five data source categories and the data sources within each are listed in Table 2 and Table 3.
Table 2 Fundamental Data Sources
Network Logs: DNS Logs, OSI Layers, BGP Logs
Application Logs: Authentication, Authorization, Data Access, Exceptions
System Event Logs: Windows, MacOS, Linux
Table 3 Derivative Data Sources
Geolocation: Country of Origin, Internet Service Provider, Latitude & Longitude
Threat Protection Applications: Anti-Virus Logs, Vulnerability Scanners, Intrusion Prevention Systems, Intrusion Detection Systems
6 Findings
Five data source categories were reviewed and the attack vectors each can detect were researched. Each data
source is given a description and a table presenting the attack vectors it can be used to identify. The detectability of
an attack is categorised into three tiers: full, partial, or none (Table 4). Security attacks and data sources have a
many-to-many relationship, as an attack can be identified from one or more sources and a source can identify one or
more attacks. References explicitly discussing the detectability of attack vectors using specific data sources were
used where available. However, implicit references were included due to the lack of literature on the topic (Section 4).
Table 4 Data Source Detectability Term Definitions
Term | Definition
Full | The data source can be reliably used to identify this attack.
Partial | The data source can partially identify this attack but requires additional information from external sources for the attack to be reliably identified.
None | The data source cannot be used to identify this attack.
6.1 Fundamental Data Sources
Fundamental data sources are low-level data sources made of basic data types such as textual log files and network
packet captures. This section presents the three fundamental data sources and the attack vectors detectable by
each. Descriptions, examples, and caveats for each data source are given.
6.1.1 Network Logs
Network logs are created by network devices such as firewalls, switches, and routers that record network traffic
passing through them [24]. Network logs contain low-level information about how data should be transmitted
across a network (e.g., source and destination IP addresses) as well as the data itself (which is regularly encrypted).
Skilled threat actors can hide their communications in any form of network traffic [25]. Analysing network data
allows for the detection of incoming attacks and outgoing data exfiltration. However, network data alone cannot
provide complete visibility into a computer system, as attacks can circumvent networks to avoid detection. For
example, a threat actor can use a physical interface (USB port) to attack a system without a network [26]. Because
they can be carried out remotely, network-based attacks make up most attacks observed today [27]–[29]. Table 5
illustrates and references the attack vectors detectable using network logs.
Table 5 Attack vectors identifiable by network logs (references)
Detectable | Attack vector | Reference
None | Physical Attacks | N/A
Full | Reconnaissance | [14], [30], [31]
Full | Social Engineering | [14]
Partial | Insider Attacks | [13], [32], [33]
Partial | Supply Chain Attacks | [34], [35]
Full | Man in the Middle/Interception | [36]
Full | Denial of Service | [4], [12]–[14], [17], [36], [37]
Partial | Misconfiguration | [36]
Partial | Software Vulnerabilities | [12]
Full | Malware | [4], [32]
Full | Password Attacks | [5], [38]
6.1.2 Application Logs
Application logs are created by applications and services running on a system. The logs differ depending on the
application’s functionality. However, typical application logs contain information about notable events that have
occurred, such as failed authentication attempts, data being altered, and attempts to access restricted content [21],
[22], [39]. Application logs can detect attacks as they attempt to access an application’s resources (data, other
systems, etc.) rather than detecting the incoming commands or outgoing data as with network traffic. This allows
application logs to detect attacks that would otherwise avoid detection in network traffic. Table 6 illustrates and
references the attack vectors detectable using application logs.
Table 6 Attack vectors identifiable by application logs (references)
Detectable | Attack vector | Reference
None | Physical Attacks | N/A
Full | Reconnaissance | [31]
None | Social Engineering | N/A
Partial | Insider Attacks | [13], [39], [40]
Partial | Supply Chain Attacks | [39]
None | Man in the Middle/Interception | N/A
Full | Denial of Service | [37], [41], [42]
Partial | Misconfiguration | [43], [44]
Full | Software Vulnerabilities | [45]
None | Malware | N/A
Full | Password Attacks | [41]
6.1.3 System Event Logs
System event logs are created by operating systems to record notable events and activities occurring on a device.
The exact events recorded and the log formats differ depending on the operating system. However, they all record
critical events such as sign-in/sign-out events, configuration events (network and device settings), and operating
system errors (such as program or service crashes and file system corruption). Applications can also create entries
in system event logs; however, this category only considers events created by the operating system. Application
logs are defined in their own category in Section 6.1.2. System event logs are the only fundamental data source that
can identify physical attacks. When an attack is conducted using a physical interface (such as a USB port) it can
bypass detection by directly accessing the system without using an application or network connection. Table 7
illustrates and references the attack vectors detectable using system event logs.
Table 7 Attack vectors identifiable by system event logs (references)
Detectable | Attack vector | Reference
Full | Physical Attacks | [46]
None | Reconnaissance | N/A
None | Social Engineering | N/A
Partial | Insider Attacks | [32], [33]
Partial | Supply Chain Attacks | [47]
None | Man in the Middle/Interception | N/A
None | Denial of Service | N/A
Partial | Misconfiguration | [44]
Full | Software Vulnerabilities | [12]
Full | Malware | [32]
Full | Password Attacks | [48]
6.2 Derivative Data Sources
Derivative data sources are more complex and are composed of fundamental data sources and external
information. This section presents the two derivative data sources and the attack vectors detectable by each.
Descriptions, examples, and caveats for each data source are given.
6.2.1 Geolocation
Geolocation information is obtained by combining IP addresses in network traffic with IP location lookup tables
known as “IP geolocation databases” [50]. These databases contain IP address metadata such as the internet
service provider (ISP), country of origin, and an estimate of the source latitude and longitude [51], [52]. Geolocation
can detect the location of physical devices to ensure they are in an expected location. If a user connects from a
country they have never been in before, this could indicate that the user’s credentials have been compromised and
are being used by a threat actor. Additionally, geolocation can be used to correlate attacks by grouping them by
location and/or ISP to help understand attack trends and patterns. The location of an IP address is accurate when
assessing the country of origin. However, accuracy decreases as location granularity increases and becomes
unreliable beyond council/state regions [51], [52]. Threat actors can avoid geolocation by using network proxies to
appear as if they are in a different location from where they actually are [53]. Table 8 illustrates and references the
attack vectors detectable using geolocation.
Table 8 Attack vectors identifiable by geolocation (references)
Detectable | Attack vector | Reference
None | Physical Attacks | N/A
Full | Reconnaissance | [49]
Full | Social Engineering | [50], [51]
None | Insider Attacks | N/A
None | Supply Chain Attacks | N/A
Full | Man in the Middle/Interception | [52], [53]
Full | Denial of Service | [54]
None | Misconfiguration | N/A
None | Software Vulnerabilities | N/A
Full | Malware | [55]
Full | Password Attacks | [56]
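As an added example (not code from the paper), the following Python script applies the two uses of geolocation described above: flagging a successful login from a country the user has never been seen in, and grouping failed logins by country and ISP to expose trends. The IP geolocation database (GEO_DB), the authentication log lines, the per-user history and every user or ISP name are constructed for the example; only the country field is used for alerting, because, as noted above, finer-grained location is unreliable.

```python
"""Country-of-origin checks built on the geolocation data source.

Added example, not code from the paper. GEO_DB stands in for a real IP
geolocation database; every address range, user and log line is constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for an IP geolocation database: (network, country, ISP).
GEO_DB = [
    (ipaddress.ip_network("203.0.113.0/24"), "GB", "ExampleNet UK"),
    (ipaddress.ip_network("198.51.100.0/24"), "US", "ExampleNet US"),
    (ipaddress.ip_network("192.0.2.0/24"), "BR", "ExampleNet BR"),
]

# Constructed authentication log lines: "<ts> user=<name> src=<ip> result=<ok|fail>".
AUTH_LOG = """\
2023-08-01T09:12:03Z user=alice src=203.0.113.10 result=ok
2023-08-01T09:14:41Z user=alice src=192.0.2.77 result=ok
2023-08-01T09:15:02Z user=bob src=198.51.100.5 result=ok
2023-08-01T09:15:09Z user=bob src=192.0.2.78 result=fail
2023-08-01T09:15:10Z user=bob src=192.0.2.79 result=fail
2023-08-01T09:16:00Z user=carol src=10.0.0.5 result=ok
"""

# Constructed per-user history: countries seen on earlier successful logins.
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"alice": {"GB"}, "bob": {"US"}, "carol": {"GB"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def lookup(ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (country, ISP) for an address, or (None, None) when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, country, isp in GEO_DB:
        if addr in net:
            return country, isp
    return None, None


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_new_country_logins(events: List[Dict[str, str]],
                            known: Dict[str, Set[str]] = KNOWN_COUNTRIES) -> List[Dict]:
    """Successful logins from a country the user has never been seen in.

    Addresses absent from GEO_DB (here a private range) are reported with
    country None rather than silently passed, so the analyst sees the gap.
    """
    alerts = []
    for e in events:
        if e["result"] != "ok":
            continue
        country, isp = lookup(e["ip"])
        if country is None or country not in known.get(e["user"], set()):
            alerts.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                           "country": country, "isp": isp})
    return alerts


def failures_by_origin(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Group failed logins by (country, ISP) to surface attack trends by origin."""
    counts: Counter = Counter()
    for e in events:
        if e["result"] == "fail":
            country, isp = lookup(e["ip"])
            counts[(country or "unknown", isp or "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_auth_log(AUTH_LOG)
    for a in flag_new_country_logins(evts):
        print("new-country login:", a)
    print("failed logins by origin:", failures_by_origin(evts))
```

A new-country alert is a lead, not a verdict: as the section notes, a proxy can place an attacker in any country, so the alert is best corroborated against the other data sources (for example the application or system event logs for the same session) before acting on it.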
6.2.2 Threat Protection Applications (TPAs)
TPAs analyse network and system event logs to detect attacks [62]. They are any system or software designed to
identify or prevent security attacks, including anti-virus software, vulnerability scanners and intrusion detection
and prevention systems. Logs vary depending on the purpose of the software but typically contain high-level
information about the type of attack, its source, its impact, and the actions taken to mitigate it [63]. TPAs give
additional insight compared to direct analysis of logs through two separate detection approaches: signature-based
and anomaly-based detection. Signature-based detection matches system activity patterns against a database of
known attacks [64]; however, it is unable to detect unknown or new attacks. Anomaly-based detection compares
system activity with a baseline of expected activity [64], and unusual activity is used to identify attacks. However,
there are ways threat actors can circumvent TPAs. Signature-based detection can be evaded using polymorphic
code that mutates and obfuscates itself to produce a different signature and avoid detection [65], [66]. Anomaly-
based detection is unable to detect attacks that predate the implementation of the TPA, as their activity will be
defined as normal [64]. Additionally, some attacks can blend in with the baseline by mimicking normal activities or
having a small impact on the system, such as the ping of death or living-off-the-land attacks [67]–[69]. Table 9
illustrates and references the attack vectors detectable using threat protection applications.
Table 9 Attack vectors identifiable by threat protection applications (references)
Detectable | Attack vector | Reference
Full | Physical Attacks | [57]
Full | Reconnaissance | [58]
Full | Social Engineering | [59]
Partial | Insider Attacks | [60]
Partial | Supply Chain Attacks | [47]
Full | Man in the Middle/Interception | [61]
Partial | Denial of Service | [37]
Full | Misconfiguration | [62]
Full | Software Vulnerabilities | [12]
Full | Malware | [63]
Partial | Password Attacks | [41]
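The contrast between signature-based and anomaly-based detection, together with the two caveats given above (a mutated binary defeats a signature match; activity already present in the baseline window is learned as normal), as an added example that is not the paper's code. The process-creation events, hash values, process names and the known-bad hash set are all constructed; the baseline window stands in for activity recorded before the TPA was deployed, and the anomaly model is deliberately the simplest possible one, a set of parent/child process pairs.

```python
"""Signature-based vs anomaly-based detection over constructed host events.

Added example, not code from the paper. Hashes such as "hash-known-bad-001"
are placeholders, not real indicators.
"""
import re
from typing import Dict, List, Set, Tuple

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) "
    r"proc=(?P<proc>\S+) hash=(?P<hash>\S+)$"
)

# Constructed events from the window used to learn "normal" (before the TPA existed).
# The last line is an implant that was already running: it becomes part of the baseline.
BASELINE_LOG = """\
2023-07-01T08:00:00Z host=ws01 parent=explorer.exe proc=outlook.exe hash=hash-benign-001
2023-07-01T08:05:00Z host=ws01 parent=outlook.exe proc=winword.exe hash=hash-benign-002
2023-07-01T08:10:00Z host=ws01 parent=services.exe proc=svchost.exe hash=hash-benign-003
2023-07-01T08:30:00Z host=ws01 parent=svchost.exe proc=persist-agent.exe hash=hash-variant-111
"""

# Constructed events from the monitored window.
LIVE_LOG = """\
2023-08-01T09:00:00Z host=ws01 parent=explorer.exe proc=outlook.exe hash=hash-benign-001
2023-08-01T09:02:00Z host=ws01 parent=winword.exe proc=powershell.exe hash=hash-benign-004
2023-08-01T09:03:00Z host=ws01 parent=svchost.exe proc=persist-agent.exe hash=hash-variant-777
2023-08-01T09:04:00Z host=ws01 parent=explorer.exe proc=unknown-tool.exe hash=hash-known-bad-001
"""

# Constructed signature database: hashes of binaries already known to be malicious.
KNOWN_BAD_HASHES: Set[str] = {"hash-known-bad-001"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse process-creation lines; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (EVENT_RE.match(l) for l in text.splitlines()) if m]


def signature_detect(events: List[Dict[str, str]], signatures: Set[str]) -> List[int]:
    """Signature-based: indices of events whose binary hash is in the known-bad set."""
    return [i for i, e in enumerate(events) if e["hash"] in signatures]


def build_baseline(events: List[Dict[str, str]]) -> Set[Tuple[str, str]]:
    """Anomaly-based, learning phase: every (parent, child) pair seen is taken as normal."""
    return {(e["parent"], e["proc"]) for e in events}


def anomaly_detect(events: List[Dict[str, str]], baseline: Set[Tuple[str, str]]) -> List[int]:
    """Anomaly-based, detection phase: indices of events whose pair was never in the baseline."""
    return [i for i, e in enumerate(events) if (e["parent"], e["proc"]) not in baseline]


def detect(events: List[Dict[str, str]], signatures: Set[str],
           baseline: Set[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each process name to the detectors that flagged it; [] means missed by both."""
    sig = set(signature_detect(events, signatures))
    ano = set(anomaly_detect(events, baseline))
    verdict: Dict[str, List[str]] = {}
    for i, e in enumerate(events):
        hits = []
        if i in ano:
            hits.append("anomaly")
        if i in sig:
            hits.append("signature")
        verdict[e["proc"]] = hits
    return verdict


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_LOG))
    for proc, hits in detect(parse_events(LIVE_LOG), KNOWN_BAD_HASHES, base).items():
        print(f"{proc:20s} {hits or 'missed'}")
```

Run stand-alone, the output shows the four outcomes the section describes: outlook.exe is benign and unflagged; powershell.exe spawned by winword.exe is caught only by the anomaly detector (no signature exists); unknown-tool.exe is caught by both; and persist-agent.exe, a mutated build of an implant that was already present when the baseline was learned, is missed by both, which is the gap that motivates combining several data sources rather than relying on a TPA alone.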
7 Discussion
This section investigates the insights derived from the findings in Section 6. The attack coverage of each data
source and of each attack vector are discussed, as well as the optimal selection of data sources.
7.1 Data Source Coverage
The findings summarized in Table 10 show that threat protection applications (TPAs) provide the best coverage of
the threat landscape with 64% full coverage. This higher coverage is due to the combination of two fundamental
data sources (network and system event logs), and thereby the use of a wider variety of distinct data sources that
cover more attack vectors. TPAs also cover 100% of detectable attack vectors. However, 36% of attack vectors are
only partially covered by TPAs and may avoid detection if TPAs were used in isolation.
Table 10 Data source attack coverage (ordered by full coverage and rounded to whole number)
# | Data Source | Full | Partial | None | Total (Full + Partial)
1 | Threat Protection Applications | 64% | 36% | 0% | 100%
2 | Network Logs | 55% | 36% | 9% | 91%
3 | Geolocation | 55% | 0% | 45% | 56%
4 | Application Logs | 36% | 27% | 36% | 64%
5 | System Event Logs | 36% | 27% | 36% | 64%
These findings show that resources should be distributed towards TPAs to detect cyber-attacks more effectively.
However, this information also shows that no single data source (fundamental nor derivative) can give full coverage
of all attack vectors and that a range of data sources must be used to provide full coverage of the threat landscape.
7.2 Attack Vector Coverage
Viewing the data by attack vector (Table 11) shows that password attacks are detectable by the largest number of
data sources, with coverage from all five (four full and one partial). This shows that password attacks are the most
likely attack to be detected, as there are more opportunities to detect them. Insider attacks have the lowest overall
detection, with no full detection data sources and two partial detection data sources (undetectable by three data
sources). This shows that insider attacks are the least likely to be detected, as there are no data sources that can
reliably detect them.
Table 11 Summarised attack detection coverage (ordered by full coverage)
# | Attack vector | Full | Partial | None | Total
1 | Password Attacks | 4 | 1 | 0 | 5
2 | Malware | 4 | 0 | 1 | 4
3 | Reconnaissance | 4 | 0 | 1 | 4
4 | Software Vulnerabilities | 3 | 1 | 1 | 4
5 | Social Engineering | 3 | 0 | 2 | 3
6 | Man in the Middle/Interception | 3 | 0 | 2 | 3
7 | Denial of Service | 3 | 0 | 2 | 3
8 | Physical Attacks | 2 | 0 | 3 | 2
9 | Misconfiguration | 1 | 3 | 0 | 4
10 | Supply Chain Attacks | 0 | 5 | 2 | 3
11 | Insider Attacks | 0 | 2 | 3 | 2
These findings show that future work and attack detection strategies should focus more heavily on insider attacks
and supply chain attacks as they are the least likely attack vectors to be detected.
7.3 Optimal Data Source Usage
As there is no single data source that gives full coverage of insider attacks or supply chain attacks, it is impossible
to provide full and reliable detection of all attack vectors. However, it is possible to provide at least partial coverage
of all attack vectors. TPAs combined with Network Logs provide the optimal coverage, with full coverage of 82% of
attack vectors and partial coverage of the remaining 18% (as shown in Table 12), and should be prioritised when
working with limited resources.
Table 12 Attack vectors identifiable by data sources
Attack vector | Network Logs | Application Logs | System Event Logs | Geolocation | Threat Protection Applications
Physical Attacks | None | None | Full | None | Full
Reconnaissance | Full | Full | None | Full | Full
Social Engineering | Full | None | None | Full | Full
Insider Attacks | Partial | Partial | Partial | None | Partial
Supply Chain Attacks | Partial | Partial | Partial | None | Partial
Man in the Middle/Interception | Full | None | None | Full | Full
Denial of Service | Full | Full | None | Full | Partial
Misconfiguration | Partial | Partial | Partial | None | Full
Software Vulnerabilities | Partial | Full | Full | None | Full
Malware | Full | None | Full | Full | Full
Password Attacks | Full | Full | Full | Full | Partial
Although all attack vectors can be covered (partially or fully) using just two data sources, it is still recommended
that all available data sources are used where possible to further improve detection.
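As an added example (not from the paper), the following Python script encodes the Table 12 matrix and recomputes the per-source percentages of Table 10, tallies per-vector coverage in the manner of Table 11, and performs the selection discussed in Sections 7.1 to 7.3 as an exhaustive search over every combination of k data sources, scored first by full and then by partial coverage. This generalises the two-source recommendation above to any k and returns every combination attaining the maximum, so ties between candidate source sets are visible. The source and vector names are taken from the paper's tables; the function names and the scoring rule are this example's own.

```python
"""Coverage analysis over the attack-vector / data-source matrix of Table 12.

Added example, not the paper's code. The matrix values are transcribed from
Table 12; the function names and the (full, partial) scoring rule are assumed.
"""
from itertools import combinations
from typing import Dict, List, Tuple

SOURCES = ["Network Logs", "Application Logs", "System Event Logs",
           "Geolocation", "Threat Protection Applications"]

# Rows of Table 12: attack vector -> detectability per source, in SOURCES order.
MATRIX: Dict[str, List[str]] = {
    "Physical Attacks":               ["None", "None", "Full", "None", "Full"],
    "Reconnaissance":                 ["Full", "Full", "None", "Full", "Full"],
    "Social Engineering":             ["Full", "None", "None", "Full", "Full"],
    "Insider Attacks":                ["Partial", "Partial", "Partial", "None", "Partial"],
    "Supply Chain Attacks":           ["Partial", "Partial", "Partial", "None", "Partial"],
    "Man in the Middle/Interception": ["Full", "None", "None", "Full", "Full"],
    "Denial of Service":              ["Full", "Full", "None", "Full", "Partial"],
    "Misconfiguration":               ["Partial", "Partial", "Partial", "None", "Full"],
    "Software Vulnerabilities":       ["Partial", "Full", "Full", "None", "Full"],
    "Malware":                        ["Full", "None", "Full", "Full", "Full"],
    "Password Attacks":               ["Full", "Full", "Full", "Full", "Partial"],
}
LEVELS = ("Full", "Partial", "None")


def pct(n: int, total: int) -> int:
    """Whole-number percentage, matching the rounding used in Table 10."""
    return round(100 * n / total)


def source_coverage(matrix: Dict[str, List[str]] = MATRIX) -> Dict[str, Tuple[int, int, int]]:
    """Table 10: per source, % of vectors at Full / Partial / None, ordered by Full descending."""
    total = len(matrix)
    result = {}
    for i, src in enumerate(SOURCES):
        col = [row[i] for row in matrix.values()]
        result[src] = tuple(pct(col.count(lvl), total) for lvl in LEVELS)
    # sorted() is stable, so sources with equal Full keep their table order.
    return dict(sorted(result.items(), key=lambda kv: kv[1][0], reverse=True))


def vector_coverage(matrix: Dict[str, List[str]] = MATRIX) -> Dict[str, Tuple[int, int, int]]:
    """Table 11 style tally: per vector, number of sources giving Full / Partial / None."""
    return {v: tuple(row.count(lvl) for lvl in LEVELS) for v, row in matrix.items()}


def best_level(row: List[str], idx: Tuple[int, ...]) -> str:
    """Best detectability of one vector across the chosen sources."""
    seen = {row[i] for i in idx}
    return "Full" if "Full" in seen else "Partial" if "Partial" in seen else "None"


def combined_coverage(sources: Tuple[str, ...],
                      matrix: Dict[str, List[str]] = MATRIX) -> Tuple[int, int, int]:
    """% of vectors at Full / Partial / None when these sources are used together."""
    idx = tuple(SOURCES.index(s) for s in sources)
    best = [best_level(row, idx) for row in matrix.values()]
    return tuple(pct(best.count(lvl), len(matrix)) for lvl in LEVELS)


def best_combinations(k: int, matrix: Dict[str, List[str]] = MATRIX
                      ) -> List[Tuple[Tuple[str, ...], Tuple[int, int, int]]]:
    """Every k-subset of sources attaining the highest (Full %, Partial %) score."""
    scored = [(combo, combined_coverage(combo, matrix)) for combo in combinations(SOURCES, k)]
    top = max(cov[:2] for _, cov in scored)
    return [(combo, cov) for combo, cov in scored if cov[:2] == top]


if __name__ == "__main__":
    for src, cov in source_coverage().items():
        print(f"{src:32s} full={cov[0]:3d}% partial={cov[1]:3d}% none={cov[2]:3d}%")
    for k in (1, 2, 3):
        for combo, cov in best_combinations(k):
            print(f"k={k}: {' + '.join(combo)} -> full={cov[0]}% partial={cov[1]}%")
```

With k=2 the search confirms that TPAs with Network Logs reach 82% full and 18% partial coverage on this matrix; it also lists any other pairing that reaches the same score, which is useful when a particular source is unavailable, and raising k shows how quickly the remaining partial coverage is (or is not) converted to full coverage.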
8 Conclusion and Future Work
Although cyber security is a highly researched area, there are still a considerable number of attacks that go
undetected using existing detection strategies. The authors argue that threat coverage can be improved by better
understanding which data sources can be used to detect specific threats. Forty-three attack vectors and seventeen
data sources were surveyed, categorized and analysed to understand the relationship between them. The attack
vectors detectable by each data source were researched and documented in Section 6. Analysis of the relationship
between attack vectors and data sources identified threats that are underrepresented in the data and are more
likely to go undetected. The findings show that insider attacks and supply chain attacks are the least likely attacks to
be identified. Additionally, the findings show that threat protection applications provide the best coverage of the
threat landscape, although optimal coverage can only be achieved using multiple data sources.
Future work could compare the findings presented in this paper with real-world threat detection statistics to
identify differences between the theoretical and practical threat coverage of different data sources. Additional
work could also investigate the creation of additional data sources to improve the detection of insider attacks and
supply chain attacks, as these were shown to be the least likely threats to be identified.
Funding
This work was supported by the KESS 2 programme. Knowledge Economy Skills Scholarships (KESS) is a pan-Wales
higher-level skills initiative led by Bangor University on behalf of the HE sector in Wales. It is part funded by the
Welsh Government’s European Social Fund (ESF) programme for East Wales.
This work was additionally supported by ITSUS Consulting. ITSUS is a network security consultancy specializing in
defense, government, finance, and critical infrastructure.
9 References
[1] City of London Police, “NFIB Fraud and Cyber Crime Dashboard,” 2021.
https://colpolice.maps.arcgis.com/apps/opsdashboard/index.html#/60499304565045b0bce05d2ca7e1e56c
(accessed Jan. 18, 2022).
[2] Mandiant, “Security Effectiveness 2020: Deep Dive Into Cyber Security Reality,” 2020, Accessed: Jan. 17,
2022. [Online]. Available: https://content.fireeye.com/security-effectiveness/rpt-security-effectiveness-
2020-deep-dive-into-cyber-reality.
[3] IBM, “Cost of a Data Breach Report 2021,” 2021.
[4] X. Jing, Z. Yan, and W. Pedrycz, “Security data collection and data analytics in the internet: A survey,” IEEE
Commun. Surv. Tutorials, vol. 21, no. 1, pp. 586–618, Jan. 2019, doi: 10.1109/COMST.2018.2863942.
[5] A. Z. Agghey, L. J. Mwinuka, S. M. Pandhare, M. A. Dida, and J. D. Ndibwile, “Detection of Username
Enumeration Attack on SSH Protocol: Machine Learning Approach,” Symmetry 2021, Vol. 13, Page 2192, vol.
13, no. 11, p. 2192, Nov. 2021, doi: 10.3390/SYM13112192.
[6] J. M. Biju, N. Gopal, and A. J. Prakash, “CYBER ATTACKS AND ITS DIFFERENT TYPES,” Int. Res. J. Eng. Technol.,
2008, Accessed: Nov. 19, 2021. [Online]. Available: www.irjet.net.
[7] R. Prasad and V. Rohokale, “Cyber Threats and Attack Overview,” pp. 15–31, 2020, doi: 10.1007/978-3-030-
31703-4_2.
[8] C. Simmons, C. Ellis, S. Shiva, D. Dasgupta, and Q. Wu, “AVOIDIT: A Cyber Attack Taxonomy,” 2009.
[9] R. Derbyshire, B. Green, D. Prince, A. Mauthe, and D. Hutchison, “An Analysis of Cyber Security Attack
Taxonomies,” Proc. - 3rd IEEE Eur. Symp. Secur. Priv. Work. EURO S PW 2018, pp. 153–161, Jul. 2018, doi:
10.1109/EUROSPW.2018.00028.
[10] M. I. Mahaini, S. Li, and R. B. Sağlam, “Building taxonomies based on human-machine teaming: Cyber
security as an example,” PervasiveHealth Pervasive Comput. Technol. Healthc., Aug. 2019, doi:
10.1145/3339252.3339282.
[11] CAPEC, “CAPEC-3000: Domains of Attack,” 2021. https://capec.mitre.org/data/definitions/3000.html
(accessed Nov. 25, 2021).
[12] S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber-Physical System Security for the Electric Power Grid,” 2011,
doi: 10.1109/JPROC.2011.2165269.
[13] A. Kim, J. Oh, J. Ryu, and K. Lee, “A review of insider threat detection approaches with IoT perspective,” IEEE
Access, vol. 8, pp. 78847–78867, 2020, doi: 10.1109/ACCESS.2020.2990195.
[14] M. Bailey, E. Cooke, F. Jahanian, Y. Xu, and M. Karir, “A survey of botnet technology and defenses,” Proc. -
Cybersecurity Appl. Technol. Conf. Homel. Secur. CATCH 2009, pp. 299–304, 2009, doi:
10.1109/CATCH.2009.40.
[15] G. Conti, J. Grizzard, M. Ahamad, and H. Owen, “Visual exploration of malicious network objects using
semantic zoom, interactive encoding and dynamic queries,” IEEE Work. Vis. Comput. Secur. 2005, VizSEC 05,
Proc., pp. 83–90, 2005, doi: 10.1109/VIZSEC.2005.1532069.
[16] A. D. Kent, “Cyber security data sources for dynamic network research,” in Dynamic Networks and Cyber-
Security, vol. 1, World Scientific Publishing Co. Pte. Ltd., 2016, pp. 37–65.
[17] Cisco Systems, “NetFlow Version 9 Flow-Record Format,” 2011.
https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.ht
ml (accessed Jan. 04, 2022).
[18] T. Ryan, “The Detection Value of Cybersecurity Data.” https://www.cysiv.com/company/blog/detection-
value-cybersecurity-data (accessed Sep. 08, 2021).
[19] K. Grahn, M. Westerlund, and G. Pulkkis, “Analytics for Network Security: A Survey and Taxonomy,” Stud.
Comput. Intell., vol. 691, pp. 175–193, Jan. 2017, doi: 10.1007/978-3-319-44257-0_8.
[20] T. Talaei Khoei, H. Ould Slimane, N. Kaabouch, T. Talaei Khoei, H. Ould Slimane, and N. Kaabouch, “A
Comprehensive Survey on the Cyber-Security of Smart Grids: Cyber-Attacks, Detection, Countermeasure
Techniques, and Future Directions,” arXiv, p. arXiv:2207.07738, Jun. 2022, Accessed: Aug. 16, 2022. [Online].
Available: https://ui.adsabs.harvard.edu/abs/2022arXiv220707738T/abstract.
[21] Z. Yuling, “A Research on Problems and Countermeasures of Computer Network Security in the Era of Big
Data,” ACM Int. Conf. Proceeding Ser., pp. 32–36, May 2021, doi: 10.1145/3472349.3472354.
[22] Florida State University, “IT Log Collection, Analysis and Retention Standard.”
https://its.fsu.edu/ispo/standards/it-log-collection-analysis-and-retention-standard (accessed Aug. 16,
2022).
[23] A. Ulmer, M. Schufrin, D. Sessler, and J. Kohlhammer, “Visual-Interactive Identification of Anomalous IP-
Block Behavior Using Geo-IP Data,” May 2018, doi: 10.1109/VIZSEC.2018.8709182.
[24] J. Lu et al., “Integrating Traffics with Network Device Logs for Anomaly Detection,” 2019, doi:
10.1155/2019/5695021.
[25] J. Goverman and A. Tekeoglu, “Stealthy Data Exfiltration via TCP Sequence Numbers based Covert Channel,”
Proc. Int. Conf. Comput. Information, Telecommun. Syst. CITS 2021, 2021, doi:
10.1109/CITS52676.2021.9618137.
[26] M. Lechtik and G. Dedola, “Cycldek: Bridging the (air) gap,” 2020. https://securelist.com/cycldek-bridging-
the-air-gap/97157/ (accessed Aug. 16, 2022).
[27] K. Halouzka, L. Burita, and P. Kozak, “Overview of Cyber Threats in Central European Countries,” 2021
Commun. Inf. Technol. Conf. Proceedings, KIT 2021 - 11th Int. Sci. Conf., Oct. 2021, doi:
10.1109/KIT52904.2021.9583621.
[28] F. Richter, “The Most Common Types of Cyber Crime,” 2022. https://www.statista.com/chart/24593/most-
common-types-of-cyber-crime/ (accessed Aug. 17, 2022).
[29] CrowdStrike, “Top 14 Most Common Cyber Attacks Today,” 2021.
https://www.crowdstrike.com/cybersecurity-101/cyberattacks/most-common-cyberattacks/ (accessed Aug.
17, 2022).
[30] A. Ramachandran, N. Feamster, and D. Dagon, “Revealing Botnet Membership Using DNSBL Counter-
Intelligence,” 2006.
[31] J. Miller, “Why Log Monitoring Is Essential to Your Cybersecurity Plan,” 2020.
https://www.bitlyft.com/resources/why-log-monitoring-is-essential (accessed Jul. 14, 2022).
[32] L. Liu, O. De Vel, Q. L. Han, J. Zhang, and Y. Xiang, “Detecting and Preventing Cyber Insider Threats: A
Survey,” IEEE Communications Surveys and Tutorials, vol. 20, no. 2. Institute of Electrical and Electronics
Engineers Inc., pp. 1397–1418, Apr. 01, 2018, doi: 10.1109/COMST.2018.2800740.
[33] A. Ambre and N. Shekokar, “Insider Threat Detection Using Log Analysis and Event Correlation,” Procedia
Comput. Sci., vol. 45, no. C, pp. 436–445, Jan. 2015, doi: 10.1016/J.PROCS.2015.03.175.
[34] R. Maule, “Acquisition Data Analytics for Supply Chain Cybersecurity,” 2021.
[35] T. Neubert and C. Vielhauer, “Kill Chain Attack Modelling for Hidden Channel Attack Scenarios in Industrial
Control Systems,” IFAC-PapersOnLine, vol. 53, no. 2, pp. 11074–11080, Jan. 2020, doi:
10.1016/J.IFACOL.2020.12.246.
[36] A. Mitseva, A. Panchenko, and T. Engel, “The state of affairs in BGP security: A survey of attacks and
defenses,” Comput. Commun., vol. 124, pp. 45–60, Jun. 2018, doi: 10.1016/J.COMCOM.2018.04.013.
[37] M. Hashim and M. Alhamdi, “Detection of DOSS Attacks and Abnormalities Within the Network,” 2021.
[38] S. Jacob, Y. Qiao, Y. Ye, and B. Lee, “Anomalous distributed traffic: Detecting cyber security attacks amongst
microservices using graph convolutional networks,” Comput. Secur., vol. 118, p. 102728, Jul. 2022, doi:
10.1016/J.COSE.2022.102728.
[39] Z. WANG, “Real Time Detection Framework of Insider Threat Based Agent,” DEStech Trans. Comput. Sci.
Eng., no. cmee, Mar. 2018, doi: 10.12783/DTCSE/CMEE2017/20071.
[40] R. Gula, “Leveraging Logins and Login Failures to Track Insiders,” 2014.
https://www.tenable.com/blog/leveraging-logins-and-login-failures-to-track-insiders (accessed Jul. 18,
2022).
[41] J. Ng, D. Joshi, and S. M. Banik, “Applying data mining techniques to intrusion detection,” Proc. - 12th Int.
Conf. Inf. Technol. New Gener. ITNG 2015, pp. 800–801, May 2015, doi: 10.1109/ITNG.2015.146.
[42] M. Du, F. Li, G. Zheng, and V. Srikumar, “DeepLog: Anomaly Detection and Diagnosis from System Logs
through Deep Learning,” Proc. 2017 ACM SIGSAC Conf. Comput. Commun. Secur., 2017, doi:
10.1145/3133956.
[43] e2e, “Detecting backdoors in network equipment,” 2015. https://blog.e2e-assure.com/detecting-backdoors/
(accessed Jul. 19, 2022).
[44] T. Hulkkonen, “Implementing situational awareness,” 2016.
[45] R. Meyer, “Detecting Attacks on Web Applications from Log Files,” 2008.
[46] G. J. Silowash and T. B. Lewellen, “Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to
Detect Possible Data Exfiltration by Malicious Insiders,” 2013, Accessed: Jul. 19, 2022. [Online]. Available:
http://www.sei.cmu.edu.
[47] Q. Zou, A. Singhal, X. Sun, and P. Liu, “Automatic Recognition of Advanced Persistent Threat Tactics for
Enterprise Security,” Proc. Sixth Int. Work. Secur. Priv. Anal., p. 10, 2020, doi: 10.1145/3375708.
[48] C. D. Motero, J. R. B. Higuera, J. B. Higuera, J. A. S. Montalvo, and N. G. Gomez, “On Attacking Kerberos
Authentication Protocol in Windows Active Directory Services: A Practical Survey,” IEEE Access, vol. 9, pp.
109289–109319, 2021, doi: 10.1109/ACCESS.2021.3101446.
[49] R. van Heerden, M. M. Malan, F. Mouton, and B. Irwin, “Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time,” IFIP Adv. Inf. Commun. Technol., vol. 431, pp. 280–292, 2014, doi: 10.1007/978-3-662-44208-1_23.
[50] WhoisXML API, “How the Best IP Geolocation API Can Support Cybersecurity Efforts,” 2019. https://circleid.com/posts/20190523_how_the_best_ip_geolocation_api_can_support_cybersecurity_efforts (accessed Jul. 20, 2022).
[51] M. Atienza, “E-commerce Fraud 101: Account Takeover,” 2017. https://blog.maxmind.com/2017/08/e-commerce-fraud-101-account-takeover/ (accessed Jul. 21, 2022).
[52] M. T. O’Neill, “The State of Man-in-the-Middle TLS Proxies: Prevalence and User Attitudes,” 2016, Accessed: Jul. 21, 2022. [Online]. Available: https://scholarsarchive.byu.edu/etd.
[53] Z. Ling, J. Luo, Y. Xu, C. Gao, K. Wu, and X. Fu, “Security Vulnerabilities of Internet of Things: A Case Study of
the Smart Plug System,” IEEE Internet Things J., vol. 4, no. 6, pp. 1899–1909, Dec. 2017, doi:
10.1109/JIOT.2017.2707465.
[54] R. S. Devi and M. M. Kumar, “Testing for Security Weakness of Web Applications using Ethical Hacking,”
Proc. 4th Int. Conf. Trends Electron. Informatics, ICOEI 2020, pp. 354–361, Jun. 2020, doi:
10.1109/ICOEI48184.2020.9143018.
[55] S. Sivakorn et al., “Countering Malicious Processes with Process-DNS Association,” 2019, doi:
10.14722/ndss.2019.23012.
[56] H. A. Khan and A. Hutchison, “Advancing Security Information and Event Management Frameworks in
Managed Enterprises using GeoLocation,” 2014.
[57] F. Siciliano, “BadUSB: How To Do USB Device Detection with OSSEC HIDS and AlienVault USM,” AT&T Cybersecurity, 2014. https://cybersecurity.att.com/blogs/security-essentials/badusb-how-to-do-usb-device-detection-with-ossec-hids-and-alienvault-usm (accessed Jul. 25, 2022).
[58] Cisco, Cisco Security Professional’s Guide to Secure Intrusion Detection Systems. Syngress, 2003, doi: 10.1016/B978-1-932266-69-6.X5017-4.
[59] J. Nelson, X. Lin, C. Chen, J. Iglesias, and J. J. Li, “Social engineering for security attacks,” ACM Int. Conf.
Proceeding Ser., Aug. 2016, doi: 10.1145/2955129.2955158.
[60] G. Doss and G. Tejay, “Developing insider attack detection model: A grounded approach,” 2009 IEEE Int.
Conf. Intell. Secur. Informatics, ISI 2009, pp. 107–112, 2009, doi: 10.1109/ISI.2009.5137280.
[61] H. Mohapatra, S. Rath, S. Panda, and R. Kumar, “Handling of Man-In-The-Middle Attack in WSN Through
Intrusion Detection System,” Int. J. Emerg. Trends Eng. Res., vol. 8, no. 5, pp. 1503–1510, May 2020, doi:
10.30534/IJETER/2020/05852020.
[62] S. Sharma, R. K. Tiwari, and R. K. Gour, “Enhanced Architecture for Misconfiguration and Intrusion Detection using Centralized Rule based System,” Int. J. Comput. Appl., vol. 59, no. 6, 2012, doi: 10.5120/9552-4010.
[63] Y. Robiah, S. S. Rahayu, M. M. Zaki, S. Shahrin, M. A. Faizal, and R. Marliza, “A New Generic Taxonomy on Hybrid Malware Detection Technique,” Int. J. Comput. Sci. Inf. Secur. (IJCSIS), vol. 5, no. 1, Sep. 2009, doi: 10.48550/arxiv.0909.4860.