Fronesis: Digital Forensics-Based Early Detection of Ongoing Cyber-Attacks

Athanasios Dimitriadis; Efstratios Lontzetidis; Boonserm Kulvatunyou; Nenad Ivezic; Dimitris Gritzalis; Ioannis Mavridis

doi:10.1109/ACCESS.2022.3233404

IEEE Access (Jan 2023)

Fronesis: Digital Forensics-Based Early Detection of Ongoing Cyber-Attacks

Athanasios Dimitriadis,
Efstratios Lontzetidis,
Boonserm Kulvatunyou,
Nenad Ivezic,
Dimitris Gritzalis,
Ioannis Mavridis

Affiliations

Athanasios Dimitriadis: ORCiD; Department of Applied Informatics, University of Macedonia, Thessaloniki, Greece
Efstratios Lontzetidis: ORCiD; Encode Centre of Excellence, Athens, Greece
Boonserm Kulvatunyou: Engineering Laboratory, National Institute of Standards and Technology, Gaithersburg, MD, USA
Nenad Ivezic: Engineering Laboratory, National Institute of Standards and Technology, Gaithersburg, MD, USA
Dimitris Gritzalis: ORCiD; Department of Informatics, Athens University of Economics and Business (AUEB), Athens, Greece
Ioannis Mavridis: ORCiD; Department of Applied Informatics, University of Macedonia, Thessaloniki, Greece

DOI: https://doi.org/10.1109/ACCESS.2022.3233404
Journal volume & issue: Vol. 11
pp. 728 – 743

Abstract

Read online

Traditional attack detection approaches utilize predefined databases of known signatures about already-seen tools and malicious activities observed in past cyber-attacks to detect future attacks. More sophisticated approaches apply machine learning to detect abnormal behavior. Nevertheless, a growing number of successful attacks and the increasing ingenuity of attackers prove that these approaches are insufficient. This paper introduces an approach for digital forensics-based early detection of ongoing cyber-attacks called Fronesis. The approach combines ontological reasoning with the MITRE ATT&CK framework, the Cyber Kill Chain model, and the digital artifacts acquired continuously from the monitored computer system. Fronesis examines the collected digital artifacts by applying rule-based reasoning on the Fronesis cyber-attack detection ontology to identify traces of adversarial techniques. The identified techniques are correlated to tactics, which are then mapped to corresponding phases of the Cyber Kill Chain model, resulting in the detection of an ongoing cyber-attack. Finally, the proposed approach is demonstrated through an email phishing attack scenario.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords