ADEPT: Detection and Identification of Correlated Attack Stages in IoT Networks

Sudheera, Kalupahana Liyanage Kushan; Divakaran, Dinil Mon; Singh, Rhishi Pratap; Gurusamy, Mohan

doi:10.1109/jiot.2021.3055937

Cited by 25 publications

(13 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In detail, the proposed framework was designed with varying constraints, resulting in implementations with different degrees of complexity (in terms of classifiers, features, and reject options). Adept [19] is an attack detection and identification framework for identifying multi-stage distributed attacks on the Internet-of-ings (IoT). It is based on a hierarchical distributed framework, where local gateways monitor network traffic and generate alerts for any anomalous activity.…”

Section: Machine and Deepmentioning

confidence: 99%

Encrypted Packet Inspection Based on Oblivious Transfer

Zhang

2022

Security and Communication Networks

View full text Add to dashboard Cite

Deep packet inspection (DPI) is widely used in detecting abnormal traffic and suspicious activities in networks. With the growing popularity of secure hypertext transfer protocol (HyperText Transfer Protocol over Secure Socket Layer, HTTPS), inspecting the encrypted traffic is necessary. The traditional decryption-and-then-encryption method has the drawback of privacy leaking. Decrypting encrypted packets for inspection violates the confidentiality goal of HTTPS. Now, people are faced with a dilemma: choosing between the middlebox’s ability to perform detection functions and protecting the privacy of their communications. We propose OTEPI, a system that simultaneously provides both of those properties. The approach of OTEPI is to perform the deep packet inspection directly on the encrypted traffic. Unlike machine and deep learning methods that can only classify traffic, OTEPI is able to accurately identify which detection rule was matched by the encrypted packet. It can facilitate network managers to manage their networks at a finer granularity. OTEPI achieves the function through a new protocol and new encryption schemes. Compared with previous works, our approach achieves rule encryption with oblivious transfer (OT), which allows our work to achieve a better balance between communication traffic consumption and computational resource consumption. And our design of Oblivious Transfer and the use of Natural Language Processing tools make OTEPI outstanding in terms of computational consumption.

show abstract

Section: Machine and Deepmentioning

confidence: 99%

Encrypted Packet Inspection Based on Oblivious Transfer

Zhang

2022

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Then, the pattern extraction of anomalous traffic flows is equivalent to mining the anomalous association rules from flow-level data. A recent work [25] proposed an FIM-based framework for detecting attacks specifically in distributed IoT networks. They mined the patterns to identify spatial and temporal correlations from aggregated alerts generated by home networks; these mined patterns were then fed to a supervised classifier to detect different stages of attacks.…”

Section: Background and Related Workmentioning

confidence: 99%

APEX: Characterizing Attack Behaviors from Network Anomalies

Sudheera¹,

Tian²,

Divakaran³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

<p>Networks regularly face various threats and attacks that manifest in their communication traffic. Recent works proposed unsupervised approaches, e.g., using a variational autoencoder, that are not only effective in detecting anomalies in network traffic, but also practical as they do not require ground truth or labeled data. However, the problem of characterizing anomalies into different attack behaviors is still less explored; in this work, we study this specific problem. We develop APEX, a framework that employs data mining approaches in a semi-supervised way to extract the attack patterns from anomalous traffic and links them to specific attack types. APEX comprises two levels of mining; the first level extracts patterns in anomalous network flows, and the second level characterizes behaviors in the extracted patterns into four different attack classes. We carry out extensive experiments on real network traces obtained from the MAWI traffic archive. The evaluations demonstrate that APEX is effective in extracting distinguishable behaviors of network attacks from anomalous traffic, which we believe, provides useful insights to security analysts investigating the anomalies.</p>

show abstract

“…Labeling in this phase means that the intrusion type or class labels are assigned to each cluster. According to [39], the assignment of clusters to corresponding attack stages still needs to be investigated.…”

Section: Alert Correlation For Outlier Detectionmentioning

confidence: 99%

“…A recent work [39] proposes Adept, a distributed framework, to detect individual attack stages in order to uncover a coordinated attack in the IoT security domain. Anomaly detection is performed on the network traffic of IoT devices, and potential anomalies are sent to a security manager.…”

Section: Alert Correlation For Outlier Detectionmentioning

confidence: 99%

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

et al. 2021

View full text Add to dashboard Cite

Future-oriented networking infrastructures are characterized by highly dynamic Streaming Data (SD) whose volume, speed and number of dimensions increased significantly over the past couple of years, energized by trends such as Software-Defined Networking or Artificial Intelligence. As an essential core component of network security, Intrusion Detection Systems (IDS) help to uncover malicious activity. In particular, consecutively applied alert correlation methods can aid in mining attack patterns based on the alerts generated by IDS. However, most of the existing methods lack the functionality to deal with SD data affected by the phenomenon called concept drift and are mainly designed to operate on the output from signature-based IDS. Although unsupervised Outlier Detection (OD) methods have the ability to detect yet unknown attacks, most of the alert correlation methods cannot handle the outcome of such anomaly-based IDS. In this paper, we introduce a novel framework called Streaming Outlier Analysis and Attack Pattern Recognition, denoted as SOAAPR, which is able to process the output of various online unsupervised OD methods in a streaming fashion to extract information about novel attack patterns. Three different privacy-preserving, fingerprint-like signatures are computed from the clustered set of correlated alerts by SOAAPR, which characterizes and represents the potential attack scenarios with respect to their communication relations, their manifestation in the data's features and their temporal behavior. Beyond the recognition of known attacks, comparing derived signatures, they can be leveraged to find similarities between yet unknown and novel attack patterns. The evaluation, which is split into two parts, takes advantage of attack scenarios from the widely-used and popular CICIDS2017 and CSE‐CIC‐IDS2018 datasets. Firstly, the streaming alert correlation capability is evaluated on CICIDS2017 and compared to a state-of-the-art offline algorithm, called Graph-based Alert Correlation (GAC), which has the potential to deal with the outcome of anomaly-based IDS. Secondly, the three types of signatures are computed from attack scenarios in the datasets and compared to each other. The discussion of results, on the one hand, shows that SOAAPR can compete with GAC in terms of alert correlation capability leveraging four different metrics and outperforms it significantly in terms of processing time by an average factor of 70 in 11 attack scenarios. On the other hand, in most cases, all three types of signatures seem to reliably characterize attack scenarios such that similar ones are grouped together, with up to 99.05\% similarity between the FTP and SSH Patator attack.intrusion detection; alert analysis; alert correlation; outlier detection; attack scenario; streaming data; network security

show abstract

ADEPT: Detection and Identification of Correlated Attack Stages in IoT Networks

Cited by 25 publications

References 26 publications

Encrypted Packet Inspection Based on Oblivious Transfer

Encrypted Packet Inspection Based on Oblivious Transfer

APEX: Characterizing Attack Behaviors from Network Anomalies

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

Contact Info

Product

Resources

About