Abstract: In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intru…
“…Cluster Correlation Analysis. The clustering alert correlation method associates alert information with some identical or similar features, that is, clustering by the similarity between alert attribute values, such as the same destination address, the same attack source, attack means, etc. Ahmadianramaki et al [1] proposed a three-layer processing framework that uses causal knowledge to correlate alerts, automatically extracts causal relationships between alerts, builds the attack scenario using Bayesian networks, and further predicts the most likely next attack behavior.…”
"Feint Attack", as a new type of APT attack, has become the focus of attention. It adopts a multi-stage attack mode which can be described as a combination of virtual attacks and real attacks. Under the cover of virtual attacks, real attacks can achieve the real purpose of the attacker; as a result, it often causes huge losses inadvertently. However, to our knowledge, all previous works use common methods such as Causal-Correlation or Case-based to detect outdated multi-stage attacks. Little attention has been paid to detecting the "Feint Attack", because the difficulty of detection lies in the diversification of the concept of "Feint Attack" and the lack of professional datasets; many detection methods ignore the semantic relationship in the attack. Aiming at the existing challenge, this paper explores a new method to solve the problem. In the attack scenario, the fuzzy clustering method based on attribute similarity is used to mine multi-stage attack chains. Then we use a few-shot deep learning algorithm (SMOTE&CNN-SVM) and a bidirectional Recurrent Neural Network model (Bi-RNN) to obtain the "Feint Attack" chains. "Feint Attack" is simulated by a real attack inserted into a normal causal attack chain, and the addition of the real attack destroys the causal relationship of the original attack chain. So we use Bi-RNN coding to obtain the hidden feature of the "Feint Attack" chain. In the end, our method achieved the goal of detecting the "Feint Attack" accurately using the LLDoS1.0 and LLDoS2.0 of DARPA2000 and CICIDS2017 of the Canadian Institute for Cybersecurity.
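The citation statement above describes the clustering alert correlation method (grouping alerts by shared attribute values such as destination address, attack source and attack means) and the abstract describes mining multi-stage attack chains from such clusters. The following is an added illustration of that idea in Python; it is not code from the cited paper or from the Feint Attack paper. The attribute weights, the similarity threshold, the single-linkage grouping rule and all alert records are constructed assumptions made here to keep the example self-contained.

```python
"""Attribute-similarity alert clustering into multi-stage attack chains.

Added illustration, not the cited paper's code. The weights, threshold and
sample alerts are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since epoch (constructed values)
    src: str       # attack source address
    dst: str       # destination address
    category: str  # attack means as labelled by the IDS, e.g. "scan"


# Weight of each attribute in the similarity score (assumed values).
WEIGHTS = {"src": 0.4, "dst": 0.4, "category": 0.2}


def similarity(a: Alert, b: Alert) -> float:
    """Weighted share of attributes the two alerts have in common (0.0 to 1.0)."""
    return sum(w for name, w in WEIGHTS.items() if getattr(a, name) == getattr(b, name))


def cluster_alerts(alerts: List[Alert], threshold: float = 0.4) -> List[List[Alert]]:
    """Single-linkage clustering in time order.

    An alert joins the first cluster that already contains an alert at least
    `threshold` similar to it; otherwise it opens a new cluster. With the
    weights above, sharing the source or the destination address is enough.
    """
    clusters: List[List[Alert]] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for cluster in clusters:
            if max(similarity(alert, member) for member in cluster) >= threshold:
                cluster.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


def attack_chains(clusters: List[List[Alert]], min_stages: int = 2) -> List[Dict]:
    """Collapse each cluster into its ordered sequence of distinct stages.

    Only clusters that progress through at least `min_stages` different attack
    means are reported as multi-stage chains; repeated scans from one host
    stay a single-stage cluster and are dropped.
    """
    chains = []
    for cluster in clusters:
        stages: List[str] = []
        for alert in cluster:
            if not stages or stages[-1] != alert.category:
                stages.append(alert.category)
        if len(stages) >= min_stages:
            chains.append({
                "src": cluster[0].src,
                "dst": cluster[0].dst,
                "stages": stages,
                "start": cluster[0].ts,
                "end": cluster[-1].ts,
            })
    return chains


# Constructed sample: one staged progression against a single host, plus
# unrelated noise (a repeated scan from another host and a lone exploit alert).
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "172.16.0.20", "scan"),
    Alert(150, "10.0.0.9", "172.16.0.30", "scan"),
    Alert(160, "10.0.0.9", "172.16.0.30", "scan"),
    Alert(200, "10.0.0.5", "172.16.0.20", "exploit"),
    Alert(250, "10.0.0.7", "172.16.0.40", "exploit"),
    Alert(300, "10.0.0.5", "172.16.0.20", "install"),
    Alert(400, "10.0.0.5", "172.16.0.20", "ddos"),
]


def demo() -> List[Dict]:
    """Cluster the constructed alerts and return the multi-stage chains found."""
    return attack_chains(cluster_alerts(SAMPLE_ALERTS))


if __name__ == "__main__":
    for chain in demo():
        print(chain)
```

On the constructed input the clustering yields three groups, and only the group against 172.16.0.20 survives as a chain (scan, exploit, install, ddos, spanning t=100 to t=400). The single-linkage rule is what lets a chain grow stage by stage: each new alert only needs to resemble some earlier member, not the first one, so a change of attack means does not break the chain as long as the source or destination is shared.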
Summary
Protection of networked computing infrastructures (such as Internet of Things, Industrial Control Systems, and Edge computing) is dependent on the continuous monitoring of interaction between such devices and network/Cloud‐based hosts (especially in Industry 4.0 environments). This real‐time monitoring enables an analyst to quantify evolving and emerging threats to such network infrastructures. A framework for identifying patterns in observed cyberthreats and the use of these patterns for forecasting the growth of an emerging threat to network infrastructure is proposed. This framework enables predicting the maximum threat intensity and the time period over which this maximum intensity is likely to occur. The proposed framework integrates: (a) continuous monitoring of device/network activity, (b) forecasting behavior using exponentially weighted moving averages, (c) utilizing Fibonacci retracement for estimating the potential intensity of a cyberattack, and (d) linear regression for predicting response time for high risk thresholds and a machine learning strategy to predict potential risk over a pre‐defined time window. Using this approach, we can produce time intervals between the forecast and the actual attacks using real‐world network activity data. Our results show an average lead time of around 1.75 hours, providing a window of opportunity to limit the impact of an attack and counter it.
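The summary above lists the forecasting components of the framework: exponentially weighted moving averages for behaviour, Fibonacci retracement for potential intensity, and linear regression for the time until a high-risk threshold is reached. The block below is an added Python sketch of how those three pieces fit together on a monitored activity series; it is not the authors' implementation. The activity series, the smoothing factor, the regression window, the risk threshold and the 5-minute bin width are constructed assumptions, and the retracement levels use the standard definition from technical analysis because the summary does not say how the authors map levels to intensity.

```python
"""Threat-intensity forecasting sketch: EWMA smoothing, Fibonacci retracement
levels, and linear regression for the lead time until a risk threshold.

Added illustration with constructed data; not the authors' code.
"""
from typing import Dict, List, Optional

# Standard retracement ratios; their use for intensity is assumed here.
FIB_RATIOS = (0.236, 0.382, 0.5, 0.618, 1.0)
BIN_MINUTES = 5  # width of each observation window (constructed)


def ewma(series: List[float], alpha: float = 0.5) -> List[float]:
    """Exponentially weighted moving average of the observed activity."""
    smoothed: List[float] = []
    state = series[0]
    for value in series:
        state = alpha * value + (1 - alpha) * state
        smoothed.append(state)
    return smoothed


def fibonacci_levels(low: float, high: float) -> Dict[float, float]:
    """Retracement levels between the swing low and swing high of the series.

    level(r) = high - r * (high - low); r = 1.0 returns to the low.
    """
    span = high - low
    return {ratio: high - ratio * span for ratio in FIB_RATIOS}


def time_to_threshold(values: List[float], threshold: float,
                      window: int = 4) -> Optional[float]:
    """Least-squares line through the last `window` points, extrapolated to the
    threshold. Returns the number of bins ahead of the latest observation, or
    None if the trend is flat or falling (no crossing is forecast)."""
    xs = list(range(len(values) - window, len(values)))
    ys = values[-window:]
    xbar = sum(xs) / window
    ybar = sum(ys) / window
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    if sxx == 0:
        return None
    slope = sxy / sxx
    if slope <= 0:
        return None
    intercept = ybar - slope * xbar
    crossing = (threshold - intercept) / slope
    return crossing - (len(values) - 1)


# Constructed activity counts per 5-minute bin, rising towards a threshold.
SAMPLE_ACTIVITY = [10, 12, 11, 14, 18, 17, 22, 26, 25, 31, 36, 40]
RISK_THRESHOLD = 60.0  # assumed high-risk level in the same units


def forecast(series: List[float] = SAMPLE_ACTIVITY,
             threshold: float = RISK_THRESHOLD) -> Dict:
    """Run the three steps and report the lead time in bins and minutes."""
    smoothed = ewma(series)
    lead_bins = time_to_threshold(smoothed, threshold)
    return {
        "current": smoothed[-1],
        "levels": fibonacci_levels(min(smoothed), max(smoothed)),
        "lead_bins": lead_bins,
        "lead_minutes": None if lead_bins is None else lead_bins * BIN_MINUTES,
    }


if __name__ == "__main__":
    result = forecast()
    print(f"smoothed now: {result['current']:.2f}")
    for ratio, level in result["levels"].items():
        print(f"  retracement {ratio}: {level:.2f}")
    print(f"threshold {RISK_THRESHOLD} forecast in {result['lead_minutes']:.1f} min")
```

The regression is fitted on the smoothed series rather than the raw counts so that one noisy bin does not swing the forecast; on the constructed data the projected crossing of the threshold lies about six bins (roughly half an hour) ahead, which is the kind of lead time the summary reports. `time_to_threshold` deliberately returns None when the slope is not positive, since extrapolating a flat or falling trend to a higher threshold would give a meaningless negative or infinite time.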