CoreFlow: Enriching Bro security events using network traffic monitoring data

Koning, Ralph; Buraglio, Nick; Laat, Cees de; Grosso, Paola

doi:10.1016/j.future.2017.04.017

Cited by 13 publications

(10 citation statements)

References 14 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ultimately, we envision that a responsible Internet enables the real-time sharing of measurements across network operators, allowing them to collaboratively fend off security incidents as they occur (e.g., by dynamically moving scrubbing functionality to a specific part of their network using Network Function Virtualization (NFV) [19]) or even proactively before they can cause real harm. Network operators could share the actual measurements in various ways, such as directly from their own servers or through a shared platform in which multiple operators upload their measurements (e.g., DDoS fingerprints [20,21]).…”

Section: Enabling Cross-network Operator Incident Analysismentioning

confidence: 99%

See 1 more Smart Citation

A Responsible Internet to Increase Trust in the Digital World

et al. 2020

Self Cite

View full text Add to dashboard Cite

Policy makers in regions such as Europe are increasingly concerned about the trustworthiness and sovereignty of the foundations of their digital economy, because it often depends on systems operated or manufactured elsewhere. To help curb this problem, we propose the novel notion of a responsible Internet, which provides higher degrees of trust and sovereignty for critical service providers (e.g., power grids) and all kinds of other users by improving the transparency, accountability, and controllability of the Internet at the network-level. A responsible Internet accomplishes this through two new distributed and decentralized systems. The first is the Network Inspection Plane (NIP), which enables users to request measurement-based descriptions of the chains of network operators (e.g., ISPs and DNS and cloud providers) that handle their data flows or could potentially handle them, including the relationships between them and the properties of these operators. The second is the Network Control Plane (NCP), which allows users to specify how they expect the Internet infrastructure to handle their data (e.g., in terms of the security attributes that they expect chains of network operators to have) based on the insights they gained from the NIP. We discuss research directions and starting points to realize a responsible Internet by combining three currently largely disjoint research areas: large-scale measurements (for the NIP), open source-based programmable networks (for the NCP), and policy making (POL) based on the NIP and driving the NCP. We believe that a responsible Internet is the next stage in the evolution of the Internet and that the concept is useful for clean slate Internet systems as well.

show abstract

Section: Enabling Cross-network Operator Incident Analysismentioning

confidence: 99%

“…Similarly, network operators can proactively change their network (e.g., using VNF for fine-grained adaptations) because network descriptions of operators [ 20 , 50 ] provide them with a more comprehensive view on what is going on in the network (cf. Sect.…”

Section: More Internet Controllability Through the Network Configuratmentioning

confidence: 99%

A Responsible Internet to Increase Trust in the Digital World

et al. 2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…The network data is stored in many multiple log files such as, HTTP log, DNS log, and SMTP log. 43 In our proposed framework, the BroIDS has been used to read the data sets from pcap files and retrieve the data in individual log files, which generates conventional real-time log files. This experiment has focused on HTTP log used to identify applications or services that perform HTTP requests.…”

Section: Broidsmentioning

confidence: 99%

“…BroIDS is an open source network security monitoring tool that helps to look into previously captured packet from captured files in real time. The network data is stored in many multiple log files such as, HTTP log, DNS log, and SMTP log 43 …”

Section: Proposed Frameworkmentioning

confidence: 99%

Clustering‐based real‐time anomaly detection—A breakthrough in big data technologies

Habeeb

Nasaruddin

Gani

et al. 2019

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Off late, the ever increasing usage of a connected Internet‐of‐Things devices has consequently augmented the volume of real‐time network data with high velocity. At the same time, threats on networks become inevitable; hence, identifying anomalies in real time network data has become crucial. To date, most of the existing anomaly detection approaches focus mainly on machine learning techniques for batch processing. Meanwhile, detection approaches which focus on the real‐time analytics somehow deficient in its detection accuracy while consuming higher memory and longer execution time. As such, this paper proposes a novel framework which focuses on real‐time anomaly detection based on big data technologies. In addition, this paper has also developed streaming sliding window local outlier factor coreset clustering algorithms (SSWLOFCC), which was then implemented into the framework. The proposed framework that comprises BroIDS, Flume, Kafka, Spark streaming, SparkMLlib, Matplot and HBase was evaluated to substantiate its efficacy, particularly in terms of accuracy, memory consumption, and execution time. The evaluation is done by performing critical comparative analysis using existing approaches, such as K‐means, hierarchical density‐based spatial clustering of applications with noise (HDBSCAN), isolation forest, spectral clustering and agglomerative clustering. Moreover, Adjusted Rand Index and memory profiler package were used for the evaluation of the proposed framework against the existing approaches. The outcome of the evaluation has substantially proven the efficacy of the proposed framework with a much higher accuracy rate of 96.51% when compared to other algorithms. Besides, the proposed framework also outperformed the existing algorithms in terms of lesser memory consumption and execution time. Ultimately the proposed solution enable analysts to precisely track and detect anomalies in real time.

show abstract

“…In particular, it is believed that the more important limitations of the current techniques are that first, the detections are done per connection and not per user, second, the classifiers are trained and tested on -only normal‖ and -only infected‖ datasets and third, the types of attacks and infections evolve and make classifiers quickly less useful. Apart from the more traditional signaturebased intrusion detection system (IDS), such as snort [2] and bro [3], there has been extensive research on behavioral detection methods during the last decade. From these new methods, the most used is anomaly detection techniques (ADTs) due to its easy implementation and understandability.…”

Section: Motivation and Introductionmentioning

confidence: 99%

A Novel Network user Behaviors and Profile Testing based on Anomaly Detection Techniques

Tahir

Xiao

et al. 2019

IJACSA

View full text Add to dashboard Cite

The proliferation of smart devices and computer networks has led to a huge rise in internet traffic and network attacks that necessitate efficient network traffic monitoring. There have been many attempts to address these issues; however, agile detecting solutions are needed. This research work deals with the problem of malware infections or detection is one of the most challenging tasks in modern computer security. In recent years, anomaly detection has been the first detection approach followed by results from other classifiers. Anomaly detection methods are typically designed to new model normal user behaviors and then seek for deviations from this model. However, anomaly detection techniques may suffer from a variety of problems, including missing validations for verification and a large number of false positives. This work proposes and describes a new profile-based method for identifying anomalous changes in network user behaviors. Profiles describe user behaviors from different perspectives using different flags. Each profile is composed of information about what the user has done over a period of time. The symptoms extracted in the profile cover a wide range of user actions and try to analyze different actions. Compared to other symptom anomaly detectors, the profiles offer a higher level of user experience. It is assumed that it is possible to look for anomalies using high-level symptoms while producing less false positives while effectively finding real attacks. Also, the problem of obtaining truly tagged data for training anomaly detection algorithms has been addressed in this work. It has been designed and created datasets that contain real normal user actions while the user is infected with real malware. These datasets were used to train and evaluate anomaly detection algorithms. Among the investigated algorithms for example, local outlier factor (LOF) and one class support vector machine (SVM). The results show that the proposed anomaly-based and profile-based algorithm causes very few false positives and relatively high true positive detection. The two main contributions of this work are a new approaches based on network anomaly detection and datasets containing a combination of genuine malware and actual user traffic. Finally, the future directions will focus on applying the proposed approaches for protecting the internet of things (IOT) devices.

show abstract

CoreFlow: Enriching Bro security events using network traffic monitoring data

Cited by 13 publications

References 14 publications

A Responsible Internet to Increase Trust in the Digital World

A Responsible Internet to Increase Trust in the Digital World

Clustering‐based real‐time anomaly detection—A breakthrough in big data technologies

A Novel Network user Behaviors and Profile Testing based on Anomaly Detection Techniques

Contact Info

Product

Resources

About