Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

Heigl, Michael; Weigelt, Enrico; Urmann, Andreas; Fiala, Dalibor; Schramm, Martin

doi:10.3390/electronics10172160

“…Instead of using existing datasets, we will apply UFSSOD in a real world computer network (no labeled data available) in parallel to classifiers without feature selection to examine the differences in classification results. A recently proposed method [69] might be applied to exploit and evaluate the outcome of outlier detection for novel attack pattern recognition on streaming data with and without the application of UFSSOD's feature selection.…”

Section: Discussionmentioning

confidence: 99%

Unsupervised Feature Selection for Outlier Detection on Streaming Data to Enhance Network Security

Heigl

¹

,

Weigelt

²

,

Fiala

³

et al. 2021

Self Cite

View full text Add to dashboard Cite

Over the past couple of years, machine learning methods—especially the outlier detection ones—have anchored in the cybersecurity field to detect network-based anomalies rooted in novel attack patterns. However, the ubiquity of massive continuously generated data streams poses an enormous challenge to efficient detection schemes and demands fast, memory-constrained online algorithms that are capable to deal with concept drifts. Feature selection plays an important role when it comes to improve outlier detection in terms of identifying noisy data that contain irrelevant or redundant features. State-of-the-art work either focuses on unsupervised feature selection for data streams or (offline) outlier detection. Substantial requirements to combine both fields are derived and compared with existing approaches. The comprehensive review reveals a research gap in unsupervised feature selection for the improvement of outlier detection methods in data streams. Thus, a novel algorithm for Unsupervised Feature Selection for Streaming Outlier Detection, denoted as UFSSOD, will be proposed, which is able to perform unsupervised feature selection for the purpose of outlier detection on streaming data. Furthermore, it is able to determine the amount of top-performing features by clustering their score values. A generic concept that shows two application scenarios of UFSSOD in conjunction with off-the-shell online outlier detection algorithms has been derived. Extensive experiments have shown that a promising feature selection mechanism for streaming data is not applicable in the field of outlier detection. Moreover, UFSSOD, as an online capable algorithm, yields comparable results to a state-of-the-art offline method trimmed for outlier detection.

show abstract

“…Correlation can be based on the similarity of events by parameters (for example, source and destination IP addresses and ports), and the scenario can be represented as a graph (Haas and Fischer, 2019;Bajtoš et al, 2020). So SOAAPR (Heigl et al, 2021) (Streaming Outlier Analysis and Attack Pattern Recognition) matches and groups alerts in streaming mode, and the resulting clusters are converted into a graphical representation. The result is an attack signature that represents the attack scenario in terms of communication behavior, cause in data features, and time sequence of associated alerts.…”

Section: Hybrid Modelsmentioning

confidence: 99%

“…• Similarity-based (SB) methods are based on the idea that similar events can have the same root cause or the same type, and the found links depend on the inherent similarity between attributes of each event (Kotenko et al, 2018a;Heigl et al, 2021). • Causal-based (CB) methods focus on the causal structure of a event sequence, when previous steps determine the ones that follow (Zegeye et al, 2018;Hossain and Xie, 2020).…”

Section: Summary Of Ai-based Security Event Correlation Modelsmentioning

confidence: 99%

“…Causal-based correlation methods make it easy to interpret the results of correlation by the operator. Therefore, this category of methods is well suited for visualizing the sequence of events (Heigl et al, 2021;Wang et al, 2021a). The simplicity of implementing such models is reduced, and also requires more computing resources to process a large amount of data.…”

Section: Summary Of Ai-based Security Event Correlation Modelsmentioning

confidence: 99%

See 1 more Smart Citation

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Gaifulina

¹

,

Kotenko

²

2023

View full text Add to dashboard Cite

Information systems need to process a large amount of event monitoring data. The process of finding the relationships between events is called correlation, which creates a context between independent events and previously collected information in real time and normalizes it for subsequent processing. In cybersecurity, events can determine the steps of attackers and can be analyzed as part of a specific attack strategy. In this survey, we present the systematization of security event correlation models in terms of their representation in AI-based monitoring systems as: rule-based, semantic, graphical and machine learning based-models. We define the main directions of current research in the field of AI-based security event correlation and the methods used for the correlation of both single events and their sequences in attack scenarios. We also describe the prospects for the development of hybrid correlation models. In conclusion, we identify the existing problems in the field and possible ways to overcome them.

show abstract

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Gaifulina

¹

,

Kotenko

²

2022

Preprint

4

0

View full text Add to dashboard Cite

Information systems need to process a large amount of event monitoring data. The process of finding the relationships between events is called correlation, which creates a context between independent events and previously collected information in real time and normalizes it for subsequent processing. In cybersecurity, events can determine the steps of attackers and can be analyzed as part of a specific attack strategy. In this survey, we present the systematization of security event correlation models in terms of their representation in AI-based monitoring systems as: rule-based, semantic, graphical and machine learning based-models. We define the main directions of current research in the field of AI-based security event correlation and the methods used for the correlation of both single events and their sequences in attack scenarios. We also describe the prospects for the development of hybrid correlation models. In conclusion, we identify the existing problems in the field and possible ways to overcome them.

show abstract

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

Cited by 6 publications

References 67 publications

Unsupervised Feature Selection for Outlier Detection on Streaming Data to Enhance Network Security

Unsupervised Feature Selection for Outlier Detection on Streaming Data to Enhance Network Security

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Contact Info

Product

Resources

About