Extracting fuzzy attack patterns using an online fuzzy adaptive alert correlation framework

Daneshgar, Fatemeh Faraji; Abbaspour, Maghsoud

doi:10.1002/sec.1483

Cited by 21 publications

(7 citation statements)

References 26 publications

(47 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Figure shows the island‐hopping attack graph. The generated attack graph is also comparable with the attack graphs of the first scenario that was reported in the previous research works such as .…”

Section: Discussionsupporting

confidence: 75%

“…For the other scenarios, we could not have all event types of them because of the problems in logging process, and (4) since being able to evaluate our proposed framework in detecting the complete attack scenario, we should compare our work with the previous works. Some existing works like reported only the results of this attack scenario .…”

Section: Discussionmentioning

confidence: 99%

“…Some trees related to alerts probable correlations are constructed in an offline manner, while the correlations of each received alert in real time with previously received alerts will be identified by performing a search only in the corresponding tree. Faraji and Abbaspour proposed an adaptive framework for a multi‐step attack scenario extraction based on fuzzy inference rules. Their model consists of two main components, namely, online fuzzy clustering and fuzzy inter‐event pattern matching.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Causal knowledge analysis for detecting and modeling multi‐step attacks

Ramaki

Rasoolzadegan

2016

Security Comm Networks

View full text Add to dashboard Cite

In order to understand the security level of an organization network, detection methods are important to tackle the probable risks of the attackers' malicious activities. Intrusion detection systems, as detection solutions of the defense in depth concept, are one of the main devices to record and analyze suspicious behaviors. Besides the benefits of these systems for security enhancement, they will bring some challenges and issues for security administrators. A large number of raw alerts generated by the intrusion detection systems clearly reflect the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi‐step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address the alert correlation in the offline settings. In this paper, we propose a three‐phase alert correlation framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs the attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the creating attack prediction rules. Experimental results show that the scalable proposed framework is efficient enough in learning and detecting known and unknown multi‐step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network. Copyright © 2017 John Wiley & Sons, Ltd.

show abstract

Section: Discussionsupporting

confidence: 75%

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Causal knowledge analysis for detecting and modeling multi‐step attacks

Ramaki

Rasoolzadegan

2016

Security Comm Networks

View full text Add to dashboard Cite

show abstract

“…Utilizing an offline and online module too, Daneshgar et al in [47] proposed a method that clusters alerts as fuzzy events according to their similarities and historical events, which are obtained from the offline module, in an online manner. A fuzzy frequent pattern mining module in the offline phase mines for relations based on statistical characteristics between alerts to extract fuzzy patterns.…”

Section: Streaming Alert Correlationmentioning

confidence: 99%

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

et al. 2021

View full text Add to dashboard Cite

Future-oriented networking infrastructures are characterized by highly dynamic Streaming Data (SD) whose volume, speed and number of dimensions increased significantly over the past couple of years, energized by trends such as Software-Defined Networking or Artificial Intelligence. As an essential core component of network security, Intrusion Detection Systems (IDS) help to uncover malicious activity. In particular, consecutively applied alert correlation methods can aid in mining attack patterns based on the alerts generated by IDS. However, most of the existing methods lack the functionality to deal with SD data affected by the phenomenon called concept drift and are mainly designed to operate on the output from signature-based IDS. Although unsupervised Outlier Detection (OD) methods have the ability to detect yet unknown attacks, most of the alert correlation methods cannot handle the outcome of such anomaly-based IDS. In this paper, we introduce a novel framework called Streaming Outlier Analysis and Attack Pattern Recognition, denoted as SOAAPR, which is able to process the output of various online unsupervised OD methods in a streaming fashion to extract information about novel attack patterns. Three different privacy-preserving, fingerprint-like signatures are computed from the clustered set of correlated alerts by SOAAPR, which characterizes and represents the potential attack scenarios with respect to their communication relations, their manifestation in the data's features and their temporal behavior. Beyond the recognition of known attacks, comparing derived signatures, they can be leveraged to find similarities between yet unknown and novel attack patterns. The evaluation, which is split into two parts, takes advantage of attack scenarios from the widely-used and popular CICIDS2017 and CSE‐CIC‐IDS2018 datasets. Firstly, the streaming alert correlation capability is evaluated on CICIDS2017 and compared to a state-of-the-art offline algorithm, called Graph-based Alert Correlation (GAC), which has the potential to deal with the outcome of anomaly-based IDS. Secondly, the three types of signatures are computed from attack scenarios in the datasets and compared to each other. The discussion of results, on the one hand, shows that SOAAPR can compete with GAC in terms of alert correlation capability leveraging four different metrics and outperforms it significantly in terms of processing time by an average factor of 70 in 11 attack scenarios. On the other hand, in most cases, all three types of signatures seem to reliably characterize attack scenarios such that similar ones are grouped together, with up to 99.05\% similarity between the FTP and SSH Patator attack.intrusion detection; alert analysis; alert correlation; outlier detection; attack scenario; streaming data; network security

show abstract

“…In the approximate semantic classification of words, similar words tend to appear in similar word neighbors [10]. Therefore, network packets belonging to the same class also have similar local neighbors, where the class consists of DDOS, HttpDos, normal, Brute Force SSH, Infiltrating [13][14][15]. That is, whether there are similar local neighbors has the ability to characterize the similarity between network packets.…”

Section: Introductionmentioning

confidence: 99%

A Graph Representation Learning Algorithm for Low-Order Proximity Feature Extraction to Enhance Unsupervised IDS Preprocessing

2019

View full text Add to dashboard Cite

Most existing studies on an unsupervised intrusion detection system (IDS) preprocessing ignore the relationship among packets. According to the homophily hypothesis, the local proximity structure in the similarity relational graph has similar embedding after preprocessing. To improve the performance of IDS by building a relationship among packets, we propose a packet2vec learning algorithm that extracts accurate local proximity features based on graph representation by adding penalty to node2vec. In this algorithm, we construct a relational graph G’ by using each packet as a node, calculate the cosine similarity between packets as edges, and then explore the low-order proximity of each packet via the penalty-based random walk in G’. We use the above algorithm as a preprocessing method to enhance the accuracy of unsupervised IDS by retaining the local proximity features of packets maximally. The original features of the packet are combined with the local proximity features as the input of a deep auto-encoder for IDS. Experiments based on ISCX2012 show that the proposal outperforms the state-of-the-art algorithms by 11.6% with respect to the accuracy of unsupervised IDS. It is the first time to introduce graph representation learning for packet-embedded preprocessing in the field of IDS.

show abstract

Extracting fuzzy attack patterns using an online fuzzy adaptive alert correlation framework

Cited by 21 publications

References 26 publications

Causal knowledge analysis for detecting and modeling multi‐step attacks

Causal knowledge analysis for detecting and modeling multi‐step attacks

Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data

A Graph Representation Learning Algorithm for Low-Order Proximity Feature Extraction to Enhance Unsupervised IDS Preprocessing

Contact Info

Product

Resources

About