Host in Danger? Detecting Network Intrusions from Authentication Logs

Bian, Haibo; Bai, Tim; Salahuddin, Mohammad A.; Limam, Noura; Daya, Abbas Abou; Boutaba, Raouf

doi:10.23919/cnsm46954.2019.9012700

Cited by 12 publications

(14 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The host-based detection methods are mainly to detect whether there are malicious behaviours on independent hosts such as the execution of malicious software, the behaviour of applications trying to modify certain files. Bian et al 5 extracted graph-based features from authentication logs of the target host during the APT lateral movement stage and then used these features to train the machine learning model to detect APT. Bai et al 6 used machine learning methods to detect abnormal behaviours of Remote Desktop Protocol (RDP) event logs during the APT lateral movement stage to detect APT.…”

Section: Introductionmentioning

confidence: 99%

Exploring the vulnerability in the inference phase of advanced persistent threats

Guo

et al. 2022

International Journal of Distributed Sensor Networks

View full text Add to dashboard Cite

In recent years, the Internet of Things has been widely used in modern life. Advanced persistent threats are long-term network attacks on specific targets with attackers using advanced attack methods. The Internet of Things targets have also been threatened by advanced persistent threats with the widespread application of Internet of Things. The Internet of Things device such as sensors is weaker than host in security. In the field of advanced persistent threat detection, most works used machine learning methods whether host-based detection or network-based detection. However, models using machine learning methods lack robustness because it can be attacked easily by adversarial examples. In this article, we summarize the characteristics of advanced persistent threats traffic and propose the algorithm to make adversarial examples for the advanced persistent threat detection model. We first train advanced persistent threat detection models using different machine learning methods, among which the highest F1-score is 0.9791. Then, we use the algorithm proposed to grey-box attack one of models and the detection success rate of the model drop from 98.52% to 1.47%. We prove that advanced persistent threats adversarial examples are transitive and we successfully black-box attack other models according to this. The detection success rate of the attacked model with the best attacked effect dropped from 98.66% to 0.13%.

show abstract

Section: Introductionmentioning

confidence: 99%

Exploring the vulnerability in the inference phase of advanced persistent threats

Guo

et al. 2022

International Journal of Distributed Sensor Networks

View full text Add to dashboard Cite

show abstract

“…To better support the processes of attack mitigation, it is helpful to first understand how an attack transpires in practice. Recent work that analyzed the network logs or process logs for anomaly detection [3]- [7] and malicious authentication detection [8]- [10] have revealed useful insights to address attacks in networks. The time elapsed between the precursor event and an attack is defined as the lead time.…”

Section: Introductionmentioning

confidence: 99%

“…Analyzing attacks in any large-scale or complex network require awareness of the sequence of events that is encountered by the network components. While researchers have focused on specific components [7], [10] depending on their target problem, answering how attacks occur needs a more integrated approach towards correlation-based log-mining [13]. Our work is novel in that it considers the flow connection-specific events along with their inter-component relationships to increase the lead times to identification of an attack boosting network attack prediction schemes.…”

Section: Introductionmentioning

confidence: 99%

“…After the network attack detection techniques developed in [1], [2], [8]- [10], [15], this paper investigates how attacks occur with useful insights to their reasons. Specifically, while the use of attack signatures is well-known in intrusion detection, identification of multi-tiered attack signatures (and patterns leading to them) is not common.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Challenges in Identifying Network Attacks Using Netflow Data

Chuah

Suri

Jhumka

et al. 2021

2021 IEEE 20th International Symposium on Network Computing and Applications (NCA)

View full text Add to dashboard Cite

Large networks often encounter attacks that can affect the network availability. While multiple techniques exist to detect network attacks, a comprehensive understanding of how an attack occurs considering the various layers and components of the network software stack, can be an important element to help improve network security. By performing correlation analysis on contemporary unlabeled Netflow data, this paper conducts a comprehensive study of network flow events to identify communication patterns that may precede an attack, thereby providing potentially useful attack signatures to network administrators.Our work shows that, surprisingly, the Netflow data is not strongly correlated to network attacks. We observe that while spoof requests trigger reflection attacks, only a small percentage of the network packets are associated with the attack. Furthermore, lead time enhancements are feasible for reflection attacks that show long dwell times. Our study on network event correlations highlights empirical observations that could facilitate better attack handling in large networks.

show abstract

“…A extrac ¸ão de características do conjunto de dados é a etapa mais crítica da criac ¸ão de um algoritmo de aprendizado de máquina, pois as características afetam diretamente o ajuste dos parâmetros do modelo e o desempenho de classificac ¸ão. Entre os métodos para extrac ¸ão de características e representac ¸ão dos fluxos de rede existem os convencionais, que quantificam informac ¸ões dos pacotes, como número de bytes e quantidade de pacotes [Lobato et al 2017], ou representac ¸ões mais complexas através de grafos [Sanz et al 2018, Bian et al 2019] ou até por imagem [Liu et al 2019]. Entretanto, essas características não refletem a dependência temporal entre os pacotes, e nem comportamentos periódicos gerados pela automatizac ¸ão dos ataques.…”

Section: Introduc ¸ãOunclassified

Aprimorando a Detecção de Ataques Automáticos através de Decomposição Espectral de Pacotes de Rede

Souza

Camilo

Duarte

2021

Anais Do XXXIX Simpósio Brasileiro De Redes De Computadores E Sistemas Distribuídos (SBRC 2021)

View full text Add to dashboard Cite

A classiﬁcação de ﬂuxos para a identiﬁcação de ataques em redes de computadores por aprendizado de máquina utiliza características quantitativas que sintetizam as informações de pacotes pertencentes a um ﬂuxo. Entretanto, as características convencionais, como tamanho de pacote e número de bytes, geram redundâncias e não representam as correlações temporais entre os pacotes de um ﬂuxo. Ataques de rede automatizados geram padrões periódicos observáveis através da decomposição espectral, o que facilita a classiﬁcação. Este artigo propõe o FENED1, um método para extrair características de dados de rede considerando a ordem de chegada dos pacotes dentro de um mesmo ﬂuxo através da transformada rápida de Fourier para a classiﬁcação binária. O vetor de características proposto contém o módulo das componentes espectrais do ﬂuxo. Os resultados mostram que a proposta é melhor ou igual às propostas convencionais de extração de características que desconsideram a ordem de chegada dos pacotes em um ﬂuxo.

show abstract

Host in Danger? Detecting Network Intrusions from Authentication Logs

Cited by 12 publications

References 18 publications

Exploring the vulnerability in the inference phase of advanced persistent threats

Exploring the vulnerability in the inference phase of advanced persistent threats

Challenges in Identifying Network Attacks Using Netflow Data

Aprimorando a Detecção de Ataques Automáticos através de Decomposição Espectral de Pacotes de Rede

Contact Info

Product

Resources

About