Abstract: This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: http://openaccess.city.ac.uk/8680/ Link to published version: http://dx.
Abstract: Event Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today's networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In t…
“…Clustering algorithms have been used in the past to detect cyber attacks such as intrusion detection (Shittu, Healing, Ghanea-Hercock, Bloomfield, and Rajarajan 2015; Casas, Mazel, and Owezarski 2012), anomaly detection (Akoglu, Tong, and Koutra 2015), and many more. The main idea behind the intrusion detection using a clustering algorithm is based on the main idea of clustering the attack nodes in the graph together.…”
Section: Community Discovering and Clustering Algorithms (classified as mentioning, confidence: 99%)
“…The main idea behind the intrusion detection using a clustering algorithm is based on the main idea of clustering the attack nodes in the graph together. Event correlation proposed by Shittu et al. (Shittu, Healing, Ghanea-Hercock, Bloomfield, and Rajarajan 2015) uses post-correlation methods to cluster the correlated attacks together. Akoglu et al. (Akoglu, Tong, and Koutra 2015) have summarized various applications of the clustering approach to anomaly detection when the attacker is tampering with sensitive data.…”
Section: Community Discovering and Clustering Algorithms (classified as mentioning)
The limited information on cyberattacks available in the unclassified regime hinders standardizing their analysis. We address the problem of modeling and analyzing cyberattacks using a multimodal graph approach. We formulate the stages, actors, and outcomes of cyberattacks as a multimodal graph. Multimodal graph nodes include cyberattack victims, adversaries, autonomous systems, and the observed cyber events. In multimodal graphs, single-modality graphs are interconnected according to their interaction. We apply community and centrality analysis on the graph to obtain in-depth insights into the attack. In community analysis, we cluster those nodes that exhibit "strong" intermodal ties. We further use centrality to rank the nodes according to their importance. Classifying nodes according to centrality provides the progression of the attack from the attacker to the targeted nodes. We apply our methods to two popular case studies, namely GhostNet and Putter Panda, and demonstrate a clear distinction in the attack stages.
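The community and centrality steps described in that abstract, as an added example that is not the cited paper's code and uses a constructed graph rather than GhostNet or Putter Panda data. It assumes edge weights count observed interactions, that a "strong" intermodal tie is an edge between nodes of different modality with weight at least 2, and that centrality means betweenness computed within each community; all node identifiers are hypothetical.

```python
"""Community discovery and centrality ranking on a multimodal attack graph.
Added example with a constructed graph (not GhostNet/Putter Panda data). It
assumes edge weights count observed interactions, a 'strong' intermodal tie is
an edge between different modalities with weight >= THRESHOLD, and centrality
is betweenness computed inside each community."""
from collections import deque

THRESHOLD = 2  # assumed minimum weight for a strong tie

# Constructed nodes: identifier -> modality.
NODES = {
    "A": "adversary", "B": "adversary",
    "E1": "event", "E2": "event", "E4": "event",
    "V1": "victim", "V2": "victim", "V3": "victim",
    "AS1": "as", "AS2": "as", "AS4": "as",
}
# Constructed edges: (u, v, number of observed interactions).
EDGES = [
    ("AS2", "A", 2), ("A", "E1", 4), ("A", "E2", 3),
    ("E1", "V1", 4), ("E2", "V2", 3), ("V1", "AS1", 2), ("V2", "AS1", 2),
    ("B", "E4", 3), ("E4", "V3", 3), ("V3", "AS4", 2),
    ("E4", "V1", 1),    # single stray interaction: too weak to be a tie
    ("AS1", "AS4", 1),  # same modality (AS peering): never an intermodal tie
]


def strong_intermodal_adjacency(nodes, edges, threshold=THRESHOLD):
    """Keep only edges that cross modalities and meet the weight threshold."""
    adj = {n: set() for n in nodes}
    for u, v, w in edges:
        if nodes[u] == nodes[v] or w < threshold:
            continue
        adj[u].add(v)
        adj[v].add(u)
    return adj


def communities(adj):
    """Connected components of the strong-tie graph (in node insertion order)."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj[n] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def betweenness(adj, members):
    """Brandes betweenness centrality restricted to `members` (unweighted,
    undirected; each unordered pair counted once)."""
    bc = {n: 0.0 for n in members}
    for s in members:
        order, preds = [], {n: [] for n in members}
        sigma, dist = {n: 0 for n in members}, {n: -1 for n in members}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in members:
                    continue
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {n: 0.0 for n in members}
        while order:
            w = order.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {n: c / 2 for n, c in bc.items()}


def attack_progression(nodes, edges, threshold=THRESHOLD):
    """Per community, nodes ranked by betweenness: the most central node is the
    pivot of the attack, the least central are the periphery of its targets."""
    adj = strong_intermodal_adjacency(nodes, edges, threshold)
    ranked = []
    for comp in communities(adj):
        if len(comp) < 2:
            continue  # no strong intermodal tie at all
        bc = betweenness(adj, comp)
        ranked.append([(n, nodes[n], bc[n]) for n in sorted(comp, key=lambda n: (-bc[n], n))])
    return ranked


if __name__ == "__main__":
    for community in attack_progression(NODES, EDGES):
        print(" > ".join(f"{n}[{m}]={c:g}" for n, m, c in community))
```

On the constructed graph the first community ranks the adversary A (betweenness 7.0) above its two events (3.5 each), then the victims (2.5 each) and the autonomous systems, which is the attacker-to-target progression the abstract refers to. The stray E4-V1 interaction falls below the weight threshold and the AS1-AS4 edge joins two nodes of the same modality, so neither counts as a strong intermodal tie and B's activity forms a separate community.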
Grouping and clustering alerts for intrusion detection based on the similarity of their features is referred to as structure-based alert correlation and can discover a list of attack steps. Previous researchers selected different features and data sources manually based on their knowledge and experience, which led to less accurate identification of attack steps and inconsistent clustering accuracy. Furthermore, existing alert correlation systems deal with a huge amount of data that contains null values, incomplete information, and irrelevant features, making the analysis of the alerts tedious, time-consuming and error-prone. Therefore, this paper focuses on selecting accurate and significant alert features that are appropriate to represent the attack steps, thus enhancing the structure-based alert correlation model. A two-tier feature selection method is proposed to obtain the significant features. The first tier ranks the subset of features by information gain (entropy reduction) in decreasing order. The second tier adds further features with better discriminative ability than the initially ranked ones. Performance analysis results show the significance of the selected features in terms of clustering accuracy on the DARPA 2000 intrusion detection scenario-specific dataset.
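The information-gain ranking and the second tier of that feature selection, as an added example rather than the cited paper's code. It assumes a constructed set of labelled IDS alerts with hypothetical field names, an absolute first-tier threshold of 1 bit of information gain, and interprets the second tier as greedily appending a lower-ranked feature only when it raises the clustering F-measure obtained by grouping alerts on the selected features.

```python
"""Two-tier alert feature selection: information-gain ranking, then greedy
extension by clustering F-measure. Added example; field names, alert values
and the 1-bit gain threshold are constructed assumptions, not the paper's."""
import math
from collections import Counter, defaultdict

LABEL = "step"  # the attack step each alert belongs to (ground truth)
FEATURES = ["src_ip", "dst_port", "proto", "sig"]

# Constructed alert records with hypothetical values.
ALERTS = [
    {"src_ip": "10.0.0.5", "dst_port": 22, "proto": "tcp", "sig": "scan",    "step": "recon"},
    {"src_ip": "10.0.0.5", "dst_port": 80, "proto": "tcp", "sig": "scan",    "step": "recon"},
    {"src_ip": "10.0.0.5", "dst_port": 80, "proto": "tcp", "sig": "malware", "step": "exploit"},
    {"src_ip": "10.0.0.8", "dst_port": 80, "proto": "tcp", "sig": "malware", "step": "exploit"},
    {"src_ip": "10.0.0.5", "dst_port": 53, "proto": "tcp", "sig": "malware", "step": "exfil"},
    {"src_ip": "10.0.0.8", "dst_port": 53, "proto": "udp", "sig": "malware", "step": "exfil"},
]


def entropy(labels):
    """Shannon entropy (bits) of a label multiset."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(alerts, feature, label=LABEL):
    """H(label) - H(label | feature): how much knowing the feature value
    reduces uncertainty about the attack step."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a[feature]].append(a[label])
    n = len(alerts)
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy([a[label] for a in alerts]) - conditional


def rank_by_gain(alerts, features, label=LABEL):
    """Tier 1: features ordered by decreasing information gain (ties by name)."""
    gains = [(f, information_gain(alerts, f, label)) for f in features]
    return sorted(gains, key=lambda fg: (-fg[1], fg[0]))


def cluster_fmeasure(alerts, features, label=LABEL):
    """Group alerts on the tuple of selected feature values and score how well
    the groups recover the attack steps: per step, the best F1 over clusters,
    averaged. Unlike purity, this penalises splitting one step across clusters."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[tuple(a[f] for f in features)].append(a[label])
    step_sizes = Counter(a[label] for a in alerts)
    total = 0.0
    for step, size in step_sizes.items():
        best = 0.0
        for members in clusters.values():
            hits = members.count(step)
            if hits:
                precision, recall = hits / len(members), hits / size
                best = max(best, 2 * precision * recall / (precision + recall))
        total += best
    return total / len(step_sizes)


def two_tier_select(alerts, features, min_gain=1.0, label=LABEL):
    """Tier 1 keeps features with gain >= min_gain bits; tier 2 walks the rest
    in rank order and appends a feature only if it improves the F-measure."""
    ranked = rank_by_gain(alerts, features, label)
    selected = [f for f, g in ranked if g >= min_gain] or [ranked[0][0]]
    best = cluster_fmeasure(alerts, selected, label)
    for f, _ in ranked:
        if f in selected:
            continue
        trial = cluster_fmeasure(alerts, selected + [f], label)
        if trial > best + 1e-9:
            selected.append(f)
            best = trial
    return selected, best


if __name__ == "__main__":
    for f, g in rank_by_gain(ALERTS, FEATURES):
        print(f"{f:9s} gain={g:.3f} bits")
    print("selected:", two_tier_select(ALERTS, FEATURES))
```

On the constructed alerts only dst_port clears the 1-bit threshold; sig alone cannot separate exploitation from exfiltration, but added to dst_port it makes the clusters recover every step, so tier 2 keeps it, while proto and src_ip would only fragment the clusters and are rejected. The F-measure is used instead of plain purity because purity never decreases when a feature is added, which would let every noisy feature through.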
“…Intrusion detection systems have been studied by means of machine learning, and the detection rate has improved [12][13][14][15][16][17][18][19]. In addition, intrusion detection has been performed by using feature association techniques, and the data set has been used for analysis [20][21][22][23][24][25].…”
In the big data era, single detection techniques no longer meet the demands posed by complex network attacks and advanced persistent threats, yet there is no uniform standard that lets different correlation-analysis detection methods be performed efficiently and accurately. In this paper, we put forward a universal correlation analysis detection model and algorithm by introducing the state transition diagram. Based on analyzing and comparing current correlation detection modes, we formalize the correlation patterns, propose a framework according to data packet timing and behavior qualities, and then design a new universal algorithm to implement the method. Finally, an experiment that sets up a lightweight intrusion detection system on the KDD1999 dataset shows that the correlation detection model and algorithm can improve performance and guarantee high detection rates.
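A minimal state-transition correlator of the kind that abstract describes, as an added example and not the cited paper's own model or algorithm. The transition table, the 300-second limit between successive steps, the per-(source, destination) tracking key and the packet-level events are all constructed assumptions; the point is that both the behaviour sequence and the timing decide whether a chain is reported.

```python
"""State-transition correlation of packet-level events into a multi-step
attack. Added example; the transition table, the 300 s inter-step window,
the (src, dst) tracking key and the events are all constructed assumptions."""
from dataclasses import dataclass, field

# Hypothetical correlation pattern: (current state, observed behaviour) -> next state.
TRANSITIONS = {
    ("start", "port_scan"): "scanned",
    ("scanned", "exploit_attempt"): "exploited",
    ("exploited", "c2_beacon"): "compromised",
}
FINAL_STATE = "compromised"
WINDOW = 300.0  # max seconds between successive steps of one chain (assumed)


@dataclass
class Track:
    """Progress of one (src, dst) pair through the state diagram."""
    state: str = "start"
    last_ts: float = 0.0
    steps: list = field(default_factory=list)


def correlate(events, window=WINDOW):
    """Replay events in time order; return one detection per chain that
    reaches FINAL_STATE. A chain whose next step arrives more than `window`
    seconds after the previous one is discarded: timing is part of the pattern."""
    tracks, detections = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        tr = tracks.setdefault(key, Track())
        if tr.state != "start" and ev["ts"] - tr.last_ts > window:
            tr = tracks[key] = Track()  # stale chain: start over
        nxt = TRANSITIONS.get((tr.state, ev["behaviour"]))
        if nxt is None:
            continue  # behaviour does not advance this chain; ignore it
        tr.state, tr.last_ts = nxt, ev["ts"]
        tr.steps.append((ev["ts"], ev["behaviour"]))
        if nxt == FINAL_STATE:
            detections.append({"src": ev["src"], "dst": ev["dst"], "steps": tr.steps})
            tracks[key] = Track()  # chain consumed; allow a fresh one
    return detections


# Constructed packet-level events (timestamps in seconds, hypothetical hosts).
EVENTS = [
    {"ts": 0.0,    "src": "10.0.0.9", "dst": "10.0.1.4", "behaviour": "port_scan"},
    {"ts": 60.0,   "src": "10.0.0.9", "dst": "10.0.1.4", "behaviour": "exploit_attempt"},
    {"ts": 90.0,   "src": "10.0.0.9", "dst": "10.0.1.4", "behaviour": "dns_query"},        # unrelated
    {"ts": 120.0,  "src": "10.0.0.9", "dst": "10.0.1.4", "behaviour": "c2_beacon"},
    {"ts": 30.0,   "src": "10.0.0.9", "dst": "10.0.1.5", "behaviour": "exploit_attempt"},  # no prior scan
    {"ts": 5.0,    "src": "10.0.0.7", "dst": "10.0.1.4", "behaviour": "port_scan"},
    {"ts": 1000.0, "src": "10.0.0.7", "dst": "10.0.1.4", "behaviour": "exploit_attempt"},  # 995 s later
    {"ts": 1010.0, "src": "10.0.0.7", "dst": "10.0.1.4", "behaviour": "c2_beacon"},
]

if __name__ == "__main__":
    for d in correlate(EVENTS):
        print(f"{d['src']} -> {d['dst']}: {[b for _, b in d['steps']]}")
```

With the default window only the 10.0.0.9 chain is reported: the exploit against 10.0.1.5 has no preceding scan, and 10.0.0.7's exploit arrives 995 seconds after its scan, so that chain is reset and its later beacon matches nothing. Widening the window to 2000 seconds reports both chains, which is the kind of timing sensitivity a practitioner should tune against real traffic rather than accept from a default.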