Online Mining Intrusion Patterns from IDS Alerts

Zhang, Kai; Si, Luo; Yang, Xin; Zhu, Hongliang; Chen, Yuling

doi:10.3390/app10082983

Cited by 7 publications

(7 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The technique, known as sequence pattern mining, decreases the exertion to advance pattern rules [20]. A historic attack sequence considered to be vulnerable several recent attack strategies, while making sure it utilizes the resultant database.…”

Section: Sequence Pattern Miningmentioning

confidence: 99%

Cyber-Attack Prediction Based on Network Intrusion Detection Systems for Alert Correlation Techniques: A Survey

Albasheer

Siraj

Mubarakali

et al. 2022

Sensors

View full text Add to dashboard Cite

Network Intrusion Detection Systems (NIDS) are designed to safeguard the security needs of enterprise networks against cyber-attacks. However, NIDS networks suffer from several limitations, such as generating a high volume of low-quality alerts. Moreover, 99% of the alerts produced by NIDSs are false positives. As well, the prediction of future actions of an attacker is one of the most important goals here. The study has reviewed the state-of-the-art cyber-attack prediction based on NIDS Intrusion Alert, its models, and limitations. The taxonomy of intrusion alert correlation (AC) is introduced, which includes similarity-based, statistical-based, knowledge-based, and hybrid-based approaches. Moreover, the classification of alert correlation components was also introduced. Alert Correlation Datasets and future research directions are highlighted. The AC receives raw alerts to identify the association between different alerts, linking each alert to its related contextual information and predicting a forthcoming alert/attack. It provides a timely, concise, and high-level view of the network security situation. This review can serve as a benchmark for researchers and industries for Network Intrusion Detection Systems’ future progress and development.

show abstract

Section: Sequence Pattern Miningmentioning

confidence: 99%

Cyber-Attack Prediction Based on Network Intrusion Detection Systems for Alert Correlation Techniques: A Survey

Albasheer

Siraj

Mubarakali

et al. 2022

Sensors

View full text Add to dashboard Cite

show abstract

“…In [25], K. Zhang et al introduce the Backward Influence Factor (BIF) algorithm capable of processing and mining intrusion patterns originating from a sequence of IDS alerts. The proposed algorithm handles efficiently the sequence data analysis issues like random noise, disordering and element missing.…”

Section: Related Workmentioning

confidence: 99%

“…The evaluation results demonstrate the efficacy of the proposed framework in terms of accuracy and scalability. K. Zhang et al in [28] provide an alert correlation framework called Intrusion Action Based Correlation Framework (IACF) presenting a similar architecture as in their previous work in [25]. The proposed framework enhances the aggregation of cybersecurity alerts, the intrusion actions association, the extraction of intrusion sessions and finally the intrusion scenarios identification.…”

Section: Related Workmentioning

confidence: 99%

SPEAR SIEM: A Security Information and Event Management system for the Smart Grid

et al. 2021

View full text Add to dashboard Cite

The technological leap of smart technologies has brought the conventional electrical grid in a new digital era called Smart Grid (SG), providing multiple benefits, such as two-way communication, pervasive control and self-healing. However, this new reality generates significant cybersecurity risks due to the heterogeneous and insecure nature of SG. In particular, SG relies on legacy communication protocols that have not been implemented having cybersecurity in mind. Moreover, the advent of the Internet of Things (IoT) creates severe cybersecurity challenges. The Security Information and Event Management (SIEM) systems constitute an emerging technology in the cybersecurity area, having the capability to detect, normalise and correlate a vast amount of security events. They can orchestrate the entire security of a smart ecosystem, such as SG. Nevertheless, the current SIEM systems do not take into account the unique SG peculiarities and characteristics like the legacy communication protocols. In this paper, we present the Secure and PrivatE smArt gRid (SPEAR) SIEM, which focuses on SG. The main contribution of our work is the design and implementation of a SIEM system capable of detecting, normalising and correlating cyberattacks and anomalies against a plethora of SG application-layer protocols. It is noteworthy that the detection performance of the SPEAR SIEM is demonstrated with real data originating from four real SG use case (a) hydropower plant, (b) substation, (c) power plant and (d) smart home.

show abstract

“…Training data of high quality is necessary to achieve the most outstanding performance of machine learning IDS; thus it must contain a mixture of abnormal and normal patterns [113,114]. Features refer to the vital information that is extracted from raw data; they are essential for classification purposes as well as detection, and they influence the effectiveness of a machine learning IDS.…”

Section: Feature Reduction (Feature Selection) Techniques For Ids On Iotmentioning

confidence: 99%

Classifier Performance Evaluation for Lightweight IDS Using Fog Computing in IoT Security

et al. 2021

View full text Add to dashboard Cite

In this article, a Host-Based Intrusion Detection System (HIDS) using a Modified Vector Space Representation (MVSR) N-gram and Multilayer Perceptron (MLP) model for securing the Internet of Things (IoT), based on lightweight techniques and using Fog Computing devices, is proposed. The Australian Defence Force Academy Linux Dataset (ADFA-LD), which contains exploits and attacks on various applications, is employed for the analysis. The proposed method is divided into the feature extraction stage, the feature selection stage, and classification modeling. To maintain the lightweight criteria, the feature extraction stage considers a combination of 1-gram and 2-gram for the system call encoding. In addition, a Sparse Matrix is used to reduce the space by keeping only the weight of the features that appear in the trace, thus ignoring the zero weights. Subsequently, Linear Correlation Coefficient (LCC) is utilized to compensate for any missing N-gram in the test data. In the feature selection stage, the Mutual Information (MI) method and Principle Component Analysis (PCA) are utilized and then compared to reduce the number of input features. Following the feature selection stage, the modeling and performance evaluation of various Machine Learning classifiers are conducted using a Raspberry Pi IoT device. Further analysis of the effect of MLP parameters, such as the number of nodes, number of features, activation, solver, and regularization parameters, is also conducted. From the simulation, it can be seen that different parameters affect the accuracy and lightweight evaluation. By using a single hidden layer and four nodes, the proposed method with MI can achieve 96% accuracy, 97% recall, 96% F1-Measure, 5% False Positive Rate (FPR), highest curve of Receiver Operating Characteristic (ROC), and 96% Area Under the Curve (AUC). It also achieved low CPU time usage of 4.404 (ms) milliseconds and low energy consumption of 8.809 (mj) millijoules.

show abstract

Online Mining Intrusion Patterns from IDS Alerts

Cited by 7 publications

References 15 publications

Cyber-Attack Prediction Based on Network Intrusion Detection Systems for Alert Correlation Techniques: A Survey

Cyber-Attack Prediction Based on Network Intrusion Detection Systems for Alert Correlation Techniques: A Survey

SPEAR SIEM: A Security Information and Event Management system for the Smart Grid

Classifier Performance Evaluation for Lightweight IDS Using Fog Computing in IoT Security

Contact Info

Product

Resources

About