Sisi Huang,Zhitang Li,Li Wang

DOI: https://doi.org/10.1007/978-3-540-73345-4_72

2007-01-01

Abstract:Nowadays, one very complicated problem bothering network analysts too much is the redundant data generated by IDS. The objective of our system SATA (Security Alert & Threat Analysis) is trying to solve this problem. Several novel methods using data mining technologies to reconstruct attack scenarios were proposed to predict the next stage of attacks according to the recognition the attackers' high level strategies. The main idea of this paper is to propose a novel idea of mining "complicated" attack scenarios based on multi-agent systems without the limitation of necessity of clear attack specifications and precise rule definitions. We propose SAMP and CAST to mine frequent attack behavior sequences and construct attack scenarios. We perform a series of experiments to validate our method on practical attack network environments of CERNET. The results of experiments show that our approach is valid in multi-agent attack scenario construction and correlation analysis.

Rui Ren,Xiaoyu Fu,Jianfeng Zhan,Wei Zhou

DOI: https://doi.org/10.48550/arXiv.1003.0951

2013-01-15

Abstract:This paper presents a methodology and a system, named LogMaster, for mining correlations of events that have multiple attributions, i.e., node ID, application ID, event type, and event severity, in logs of large-scale cluster systems. Different from traditional transactional data, e.g., supermarket purchases, system logs have their unique characteristic, and hence we propose several innovative approaches to mine their correlations. We present a simple metrics to measure correlations of events that may happen interleavedly. On the basis of the measurement of correlations, we propose two approaches to mine event correlations; meanwhile, we propose an innovative abstraction: event correlation graphs (ECGs) to represent event correlations, and present an ECGs based algorithm for predicting events. For two system logs of a production Hadoop-based cloud computing system at Research Institution of China Mobile and a production HPC cluster system at Los Alamos National Lab (LANL), we evaluate our approaches in three scenarios: (a) predicting all events on the basis of both failure and non-failure events; (b) predicting only failure events on the basis of both failure and non-failure events; (c) predicting failure events after removing non-failure events.

Distributed, Parallel, and Cluster Computing

Sheng Yan,Yu Chen,Yan Song,Minjie Zhu

DOI: https://doi.org/10.1088/1742-6596/1176/3/032052

2019-01-01

Journal of Physics Conference Series

Abstract:As an important part of modern IT infrastructure, network provides great convenience for people to exchange information and share resources. However, network still faces with many threats such as network virus, hacker attacks, data theft and tampering and so on. Network logs includes a lot of valuable information about all behaviours happened in the network. How to analyse these network log to enhance the security of network becomes consequently the focus of many researchers. In this paper, we first design three similarity functions between two network attack records to create the network attack sequences, and then present a PrefixSpan-based frequent attack sequence mining algorithm to identify all frequent attack sequences in network log. The experimental results show that the PrefixSpan-based frequent attack sequence mining algorithm has shorter executing time and less running space than the Apriori algorithm. The PrefixSpan-based frequent attack sequence mining algorithm provides a network log analysing method for intrusion detection.

Yong-Zheng Zhang,Xiao-Chun Yun,Bin-Xing Fang,Tao Zhang

2005-01-01

Abstract:With the development of computer software system, computer vulnerabilities are continually increasing. These vulnerabilities have severe impacts on confidentiality, authenticity and availability of computer system and network. In the field of host system vulnerability assessment, the traditional method is only to consider the threats of isolated vulnerability to software systems. However, through analyzing multistage attacks and vulnerabilities on Internet, we find that attackers often synthetically exploit several correlative vulnerabilities to badly compromise the systems. Therefore, study on vulnerability correlation is important for improving the accuracy and validity of security assessment. This paper firstly gives the definition, expression and significance of vulnerability correlation. Then a mining method for vulnerability correlation is proposed. Finally, an experiment is conducted to verify the efficiency of the new approach.

Wu Ping,Zhu Donglai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.03.066

2008-01-01

Abstract:Fault diagnosis and location is the vital core of network management.Data mining provides a new approach to knowledge update during the analysis of alarm correlation.Based on the research on network weighted alarm association rules,the network alarm correlation mining system is designed and implemented.The system is valuable and useful to the alarm correlation analysis and fault diagnosis and location in networks.

Bo Yang,Jiming Liu,Jianfeng Feng

DOI: https://doi.org/10.1109/tkde.2010.233

IF: 9.235

2012-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Network communities refer to groups of vertices within which their connecting links are dense but between which they are sparse. A network community mining problem (or NCMP for short) is concerned with the problem of finding all such communities from a given network. A wide variety of applications can be formulated as NCMPs, ranging from social and/or biological network analysis to web mining and searching. So far, many algorithms addressing NCMPs have been developed and most of them fall into the categories of either optimization based or heuristic methods. Distinct from the existing studies, the work presented in this paper explores the notion of network communities and their properties based on the dynamics of a stochastic model naturally introduced. In the paper, a relationship between the hierarchical community structure of a network and the local mixing properties of such a stochastic model has been established with the large-deviation theory. Topological information regarding to the community structures hidden in networks can be inferred from their spectral signatures. Based on the above-mentioned relationship, this work proposes a general framework for characterizing, analyzing, and mining network communities. Utilizing the two basic properties of metastability, i.e., being locally uniform and temporarily fixed, an efficient implementation of the framework, called the LM algorithm, has been developed that can scalably mine communities hidden in large-scale networks. The effectiveness and efficiency of the LM algorithm have been theoretically analyzed as well as experimentally validated.

LIU Zuo-da,XU Jing-fang,CHEN Mao-ke,LI Xing

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.044

2007-01-01

Abstract:The rapid development of campus network has brought a vast quantity of web information to us.In order to improve the efficiency of information spreading via campus network,this paper presents a way to analyze the distribution of campus network users based on web log analyzing.A system using this method is designed and implemented in our campus network which shows our solution is valuable.This paper also proposes a classification of campus network information based on the characteristic of users accessing to certain websites.And practical experiment results show the rationality of the proposed method.

Wu Jian,Li Xing Ming

DOI: https://doi.org/10.1109/COMSWA.2008.4554520

2008-01-01

Abstract:Nowadays, communication network turns to be more complex, once there occurs a failure, there will result in multi-alarm-events which require relevant transactions. This paper describes the alarm correlation in communication networks based on data mining. The association rules from self-adaptation for dynamic net-work resource and service that build new rule by fully utilizing and maintaining rules formed before while transactions grow/delete or minimum support changes which enables the framework is easily updated and new discovery methods be readily incorporated within it. Both theoretical analysis and computer simulations illustrate outstanding performance of the proposed models, which can be further optimized by experiments for specific environment.

Rixin Xue,Peng Tang,Shudong Fang

DOI: https://doi.org/10.1155/2022/2794889

2022-02-09

Wireless Communications and Mobile Computing

Abstract:Traditional NSSA (network security situational awareness) systems have significant equipment limitations, poor data fusion capabilities, and a low level of analysis and evaluation, making them difficult to adapt to large-scale and complex network environments. This paper proposes the study of computer NSS (network security situation) prediction technology based on AR (association rules) mining to solve this problem. The support-confidence framework is improved by introducing an interest evaluation standard, and the value of AR is re-evaluated, based on a discussion of traditional concepts and algorithms related to AR mining. The MFP-interest algorithm proposed in this paper is a combination of alarm AR template and interest degree. The MFP-interest algorithm was put to the test. We discovered that the MFP-interest algorithm can effectively predict NSS and indicate its development trend when run in a real-world network environment. Most time points have a relative error range of less than 0.035.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xin-Ling Guo,Zhe-Ming Lu,Yi-Jia Zhang

DOI: https://doi.org/10.1587/transinf.2020edl8163

2021-01-01

IEICE Transactions on Information and Systems

Abstract:Robustness of complex networks is an essential subject for improving their performance when vertices or links are removed due to potential threats. In recent years, significant advancements have been achieved in this field by many researchers. In this paper we show an overview from a novel statistic perspective. We present a brief review about complex networks at first including 2 primary network models, 12 popular attack strategies and the most convincing network robustness metrics. Then, we focus on the correlations of 12 attack strategies with each other, and the difference of the correlations from one network model to the other. We are also curious about the robustness of networks when vertices are removed according to different attack strategies and the difference of robustness from one network model to the other. Our aim is to observe the correlation mechanism of centralities for distinct network models, and compare the network robustness when different centralities are applied as attacking directors to distinct network models. What inspires us is that maybe we can find a paradigm that combines several high-destructive attack strategies to find the optimal strategy based on the deep learning framework.

Zhemin Zhu,Chen Wang,Li Ma,Yue Pan,Zhiming Ding

DOI: https://doi.org/10.1109/waim.2008.13

2008-01-01

Abstract:Over the past decade, community structure, a statistical property of networked systems such as social network and World Wide Web, has attracted considerable attention in data mining field because it enables description and prediction of complex networks. Many highly sensitive graph clustering algorithms were developed for identification of communities having dense connections internally and loose connections with others. In this context, Newman and Girvan proposed modularity Q score for quantifying the strength of community structure and measuring the fitness of a division. The Q function has become an important standard recently. In this paper, combining the strengths of the Q score and multilevel paradigm first developed for graph partitioning, we introduced a scalable algorithm MOME (i.e. modularity-based multilevel graph clustering) to efficiently discover communities from a network. The experimental results indicated that MOME ran extremely faster and finally achieved a division with a slightly higher Q score against the latest modularity-based method and its variants, particularly when the network was of a large-scale.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Jia Zhanpei,Shen Chao,Yi Xiao,Chen Yufei,Yu Tianwen,Guan Xiaohong

DOI: https://doi.org/10.1109/coase.2017.8256257

2017-01-01

CASE

Abstract:Log data are important audit basis to record routine events occurring on computer or network system, which are also critical data source for detecting system anomalies. By analyzing the data from multi-source logs, it is helpful to detect abnormal system behaviors and discover intruder attacks in real time. In this paper, a Spark-based log data security platform is designed and built to analyze the large-scale log data and detect abnormal network behaviors. By integrating data mining, machine learning, and statistical analysis technologies, our proposed framework can quickly analyze large-scale multi-source log data and accurately discriminate the abnormal behaviors. Furthermore, the association analysis is applied to detect abnormal behaviors or potential threats in the system. Under a real-world network environment, extensive experiments are conducted to evaluate the system performance, which can achieve a fast and accurate detection for abnormal network behaviors, and significantly improve the accuracies under various types of network attack scenarios.

Tao Qin,Yuli Gao,Lingyan Wei,Zhaoli Liu,Chenxu Wang

DOI: https://doi.org/10.1049/iet-net.2017.0188

2018-01-01

IET Networks

Abstract:Log analysis is an efficiency way to detect threats by scrutinizing the events recorded by the operating systems and devices. However, it is more and more difficult to discover threats accurately due to the massive amount of logs and their various formats. Focusing on this problem, the authors propose a method for potential threats mining based on the correlation analysis of multi-type logs. First...

Zhichao Hu,Xiangzhan Yu,Jiantao Shi,Lin Ye

DOI: https://doi.org/10.32604/cmc.2021.017574

2021-01-01

Abstract:With the continuous development of network technology, various large-scale cyber-attacks continue to emerge. These attacks pose a severe threat to the security of systems, networks, and data. Therefore, how to mine attack patterns from massive data and detect attacks are urgent problems. In this paper, an approach for attack mining and detection is proposed that performs tasks of alarm correlation, false-positive elimination, attack mining, and attack prediction. Based on the idea of CluStream, the proposed approach implements a flow clustering method and a two-step algorithm that guarantees efficient streaming and clustering. The context of an alarm in the attack chain is analyzed and the LightGBM method is used to perform false-positive recognition with high accuracy. To accelerate the search for the filtered alarm sequence data to mine attack patterns, the PrefixSpan algorithm is also updated in the store strategy. The updated PrefixSpan increases the processing efficiency and achieves a better result than the original one in experiments. With Bayesian theory, the transition probability for the sequence pattern string is calculated and the alarm transition probability table constructed to draw the attack graph. Finally, a long-short-term memory network and embedding word-vector method are used to perform online prediction. Results of numerical experiments show that the method proposed in this paper has a strong practical value for attack detection and prediction.

Guozheng Yang,Yongheng Zhang,Yuliang Lu,Yi Xie,Jiayi Yu

DOI: https://doi.org/10.3390/e26040315

IF: 2.738

2024-04-05

Entropy

Abstract:Network security situational awareness (NSSA) aims to capture, understand, and display security elements in large-scale network environments in order to predict security trends in the relevant network environment. With the internet's increasingly large scale, increasingly complex structure, and gradual diversification of components, the traditional single-layer network topology model can no longer meet the needs of network security analysis. Therefore, we conduct research based on a multi-layer network model for network security situational awareness, which is characterized by the three-layer network structure of a physical device network, a business application network, and a user role network. Its network characteristics require new assessment methods, so we propose a multi-layer network link importance assessment metric: the multi-layer-dependent link entropy (MDLE). On the one hand, the MDLE comprehensively evaluates the connectivity importance of links by fitting the link-local betweenness centrality and mapping entropy. On the other hand, it relies on the link-dependent mechanism to better aggregate the link importance contributions in each network layer. The experimental results show that the MDLE has better ordering monotonicity during critical link discovery and a higher destruction efficacy in destruction simulations compared to classical link importance metrics, thus better adapting to the critical link discovery requirements of a multi-layer network topology.

physics, multidisciplinary

Zheng Chen,Zengyou He,Hao Liang,Can Zhao,Yan Liu

DOI: https://doi.org/10.48550/arXiv.1904.04583

2019-04-09

Abstract:Mining community structures from the complex network is an important problem across a variety of fields. Many existing community detection methods detect communities through optimizing a community evaluation function. However, most of these functions even have high values on random graphs and may fail to detect small communities in the large-scale network (the so-called resolution limit problem). In this paper, we introduce two novel node-centric community evaluation functions by connecting correlation analysis with community detection. We will further show that the correlation analysis can provide a novel theoretical framework which unifies some existing evaluation functions in the context of a correlation-based optimization problem. In this framework, we can mitigate the resolution limit problem and eliminate the influence of random fluctuations by selecting the right correlation function. Furthermore, we introduce three key properties used in mining association rule into the context of community detection to help us choose the appropriate correlation function. Based on our introduced correlation functions, we propose a community detection algorithm called CBCD. Our proposed algorithm outperforms existing state-of-the-art algorithms on both synthetic benchmark networks and real-world networks.

Social and Information Networks,Physics and Society

Wu Liu,Haixin Duan,Peng Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCT.2003.1209101

2003-01-01

Abstract:The phenomenal increase in the amounts of network security data are due to the hacker attacks, virus, worm and Shapper etc. Network security log file databases are very important in computer forensics. From researches, a lot of data mining methods have been found, such as content-based queries and similarity searches to manage and use such data. Fast and accurate retrievals for content-based queries are crucial for such numerous database systems to be useful. In this paper, a new method is provided to analyze and mine this kind of time-serial database. We first signalize the NSD databases, then we use these wavelet based transform to analyze the NSD and get the periodic law of intrusion event.

Wei Chen,Xiaorong Jiang,Xin Li,Jing Gao,Xinzheng Xu,Shifei Ding

DOI: https://doi.org/10.1016/j.measurement.2013.04.018

IF: 5.6

2013-01-01

Measurement

Abstract:•A statistical model to analyze the path of activity objects via relevance selection.•Structural characteristics of the coal mine tunnel based Bayesian theories.•The prediction method of path selection based on Bayesian decision.•A theoretical basis for coal mine safety monitoring to prevent dangers of coal mine.

Yingjie Zhou,Guangmin Hu,Dapeng Wu

DOI: https://doi.org/10.1002/sec.801

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:ABSTRACTDetecting distributed abnormal events has become an increasingly significant task for efficient network management and operation. However, it is still challenging to uncover these distributed behaviors in backbone networks because of the voluminous amount of noisy, high‐dimensional traffic data. In this paper, we present a novel system for detecting distributed abnormal events in backbone networks. The proposed system emphasizes on detecting distributed correlated abnormal events, which are caused by the same reason. In contrast, existing methods are not able to distinguish correlated abnormal events from the independent abnormal events. In our proposed system, a set of data mining techniques is used for modeling and detecting distributed correlated abnormal events by analyzing the traffic features. Specifically, traffic behavior representation is constructed to define and select traffic features for describing the traffic behaviors of interest, feature clustering is performed to group together similar transformations in each feature, behavioral data mining is employed to discover the most significant patterns in network interactions with respect to typical behavior, and behavior classification is used to expose the behaviors of interest. Experiment results using real traffic data present the effectiveness of our proposed methods for detecting distributed correlated abnormal events in the backbone network. Copyright © 2013 John Wiley & Sons, Ltd.