JIN Tao,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.04.031

2011-01-01

Abstract:With the significant increase in amount and type of network attacks,analysis on Honeypot logs with huge volume becomes more difficult and time-consuming,and data mining technology is a tool for analyzing the dataset as whole and for improving the work efficiency. This paper first describes the principle of the Honeypot system. Then the data mining algorithm Apriori is applied to analyzing the attributes of the log data captured by Honeyd-an open source Honeypot solution,and further to identifying data association rules,and then by these rules discovering and understanding hackers' behaviors. The research work also proves the feasibility of data mining technologies in the field of Honeypot log analysis.

Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.1007/s13278-019-0603-9

2019-09-30

Social Network Analysis and Mining

Abstract:With the rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise-related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground-truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real-world organization cyber attacks of three different security events suggests that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

Zhichao Hu,Xiangzhan Yu,Jiantao Shi,Lin Ye

DOI: https://doi.org/10.32604/cmc.2021.017574

2021-01-01

Abstract:With the continuous development of network technology, various large-scale cyber-attacks continue to emerge. These attacks pose a severe threat to the security of systems, networks, and data. Therefore, how to mine attack patterns from massive data and detect attacks are urgent problems. In this paper, an approach for attack mining and detection is proposed that performs tasks of alarm correlation, false-positive elimination, attack mining, and attack prediction. Based on the idea of CluStream, the proposed approach implements a flow clustering method and a two-step algorithm that guarantees efficient streaming and clustering. The context of an alarm in the attack chain is analyzed and the LightGBM method is used to perform false-positive recognition with high accuracy. To accelerate the search for the filtered alarm sequence data to mine attack patterns, the PrefixSpan algorithm is also updated in the store strategy. The updated PrefixSpan increases the processing efficiency and achieves a better result than the original one in experiments. With Bayesian theory, the transition probability for the sequence pattern string is calculated and the alarm transition probability table constructed to draw the attack graph. Finally, a long-short-term memory network and embedding word-vector method are used to perform online prediction. Results of numerical experiments show that the method proposed in this paper has a strong practical value for attack detection and prediction.

Eric Nunes,Ahmad Diab,Andrew Gunn,Ericsson Marin,Vineet Mishra,Vivin Paliath,John Robertson,Jana Shakarian,Amanda Thart,Paulo Shakarian

DOI: https://doi.org/10.48550/arXiv.1607.08583

2016-07-29

Abstract:In this paper, we present an operational system for cyber threat intelligence gathering from various social platforms on the Internet particularly sites on the darknet and deepnet. We focus our attention to collecting information from hacker forum discussions and marketplaces offering products and services focusing on malicious hacking. We have developed an operational system for obtaining information from these sites for the purposes of identifying emerging cyber threats. Currently, this system collects on average 305 high-quality cyber threat warnings each week. These threat warnings include information on newly developed malware and exploits that have not yet been deployed in a cyber-attack. This provides a significant service to cyber-defenders. The system is significantly augmented through the use of various data mining and machine learning techniques. With the use of machine learning models, we are able to recall 92% of products in marketplaces and 80% of discussions on forums relating to malicious hacking with high precision. We perform preliminary analysis on the data collected, demonstrating its application to aid a security expert for better threat analysis.

Cryptography and Security,Artificial Intelligence,Computers and Society

Hyeok Kong,Cholyong Jong,Unhyok Ryang

DOI: https://doi.org/10.48550/arXiv.1601.05335

2016-01-20

Cryptography and Security

Abstract:Many modern intrusion detection systems are based on data mining and database-centric architecture, where a number of data mining techniques have been found. Among the most popular techniques, association rule mining is one of the important topics in data mining research. This approach determines interesting relationships between large sets of data items. This technique was initially applied to the so-called market basket analysis, which aims at finding regularities in shopping behaviour of customers of supermarkets. In contrast to dataset for market basket analysis, which takes usually hundreds of attributes, network audit databases face tens of attributes. So the typical Apriori algorithm of association rule mining, which needs so many database scans, can be improved, dealing with such characteristics of transaction database. In this paper we propose an impoved Apriori algorithm, very useful in practice, using scan of network audit database only once by transaction cutting and hashing.

Edward Crowder,Jay Lansiquot

DOI: https://doi.org/10.48550/arXiv.2105.13957

2021-05-19

Abstract:Exploring the darknet can be a daunting task; this paper explores the application of data mining the darknet within a Canadian cybercrime perspective. Measuring activity through marketplace analysis and vendor attribution has proven difficult in the past. Observing different aspects of the darknet and implementing methods of monitoring and collecting data in the hopes of connecting contributions to the darknet marketplaces to and from Canada. The significant findings include a small Canadian presence, measured the product categories, and attribution of one cross-marketplace vendor through data visualization. The results were made possible through a multi-stage processing pipeline, including data crawling, scraping, and parsing. The primary future works include enhancing the pipeline to include other media, such as web forums, chatrooms, and emails. Applying machine learning models like natural language processing or sentiment analysis could prove beneficial during investigations.

Cryptography and Security

Pengpeng Wang,Hongri Liu,Bailing Wang,Kaikun Dong,Lianhai Wang,Shujiang Xu

DOI: https://doi.org/10.1145/3148453.3306250

2018-01-01

Abstract:In the era of big data, the amount of information on dark network resources has exploded. Massive dark network data contain abundant information. To detect dark network resources and obtain dark network information, in-depth understanding of the dark network is a prerequisite. However, due to the high anonymity of dark network, it is usually difficult to be found by traditional search engines. Users need to register strictly and use specific tools to log in dynamically. In this paper, we explore the simulation of dark network scene in the big data environment. The Tor network is built on the openstack platform, which simulate the dark network scene. By using wireshark software to analyze network traffic, and using nmon tool to analyze network performance, the results show that the dark network scene can be simulated realistically.

Ping Lou,Guantong Lu,Xuemei Jiang,Zheng Xiao,Jiwei Hu,Junwei Yan

DOI: https://doi.org/10.1007/s10489-020-02007-5

IF: 5.3

2020-01-01

Applied Intelligence

Abstract:Security logs in cloud environment like intrusion detection system (IDS) logs, firewall logs, and system logs provide historical information describing potential security risks. However, the use of logs for cyber intrusion detection relies heavily on expert knowledge. It is very difficult for the non-expert to identify these intrusion behaviors. This paper proposes a new method for mining association rules from multi-source logs to detect various intrusion behaviors in the cloud computing platform. In this method, a rule base is constructed to detect cyber intrusion. An adaptive approach is used to speed up the calculation of the association rule mining, in which the decision depends on the time complexity of the algorithm. Various cyber-attacks are simulated in the verification experiments which show the calculation speed of the proposed method is faster than other algorithms. Furthermore, compared with other methods, the performance of the proposed intrusion detection method is better than others in term of precision, recall, and f-measure.

Michalis Kallitsis,Vasant Honavar,Rupesh Prajapati,Dinghao Wu,John Yen

DOI: https://doi.org/10.48550/arXiv.2108.00079

2021-08-06

Abstract:Network telescopes or "Darknets" provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, scanning performed for network reconnaissance, and others. Analyses of the resulting data can provide actionable insights to security analysts that can be used to prevent or mitigate cyber-threats. Large Darknets, however, observe millions of nefarious events on a daily basis which makes the transformation of the captured information into meaningful insights challenging. We present a novel framework for characterizing Darknet behavior and its temporal evolution aiming to address this challenge. The proposed framework: (i) Extracts a high dimensional representation of Darknet events composed of features distilled from Darknet data and other external sources; (ii) Learns, in an unsupervised fashion, an information-preserving low-dimensional representation of these events (using deep representation learning) that is amenable to clustering; (iv) Performs clustering of the scanner data in the resulting representation space and provides interpretable insights using optimal decision trees; and (v) Utilizes the clustering outcomes as "signatures" that can be used to detect structural changes in the Darknet activities. We evaluate the proposed system on a large operational Network Telescope and demonstrate its ability to detect real-world, high-impact cybersecurity incidents.

Cryptography and Security,Machine Learning

Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.48550/arXiv.1811.06537

2018-11-16

Abstract:With rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. We use information from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise cyber attacks. We use a suite of social network features on top of supervised learning models and validate them on a binary classification problem that attempts to predict whether there would be an attack on any given day for an organization. We conclude from our experiments using information from 53 forums in the darkweb over a span of 12 months to predict real world organization cyber attacks of 2 different security events that analyzing the path structure between groups of users is better than just studying network centralities like Pagerank or relying on the user posting statistics in the forums.

Social and Information Networks

Ying Yang,Lina Yang,Meihong Yang,Huanhuan Yu,Guichun Zhu,Zhenya Chen,Lijuan Chen

DOI: https://doi.org/10.1109/ITAIC.2019.8785760

2019-01-01

Abstract:With the rapid development of the Internet, the dark network has also been widely used in the Internet [1]. Due to the anonymity of the dark network, many illegal elements have committed illegal crimes on the dark. It is difficult for law enforcement officials to track the identity of these cyber criminals using traditional network survey techniques based on IP addresses [2]. The threat information is mainly from the dark web forum and the dark web market. In this paper, we introduce the current mainstream dark network communication system TOR and develop a visual dark web forum post association analysis system to graphically display the relationship between various forum messages and posters, and help law enforcement officers to explore deep levels. Clues to analyze crimes in the dark network.

Konstantinos Demertzis,Konstantinos Tsiknas,Dimitrios Takezis,Charalabos Skianis,Lazaros Iliadis

DOI: https://doi.org/10.48550/arXiv.2102.08411

2021-02-17

Abstract:Attackers are perpetually modifying their tactics to avoid detection and frequently leverage legitimate credentials with trusted tools already deployed in a network environment, making it difficult for organizations to proactively identify critical security risks. Network traffic analysis products have emerged in response to attackers relentless innovation, offering organizations a realistic path forward for combatting creative attackers. Additionally, thanks to the widespread adoption of cloud computing, Device Operators processes, and the Internet of Things, maintaining effective network visibility has become a highly complex and overwhelming process. What makes network traffic analysis technology particularly meaningful is its ability to combine its core capabilities to deliver malicious intent detection. In this paper, we propose a novel darknet traffic analysis and network management framework to real-time automating the malicious intent detection process, using a weight agnostic neural networks architecture. It is an effective and accurate computational intelligent forensics tool for network traffic analysis, the demystification of malware traffic, and encrypted traffic identification in real-time. Based on Weight Agnostic Neural Networks methodology, we propose an automated searching neural net architectures strategy that can perform various tasks such as identify zero-day attacks. By automating the malicious intent detection process from the darknet, the advanced proposed solution is reducing the skills and effort barrier that prevents many organizations from effectively protecting their most critical assets.

Cryptography and Security,Machine Learning

Xingguo Li,Dong Liu,Haiying Huang,Junfeng Wang

DOI: https://doi.org/10.3233/jifs-179146

2019-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:With the rapid development of information technology, the era of big data has come. This paper focuses on the analysis and processing of data. How to mine valuable information in large data has been widely concerned by mining frequent itemsets in the data to derive. Association rules are an important part of data mining technology. The analysis of complex network structure based on improved botnet algorithm is the basis of network science. The study of complex network structure is helpful to understand and predict large data of complex network function and behavior. The conclusion of the system in the botnet algorithm process analysis provides some directional suggestions for the improvement of search engine functions and services. In theory, a set of simple and easy botnet algorithm for analyzing the satisfaction factors of clustering is proposed. The practice proves that the big data intelligent search engine based on differential evolution botnet algorithm has significant improvement in retrieval time, recall rate and precision, and can effectively realize personalized and accurate search. A complete big data mining system is implemented, which provides an efficient and easy-to-use tool for data mining botnet algorithms on large data sets.

Cynthia J,

DOI: https://doi.org/10.55041/ijsrem24715

2023-07-07

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:Encrypted data that is sent over Tor or a VPN is referred to as "darknet traffic." In order to identify network activity brought on by a cyberattack, it is crucial to be able to recognise, find, and explain darknet activities. Cyberattacks that pose a serious danger to network security and management can be effectively observed through darknet monitoring and classification. Despite the fact that many surveys were conducted on network traffic classification using machine learning techniques, only a small number of researchers have the means to review their work on classifying network traffic using deep learning techniques. In this article, we introduce a novel idea for research on the classification of malware used in darknet traffic that uses Deep Learning techniques, which will aid researchers in improving their surveys. First, based on the survey, we chose a few techniques, including Deep Neural Network (DNN), Convolution Neural Network (CNN), Recurrent Neural Network (RNN), and AutoEncoder (AE) that have proven to be more effective in recent study. Second, the dataset CIC-DarkNet-2020, which contains a variety of darknet activities including VPN and TOR traffic, is used to develop the models. Finally, after analysing the information, we discovered the best Deep Learning Model for classifying Darknet traffic, which has the potential to enhance the efficiency of malware variant detection using constrained system and network resources. Index Terms – Darknet, DNN, CNN, RNN, AE, Deep Learning, Classifying Darknet.

Shiyu Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-50399-4_4

2020-01-01

Abstract:With the rapid development of the Internet, Web applications have been used more and more widely in various industries, and the accompanying security issues have gradually received attention. In the field of network security research, in addition to defense technologies such as intrusion detection and firewall technology, forensic analysis and traceability of network attacks are also the focus of research. Based on this, this paper is devoted to mining the associations of attack traces existing in web application logs, and to provide assistance for forensic analysis and attack source tracing. In this paper we propose a method for analyzing associations of network attack traces based on Web logs. We collect features of common Web attack methods and extracts attack traces. We also propose attack event description models based on key attributes, and improves the Apriori algorithm to adapt the model. The attack trace correlation analysis method proposed in this paper makes full use of and analyzes the infrequently discovered correlations in the log data, which has greatly helped the development of network attack traceability technology.

Wang Li,Li Zhi-tang,Lei Jie

DOI: https://doi.org/10.1109/INM.2007.374834

2007-01-01

Abstract:Huge volume of security data from different security devices can overwhelm security managers and keep them from performing effective analysis and initiating timely response. Therefore, it is important to develop an advanced alert correlation system that can reduce alert redundancy, intelligently correlate security alerts and detect attack strategies. In this paper, we proposed a new method of mining multi-stage attack behaviors pattern in order to recognize attacker's high-level strategies and predict upcoming attack intentions. We apply a reformative Apriori algorithm to mine frequent attack sequence patterns from history alert data. We use correlativity between two contextual elements in the attack sequence to correlate attack behaviors and identify potential attack intentions. The idea is easy to implement and it can be used to detect novel multi-stage attack strategies compared with other techniques. Experiments show that our approach can effectively learn high level attack strategies and can accordingly predict next possible attack behavior.

Sisi Huang,Zhitang Li,Li Wang

DOI: https://doi.org/10.1007/978-3-540-73345-4_72

2007-01-01

Abstract:Nowadays, one very complicated problem bothering network analysts too much is the redundant data generated by IDS. The objective of our system SATA (Security Alert & Threat Analysis) is trying to solve this problem. Several novel methods using data mining technologies to reconstruct attack scenarios were proposed to predict the next stage of attacks according to the recognition the attackers' high level strategies. The main idea of this paper is to propose a novel idea of mining "complicated" attack scenarios based on multi-agent systems without the limitation of necessity of clear attack specifications and precise rule definitions. We propose SAMP and CAST to mine frequent attack behavior sequences and construct attack scenarios. We perform a series of experiments to validate our method on practical attack network environments of CERNET. The results of experiments show that our approach is valid in multi-agent attack scenario construction and correlation analysis.

Weisong He,Guangmin Hu,Xingmiao Yao

DOI: https://doi.org/10.5555/1558733.1558738

2009-01-01

Abstract:Minimize false positive and false negative is one of the difficult problems of network behavior analysis. This paper propose a large-scale communications network behavior feature analysis method using multiple motif pattern association rule mining, analyze multiple behavior feature time series as a whole, produce valid association rules of abnormal network behavior feature, characterize the entire communication network security situation accurately. Experiment with Abilene network data verifies this method.

Shiyi Yang,Hui Guo,Nour Moustafa

DOI: https://doi.org/10.48550/arXiv.2105.09157

2021-09-01

Abstract:Machine learning (ML)-based intrusion detection systems (IDSs) play a critical role in discovering unknown threats in a large-scale cyberspace. They have been adopted as a mainstream hunting method in many organizations, such as financial institutes, manufacturing companies and government agencies. However, existing designs achieve a high threat detection performance at the cost of a large number of false alarms, leading to alert fatigue. To tackle this issue, in this paper, we propose a neural-network-based defense mechanism named DarkHunter. DarkHunter incorporates both supervised learning and unsupervised learning in the design. It uses a deep ensemble network (trained through supervised learning) to detect anomalous network activities and exploits an unsupervised learning-based scheme to trim off mis-detection results. For each detected threat, DarkHunter can trace to its source and present the threat in its original traffic format. Our evaluations, based on the UNSW-NB15 dataset, show that DarkHunter outperforms the existing ML-based IDSs and is able to achieve a high detection accuracy while keeping a low false positive rate.

Cryptography and Security

Zhiqiang Luo,Jun Shen,Huamin Jin,Dongxin Liu

DOI: https://doi.org/10.1007/978-3-319-28121-6_7

2015-01-01

Abstract:With the rapid expansion of the botnet, a single network security system could not meet the requirement. Botnet situation awareness can dynamically reflect the overall botnet security and predict botnet security development trends. Characteristics of big data create opportunity for research breakthrough of large scale botnet situation awareness. This article discusses about botnet security situation awareness based on multi-source logs by utilizing big data analysis. It promotes detection accuracy and fast response of botnet events, and implements the early warning for DDoS attacks.