Xin Li,Zhi-Hong Deng,Hao Ma,Shi-Wei Tang,Bei Zhang

DOI: https://doi.org/10.1016/j.eswa.2010.06.012

IF: 8.5

2010-01-01

Expert Systems with Applications

Abstract:The main objective of network monitoring is to discover the event patterns that happen frequently. In this paper, we have intensively studied the techniques used to mine frequent patterns from network data flow. We devel-oped a powerful class of algorithms to deal with a series of problems when min-ing frequent patterns from network data flow. We experimentally evaluate our algorithms on real datasets collected from the campus network of Peking Uni-versity. The experimental results show these algorithms are efficient.

Guodong Fang,Zhihong Deng,Hao Ma

DOI: https://doi.org/10.1109/FSKD.2009.444

2009-01-01

Abstract:To keep the network secure, it is necessary to monitor network traffic timely and effectively. The traditional methods for detecting network anomalies were mainly based on such ways as sampling, counting and aggregating, but they can not solve the problem of getting accurate and effective results well. In this paper we propose a new method that is based on the basic properties of frequent pattern mining problem and makes use of the vertical mining methods to mine frequent patterns from network traffic. Based on this algorithm, we build a prototype system to evaluate our algorithm on huge netflow data of campus network. The experimental result shows that this algorithm can detect network anomalies timely and effectively and can help network administrators achieve more effective monitoring on network.

Wu Liu,Haixin Duan,Peng Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCT.2003.1209101

2003-01-01

Abstract:The phenomenal increase in the amounts of network security data are due to the hacker attacks, virus, worm and Shapper etc. Network security log file databases are very important in computer forensics. From researches, a lot of data mining methods have been found, such as content-based queries and similarity searches to manage and use such data. Fast and accurate retrievals for content-based queries are crucial for such numerous database systems to be useful. In this paper, a new method is provided to analyze and mine this kind of time-serial database. We first signalize the NSD databases, then we use these wavelet based transform to analyze the NSD and get the periodic law of intrusion event.

Rahul Chandran,Wei Q. Yan

DOI: https://doi.org/10.4018/ijdcf.2014010103

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:The development of technology in computer networks has boosted the percentage of cyber-attacks today. Hackers are now able to penetrate even the strongest IDS and firewalls. With the help of anti-forensic techniques, attackers defend themselves, from being tracked by destroying and distorting evidences. To detect and prevent network attacks, the main modus of operandi in network forensics is the successful implementation and analysis of attack graph from gathered evidences. This paper conveys the main concepts of attack graphs, requirements for modeling and implementation of graphs. It also contributes the aspect of incorporation of anti-forensic techniques in attack graph which will help in analysis of the diverse possibilities of attack path deviations and thus aids in recommendation of various defense strategies for better security. To the best of our knowledge, this is the first time network anti-forensics has been fully discussed and the attack graphs are employed to analyze the network attacks. The experimental analysis of anti-forensic techniques using attack graphs were conducted in the proposed test-bed which helped to evaluate the model proposed and suggests preventive measures for the improvement of security of the networks.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Jia Zhanpei,Shen Chao,Yi Xiao,Chen Yufei,Yu Tianwen,Guan Xiaohong

DOI: https://doi.org/10.1109/coase.2017.8256257

2017-01-01

CASE

Abstract:Log data are important audit basis to record routine events occurring on computer or network system, which are also critical data source for detecting system anomalies. By analyzing the data from multi-source logs, it is helpful to detect abnormal system behaviors and discover intruder attacks in real time. In this paper, a Spark-based log data security platform is designed and built to analyze the large-scale log data and detect abnormal network behaviors. By integrating data mining, machine learning, and statistical analysis technologies, our proposed framework can quickly analyze large-scale multi-source log data and accurately discriminate the abnormal behaviors. Furthermore, the association analysis is applied to detect abnormal behaviors or potential threats in the system. Under a real-world network environment, extensive experiments are conducted to evaluate the system performance, which can achieve a fast and accurate detection for abnormal network behaviors, and significantly improve the accuracies under various types of network attack scenarios.

Minh Hieu Nguyen,Viet Hung Nguyen,Huu Phong Pham,Ngoc Anh Tran

DOI: https://doi.org/10.1145/3628797.3628943

2023-12-07

Abstract:System logs play a vital role in upholding information security by capturing events to address potential risks. Numerous research initiatives have harnessed log data to create machine learning models geared towards spotting unusual activities within systems. In this pragmatic study, we introduce an innovative approach to detecting anomalies in log data, employing a three-step process encompassing preprocessing, advanced natural language processing (NLP) utilizing BERT, and a custom 1D-CNN classification model. During the preprocessing phase, we tokenize the data and eliminate non-essential elements, while BERT enriches log message representations. Our Sliding Window and Overlapping Mechanism ensures consistent input dimensions. The 1D-CNN model extracts temporal features for robust anomaly detection. Empirical findings on HFDS, BGL, Spirit, and Thunderbird datasets illustrate that our method outperforms prior approaches in identifying network attacks.

Computer Science

Ruozhou LIANG,Yue GAO,Xibin ZHAO

DOI: https://doi.org/10.1360/ssi-2021-0252

2021-01-01

Scientia Sinica Informationis

Abstract:Advanced persistent threat (APT) in real scenes, especially in industrial scenes, is complex and long term, but the current methods cannot effectively extract the long term relationship in the attack. An attack detection method with provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is transformed into the feature sequence first, and then the gate recurrent unit (GRU) model is used to extract the feature of the system. The encoder-decoder model with the local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this study, experiments are carried out on five public datasets, such as StreamSpot, wget, shellshock, ClearScope, and CADETS, compared with the state-of-the-art methods. The method used here achieves similar or improved results on all five datasets. Experimental results show that the proposed method can detect real-life APT scenarios.

Abdulellah Alsaheel,Yuhong Nan,Shiqing Ma,Le Yu,Gregory Walkup,Z. Berkay Celik,Xiangyu Zhang,Dongyan Xu

2021-01-01

Abstract:Advanced Persistent Threats (APT) involve multiple attack steps over a long period, and their investigation requires analysis of myriad logs to identify their attack steps, which are a set of activities undertaken to run an APT attack. However, on a daily basis in an enterprise, intrusion detection systems generate many threat alerts of suspicious events (attack symptoms). Cyber analysts must investigate such events to determine whether an event is a part of an attack. With many alerts to investigate, cyber analysts often end up with alert fatigue, causing them to ignore a large number of alerts and miss true attack events. In this paper, we present ATLAS, a framework that constructs an end-to-end attack story from off-the-shelf audit logs. Our key observation is that different attacks may share similar abstract attack strategies, regardless of the vulnerabilities exploited and payloads executed. ATLAS leverages a novel combination of causality analysis, natural language processing, and machine learning techniques to build a sequence-based model, which establishes key patterns of attack and non-attack behaviors from a causal graph. At inference time, given a threat alert event, an attack symptom node in a causal graph is identified. ATLAS then constructs a set of candidate sequences associated with the symptom node, uses the sequence-based model to identify nodes in a sequence that contribute to the attack, and unifies the identified attack nodes to construct an attack story. We evaluated ATLAS with ten real-world APT attacks executed in a realistic virtual environment. ATLAS recovers attack steps and construct attack stories with an average of 91.06% precision, 97.29% recall, and 93.76% F1-score. Through this effort, we provide security investigators with a new means of identifying the attack events that make up the attack story.

Lixin Wang,Jianhua Yang,Xiaohua Xu,Peng-Jun Wan

DOI: https://doi.org/10.1155/2021/6632671

2021-03-03

Wireless Communications and Mobile Computing

Abstract:Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. With stepping-stone intrusions, an attacker uses tools such as SSH to log in several compromised hosts remotely and create an interactive connection chain and then sends attacking packets to a target system. An effective method to detect such an intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic using the k -means clustering. Existing approaches for connection-chain-based stepping-stone intrusion detection either are not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets being captured and processed, so it is more efficient. Our proposed detection algorithm is also easier to implement than all existing approaches for stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of our proposed detection algorithm are verified through well-designed network experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Ahmed S. Alzahrani,Reehan Ali Shah,Yuntao Qian,Munwar Ali

DOI: https://doi.org/10.1016/j.aej.2020.01.021

IF: 6.626

2020-01-01

Alexandria Engineering Journal

Abstract:With the rapid advancement in technology, network systems are becoming prone to more sophisticated types of intrusions. However, machine learning (ML) based strategies are among the most efficient and popular methods to identify the network intrusions or attacks. In this study, we examined the important and discriminative features, in order to recognize the various attacks by applying the Structural Sparse Logistic Regression (SSPLR) and Support Vector Machine (SVMs) methods. The SVMs are standard ML-based techniques, which provide the reasonable performance, however, they have few shortcomings, such as, interpretability and huge computational cost. On the other hand, the sparse modeling (SSPLR) is considered as the advanced method for the data examination and processing through regularization. The structural sparse modeling can be used to simultaneously select the distinct features or the group of discriminative features from the repository of the data set to determine the coefficient of the linear classifier, where, prior information of the feature’s structure can be mapped on various sparsity-inducing regularizations. In this way, the particular group of features yielded by the most significant network attacks are selected and potentially identified. The experiments and discussion, show that the proposed techniques have improved performance compared to the most state-of-the-art techniques, used for the Intrusion Detection System (IDS).

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Hyeok Kong,Cholyong Jong,Unhyok Ryang

DOI: https://doi.org/10.48550/arXiv.1601.05335

2016-01-20

Cryptography and Security

Abstract:Many modern intrusion detection systems are based on data mining and database-centric architecture, where a number of data mining techniques have been found. Among the most popular techniques, association rule mining is one of the important topics in data mining research. This approach determines interesting relationships between large sets of data items. This technique was initially applied to the so-called market basket analysis, which aims at finding regularities in shopping behaviour of customers of supermarkets. In contrast to dataset for market basket analysis, which takes usually hundreds of attributes, network audit databases face tens of attributes. So the typical Apriori algorithm of association rule mining, which needs so many database scans, can be improved, dealing with such characteristics of transaction database. In this paper we propose an impoved Apriori algorithm, very useful in practice, using scan of network audit database only once by transaction cutting and hashing.

Wu Liu,Jian-Ping Wu,Hai-Xin Duan,Xing Li

DOI: https://doi.org/10.1007/11540007_96

2006-01-01

Abstract:In this paper, we apply data mining techniques to construct intrusion detection patterns. We mine both system audit data and network traffic data for consistent and useful patterns of program and user behavior, and use an iterative low-frequency-finder mining algorithm to find the low frequency but important patterns.

Sun Donghong,Shu Zhibiao,Liu Wu,Ren Ping,Wu Jian-Ping

DOI: https://doi.org/10.1260/1748-3018.8.1.59

2014-01-01

Journal of Algorithms & Computational Technology

Abstract:Data Analysis of Network Security is very important in intrusion detection and computer forensics. A lot of data mining methods to research it have been found, such as content-based queries and similarity searches to manage and use such data. Fast and accurate retrievals for content-based queries are crucial for such numerous data streams to be useful. In this paper, we apply wavelet transforms into network security to analyze and mine time-serial data streams for the detection of anomalous network security events. We first proposes a wavelet based data analysis framework for network security traffic, and signalize the data stream of network security (DSNS), then after de-noise of DSNS, we use wavelet based transforms to analyze the DSNS and get anomalous events for intrusion detection in computer network security. Experimental results show that, by using wavelet transform, we can decrease the noise signal and keep the useful signals of network security data streams to retrieve anomalous events effectively.

Tao Yi,Xingshu Chen,Qindong Li,Yi Zhu

DOI: https://doi.org/10.1016/j.cose.2024.103809

IF: 5.105

2024-03-29

Computers & Security

Abstract:APT attacks have the characteristics of low frequency, stealth, and persistence. Achieving attack objectives and preventing trace-back often involve diverse tactics, various tools, and changing processes and patterns. Additionally, the goals of APT attacks are diverse. Apart from service disruptions or network outages, the main goals include remotely penetrating target hosts through the network to steal information, unauthorized encryption, and destructive wiping. Existing methods for characterizing attack features lack sufficient research on the communication methods and data transmission patterns used in attacks. In particular, due to the non-associated addresses, low frequency, fragmentation, and silent requirements of attacks, the features exhibited in a single session are increasingly minimal. Traditional approaches are no longer sufficient to address these challenges that relying solely on single-sample statistical features and "packet-sniffing" windowed traffic grouping detection methods. To tackle these issues, we propose a innovative approach to characterize network attack traffic based on Spatial Pyramid Pooling (SPP) by analyzing the attack communication methods and data transmission patters in the network session traffic of APT attacks with the remote information theft. Specifically, it employs derived feature attributes that integrate mean, total, and concentration characteristics to longitudinally extract multi-level spatiotemporal correlated behavioral features from aggregated multi-session sets. These features are then fused with single-session characteristics, ensuring that each session sample possesses both current traffic features and correlated properties of contextual session traffic. Additionally, this approach meets the requirements of fixed-length input for heterogeneous data in deep learning. Extensive experiments have been conducted to demonstrate that this method enhances the effective detection of APT attacks by deep learning models. Experiments results show that this approach exhibits superior timeliness, precision, and specificity when compared to Principal Component Analysis (PCA) artificial feature engineering methods and other methods based on fixed-length deep learning for raw data.

computer science, information systems

Lu Li,Yi Man,Mo Chen

DOI: https://doi.org/10.1007/978-3-319-74521-3_9

2018-01-01

Abstract:With the development of the telecommunication network, more and more devices are used in the network, which has been a burden for the network operation and maintenance. At the same time, network devices generate large amounts of log data every day, recording the activities of each device in detail. As a result, the log can reflect the performance of network state, and sometimes, we can predict the occurrence of network failure based on the log. However, since the log has such features: big volume, multi-source heterogeneous and difficult to understand, people have not reasonably used it to analyze and predict network failure. Therefore, we propose a method for structuring a large number of device logs in the short term, and use the data generated from a real communication device network to verify the effect. Besides, we compare our method with the traditional log parsers, such as regular expressions, LogSig, etc. to demonstrate the efficient processing performance and accurate pattern extraction analysis for massive network device logs.

LIU Zuo-da,XU Jing-fang,CHEN Mao-ke,LI Xing

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.044

2007-01-01

Abstract:The rapid development of campus network has brought a vast quantity of web information to us.In order to improve the efficiency of information spreading via campus network,this paper presents a way to analyze the distribution of campus network users based on web log analyzing.A system using this method is designed and implemented in our campus network which shows our solution is valuable.This paper also proposes a classification of campus network information based on the characteristic of users accessing to certain websites.And practical experiment results show the rationality of the proposed method.

W Liu,HX Duan,P Ren,X Li,JP Wu

DOI: https://doi.org/10.1109/icmlc.2003.1264466

2003-01-01

Abstract:The phenomenal increase in the amounts of network security data are due to the hacker attacks, virus, worm and Slapper etc. Network security log databases are very important in intrusion detection and computer forensics. A lot of data mining methods to research it have been found. Fast and accurate retrievals for content-based queries are crucial for such numerous database systems to be useful. In this paper, a new method is provided to analyze and mine this kind of time-serial database. After signalize the NSD databases, we first represent a DWT wavelet transform analysis algorithm, then present two wavelet-based algorithms GET/spl I.bar/INDICES and QUERY for querying the complex and numerous NSD, and finally give the experimental result using these algorithms.