Jung-Chun Liu,Chao-Tung Yang,Yu-Wei Chan,Endah Kristiani,Wei-Je Jiang

DOI: https://doi.org/10.1007/s11227-021-03715-6

IF: 3.3

2021-03-16

The Journal of Supercomputing

Abstract:Network log data is significant for network administrators, since it contains information on every event that occurs in a network, including system errors, alerts, and packets sending statuses. Effectively analyzing large volumes of diverse log data brings opportunities to identify issues before they become problems and to prevent future cyberattacks; however, processing of the diverse NetFlow data poses challenges such as volume, velocity, and veracity of log data. In this study, by means of Elasticsearch, Logstash, and Kibana, i.e., the ELK Stack, we construct an analysis and management system for network log data, which provides functions to filter, analyze, and display network log data for further applications and creates data visualization on a Web browser. In addition, an advanced cyberattack detection model is facilitated using deep neural network (DNN), recurrent neural networks (RNN), and long short-term memory (LSTM) approaches. By knowing cyberattack behaviors and cross-validating with the log analysis system, one can learn from this model the characteristics of a variety of cyberattacks. Finally, we also implement Grafana to perform metrics monitoring.

Dongxue Zhang,Yang Zheng,Yu Wen,Yujue Xu,Jingchuo Wang,Yang Yu,Dan Meng

DOI: https://doi.org/10.1145/3267494.3267495

2018-01-01

Abstract:Insider threats have shown their great destructive power in information security and financial stability and have received widespread attention from governments and organizations. Traditional intrusion detection systems fail to be effective in insider attacks due to the lack of extensive knowledge for insider behavior patterns. Instead, a more sophisticated method is required to have a deeper understanding for activities that insiders communicate with the information system. In this paper, we design a classifier, a neural network model utilizing Long Short Term Memory (LSTM) to model user log as a natural language sequence and achieve role-based classification. LSTM Model can learn behavior patterns of different users by automatically extracting feature and detect anomalies when log patterns deviate from the trained model. To illustrate the effective of classification model, we design two experiments based on cmu dataset. Experimental evaluations have shown that our model can successfully distinguish different behavior pattern and detect malicious behavior.

Ming Zhong,Yajin Zhou,Gang Chen

DOI: https://doi.org/10.1155/2021/5542543

IF: 1.968

2021-03-23

Security and Communication Networks

Abstract:Due to the complexity of the social network server system, various system abnormalities may occur and in turn will lead to subsequent system failures and information losses. Thus, to monitor the system state and detect the system abnormalities are of great importance. As the system log contains valuable information and records the system operating status and users’ behaviors, log data in system abnormality detection and diagnosis can ensure system availability and reliability. This paper discloses a log analysis method based on deep learning for an intrusion detection system, which includes the following steps: preprocess the acquired logs of different types in the target system; perform log analysis on the preprocessed logs using a clustering-based method; then, encode the parsed log events into digital feature vectors; use LSTM-based neural network and log collect-based clustering methods to learn the encoded logs to form warning information; lastly, trace the source of the warning information to the corresponding component to determine the point of intrusion. The paper finally implements the proposed intrusion detection method in the server system, thereby improving the system’s security status.

computer science, information systems,telecommunications

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Konstantina Fotiadou,Terpsichori-Helen Velivassaki,Artemis Voulkidis,Dimitrios Skias,Sofia Tsekeridou,Theodore Zahariadis

DOI: https://doi.org/10.3390/info12050215

2021-05-19

Information

Abstract:Network intrusion detection is a key pillar towards the sustainability and normal operation of information systems. Complex threat patterns and malicious actors are able to cause severe damages to cyber-systems. In this work, we propose novel Deep Learning formulations for detecting threats and alerts on network logs that were acquired by pfSense, an open-source software that acts as firewall on FreeBSD operating system. pfSense integrates several powerful security services such as firewall, URL filtering, and virtual private networking among others. The main goal of this study is to analyse the logs that were acquired by a local installation of pfSense software, in order to provide a powerful and efficient solution that controls traffic flow based on patterns that are automatically learnt via the proposed, challenging DL architectures. For this purpose, we exploit the Convolutional Neural Networks (CNNs), and the Long Short Term Memory Networks (LSTMs) in order to construct robust multi-class classifiers, able to assign each new network log instance that reaches our system into its corresponding category. The performance of our scheme is evaluated by conducting several quantitative experiments, and by comparing to state-of-the-art formulations.

Yung-Chung Wang,Yi-Chun Houng,Han-Xuan Chen,Shu-Ming Tseng

DOI: https://doi.org/10.3390/s23042171

IF: 3.9

2023-02-16

Sensors

Abstract:The prevalence of internet usage leads to diverse internet traffic, which may contain information about various types of internet attacks. In recent years, many researchers have applied deep learning technology to intrusion detection systems and obtained fairly strong recognition results. However, most experiments have used old datasets, so they could not reflect the latest attack information. In this paper, a current state of the CSE-CIC-IDS2018 dataset and standard evaluation metrics has been employed to evaluate the proposed mechanism. After preprocessing the dataset, six models—deep neural network (DNN), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), CNN + RNN and CNN + LSTM—were constructed to judge whether network traffic comprised a malicious attack. In addition, multi-classification experiments were conducted to sort traffic into benign traffic and six categories of malicious attacks: BruteForce, Denial-of-service (DoS), Web Attacks, Infiltration, Botnet, and Distributed denial-of-service (DDoS). Each model showed a high accuracy in various experiments, and their multi-class classification accuracy were above 98%. Compared with the intrusion detection system (IDS) of other papers, the proposed model effectively improves the detection performance. Moreover, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. Therefore, the DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM for considering the implementation of the algorithm in the IDS device.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Khloud Al Jallad,Mohamad Aljnidi,Mohammad Said Desouki

DOI: https://doi.org/10.48550/arXiv.2209.13961

2022-09-28

Cryptography and Security

Abstract:With the growing use of information technology in all life domains, hacking has become more negatively effective than ever before. Also with developing technologies, attacks numbers are growing exponentially every few months and become more sophisticated so that traditional IDS becomes inefficient detecting them. This paper proposes a solution to detect not only new threats with higher detection rate and lower false positive than already used IDS, but also it could detect collective and contextual security attacks. We achieve those results by using Networking Chatbot, a deep recurrent neural network: Long Short Term Memory (LSTM) on top of Apache Spark Framework that has an input of flow traffic and traffic aggregation and the output is a language of two words, normal or abnormal. We propose merging the concepts of language processing, contextual analysis, distributed deep learning, big data, anomaly detection of flow analysis. We propose a model that describes the network abstract normal behavior from a sequence of millions of packets within their context and analyzes them in near real-time to detect point, collective and contextual anomalies. Experiments are done on MAWI dataset, and it shows better detection rate not only than signature IDS, but also better than traditional anomaly IDS. The experiment shows lower false positive, higher detection rate and better point anomalies detection. As for prove of contextual and collective anomalies detection, we discuss our claim and the reason behind our hypothesis. But the experiment is done on random small subsets of the dataset because of hardware limitations, so we share experiment and our future vision thoughts as we wish that full prove will be done in future by other interested researchers who have better hardware infrastructure than ours.

Zhijun Zhao,Chen Xu,Bo Li

DOI: https://doi.org/10.1007/s11265-021-01644-4

2021-02-05

Journal of Signal Processing Systems

Abstract:Abstract Security devices produce huge number of logs which are far beyond the processing speed of human beings. This paper introduces an unsupervised approach to detecting anomalous behavior in large scale security logs. We propose a novel feature extracting mechanism and could precisely characterize the features of malicious behaviors. We design a LSTM-based anomaly detection approach and could successfully identify attacks on two widely-used datasets. Our approach outperforms three popular anomaly detection algorithms, one-class SVM, GMM and Principal Components Analysis, in terms of accuracy and efficiency.

Chao-Tung Yang,Yu-Wei Chan,Jung-Chun Liu,Endah Kristiani,Cing-Han Lai

DOI: https://doi.org/10.1007/s00500-022-06954-8

IF: 3.732

2022-03-31

Soft Computing

Abstract:The usage of artificial intelligence and machine learning methods on cyberattacks increasing significantly recently. For the defense method of cyberattacks, it is possible to detect and identify the attack event by observing the log data and analyzing whether it has abnormal behavior or not. This paper implemented the ELK Stack network log system (NetFlow Log) to visually analyze log data and present several network attack behavior characteristics for further analysis. Additionally, this system evaluated the extreme gradient enhancement (XGBoost), Recurrent Neural Network (RNN), and Deep Neural Network (DNN) model for machine learning methods. Keras was used as a deep learning framework for building a model to detect the attack event. From the experiments, it can be confirmed that the XGBoost model has an accuracy rate of 96.01% for potential threats. The full attack dataset can achieve 96.26% accuracy, which is better than RNN and DNN models.

computer science, artificial intelligence, interdisciplinary applications

Ahmed S. Alzahrani,Reehan Ali Shah,Yuntao Qian,Munwar Ali

DOI: https://doi.org/10.1016/j.aej.2020.01.021

IF: 6.626

2020-01-01

Alexandria Engineering Journal

Abstract:With the rapid advancement in technology, network systems are becoming prone to more sophisticated types of intrusions. However, machine learning (ML) based strategies are among the most efficient and popular methods to identify the network intrusions or attacks. In this study, we examined the important and discriminative features, in order to recognize the various attacks by applying the Structural Sparse Logistic Regression (SSPLR) and Support Vector Machine (SVMs) methods. The SVMs are standard ML-based techniques, which provide the reasonable performance, however, they have few shortcomings, such as, interpretability and huge computational cost. On the other hand, the sparse modeling (SSPLR) is considered as the advanced method for the data examination and processing through regularization. The structural sparse modeling can be used to simultaneously select the distinct features or the group of discriminative features from the repository of the data set to determine the coefficient of the linear classifier, where, prior information of the feature’s structure can be mapped on various sparsity-inducing regularizations. In this way, the particular group of features yielded by the most significant network attacks are selected and potentially identified. The experiments and discussion, show that the proposed techniques have improved performance compared to the most state-of-the-art techniques, used for the Intrusion Detection System (IDS).

Bayi Xu,Lei Sun,Xiuqing Mao,Chengwei Liu,Zhiyi Ding

DOI: https://doi.org/10.32604/cmc.2023.046478

2024-01-01

Abstract:In recent years, frequent network attacks have highlighted the importance of efficient detection methods for ensuring cyberspace security. This paper presents a novel intrusion detection system consisting of a data preprocessing stage and a deep learning model for accurately identifying network attacks. We have proposed four deep neural network models, which are constructed using architectures such as Convolutional Neural Networks (CNN), Bi-directional Long Short-Term Memory (BiLSTM), Bidirectional Gate Recurrent Unit (BiGRU), and Attention mechanism. These models have been evaluated for their detection performance on the NSL-KDD dataset.To enhance the compatibility between the data and the models, we apply various preprocessing techniques and employ the particle swarm optimization algorithm to perform feature selection on the NSL-KDD dataset, resulting in an optimized feature subset. Moreover, we address class imbalance in the dataset using focal loss. Finally, we employ the BO-TPE algorithm to optimize the hyperparameters of the four models, maximizing their detection performance. The test results demonstrate that the proposed model is capable of extracting the spatiotemporal features of network traffic data effectively. In binary and multiclass experiments, it achieved accuracy rates of 0.999158 and 0.999091, respectively, surpassing other state-of-the-art methods.

computer science, information systems,materials science, multidisciplinary

Aaron Tuor,Ryan Baerwolf,Nicolas Knowles,Brian Hutchinson,Nicole Nichols,Rob Jasper

DOI: https://doi.org/10.48550/arXiv.1712.00557

2017-12-02

Neural and Evolutionary Computing

Abstract:Automated analysis methods are crucial aids for monitoring and defending a network to protect the sensitive or confidential data it hosts. This work introduces a flexible, powerful, and unsupervised approach to detecting anomalous behavior in computer and network logs, one that largely eliminates domain-dependent feature engineering employed by existing methods. By treating system logs as threads of interleaved "sentences" (event log lines) to train online unsupervised neural network language models, our approach provides an adaptive model of normal network behavior. We compare the effectiveness of both standard and bidirectional recurrent neural network language models at detecting malicious activity within network log data. Extending these models, we introduce a tiered recurrent architecture, which provides context by modeling sequences of users' actions over time. Compared to Isolation Forest and Principal Components Analysis, two popular anomaly detection algorithms, we observe superior performance on the Los Alamos National Laboratory Cyber Security dataset. For log-line-level red team detection, our best performing character-based model provides test set area under the receiver operator characteristic curve of 0.98, demonstrating the strong fine-grained anomaly detection performance of this approach on open vocabulary logging sources.

Vanlalruata Hnamte,Hong Nhung-Nguyen,Jamal Hussain,Yong Hwa-Kim

DOI: https://doi.org/10.1109/access.2023.3266979

IF: 3.9

2023-01-01

IEEE Access

Abstract:Machine learning and deep learning techniques are widely used to evaluate intrusion detection systems (IDS) capable of rapidly and automatically recognizing and classifying cyber-attacks on networks and hosts. However, when destructive attacks are becoming more extensive, more challenges develop, needing a comprehensive response. Numerous intrusion detection datasets are publicly accessible for further analysis by the cybersecurity research community. However, no previous research has examined the performance of the proposed model on a variety of publicly accessible datasets in detail. Due to the dynamic nature of the attack and its rapidly changing attack techniques, the publicly accessible intrusion datasets must be updated and benchmarked regularly. The deep neural network (DNN) and convolutional neural network (CNN) are examined in this article as types of deep learning models for developing a flexible and effective IDS capable of detecting and comparing them with the proposed model in detecting cyber-attacks. The constant development of network behavior and the fast growth of attacks need the development of IDS and the evaluation of many datasets produced over time through static and dynamic methods. This kind of research enables the identification of the most efficient algorithm for identifying future cyber-attacks. We proposed a novel two-stage deep learning technique hybridizing Long-Short Term Memory (LSTM) and Auto-Encoders (AE) for detecting attacks. The CICIDS2017 and CSE-CICDIS2018 datasets are used to determine the optimum network parameters for the proposed LSTM-AE. The experimental results show that the proposed hybrid model works well and is applicable for detecting attacks in modern scenarios.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shuzhan Wang,Ruxue Jiang,Zhaoqi Wang,Yan Zhou

2024-09-14

Abstract:Computer network anomaly detection and log analysis, as an important topic in the field of network security, has been a key task to ensure network security and system reliability. First, existing network anomaly detection and log analysis methods are often challenged by high-dimensional data and complex network topologies, resulting in unstable performance and high false-positive rates. In addition, traditional methods are usually difficult to handle time-series data, which is crucial for anomaly detection and log analysis. Therefore, we need a more efficient and accurate method to cope with these problems. To compensate for the shortcomings of current methods, we propose an innovative fusion model that integrates Isolation Forest, GAN (Generative Adversarial Network), and Transformer with each other, and each of them plays a unique role. Isolation Forest is used to quickly identify anomalous data points, and GAN is used to generate synthetic data with the real data distribution characteristics to augment the training dataset, while the Transformer is used for modeling and context extraction on time series data. The synergy of these three components makes our model more accurate and robust in anomaly detection and log analysis tasks. We validate the effectiveness of this fusion model in an extensive experimental evaluation. Experimental results show that our model significantly improves the accuracy of anomaly detection while reducing the false alarm rate, which helps to detect potential network problems in advance. The model also performs well in the log analysis task and is able to quickly identify anomalous behaviors, which helps to improve the stability of the system. The significance of this study is that it introduces advanced deep learning techniques, which work anomaly detection and log analysis.

Machine Learning,Cryptography and Security

Yusuf ALACA,Yuksel CELIK,Sanjay GOEL

DOI: https://doi.org/10.51537/chaos.1348302

2023-10-18

Chaos Theory and Applications

Abstract:Intrusion detection systems utilize the analysis of log data to effectively detect anomalies. However, detecting anomalies quickly and effectively in large and heterogeneous log data can be challenging. To address this difficulty, this study proposes the GLSTM (Graph-based Long Short-Term Memory) framework, a graph-based deep learning model that analyzes log data to detect cyber-attacks rapidly and effectively. The framework involves standardizing the complex and diverse log data, training this data on an artificial intelligence model, and detecting anomalies. Initially, the complex and diverse log data is transformed into graph data using Node2Vec, enabling efficient and rapid analysis on the artificial intelligence model. Subsequently, these graph data are trained using LSTM (Long Short-Term Memory), Bi-LSTM, and GRU(Gated Recurrent Unit) deep learning algorithms. The proposed framework is tested using Hadoop’s HDFS dataset, collected from different systems and heterogeneous sources, as well as the BGL and IMDB datasets. Experimental results on the selected datasets demonstrate high levels of success.

Yuansheng Dong,Rong Wang,Juan He

DOI: https://doi.org/10.1109/icsess47205.2019.9040718

2019-01-01

Abstract:Computer network is vulnerable to hackers, computer viruses, and other malicious attacks. As an active defense technology, intrusion detection plays an important role in the field of network security. Traditional intrusion detection technologies face problems such as low accuracy, low detection efficiency, high false positive rate, and inability to cope with new types of intrusions. To solve these problems, we propose a real-time network intrusion detection system based on deep learning, which uses big data technology, natural language processing technology and deep learning technology. Our main contributions are as follows: (1) Use Flume as the agent for log collection to realize real-time massive log collection, using Flink as real-time computation engine. (2) Aiming at the high dimensional problem of traffic data, a self-encoder-based intrusion detection dimension reduction method is proposed, and the intrusion detection data is preprocessed, including data cleaning, coding, extraction and integration, and normalization. (3) Propos a deep learning-based intrusion detection model, AE-AlexNet, which uses Auto-Encoder AlexNet neural network. The experimental results of the intrusion detection data set KDD 99 show that the accuracy of the AE-AlexNet, model is as high as 94.32%.

Zhuangbin Chen,Jinyang Liu,Wenwei Gu,Yuxin Su,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2107.05908

2021-07-13

Software Engineering

Abstract:Logs have been an imperative resource to ensure the reliability and continuity of many software systems, especially large-scale distributed systems. They faithfully record runtime information to facilitate system troubleshooting and behavior understanding. Due to the large scale and complexity of modern software systems, the volume of logs has reached an unprecedented level. Consequently, for log-based anomaly detection, conventional manual inspection methods or even traditional machine learning-based methods become impractical, which serve as a catalyst for the rapid development of deep learning-based solutions. However, there is currently a lack of rigorous comparison among the representative log-based anomaly detectors that resort to neural networks. Moreover, the re-implementation process demands non-trivial efforts, and bias can be easily introduced. To better understand the characteristics of different anomaly detectors, in this paper, we provide a comprehensive review and evaluation of five popular neural networks used by six state-of-the-art methods. Particularly, four of the selected methods are unsupervised, and the remaining two are supervised. These methods are evaluated with two publicly available log datasets, which contain nearly 16 million log messages and 0.4 million anomaly instances in total. We believe our work can serve as a basis in this field and contribute to future academic research and industrial applications.

Barış Bulut,Hasan Burak Ketmen

DOI: https://doi.org/10.1109/SIU53274.2021.9477836

2021-06-09

Abstract:Today, the logs of the services running on virtual and real servers provide us with data from which statistical inferences can be made about the service itself and the ecosystem it is in, if it is analyzed. The usage purposes of the tools used in DevOps, the content of the logs they produce, the way they are stored and the frequency of reproduction may vary. Creating metrics by analyzing logs and taking necessary actions on metrics can potentially increase productivity when the hurdles such as fragmentation of unstructured data, processing of data and processing of data are overcome. In this study, it is shown that the logs can be modeled as a natural language sequence in order that the necessary actions be taken, and it is possible to classify the process logs of Jenkins, which is one of the services used in DevOps, by using the Bidirectional Long Short-Term Memory method, with high accuracy and Cohen's Kappa score.

Computer Science

Aravind Prakash M,Indra Gandhi K,Sriram R,Amaysingh

DOI: https://doi.org/10.3233/apc210005

2021-10-04

Abstract:Recently machine learning algorithms are utilized for identifying network threats. Threats otherwise called as intrusions, will harm the network in a stern manner, thus it must be dealt cautiously. In the proposed research work, a deep learning model has been applied to recognize and categorize unanticipated and unpredictable cyber-attacks. The UNSW NB-15 dataset has a vital number of features which will be learned by the hidden layers present in the suggested model and classified by the output layer. The suitable quantity of layers, neurons in each layer and the optimizer utilized in the proposed work are obtained through a sequence of trial and error experiments. The concluding model acquired can be utilized for estimating future malicious attacks. There are several data preprocessing techniques available at our disposal. We used two types of techniques in our experiment: 1) Log transformation, MinMaxScaling and factorize technique; and 2) Z-score encoding and dummy encoding technique. In general, the selection of data preprocessing techniques has a direct impact on the output performed by any machine learning process and our research, attempts to prove this concept.

Rakesh P. Menon

DOI: https://doi.org/10.1007/978-3-319-13728-5_46

2015-01-01

Abstract:This paper proposes an intrusion prediction system in which network log file entries are used for the prediction of attacks. Good filtering and classification techniques helps to process huge amount of data and find patterns of anomalies pertaining to network attacks. The techniques used in this paper are Naive Bayes and Adaboost Cost Sensitive Learning algorithms. The network log files obtained from network devices like IDS, Firewalls etc. are collected, normalized and correlated with the help of Alienvault SIEM and the fields which are important for classification are extracted. Next, the training data is classified with the help of Naive Bayes and misclassified entries are passed on to Cost Sensitive variant of Adaboost by which the classification rate is improved. Now with the help of this train data the system creates an attack model with the help of which it predicts whether an attack is about to happen or not.