A multi-step attack-correlation method with privacy protection

Zhang, Yongtang; Luo, Xianlu; Luo, Haibo

doi:10.1007/bf03391586

Cited by 9 publications

(3 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the constructed }, we consider two popular temporal correlations between links (as shown in Fig. 4), i.e., multiple steps and multiple hops [31][32][33]. We only explain the correlations between two links here for simplification although they can actually happen among more links.…”

Section: Structure-enhanced Abnormality Evaluationmentioning

confidence: 99%

Semi-supervised anomaly detection in dynamic communication networks

Meng

Wang

Liang

et al. 2021

Information Sciences

View full text Add to dashboard Cite

Section: Structure-enhanced Abnormality Evaluationmentioning

confidence: 99%

Semi-supervised anomaly detection in dynamic communication networks

Meng

Wang

Liang

et al. 2021

Information Sciences

View full text Add to dashboard Cite

“…In this case, the repeated comparisons between alerts will lead to a huge computational overload especially in large scale networks. Supervised learning algorithms were applied by many au-thors such as [32] [33] [34] [35] [36] [37] [38] [39] [40] [41] and [42]. Qin and Lee [43] proposed an integrated correlation system to identify novel attack strategies using INFOSEC alerts.…”

Section: Motivation and Related Workmentioning

confidence: 99%

An Effective Attack Scenario Construction Model based on Attack Steps and Stages Identification

Alhaj¹,

Siraj²,

Zainal³

et al. 2021

Preprint

View full text Add to dashboard Cite

A Network Intrusion Detection System (NIDS) is a network security technology for detecting intruder attacks. However, it produces a great amount of lowlevel alerts which makes the analysis difficult, especially to construct the attack scenarios. Attack scenario construction (ASC) via Alert Correlation (AC) is important to reveal the strategy of attack in terms of steps and stages that need to be launched to make the attack successful. In most of the existing works, alerts are correlated by classifying the alerts based on the cause-effect relationship. However, the drawback of these works is the identification of false and incomplete correlations due to infiltration of raw alerts. To address this problem, this work proposes an effective ASC model to discover the complete relationship among alerts. The model is successfully experimented using two types of dataset, which are DARPA 2000, and ISCX2012. The Completeness and Soundness of the proposed model are measured to evaluate the overall correlation effectiveness.

show abstract

“…As shown in Fig. 3, abnormal flows happen in a sequence, i.e., multi-step and multi-hop flow sequences, where the previous detected abnormal flows will increase the abnormal possibility of the upcoming flows [41]. For example, in Fig.…”

Section: B Modeling Structural Correlationsmentioning

confidence: 99%

Interactive Anomaly Detection in Dynamic Communication Networks

Meng

Wang

et al. 2021

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

Network flows are the basic components of the Internet. Considering the serious consequences of abnormal flows, it is crucial to provide timely anomaly detection in dynamic communication networks. To obtain accurate anomaly detection results in dynamic networks, supervision from experts is highly demanded. However, to obtain high-quality ground truth of abnormal flows, we suffer from two major problems: (1) limited labor resources: experts with the latest domain knowledge are much fewer than the large number of flows; and (2) dynamic environment: considering the new abnormal patterns (i.e., new attacks) and continuously changing network structures, it requires timely supervision to adaptively update the parameters. To tackle these problems, we propose HADDN, a novel bandit framework for periodic-updated anomaly detection in dynamic communication networks. We formulate the task as a bandit problem, where by interactions, supervision is offered by human experts to provide the ground truth to a fraction of flows. We construct semi-parametric expected rewards to optimize the estimation of flows' abnormality in limited interactions. Also, we utilize feature-based clusters and structural correlations to make connections between historical flows and new flows to improve both efficiency and accuracy of abnormality estimation. What's more, we provide two implementations for the semi-parametric expected reward of the proposed HADDN with theoretical proof. Experimental evaluations on public datasets demonstrate the substantial improvement of our proposed approaches compared to state-of-art anomaly detection methods.

show abstract

A multi-step attack-correlation method with privacy protection

Cited by 9 publications

References 4 publications

Semi-supervised anomaly detection in dynamic communication networks

Semi-supervised anomaly detection in dynamic communication networks

An Effective Attack Scenario Construction Model based on Attack Steps and Stages Identification

Interactive Anomaly Detection in Dynamic Communication Networks

Contact Info

Product

Resources

About