APEX: Characterizing Attack Behaviors from Network Anomalies

Sudheera, Kalupahana Liyanage Kushan; Tian, Zixu; Divakaran, Dinil Mon; Chan, Mun Choon; Gurusamy, Mohan

doi:10.1109/ipccc55026.2022.9894328

Cited by 3 publications

(2 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Meanwhile, works that leverage and build on top of the explanations to provide additional functionalities (such as giving context to anomalies in order to group or characterize them) are scarce and are designed for centralized or distributed architectures that do not offer the same benefits as FL. Moreover, most works require labeled data in certain stages of their proposal [22,24,[27][28][29][30], which might not be feasible in practical settings.…”

Section: Discussionmentioning

confidence: 99%

“…However, this particular point is underexplored in the paper, and the gradient method is specific to the VAE model. Liyanage et al [27] leverage GEE to develop a framework for characterizing attacks from network flow anomalies. Instead of using XAI techniques or GEE's gradient-based explanation methods, they use two levels of frequent itemset mining (FIM) to extract anomalous data patterns.…”

Section: Explainability For Cybersecurity Anomaly or Attack Detection...mentioning

confidence: 99%

See 1 more Smart Citation

Federated Explainability for Network Anomaly Characterization

Sáez-de-Cámara,

Flores,

Arellano

et al. 2023

Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses

View full text Add to dashboard Cite

Machine learning (ML) based systems have shown promising results for intrusion detection due to their ability to learn complex patterns. In particular, unsupervised anomaly detection approaches offer practical advantages as does not require labeling the training data, which is costly and time-consuming. To further address practical concerns, there is a rising interest in adopting federated learning (FL) techniques as a recent ML model training paradigm for distributed settings (e.g., IoT), thereby addressing challenges such as data privacy, availability and communication cost concerns. However, output generated by unsupervised models provide limited contextual information to security analysts at SOCs, as they usually lack the means to know why a sample was classified as anomalous or cannot distinguish between different types of anomalies, difficulting the extraction of actionable information and correlation with other indicators. Moreover, ML explainability methods have received little attention in FL settings and present additional challenges due to the distributed nature and data locality requirements. This paper proposes a new methodology to characterize and explain the anomalies detected by unsupervised ML-based intrusion detection models in FL settings. We adapt and develop explainability, clustering and cluster validation algorithms to FL settings to mine patterns in the anomalous samples and identify different threats throughout the entire network, demonstrating the results on two network intrusion detection datasets containing real IoT malware, namely Gafgyt and Mirai, and various attack traces. The learned clustering results can be used to classify emerging anomalies, provide additional context that can be leveraged to gain more insight

show abstract