Clustering Detection Method of Network Intrusion Feature Based on Support Vector Machine and LCA Block Algorithm

Zhang, Jie; Sun, Junying; He, Hong

doi:10.1007/s11277-021-08353-y

Cited by 5 publications

(4 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Analysis of network data for the purpose of supporting an anomaly-based IDS has been a topic of interest for some time [ 9 , 10 , 11 , 12 , 13 , 14 , 15 , 16 , 17 ]. The first widely studied network dataset was the KDD99Cup dataset, analyzed in [ 10 , 12 , 15 ].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Bagui

Mink²,

Ghosh³

et al. 2022

Sensors

View full text Add to dashboard Cite

While computer networks and the massive amount of communication taking place on these networks grow, the amount of damage that can be done by network intrusions grows in tandem. The need is for an effective and scalable intrusion detection system (IDS) to address these potential damages that come with the growth of these networks. A great deal of contemporary research on near real-time IDS focuses on applying machine learning classifiers to labeled network intrusion datasets, but these datasets need be relevant pertaining to the currency of the network intrusions. This paper focuses on a newly created dataset, UWF-ZeekData22, that analyzes data from Zeek’s Connection Logs collected using Security Onion 2 network security monitor and labelled using the MITRE ATT&CK framework TTPs. Due to the volume of data, Spark, in the big data framework, was used to run many of the well-known classifiers (naïve Bayes, random forest, decision tree, support vector classifier, gradient boosted trees, and logistic regression) to classify the reconnaissance and discovery tactics from this dataset. In addition to looking at the performance of these classifiers using Spark, scalability and response time were also analyzed.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Other studies, such as [ 14 ], used data that are not made publicly available. They applied a multilayer SVM to their data to support a block lowest common ancestor algorithm to cluster network intrusion features.…”

Section: Related Workmentioning

confidence: 99%

Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Bagui

Mink²,

Ghosh³

et al. 2022

Sensors

View full text Add to dashboard Cite

show abstract

“…Many studies have been performed on identifying attack network traffic after the attacks have happened [2][3][4][5], but in this work we are trying to study the step before that, that is, who is trying to gather information about our system so that they can perform an attack. Hence, our aim in this work is to analyze the Reconnaissance Tactic (TA0043) of the MITRE ATT&CK framework.…”

Section: Introductionmentioning

confidence: 99%

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22

Bagui,

Mink,

Bagui

et al. 2023

Preprint

View full text Add to dashboard Cite

There has been a great deal of research in the area of using graph engines and graph databases to model network traffic and network attacks, but the novelty of this research lies in visually or graphically representing the Reconnaissance Tactic (TA0043) of the MITRE ATT&amp;CK framework. Using the newly created dataset, UWF-Zeekdata22, based on the MITRE ATT&amp;CK framework, patterns involving network connectivity, connection duration, and data volume were found and loaded into a graph environment. Patterns were also found in the graphed data that match the Reconnaissance as well as other tactics captured by UWF-Zeekdata22. The Star motif was particularly useful in mapping the Reconnaissance tactic. The results of this paper show that graph databases/graph engines can be essential tools for understanding network traffic and trying to detect network intrusions before they happen. Finally, an analysis of the run-time performance of the reduced dataset used to create the graph databases showed that the reduced datasets performed better than the full dataset.

show abstract

“…Many studies have been performed on identifying attack network traffic after the attacks have happened [2][3][4][5], but in this work we are trying to study the step before that-that is, identifying who is trying to gather information about our system so that they can perform an attack. Hence, our aim in this work is to analyze the Reconnaissance Tactic (TA0043) of the MITRE ATT&CK framework.…”

Section: Introductionmentioning

confidence: 99%

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22

Bagui,

Mink,

Bagui

et al. 2023

Future Internet

View full text Add to dashboard Cite

There has been a great deal of research in the area of using graph engines and graph databases to model network traffic and network attacks, but the novelty of this research lies in visually or graphically representing the Reconnaissance Tactic (TA0043) of the MITRE ATT&CK framework. Using the newly created dataset, UWF-Zeekdata22, based on the MITRE ATT&CK framework, patterns involving network connectivity, connection duration, and data volume were found and loaded into a graph environment. Patterns were also found in the graphed data that matched the Reconnaissance as well as other tactics captured by UWF-Zeekdata22. The star motif was particularly useful in mapping the Reconnaissance Tactic. The results of this paper show that graph databases/graph engines can be essential tools for understanding network traffic and trying to detect network intrusions before they happen. Finally, an analysis of the runtime performance of the reduced dataset used to create the graph databases showed that the reduced datasets performed better than the full dataset.

show abstract

Clustering Detection Method of Network Intrusion Feature Based on Support Vector Machine and LCA Block Algorithm

Cited by 5 publications

References 1 publication

Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22

Contact Info

Product

Resources

About

Clustering Detection Method of Network Intrusion Feature Based on Support Vector Machine and LCA Block Algorithm

Cited by 5 publications

References 1 publication

Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&amp;CK Framework from UWF-ZeekData22

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22

Contact Info

Product

Resources

About

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22