Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&amp;CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Bagui, Sikha; Mink, Dustin; Ghosh, Tirthankar; McElroy, Tom; Paredes, Esteban; Khasnavis, Nithisha; Plenkers, Russell

doi:10.3390/s22207999

Cited by 12 publications

(15 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Multi-classification had not been conducted on this set of data previously, but these results are better than some previous results obtained for binary classification using classical machine learning classifiers like SVM, naïve Bayes, and logistic regression in [30].…”

Section: Discussioncontrasting

confidence: 58%

Graphical Representation of UWF-ZeekData22 Using Memgraph

Bagui,

Mink,

Bagui

et al. 2024

Electronics

Self Cite

View full text Add to dashboard Cite

This work uses Memgraph, an open-source graph data platform, to analyze, visualize, and apply graph machine learning techniques to detect cybersecurity attack tactics in a newly created Zeek Conn log dataset, UWF-ZeekData22, generated in The University of West Florida’s cyber simulation environment. The dataset is transformed to a representative graph, and the graph’s properties studied in this paper are PageRank, degree, bridge, weakly connected components, node and edge cardinality, and path length. Node classification is used to predict the connection between IP addresses and ports as a form of attack tactic or non-attack tactic in the MITRE framework, implemented using Memgraph’s graph neural networks. Multi-classification is performed using the attack tactics, and three different graph neural network models are compared. Using only three graph features, in-degree, out-degree, and PageRank, Memgraph’s GATJK model performs the best, with source node classification accuracy of 98.51% and destination node classification accuracy of 97.85%.

show abstract

Section: Discussioncontrasting

confidence: 58%

Graphical Representation of UWF-ZeekData22 Using Memgraph

Bagui,

Mink,

Bagui

et al. 2024

Electronics

Self Cite

View full text Add to dashboard Cite

show abstract

“…As can be seen from the dataset, the reconnaissance tactic makes up 99.97% of the attack tactics, and the second highest tactic is the discovery tactic, making up 0.02247%. The reconnaissance and discovery tactics were easily detectable using ML algorithms, as seen from [32]. These results will show that, though the discovery tactic made up a much smaller percentage of the dataset, this tactic was still detectable using ML algorithms without resampling.…”

Section: The Datamentioning

confidence: 77%

“…UWF-Zeekdata22 [10,11], a new dataset created in 2022, is a crowd-sourced dataset comprising benign as well as attack tactic data collected from Zeeklogs, an open-source network-monitoring tool used to collect data. This dataset, labeled using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework [32], has 9280 million tactic records and 9281 million benign records. The breakdown of the tactic data in UWF-ZeekData22 is presented in Figure 1.…”

Section: The Datamentioning

confidence: 99%

See 1 more Smart Citation

Resampling to Classify Rare Attack Tactics in UWF-ZeekData22

Bagui,

Mink,

Bagui

et al. 2024

Knowledge

Self Cite

View full text Add to dashboard Cite

One of the major problems in classifying network attack tactics is the imbalanced nature of data. Typical network datasets have an extremely high percentage of normal or benign traffic and machine learners are skewed toward classes with more data; hence, attack data remain incorrectly classified. This paper addresses the class imbalance problem using resampling techniques on a newly created dataset, UWF-ZeekData22. This is the first dataset with tactic labels, labeled as per the MITRE ATT&CK framework. This dataset contains about half benign data and half attack tactic data, but specific tactics have a meager number of occurrences within the attack tactics. Our objective in this paper was to use resampling techniques to classify two rare tactics, privilege escalation and credential access, never before classified. The study also looks at the order of oversampling and undersampling. Varying resampling ratios were used with oversampling techniques such as BSMOTE and SVM-SMOTE and random undersampling without replacement was used. Based on the results, it can be observed that the order of oversampling and undersampling matters and, in many cases, even an oversampling ratio of 10% of the majority data is enough to obtain the best results.

show abstract

“…In order to best characterize the data, the following attributes of the edge connections were binned: number of connections, average duration, and average bytes. In order to bin the data, the methodology outlined by the authors of [16] was utilized, however, a stationary mean was implemented instead of a moving mean. The standard deviation was first calculated by using the formula:…”

Section: Binning Methodologymentioning

confidence: 99%

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22

Bagui,

Mink,

Bagui

et al. 2023

Preprint

View full text Add to dashboard Cite

There has been a great deal of research in the area of using graph engines and graph databases to model network traffic and network attacks, but the novelty of this research lies in visually or graphically representing the Reconnaissance Tactic (TA0043) of the MITRE ATT&amp;CK framework. Using the newly created dataset, UWF-Zeekdata22, based on the MITRE ATT&amp;CK framework, patterns involving network connectivity, connection duration, and data volume were found and loaded into a graph environment. Patterns were also found in the graphed data that match the Reconnaissance as well as other tactics captured by UWF-Zeekdata22. The Star motif was particularly useful in mapping the Reconnaissance tactic. The results of this paper show that graph databases/graph engines can be essential tools for understanding network traffic and trying to detect network intrusions before they happen. Finally, an analysis of the run-time performance of the reduced dataset used to create the graph databases showed that the reduced datasets performed better than the full dataset.

show abstract

Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Cited by 12 publications

References 17 publications

Graphical Representation of UWF-ZeekData22 Using Memgraph

Graphical Representation of UWF-ZeekData22 Using Memgraph

Resampling to Classify Rare Attack Tactics in UWF-ZeekData22

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22

Contact Info

Product

Resources

About

Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

Cited by 12 publications

References 17 publications

Graphical Representation of UWF-ZeekData22 Using Memgraph

Graphical Representation of UWF-ZeekData22 Using Memgraph

Resampling to Classify Rare Attack Tactics in UWF-ZeekData22

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&amp;CK Framework from UWF-ZeekData22

Contact Info

Product

Resources

About

Using a Graph Engine to Visualize the Reconnaissance Tactic of the MITRE ATT&CK Framework from UWF-ZeekData22