Discovering Attackers Past Behavior to Generate Online Hyper-Alerts

Kawakani, Cláudio Toshio; Barbon, Sylvio; Miani, Rodrigo Sanches; Cukier, Michel; Zarpelão, Bruno Bogaz

doi:10.5753/isys.2017.331

Cited by 4 publications

(4 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The algorithm aggregates alerts into a graph structure according to internet provider (IP) address and attack mode and applies the Bit-AssocRule algorithm to mine frequent patterns in the model graph. Ramaki et al [ 26 ] proposed a real-time alert correlation framework based on stream mining to detect multi-step attack scenarios. First, the framework aggregate alerts into hyper-alerts and sorts them by their time tags.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Distributed Attack Modeling Approach Based on Process Mining and Graph Segmentation

Chen

Liu

et al. 2020

Entropy

View full text Add to dashboard Cite

Attack graph modeling aims to generate attack models by investigating attack behaviors recorded in intrusion alerts raised in network security devices. Attack models can help network security administrators discover an attack strategy that intruders use to compromise the network and implement a timely response to security threats. However, the state-of-the-art algorithms for attack graph modeling are unable to obtain a high-level or global-oriented view of the attack strategy. To address the aforementioned issue, considering the similarity between attack behavior and workflow, we employ a heuristic process mining algorithm to generate the initial attack graph. Although the initial attack graphs generated by the heuristic process mining algorithm are complete, they are extremely complex for manual analysis. To improve their readability, we propose a graph segmentation algorithm to split a complex attack graph into multiple subgraphs while preserving the original structure. Furthermore, to handle massive volume alert data, we propose a distributed attack graph generation algorithm based on Hadoop MapReduce and a distributed attack graph segmentation algorithm based on Spark GraphX. Additionally, we conduct comprehensive experiments to validate the performance of the proposed algorithms. The experimental results demonstrate that the proposed algorithms achieve considerable improvement over comparative algorithms in terms of accuracy and efficiency.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Manual analysis of cyber-attacks by network security administrators is an important means to ensure network system security in practice [ 26 ]. However, attack graphs generated by state-of-the-art algorithms are extremely complex for network security administrators to understand.…”

Section: Attack Modelingmentioning

confidence: 99%

Distributed Attack Modeling Approach Based on Process Mining and Graph Segmentation

Chen

Liu

et al. 2020

Entropy

View full text Add to dashboard Cite

show abstract

“…10 Example of graph signature in the EDL language [61] and correlation, known as the NAC process [68]. This process may be complemented by a clustering step [69,70] to enrich detection capacity.…”

Section: Second Ids Generation: Alert Correlationmentioning

confidence: 99%

“…Knowledge-based approaches include Frequent Subgraph Mining (FSM), description languages and expert systems. Machine-learning-based approaches in this classification include Bayesian networks and outlier detection, which are advanced statistical techniques, as well as Markov models [78], neural networks [79], fuzzy logic, genetic algorithms [80], ant-colony-based solutions [81] and clustering [69].…”

Section: Third Ids Generation: Data Miningmentioning

confidence: 99%

Foundations and applications of artificial Intelligence for zero-day and multi-step attack detection

Parrend

Navarro

Guigou

et al. 2018

EURASIP J. on Info. Security

View full text Add to dashboard Cite

Behind firewalls, more and more cybersecurity attacks are specifically targeted to the very network where they are taking place. This review proposes a comprehensive framework for addressing the challenge of characterising novel complex threats and relevant countermeasures. Two kinds of attacks are particularly representative of this issue: zero-day attacks that are not publicly disclosed and multi-step attacks that are built of several individual steps, some malicious and some benign. Two main approaches are developed in the artificial intelligence field to track these attacks: statistics and machine learning. Statistical approaches include rule-based and outlier-detection-based solutions. Machine learning includes the detection of behavioural anomalies and event sequence tracking. Applications of artificial intelligence cover the field of intrusion detection, which is typically performed online, and security investigation, performed offline.

show abstract

The parameter optimization based on LVPSO algorithm for detecting multi-step attacks

Jiang

Wang

Shi

et al. 2019

Proceedings of the 16th ACM International Conference on Computing Frontiers

View full text Add to dashboard Cite

Discovering Attackers Past Behavior to Generate Online Hyper-Alerts

Cited by 4 publications

References 30 publications

Distributed Attack Modeling Approach Based on Process Mining and Graph Segmentation

Distributed Attack Modeling Approach Based on Process Mining and Graph Segmentation

Foundations and applications of artificial Intelligence for zero-day and multi-step attack detection

The parameter optimization based on LVPSO algorithm for detecting multi-step attacks

Contact Info

Product

Resources

About