On the Sequential Pattern and Rule Mining in the Analysis of Cyber Security Alerts

Husák, Martin; Kašpar, Jaroslav; Bou‐Harb, Elias; Čeleda, Pavel

doi:10.1145/3098954.3098981

Cited by 19 publications

(23 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similar port combinations in Top-10 rules can be seen in rules 5 and 8. In general, we can see common combinations of port numbers that are often scanned together [23]. Another example of attack progression can be seen in rule 2, where we can see two distinct attack steps, scanning and brute-forcing.…”

Section: Resultsmentioning

confidence: 99%

“…However, a generic approach similar to early attempts to attack prediction is still an open research problem [3]. Further, many of the proposed attack prediction methods have only been evaluated using the datasets, but we know little about running such methods on data from real networks [23]. In a related domain of threat intelligence, Fachkha et al [24] used data mining on darknet data to predict cyber threats in the global scope.…”

Section: Related Workmentioning

confidence: 99%

“…In our previous work [23], we have discussed sequential pattern and rule mining methods applied to the analysis of cyber security alerts. The literature search and experimental evaluation led us to the conclusion that sequential pattern mining is applicable in the correlation of security alerts, while sequential rule mining can also be applied in attack prediction.…”

Section: Mining the Attack Prediction Rulesmentioning

confidence: 99%

“…As we can see, the sequences describe actions of an attacker behind a single IP address. Other combinations of keys and items were discussed in the previous work [23]. It is worth noting that sequential rule mining does not, by default, work with time differences between items.…”

Section: Mining the Attack Prediction Rulesmentioning

confidence: 99%

See 3 more Smart Citations

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Husák

Kašpar

2018

2018 14th International Wireless Communications &Amp; Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

Abstract-In this paper, we present an empirical evaluation of an approach to predict attacker's activities based on information exchange and data mining. We gathered the cyber security alerts shared within the SABU platform, in which around 220,000 alerts from heterogeneous geographically distributed sensors (intrusion detection systems and honeypots) are shared every day. Subsequently, we used the methods of sequential rule mining to identify common attack patterns and to derive rules for predicting attacks. As we illustrate in this paper, a collaborative environment allows attack prediction in multiple dimensions. First, we can predict what will the attacker do next and when. Second, we can predict where will the attack hit, e.g., when an attacker is targeting several networks at once. In a weeklong experiment, we processed in total over 1 million alerts, from which we mined predictive rules every day. Our findings show that most of the rules display stable values of support and confidence and, thus, can be used to predict cyber attacks in consecutive days after mining without a need to actualize the rules every day.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Mining the Attack Prediction Rulesmentioning

confidence: 99%

Section: Mining the Attack Prediction Rulesmentioning

confidence: 99%

See 2 more Smart Citations

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Husák

Kašpar

2018

2018 14th International Wireless Communications &Amp; Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

show abstract

“…Perceiving the security situation via intrusion detection systems (IDS) and comprehending cyber attacks via alert correlation allows for the projection of ongoing attacks and prediction of upcoming security events. This article builds foundations from our previous work, in which we tackled various related topics, such as method selection [20], long-term observations [18], and system design [19]. Herein, we present further explorations within such fields and shed light on lessons learned towards the utmost goal of achieving attack projections and building predictive blacklisting capabilities.…”

Section: Introductionmentioning

confidence: 96%

Predictive Cyber Situational Awareness and Personalized Blacklisting

Husák

Bajtoš

Kašpar

et al. 2020

ACM Trans. Manage. Inf. Syst.

Self Cite

View full text Add to dashboard Cite

Cybersecurity adopts data mining for its ability to extract concealed and indistinct patterns in the data, such as for the needs of alert correlation. Inferring common attack patterns and rules from the alerts helps in understanding the threat landscape for the defenders and allows for the realization of cyber situational awareness, including the projection of ongoing attacks. In this paper, we explore the use of data mining, namely sequential rule mining, in the analysis of intrusion detection alerts. We employed a dataset of 12 million alerts from 34 intrusion detection systems in 3 organizations gathered in an alert sharing platform, and processed it using our analytical framework. We execute the mining of sequential rules that we use to predict security events, which we utilize to create a predictive blacklist. Thus, the recipients of the data from the sharing platform will receive only a small number of alerts of events that are likely to occur instead of a large number of alerts of past events. The predictive blacklist has the size of only 3 % of the raw data, and more than 60 % of its entries are shown to be successful in performing accurate predictions in operational, real-world settings.

show abstract

On the Feasibility of Anomaly Detection with Fine-Grained Program Tracing Events

Huang

2022

J Netw Syst Manage

View full text Add to dashboard Cite

On the Sequential Pattern and Rule Mining in the Analysis of Cyber Security Alerts

Cited by 19 publications

References 37 publications

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Predictive Cyber Situational Awareness and Personalized Blacklisting

On the Feasibility of Anomaly Detection with Fine-Grained Program Tracing Events

Contact Info

Product

Resources

About