Use of Machine Learning Algorithms with SIEM for Attack Prediction

Anumol, E. T.

doi:10.1007/978-81-322-2012-1_24

Cited by 11 publications

(2 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, some studies show ways to detect the targeted attack [8] [9] [10] and measures against the targeted attack [11]. Also, other studies have used a combination of SIEM and Support Vector Machine (SVM) [12], anomaly detection of a network using SVM [13], performance evaluation of a classifier [14], and so on.…”

Section: Related Researchmentioning

confidence: 99%

Development of Intellectual Network Forensic System LIFT against Targeted Attacks

Hashimoto¹,

Hiruma²,

Matsumoto³

et al. 2015

2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec)

View full text Add to dashboard Cite

Recently, the number of targeted attacks to specific organizations, such as companies or governments, has been increasing. Although such organizations are required to conduct to protect against the attack or mitigate the effect of the targeted attack, it is very difficult to perform the proper operation without the assistance of a support system. Therefore, the authors developed the Live and Intelligent Network Forensic Technologies (LIFT) system to guide the proper operation and/or conduct an automatic operation using artificial intelligence. The LIFT system collects the logs from servers, PCs, and communication equipment such as routers and detects abnormal signs from the collected logs. Next, the LIFT system calculates the certainty factor of an event occurrence by using the knowledge of the relation between the detected signs and the estimated event. If the certainty factor is large enough, the event is assumed to occur, or else the LIFT system requires collecting additional logs or results of a memory dump. Moreover, the LIFT system guides the proper operation and/or conducts an automatic operation with the knowledge of the relation between the event and proposed action, which would be a guide or automatic operation. If the knowledge described is given to the LIFT system, a total simulation can be performed in the LIFT system based on rulebased technology, which is one of the artificial intelligence technologies. This paper describes the objective to develop the LIFT system, the overview of the system, the developed prototype of the LIFT system and the experimental results of applying the LIFT system prototype. From the experimental results, we confirm that the LIFT system can be a useful tool to perform the proper operation against a targeted attack.

show abstract

Section: Related Researchmentioning

confidence: 99%

Development of Intellectual Network Forensic System LIFT against Targeted Attacks

Hashimoto¹,

Hiruma²,

Matsumoto³

et al. 2015

2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec)

View full text Add to dashboard Cite

show abstract

“…Data analytics is a relevant feature of a SIEM platform. As a subfield of AI, machine learning (ML) involves data-driven algorithms that support the decision-making process of SOC analysts in detecting network intrusions (Anumol, 2015 ). In the current literature, several research works propose innovative AI-based intrusion detection methodologies (Das et al, 2019 ; Singh A. et al, 2022 ; Alkhudaydi et al, 2023 ; Maci et al, 2023 , 2024 ; Park et al, 2023 ; Coscia et al, 2024 ).…”

Section: Introductionmentioning

confidence: 99%

A comprehensive investigation of clustering algorithms for User and Entity Behavior Analytics

Artioli,

Maci,

Magrì

2024

Front. Big Data

View full text Add to dashboard Cite

IntroductionGovernment agencies are now encouraging industries to enhance their security systems to detect and respond proactively to cybersecurity incidents. Consequently, equipping with a security operation center that combines the analytical capabilities of human experts with systems based on Machine Learning (ML) plays a critical role. In this setting, Security Information and Event Management (SIEM) platforms can effectively handle network-related events to trigger cybersecurity alerts. Furthermore, a SIEM may include a User and Entity Behavior Analytics (UEBA) engine that examines the behavior of both users and devices, or entities, within a corporate network.MethodsIn recent literature, several contributions have employed ML algorithms for UEBA, especially those based on the unsupervised learning paradigm, because anomalous behaviors are usually not known in advance. However, to shorten the gap between research advances and practice, it is necessary to comprehensively analyze the effectiveness of these methodologies. This paper proposes a thorough investigation of traditional and emerging clustering algorithms for UEBA, considering multiple application contexts, i.e., different user-entity interaction scenarios.Results and discussionOur study involves three datasets sourced from the existing literature and fifteen clustering algorithms. Among the compared techniques, HDBSCAN and DenMune showed promising performance on the state-of-the-art CERT behavior-related dataset, producing groups with a density very close to the number of users.

show abstract