alert correlation
Recently Published Documents

Total documents: 135 (five years: 20). H-index: 17 (five years: 2).
Electronics, 2021, Vol 10 (17), pp. 2160
Author(s): Michael Heigl, Enrico Weigelt, Andreas Urmann, Dalibor Fiala, Martin Schramm

Future-oriented networking infrastructures are characterized by highly dynamic Streaming Data (SD) whose volume, speed and number of dimensions have increased significantly over the past couple of years, energized by trends such as Software-Defined Networking or Artificial Intelligence. As an essential core component of network security, Intrusion Detection Systems (IDS) help to uncover malicious activity. In particular, consecutively applied alert correlation methods can aid in mining attack patterns based on the alerts generated by IDS. However, most of the existing methods lack the functionality to deal with SD affected by the phenomenon called concept drift and are mainly designed to operate on the output from signature-based IDS. Although unsupervised Outlier Detection (OD) methods have the ability to detect yet unknown attacks, most of the alert correlation methods cannot handle the outcome of such anomaly-based IDS. In this paper, we introduce a novel framework called Streaming Outlier Analysis and Attack Pattern Recognition, denoted as SOAAPR, which is able to process the output of various online unsupervised OD methods in a streaming fashion to extract information about novel attack patterns. Three different privacy-preserving, fingerprint-like signatures are computed by SOAAPR from the clustered set of correlated alerts; they characterize and represent the potential attack scenarios with respect to their communication relations, their manifestation in the data's features and their temporal behavior. Beyond the recognition of known attacks, the derived signatures can be compared to find similarities between yet unknown and novel attack patterns. The evaluation, which is split into two parts, takes advantage of attack scenarios from the widely used and popular CICIDS2017 and CSE-CIC-IDS2018 datasets.
Firstly, the streaming alert correlation capability is evaluated on CICIDS2017 and compared to a state-of-the-art offline algorithm, called Graph-based Alert Correlation (GAC), which has the potential to deal with the outcome of anomaly-based IDS. Secondly, the three types of signatures are computed from attack scenarios in the datasets and compared to each other. The discussion of results, on the one hand, shows that SOAAPR can compete with GAC in terms of alert correlation capability across four different metrics and outperforms it significantly in terms of processing time by an average factor of 70 in 11 attack scenarios. On the other hand, in most cases, all three types of signatures seem to reliably characterize attack scenarios such that similar ones are grouped together, with up to 99.05% similarity between the FTP and SSH Patator attacks.
Keywords: intrusion detection; alert analysis; alert correlation; outlier detection; attack scenario; streaming data; network security


2021, Vol 2010 (1), pp. 012042
Author(s): Jianyi Liu, Wei Hu, Chan Wang, Jingwen Zhang, Yahao Zhang

Author(s): Riyad AM

Abstract: Intrusion detection systems are the last line of defence in the network security domain. Improving the performance of intrusion detection systems always increases false positives. This is a serious problem in the field of intrusion detection. In order to overcome this issue to a great extent, we propose a multi-level post-processing of intrusion alerts that eliminates false positives produced by the various intrusion detection systems in the network. For this purpose, the alerts are normalized first. Then, a preliminary alert filtration phase prioritizes the alerts and removes irrelevant alerts. The higher-priority alerts are then aggregated into a smaller number of hyper-alerts. In the final phase, alert correlation is performed and an alert correlation graph is constructed to find the causal relationships among the alerts, which further eliminates false positives. Experiments were conducted on the LLDOS 1.0 dataset to verify the approach and measure its accuracy.
Keywords: Intrusion detection system, alert prioritization, alert aggregation, alert correlation, LLDOS 1.0 dataset, alert correlation graph.


Author(s): Roberto Vasconcelos Melo, Douglas D. J. de Macedo, Diego Kreutz, Alessandra De Benedictis, Mauricio Martinuzzi Fiorenza

2021, pp. 29-40
Author(s): Chandan Singh Negi, Nisha Kumari, Pankaj Kumar, Siddhant Kumar Sinha

Author(s): Macarthy Osuo-Genseleke, Ojekudo Nathaniel

An Intrusion Detection System (IDS) produces a large number of alerts. Many large organizations deploy numerous IDSs in their network, generating an even larger quantity of these alerts, some of which are real or true alerts while several others are false positives. These alerts cause very severe complications for the IDS and make it difficult for security administrators to identify effective attacks and to carry out curative measures. Categorizing such alerts based on their level of attack is necessary to identify the most severe alerts and to minimize the time required for response. An improved hybridized model was developed to assess and reduce IDS alerts using the combination of the Genetic Algorithm (GA) and the Support Vector Machine (SVM) algorithm in a correlation framework. The model is subsequently referred to as the GA-SVM Alert Correlation (GASAC) model in this study. Our model was built using the object-oriented analysis and design software methodology and implemented in the Java programming language. Networked organizations will benefit from this study, since only real alerts will be reported, so that security procedures can be quickly implemented to protect the system from both interior and exterior attacks.


2020, Vol 26 (1)
Author(s): Ayei E. Ibor, Florence A. Oladeji, Olusoji B. Okunoye, Charles O. Uwadia

The prediction of cyberattacks has been a major concern in cybersecurity. This is due to the huge financial and resource losses incurred by organisations after a cyberattack. The emergence of new applications and disruptive technologies has come with new vulnerabilities, most of which are novel, with no immediate remediation available. Recent attack signatures are becoming evasive, deploying very complex techniques and algorithms to infiltrate a network, leading to unauthorized access and modification of system parameters and classified data. Although there exist several approaches to mitigating attacks, the challenges of using known attack signatures and modeled behavioural profiles of network environments still linger. Consequently, this paper discusses the use of unsupervised statistical and supervised deep learning techniques to predict attacks by mapping hyper-alerts to class labels of attacks. This enhances the processes of feature extraction and transformation, as a means of giving a structured interpretation of the dynamic profiles of a network.
Keywords: Alert correlation, Cyberattack prediction, Cybersecurity, Deep learning, Cyberattacks, Supervised and Unsupervised Learning
Vol. 26 No 1, June 2019
