Alert Correlation for Extracting Attack Strategies Authors: B. Zhu and A. A. Ghorbani Source: IJNS review paper Reporter: Chun-Ta Li ( 李俊達 )


2 Outline
 Introduction
 Proposed approach
 Test and evaluation
 Conclusions and future work
 Comments

3 Introduction (1/2)
 Security issues
   ▪ The number of incidents rapidly increased from 82,094 in 2002 to 137,529 in
   ▪ Attacks are getting more and more sophisticated.
   ▪ One of the solutions: intrusion detection systems (IDS)
 Intrusion detection systems
   ▪ Host-based and network-based (classified by data source)
   ▪ Problems: understanding attack behaviors; extracting attack strategies from the alerts; managing alerts manually is time-consuming and error-prone

4 Introduction (2/2)
 Alert correlation techniques
  Alert correlation based on feature similarity
   ▪ Based on the similarities of some selected features
   ▪ Ex. source IP address, target IP address, and port number
   ▪ Drawback: cannot discover the causal relationships between related alerts
  Alert correlation based on known scenarios
   ▪ Learned from training datasets using a data mining approach
   ▪ It can uncover the causal relationship of alerts
   ▪ Drawback: restricted to known situations
  Alert correlation based on prerequisite and consequence relationships
   ▪ Most alerts are not isolated, but related to different stages of attacks
   ▪ Drawback: it cannot correlate unknown attacks

5 Proposed approach (1/9)
 Overview
   ▪ To reveal the causal relationship among the alerts
   ▪ Automated construction of attack graphs
 Correlation engine (figure)
   ▪ Alerts → Alert Correlation Matrix (ACM), an n × n matrix over the n alert types
   ▪ Two classifiers, 1. Multi-Layer Perceptron (MLP) and 2. Support Vector Machine (SVM), decide for each pair of alerts: whether or not the two alerts should be correlated, and if yes, the probability with which they are correlated
   ▪ A group of correlated alerts → Algorithm 1 → a list of hyper-alerts → Algorithm 2 → attack graph (causal relationship among alerts)

6 Proposed approach (2/9)
 Alert Correlation Matrix (ACM)
   ▪ Cell: the temporal relationship between two alerts
   ▪ Each cell in the ACM holds a correlation weight, the correlation strength (Π)
   ▪ Backward correlation strength (Π_b): relates the current alert to the previous alert
   ▪ Forward correlation strength (Π_f): relates the current alert to the next alert
   (figure: n × n matrix with Π_b and Π_f entries for the previous, current and next alert)

7 Proposed approach (3/9)
 Feature selection
   ▪ Alert information: timestamp, source IP, destination IP, source port, destination port, type of the attack
   ▪ 6 features; each feature value is either 0 or 1, or a value between 0 and 1
   ▪ When the value of F6 is low → the two alerts are seldom correlated (Π_b is not reliable)
   ▪ When the value of F6 becomes large → the two alerts are frequently correlated (Π_b is reliable)

8 Proposed approach (4/9)
 Alert correlation using a Multi-Layer Perceptron (MLP)
   ▪ Inputs: the 6 feature values and a label
   ▪ Output: a value between 0 and 1 (the probability that the two alerts are correlated)
 Alert correlation using a Support Vector Machine (SVM)
   ▪ Inputs: the same inputs used for the MLP, with labels in bipolar format
   ▪ Output: a value between 0 and 1, obtained from
     -- the output of the conventional SVM (not a probability)
     -- the probabilistic output of the SVM [Platt, 1999]
     -- the cross-entropy error function [Platt, 1999]
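Added example (not code from the paper or the slides) of the SVM probability output cited above: Platt's sigmoid P(y=+1|f) = 1/(1+exp(A·f + B)) is fitted to constructed SVM decision values by minimising the cross-entropy error. The decision values, the labels and the plain gradient-descent solver are assumptions of this example.

```python
import math

# Constructed SVM decision values f(x) with class labels (+1 / -1): made-up numbers
# standing in for a trained SVM's raw, non-probabilistic output.
SVM_OUTPUTS = [(0.5, 1), (1.2, 1), (2.0, 1), (0.8, 1), (1.5, 1), (3.0, 1),
               (-0.7, -1), (-1.5, -1), (-2.2, -1), (-0.3, -1), (-1.0, -1), (-3.1, -1)]

def sigmoid_prob(f, A, B):
    """Platt's mapping from a decision value to P(y = +1 | f) = 1 / (1 + exp(A*f + B))."""
    return 1.0 / (1.0 + math.exp(A * f + B))

def platt_targets(labels):
    """Platt's smoothed targets t+ = (N+ + 1)/(N+ + 2), t- = 1/(N- + 2), which keep
    the fitted probabilities away from exactly 0 and 1 on separable data."""
    n_pos = sum(1 for y in labels if y == 1)
    n_neg = len(labels) - n_pos
    t_pos, t_neg = (n_pos + 1) / (n_pos + 2), 1 / (n_neg + 2)
    return [t_pos if y == 1 else t_neg for y in labels]

def cross_entropy(samples, A, B):
    """The error function being minimised: -sum(t*log p + (1-t)*log(1-p))."""
    ts = platt_targets([y for _, y in samples])
    total = 0.0
    for (f, _), t in zip(samples, ts):
        p = sigmoid_prob(f, A, B)
        total -= t * math.log(p) + (1 - t) * math.log(1 - p)
    return total

def fit_platt(samples, lr=0.5, iters=3000):
    """Fit (A, B) by gradient descent on the cross-entropy (Platt used a
    Newton-style solver; plain gradient descent is this example's simplification)."""
    fs = [f for f, _ in samples]
    ts = platt_targets([y for _, y in samples])
    A, B, n = 0.0, 0.0, len(samples)
    for _ in range(iters):
        ps = [sigmoid_prob(f, A, B) for f in fs]
        # dL/dA = sum((t - p) * f), dL/dB = sum(t - p); averaged over n for a stable step
        grad_a = sum((t - p) * f for f, p, t in zip(fs, ps, ts)) / n
        grad_b = sum(t - p for p, t in zip(ps, ts)) / n
        A -= lr * grad_a
        B -= lr * grad_b
    return A, B
```

With the fitted A < 0, larger decision values map to higher correlation probabilities, which is the value the ACM consumes instead of the raw SVM margin.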

9 Proposed approach (5/9)
 Comparison of MLP and SVM
  MLP:
   ▪ More accurate than SVM
   ▪ Slow training speed
   ▪ Over-fitting problem
  SVM:
   ▪ Produces precise probabilistic output
   ▪ Selected appropriate training patterns
  // The decision is made based on the outputs of both methods //

10 Proposed approach (6/9)
 Correlation process (Algorithm 1)
   ▪ Constructs the hyper-alert graph
   ▪ To give the network administrator an intrinsic view of attack scenarios
   ▪ Two thresholds: correlation threshold and correlation sensitivity

11 (figure only; the value 0.5 is the only text recovered from this slide)

12 Proposed approach (8/9)
 Generating the attack graph using the ACM (Algorithm 2)
   ▪ Represents different typical attack strategies
   ▪ Hyper-alert graph vs. attack graph: an attack graph can have cycles, a hyper-alert graph has no cycles
   ▪ Attack graphs are a more general representation of attack strategies
   ▪ Encodes the causal relationship among alerts
   ▪ The algorithm performs a horizontal search (over Π_f) in the ACM
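Added example (not the paper's own code) tying together the ACM of slides 5 and 6 with the horizontal-search attack graph of Algorithm 2 above. The alert stream, the heuristic standing in for the MLP/SVM probability, the pairing window and the mean-probability update rule are all assumptions of this example; a real deployment would feed the trained classifier's output into `update`.

```python
# Constructed alert stream (type, timestamp s, src IP, dst IP); names/addresses are made up.
ALERTS = [
    ("Scan", 0, "10.0.0.1", "172.16.1.5"),
    ("Exploit", 30, "10.0.0.1", "172.16.1.5"),
    ("Install", 60, "10.0.0.1", "172.16.1.5"),
    ("Launch", 90, "172.16.1.5", "172.16.1.9"),  # next step runs from the victim
    ("Scan", 400, "10.0.0.2", "172.16.1.6"),
    ("Exploit", 420, "10.0.0.2", "172.16.1.6"),
    ("Install", 450, "10.0.0.2", "172.16.1.6"),
    ("Noise", 470, "10.0.0.7", "172.16.1.8"),  # unrelated target
]
WINDOW = 300  # assumed candidate-pair window in seconds (not from the paper)

def pair_probability(prev, cur):
    """Stand-in for the trained MLP/SVM: P(cur is correlated with prev).
    Heuristic of this example: same target (or a pivot from it), decaying in time."""
    _, t1, _, dst1 = prev
    _, t2, src2, dst2 = cur
    same_chain = dst1 == dst2 or dst1 == src2
    return max(0.0, 1.0 - (t2 - t1) / WINDOW) if same_chain else 0.0

class ACM:
    """n x n matrix over alert types; cell (i, j) holds Pi_f(i -> j) as the mean
    classifier probability over observed pairs (assumed update rule)."""
    def __init__(self):
        self._sum, self._count = {}, {}
    def update(self, prev, cur, p):
        key = (prev[0], cur[0])
        self._sum[key] = self._sum.get(key, 0.0) + p
        self._count[key] = self._count.get(key, 0) + 1
    def forward(self, a, b):  # Pi_f: how strongly type a is followed by type b
        c = self._count.get((a, b), 0)
        return self._sum[(a, b)] / c if c else 0.0
    def backward(self, a, b):  # Pi_b: read from the transposed cell in this example
        return self.forward(b, a)
    def attack_graph(self, r=0.5):
        """Algorithm 2 in spirit: horizontal search of each row for Pi_f >= r.
        Nothing forbids both a -> b and b -> a, so the graph may contain cycles."""
        types = sorted({t for pair in self._count for t in pair})
        return {a: [b for b in types if self.forward(a, b) >= r] for a in types}

def build_acm(alerts, window=WINDOW):
    # Pair each alert with every earlier alert inside the window (assumed rule).
    acm = ACM()
    for i, cur in enumerate(alerts):
        for prev in alerts[:i]:
            if 0 <= cur[1] - prev[1] <= window:
                acm.update(prev, cur, pair_probability(prev, cur))
    return acm
```

Running `build_acm(ALERTS).attack_graph(0.5)` on the constructed stream yields the chain Scan → Exploit → Install → Launch (plus the transitive Scan → Install and Scan → Launch edges), while the unrelated Noise alert gets no incoming edge because its row-mean Π_f stays at 0.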

13 (figure only)

14 Test and evaluation (1/7)
 Experiment with the DARPA 2000 dataset [MIT Lincoln Laboratory]
   ▪ Two multistage attack scenarios: LLDOS1.0 and LLDOS2.0.2
 Alert log file [RealSecure IDS]
  LLDOS1.0 (924 alerts)
   ▪ Correlation process: correlation threshold r = 0.5, correlation sensitivity s = 0.1
   ▪ ACM contains 19 different types of alerts
  LLDOS2.0.2 (494 alerts)
   ▪ Correlation process: correlation threshold r = 0.5, correlation sensitivity s = 0.1
   ▪ ACM contains 17 different types of alerts

15 (figure only)

16 Test and evaluation (3/7)
 LLDOS 1.0 – Scenario One (figure)

17 Test and evaluation (4/7) (figure only)

18 Test and evaluation (5/7)
 LLDOS – Scenario Two (figure)

19 Test and evaluation (6/7) (figure only)

20 Test and evaluation (7/7)
 The attack strategies extracted from the intrusion alerts are similar to those of Ning et al. [Ning and Xu, 2003]
 The difference is that the proposed approach does not need a large number of predefined rules in order to correlate the alerts.
 The ACS adapts to the emergence of new attack patterns because new alerts are automatically added to the ACM.

21 Conclusions and future work
 This paper presents an alert correlation technique based on:
   ▪ Multilayer Perceptron (MLP)
   ▪ Support Vector Machine (SVM)
   ▪ Alert Correlation Matrix (ACM)
   ▪ Automatic extraction of attack strategies from alerts
 Future work
   ▪ Identifying more features for correlation
   ▪ Real-time correlation
   ▪ Recognizing variations of attack strategies
   ▪ Target recognition and risk assessment

22 Comments
 In this paper, the authors propose a new alert correlation technique that can automatically extract attack strategies from a large number of intrusion alerts, so that the administrator can study new countermeasures. Two neural network approaches are used to determine the causal relationship of two alerts: the Multilayer Perceptron (MLP) and the Support Vector Machine (SVM). Moreover, an Alert Correlation Matrix (ACM) is used to process and update the correlation strength of any two types of alerts. The evaluation results on the DARPA 2000 dataset show that the authors' approach performs similarly to previous research. The difference is that it does not need a large number of predefined rules for the alerts, and new alerts can be automatically added to the ACM for studying new attack strategies.
 My outlook
   ▪ More features
   ▪ The value of each label in MLP and SVM
   ▪ 18 training patterns
   ▪ SVM writing
   ▪ Efficiency and correlations
   ▪ 11 typos
 Evaluation of paper: Good
 Recommendation: Accept after minor revision