Title: Poster Abstract: An Unsupervised Two-Layer Multi-Step Network Attack Detector
Authors: Su Wang, Zhiliang Wang, Xia Yin, Xingang Shi
DOI: 10.1109/INFOCOMWKSHPS50562.2020.9163041 (https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9163041)
Published in: IEEE INFOCOM 2020 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)
Publication date: 2020-07-01
Citations: 0
Abstract
Nowadays, attackers tend to complete a cyber attack in several steps; such a multi-step network attack differs from the traditional network attack. Many studies of multi-step attack detection use the alerts of a rule-based intrusion detection system (IDS) as their data source, yet a rule-based IDS relies heavily on its rule set. It is hard for an IDS rule set to detect every anomalous behavior, and once some attack steps raise no alert, the subsequent multi-step attack detection is affected. In this poster, we present a novel unsupervised two-layer multi-step attack detector. In the first layer, we propose Dynamic Threshold Time Decay Frequent Item Mining to detect the steps for which the IDS generates no alert; in the second layer, we use a Heuristic Alarm Clustering method to detect the multi-step attack scenario. Evaluation on the IDS2012 dataset shows that our detector significantly reduces the false negative rate (FNR) of the Suricata IDS.