ActDetector: A Sequence-based Framework for Network Attack Activity Detection

Jiaqi Kang, Huiran Yang, Y. Zhang, Yueyue Dai, Mengqi Zhan, Weiping Wang
{"title":"ActDetector: A Sequence-based Framework for Network Attack Activity Detection","authors":"Jiaqi Kang, Huiran Yang, Y. Zhang, Yueyue Dai, Mengqi Zhan, Weiping Wang","doi":"10.1109/ISCC55528.2022.9912824","DOIUrl":null,"url":null,"abstract":"The cyber security situation is not optimistic in recent years due to the rapid growth of security threats. What's more worrying is that threats are tending to be more sophis-ticated, which poses challenges to attack activity analysis. It is quite important for analysts to understand attack activities from a holistic perspective, rather than just pay attention to alerts. Currently, the attack activity analysis generally relies on human resources, which is a heavy workload for manual analysis. Besides, it's difficult to achieve high detection accuracy due to the missing and false-positive alerts. In this paper, we propose a new framework, ActDetector, to detect attack activities automatically from the raw Network Intrusion Detection System (NIDS) alerts, which will greatly reduce the workload of security analysts. We extract attack phase descriptions from alerts and embed attack activity descriptions to obtain their numerical expression. Finally, we use a temporal-sequence-based model to detect potential attack activities. We evaluate ActDetector with three datasets. Experimental results demonstrate that ActDetector can detect attack activities from the raw NIDS alerts with an average of 94.8% Precision, 95.0% Recall, and 94.6% F1-score.","PeriodicalId":309606,"journal":{"name":"2022 IEEE Symposium on Computers and Communications (ISCC)","volume":"42 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-06-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Symposium on Computers and Communications (ISCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCC55528.2022.9912824","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

The cyber security situation is not optimistic in recent years due to the rapid growth of security threats. What's more worrying is that threats are tending to be more sophis-ticated, which poses challenges to attack activity analysis. It is quite important for analysts to understand attack activities from a holistic perspective, rather than just pay attention to alerts. Currently, the attack activity analysis generally relies on human resources, which is a heavy workload for manual analysis. Besides, it's difficult to achieve high detection accuracy due to the missing and false-positive alerts. In this paper, we propose a new framework, ActDetector, to detect attack activities automatically from the raw Network Intrusion Detection System (NIDS) alerts, which will greatly reduce the workload of security analysts. We extract attack phase descriptions from alerts and embed attack activity descriptions to obtain their numerical expression. Finally, we use a temporal-sequence-based model to detect potential attack activities. We evaluate ActDetector with three datasets. Experimental results demonstrate that ActDetector can detect attack activities from the raw NIDS alerts with an average of 94.8% Precision, 95.0% Recall, and 94.6% F1-score.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
ActDetector:基于序列的网络攻击活动检测框架
近年来,网络安全形势不容乐观,安全威胁快速增长。更令人担忧的是,威胁越来越复杂,这给攻击活动分析带来了挑战。对于分析师来说,从整体角度理解攻击活动是非常重要的,而不仅仅是关注警报。目前,攻击活动分析一般依赖于人力资源,手工分析工作量较大。此外,由于漏报和误报报警的存在,很难达到较高的检测精度。在本文中,我们提出了一个新的框架,ActDetector,从原始网络入侵检测系统(NIDS)警报中自动检测攻击活动,这将大大减少安全分析人员的工作量。从警报中提取攻击阶段描述,嵌入攻击活动描述,得到攻击阶段描述的数值表达式。最后,我们使用基于时间序列的模型来检测潜在的攻击活动。我们用三个数据集评估ActDetector。实验结果表明,ActDetector可以从原始NIDS警报中检测出攻击活动,平均准确率为94.8%,召回率为95.0%,f1得分为94.6%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Convergence-Time Analysis for the HTE Link Quality Estimator OCVC: An Overlapping-Enabled Cooperative Computing Protocol in Vehicular Fog Computing Non-Contact Heart Rate Signal Extraction and Identification Based on Speckle Image Active Eavesdroppers Detection System in Multi-hop Wireless Sensor Networks A Comparison of Machine and Deep Learning Models for Detection and Classification of Android Malware Traffic
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1