Title: An HDL Simulator with Direct Register Access for Improving Code Coverage
Venue: 2022 17th Asia Joint Conference on Information Security (AsiaJCIS)
Ryoichi Isawa, Nobuyuki Kanaya, Yoshitada Fujiwara, T. Takehisa, Hayato Ushimaru, Dai Arisue, Daisuke Makita, Satoshi Mimura, D. Inoue
Pub Date: 2022-07-01, DOI: 10.1109/AsiaJCIS57030.2022.00018
When debugging a DUT (Device Under Test) written in HDL (Hardware Description Language) code in simulation, code coverage is one of the most important evaluation metrics because it indicates how many unchecked statements remain in which bugs could be hidden. A typical random test-pattern generator is very easy to use for debugging; however, it can fail to obtain enough code coverage of DUTs because it provides no effective strategy for code coverage. In this paper, we propose an HDL simulator that improves the branch coverage of DUTs up to 100%. The key idea behind our simulator is to write values directly to the registers of the DUT in order to intentionally transfer the DUT's state machine to an unchecked state. This improves code coverage by executing the statements corresponding to that unchecked state. Our simulator uses an SMT (Satisfiability Modulo Theories) solver to obtain the values written to the registers from the condition (e.g., if and case) corresponding to the unchecked state. In our evaluation, we confirmed that our simulator obtained a branch coverage of 100% for each of three open-source IP (Intellectual Property) core modules. As a benchmark, we also ran a random test-pattern generator on those modules.
Title: Organizing Committee: AsiaJCIS 2022
Pub Date: 2022-07-01, DOI: 10.1109/asiajcis57030.2022.00007
Title: Bot-pelganger: Predict and Preserve Game Bots' Behavior
Yong-Seob Kim, H. Kim
Pub Date: 2022-07-01, DOI: 10.1109/AsiaJCIS57030.2022.00019
In most multiplayer online games, players must perform repetitive tasks (i.e., spec-up) to grow their characters. However, some users use illegal programs, “game bots,” to reach a high level fast or to gain cyber-money. Various methods have been proposed to identify game bots, but these methods have generalization issues because they use features that exist only in a specific game. Thus, we deliberately use common features that exist broadly across multiple datasets, such as ‘login’ or ‘exit’ events, to detect bots. Choosing such general events has merit from the applicability viewpoint; however, if we use only time- or space-related features, we fail to distinguish bots from normal users because too much of the bots' behavior patterns is omitted. To overcome this problem, we use a convolutional LSTM (ConvLSTM) model, superimpose users' behavioral histories over time, and record them as image sequences. When we find a user who shows highly self-similar behavior, we regard it as an unidentified bot and then update the stored behavior patterns for future use. As a result, the proposed model showed a high accuracy of 98% in classifying game bot users.
Title: Constructing a Network Graph of File Tracking Results Against Information Leakage
Tomohiko Yano, Hiroki Kuzuno, Kenichi Magata
Pub Date: 2022-07-01, DOI: 10.1109/AsiaJCIS57030.2022.00012
It is important for organizations to take measures against information leakage. Confidential files can be leaked through various channels, so a method is needed that prevents information leakage against a variety of threats. Some previous works have utilized differences in users' legitimate file access patterns; other works use strings from confidential files or the similarity between confidential files in the organization. However, the former works have difficulty detecting traitors and unintentional perpetrators, and the latter works are difficult to apply when confidential files are significantly transformed through encryption or encoding. Therefore, we need a method for discovering information leakage that is independent of both the subjects and the file transformation formats. In this paper, we present a novel method for file tracking and visualization that assists the discovery of information leakage. In our file tracking method, we track all user processes that read confidential files, and the files written by those processes. Tracking is therefore possible whoever manipulates the confidential files, and even when the data is heavily transformed from the original files. In our visualization method, we present the file tracking results in the form of a network graph. Based on the result of confidential file tracking, the flow of the network graph represents which process reads a confidential file and which file that process writes. Using our proposed network graph, it is possible to track events concisely even when a file is transformed into another file through multiple events. Additionally, to reduce the number of events that must be examined as potential information leakage, we prune the network graph based on past read and write events. Pruning the network graph is expected to improve visibility. In our experiment, we observed the resulting network graphs when files were moved and copied under two information leakage scenarios. Most of the results were visualized according to the scenario, and pruning the network graph reduced the vertices by 11.5 % and the edges by 7.3 %.
Title: Cryptanalysis and Discussion on Two Attribute-Based Encryption Schemes
Yi-Fan Tseng, Jheng-Jia Huang, Hao Yang, Tsung-Yu Chien, Chieh-Han Wu
Pub Date: 2022-07-01, DOI: 10.1109/AsiaJCIS57030.2022.00014
Attribute-based encryption (ABE), first conceptualized by Sahai and Waters in 2005, has developed into one of the most popular research topics in modern cryptography. Various variants of ABE have been designed and proposed in the literature, e.g., ABE supporting user/attribute revocation, pairing-free ABE, etc. In this work, we study two ABE schemes proposed by Sethia et al. and Guo et al., respectively, in 2001. We found that the scheme of Sethia et al. is insecure against collusion attacks, and that the scheme of Guo et al. fails to revoke a user. Therefore, in this manuscript, we review their schemes and give the corresponding cryptanalysis. In addition, we discuss the reasons for the attacks and possible improvements.
Title: Program Committee: AsiaJCIS 2022
Pub Date: 2022-07-01, DOI: 10.1109/asiajcis57030.2022.00008
Title: Reviewers: AsiaJCIS 2022
Pub Date: 2022-07-01, DOI: 10.1109/asiajcis57030.2022.00010
Title: SPOT: Analyzing IoT Ransomware Attacks using Bare Metal NAS Devices
Hiroki Yasui, Takahiro Inoue, Takayuki Sasaki, Rui Tanabe, K. Yoshioka, Tsutomu Matsumoto
Pub Date: 2022-07-01, DOI: 10.1109/AsiaJCIS57030.2022.00013
Ransomware attacks targeting Network Attached Storage (NAS) devices have maintained a steady presence in the threat landscape since 2019. Early research has analyzed the functionality of IoT ransomware, but its attack infrastructure and operation remain unrevealed. In this paper, we propose an attack observation system named SPOT, which uses popular bare metal NAS devices, QNAP, as a honeypot and malware sandbox to conduct an in-depth analysis of ransomware attacks. During the three-month observation with SPOT from September to November 2021, we observed, on average, 130 hosts per day accessing from the Internet that retrieved files from the storage and exploited the vulnerable services of the NAS devices, indicating that NAS devices are intensively targeted. Moreover, we obtained 39 eCh0raix samples from VirusTotal and executed them in the SPOT sandboxes. We identified six remote Onion proxy servers used to connect to the C&C server behind the TOR network to hide their locations. By redirecting the C&C connections to active proxy servers, we successfully observed two malware samples interacting with the C&C server, encrypting files in the infected NAS device, and leaving ransom notes. Two kinds of contact points for ransom payment were found in the ransom notes: instruction web pages and email addresses. While the email addresses were not reachable during the experiment, we could access the instruction website, which was hosted on the same TOR hidden service as the C&C server. We kept monitoring the instruction page, as one was created for each ransomware infection, and we even observed a “30% discount campaign” on ransom payments for a limited period. We observe that the degree of automation in the attack operation is much higher than in tailored and targeted ransomware attacks. While each successful ransom payment is limited to 0.03 BTC, the automated nature of the attacks would maximize the frequency of such successful cases.
Title: Lightweight Searchable Encryption with Small Clients on Edge Cloud
Ruizhong Du, Haoyu Jiang, Mingyue Li
Pub Date: 2022-07-01, DOI: 10.1109/AsiaJCIS57030.2022.00017
In view of the limited storage and computing power of the client and the high latency of interaction with the cloud platform in public key searchable encryption, we propose a new public key searchable encryption scheme, SE-EPOMFC, based on an edge cloud network. The scheme adopts a multi-cloud, multi-edge-node architecture. By delegating the generation of searchable ciphertexts, trapdoors and the general keyword set from the client to the edge node, the storage and computing overhead of the client is reduced. The edge network caches frequently searched hot data, and the client can search on the edge network, which reduces the traffic load on the backbone network and at the same time improves the response speed of the system. A filtering algorithm based on partially homomorphic encryption is designed to filter out completely mismatched tasks, which reduces the communication overhead between distributed systems and saves storage space for cloud services. The filtering algorithm can be computed in the ciphertext state, which shows that it is safe under collusion attacks by semi-trusted edge and cloud nodes. In addition, a distributed two-trapdoor public key cryptosystem is used to split the keys among multiple nodes. Through a subset decision-making mechanism, the relationship between keywords is represented by binary strings to realize multi-keyword search. The simulation results show that SE-EPOMFC saves 25.46% of the communication time in the case of task set matching degree II and 62.21% in the case of task set matching degree I.
Title: Security-Alert Screening with Oversampling Based on Conditional Generative Adversarial Networks
Samuel Ndichu, Tao Ban, Takeshi Takahashi, D. Inoue
Pub Date: 2022-07-01, DOI: 10.1109/AsiaJCIS57030.2022.00011
Imbalanced class distribution can cause information loss and missed/false alarms for deep learning and machine learning algorithms. The detection performance of traditional intrusion detection systems tends to degenerate due to the skewed class distribution caused by the uneven allocation of observations among different kinds of attacks. To combat class imbalance and improve network intrusion detection performance, we adopt the conditional generative adversarial network (CTGAN), which enables the generation of samples of specific classes of interest. CTGAN builds on the generative adversarial network (GAN) architecture to model tabular data and generate high-quality synthetic data by conditionally sampling rows from the generative model. Oversampling using CTGAN adds instances to the minority class so that the majority and minority classes have equal distribution. The generated security alerts are used to train classifiers that perform critical alert detection. The proposed scheme is evaluated on a real-world dataset collected from the security operation center of a large enterprise. The experimental results show that detection accuracy can be substantially improved when CTGAN is adopted to produce a balanced security-alert dataset. We believe the proposed CTGAN-based approach can cast new light on building effective systems for critical alert detection with reduced missed/false alarms.