基于异常的入侵检测的模块化日志数据分析管道

Digital Threats: Research and Practice Pub Date : 2022-10-10 DOI:10.1145/3567675

Max Landauer, Markus Wurzenberger, Florian Skopik, Wolfgang Hotwagner, Georg Höld

{"title":"基于异常的入侵检测的模块化日志数据分析管道","authors":"Max Landauer, Markus Wurzenberger, Florian Skopik, Wolfgang Hotwagner, Georg Höld","doi":"10.1145/3567675","DOIUrl":null,"url":null,"abstract":"Cyber attacks are omnipresent and their rapid detection is crucial for system security. Signature-based intrusion detection monitors systems for attack indicators and plays an important role in recognizing and preventing such attacks. Unfortunately, it is unable to detect new attack vectors and may be evaded by attack variants. As a solution, anomaly detection employs techniques from machine learning to detect suspicious log events without relying on predefined signatures. While visibility of attacks in network traffic is limited due to encryption of network packets, system log data is available in raw format and thus allows fine-granular analysis. However, system log processing is difficult as it involves different formats and heterogeneous events. To ease log-based anomaly detection, we present the AMiner, an open-source tool in the AECID toolbox that enables fast log parsing, analysis, and alerting. In this article, we outline the AMiner’s modular architecture and demonstrate its applicability in three use-cases.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"68 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":"{\"title\":\"AMiner: A Modular Log Data Analysis Pipeline for Anomaly-based Intrusion Detection\",\"authors\":\"Max Landauer, Markus Wurzenberger, Florian Skopik, Wolfgang Hotwagner, Georg Höld\",\"doi\":\"10.1145/3567675\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Cyber attacks are omnipresent and their rapid detection is crucial for system security. Signature-based intrusion detection monitors systems for attack indicators and plays an important role in recognizing and preventing such attacks. Unfortunately, it is unable to detect new attack vectors and may be evaded by attack variants. As a solution, anomaly detection employs techniques from machine learning to detect suspicious log events without relying on predefined signatures. While visibility of attacks in network traffic is limited due to encryption of network packets, system log data is available in raw format and thus allows fine-granular analysis. However, system log processing is difficult as it involves different formats and heterogeneous events. To ease log-based anomaly detection, we present the AMiner, an open-source tool in the AECID toolbox that enables fast log parsing, analysis, and alerting. In this article, we outline the AMiner’s modular architecture and demonstrate its applicability in three use-cases.\",\"PeriodicalId\":202552,\"journal\":{\"name\":\"Digital Threats: Research and Practice\",\"volume\":\"68 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-10-10\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Digital Threats: Research and Practice\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3567675\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Digital Threats: Research and Practice","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3567675","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

摘要

网络攻击无处不在，其快速检测对系统安全至关重要。基于签名的入侵检测是对系统攻击指标的监控，在识别和防范此类攻击中起着重要作用。不幸的是，它无法检测到新的攻击向量，并且可能被攻击变体所逃避。作为一种解决方案，异常检测采用机器学习技术来检测可疑日志事件，而不依赖于预定义签名。由于对网络数据包进行了加密，网络流量中的攻击可见性受到限制，但系统日志数据以原始格式提供，因此可以进行细粒度分析。然而，系统日志处理是困难的，因为它涉及不同的格式和异构事件。为了简化基于日志的异常检测，我们提供了AMiner，这是AECID工具箱中的一个开源工具，支持快速日志解析、分析和警报。在本文中，我们概述了AMiner的模块化体系结构，并演示了它在三个用例中的适用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

AMiner: A Modular Log Data Analysis Pipeline for Anomaly-based Intrusion Detection

Cyber attacks are omnipresent and their rapid detection is crucial for system security. Signature-based intrusion detection monitors systems for attack indicators and plays an important role in recognizing and preventing such attacks. Unfortunately, it is unable to detect new attack vectors and may be evaded by attack variants. As a solution, anomaly detection employs techniques from machine learning to detect suspicious log events without relying on predefined signatures. While visibility of attacks in network traffic is limited due to encryption of network packets, system log data is available in raw format and thus allows fine-granular analysis. However, system log processing is difficult as it involves different formats and heterogeneous events. To ease log-based anomaly detection, we present the AMiner, an open-source tool in the AECID toolbox that enables fast log parsing, analysis, and alerting. In this article, we outline the AMiner’s modular architecture and demonstrate its applicability in three use-cases.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Digital Threats: Research and Practice

自引率

0.00%

发文量