Jiaqi Kang, Huiran Yang, Y. Zhang, Yueyue Dai, Mengqi Zhan, Weiping Wang
{"title":"ActDetector:基于序列的网络攻击活动检测框架","authors":"Jiaqi Kang, Huiran Yang, Y. Zhang, Yueyue Dai, Mengqi Zhan, Weiping Wang","doi":"10.1109/ISCC55528.2022.9912824","DOIUrl":null,"url":null,"abstract":"The cyber security situation is not optimistic in recent years due to the rapid growth of security threats. What's more worrying is that threats are tending to be more sophis-ticated, which poses challenges to attack activity analysis. It is quite important for analysts to understand attack activities from a holistic perspective, rather than just pay attention to alerts. Currently, the attack activity analysis generally relies on human resources, which is a heavy workload for manual analysis. Besides, it's difficult to achieve high detection accuracy due to the missing and false-positive alerts. In this paper, we propose a new framework, ActDetector, to detect attack activities automatically from the raw Network Intrusion Detection System (NIDS) alerts, which will greatly reduce the workload of security analysts. We extract attack phase descriptions from alerts and embed attack activity descriptions to obtain their numerical expression. Finally, we use a temporal-sequence-based model to detect potential attack activities. We evaluate ActDetector with three datasets. Experimental results demonstrate that ActDetector can detect attack activities from the raw NIDS alerts with an average of 94.8% Precision, 95.0% Recall, and 94.6% F1-score.","PeriodicalId":309606,"journal":{"name":"2022 IEEE Symposium on Computers and Communications (ISCC)","volume":"42 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-06-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"ActDetector: A Sequence-based Framework for Network Attack Activity Detection\",\"authors\":\"Jiaqi Kang, Huiran Yang, Y. Zhang, Yueyue Dai, Mengqi Zhan, Weiping Wang\",\"doi\":\"10.1109/ISCC55528.2022.9912824\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The cyber security situation is not optimistic in recent years due to the rapid growth of security threats. What's more worrying is that threats are tending to be more sophis-ticated, which poses challenges to attack activity analysis. It is quite important for analysts to understand attack activities from a holistic perspective, rather than just pay attention to alerts. Currently, the attack activity analysis generally relies on human resources, which is a heavy workload for manual analysis. Besides, it's difficult to achieve high detection accuracy due to the missing and false-positive alerts. In this paper, we propose a new framework, ActDetector, to detect attack activities automatically from the raw Network Intrusion Detection System (NIDS) alerts, which will greatly reduce the workload of security analysts. We extract attack phase descriptions from alerts and embed attack activity descriptions to obtain their numerical expression. Finally, we use a temporal-sequence-based model to detect potential attack activities. We evaluate ActDetector with three datasets. Experimental results demonstrate that ActDetector can detect attack activities from the raw NIDS alerts with an average of 94.8% Precision, 95.0% Recall, and 94.6% F1-score.\",\"PeriodicalId\":309606,\"journal\":{\"name\":\"2022 IEEE Symposium on Computers and Communications (ISCC)\",\"volume\":\"42 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-06-30\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2022 IEEE Symposium on Computers and Communications (ISCC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ISCC55528.2022.9912824\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Symposium on Computers and Communications (ISCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCC55528.2022.9912824","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
ActDetector: A Sequence-based Framework for Network Attack Activity Detection
The cyber security situation is not optimistic in recent years due to the rapid growth of security threats. What's more worrying is that threats are tending to be more sophis-ticated, which poses challenges to attack activity analysis. It is quite important for analysts to understand attack activities from a holistic perspective, rather than just pay attention to alerts. Currently, the attack activity analysis generally relies on human resources, which is a heavy workload for manual analysis. Besides, it's difficult to achieve high detection accuracy due to the missing and false-positive alerts. In this paper, we propose a new framework, ActDetector, to detect attack activities automatically from the raw Network Intrusion Detection System (NIDS) alerts, which will greatly reduce the workload of security analysts. We extract attack phase descriptions from alerts and embed attack activity descriptions to obtain their numerical expression. Finally, we use a temporal-sequence-based model to detect potential attack activities. We evaluate ActDetector with three datasets. Experimental results demonstrate that ActDetector can detect attack activities from the raw NIDS alerts with an average of 94.8% Precision, 95.0% Recall, and 94.6% F1-score.