Loading...
Publication
Clustering Dynamically-Defined NetFlow and Windows Event Features for Intrusion Detection
| Name: | Description: | Size: | Format: | |
|---|---|---|---|---|
| 3.17 MB | Adobe PDF |
Authors
Abstract(s)
Nos últimos anos, o mundo tem assistido a um aumento dramático dos ciberataques. O cenário de ameaças está a evoluir sem precedentes, deixando as organizações vulneráveis a ciberataques. Os sistemas de deteção de intrusões (SDIs) têm como objetivo proteger e monitorizar as redes ameaçadas. Os SDIs devem evoluir para defender os sistemas atuais de forma consistente e robusta.
O principal objetivo deste trabalho é mostrar as vantagens de incluir os eventos do Microsoft (MS) Windows (EMSW) nos SDIs atuais. Os EMSW fornecem uma representação aprofundada do comportamento das máquinas MS Windows. Este sistema implementa a extração dinâmica de características tanto do host como da rede. A única instrução definida pelo utilizador é o número total de características a extrair. Além disso, o sistema seleciona um conjunto fixo de características do host e da rede. O processo de clustering inclui três algoritmos que funcionam em simultâneo. O sistema também explora quatro métodos de deteção de anomalias para ultrapassar a dificuldade de detetar várias vítimas do mesmo ataque.
O sistema proposto é avaliado com um dataset artificial e público que contém ambos os tipos de dados. As métricas de avaliação obtidas são depois comparadas com abordagens semelhantes para demonstrar as vantagens da inclusão de EMSW no sistema. Os resultados mostram um aumento do F1-score de 3%, do recall de 5% e da mesma precisão em comparação com a abordagem com melhor desempenho. Os resultados alcançados pelo sistema proposto sublinham as contribuições oferecidas para a área dos SDIs.
In recent years, the world has witnessed a dramatic increase in cyberattacks. The threat landscape is evolving unprecedentedly, leaving organizations vulnerable to cyberattacks. Intrusion Detection Systems (IDS) aim to protect and monitor the threatened networks. IDSs must evolve faster than attackers to defend current systems consistently and robustly. The main goal of this work is to show the benefits of including Microsoft (MS) Windows Events (MSWEs) in current IDSs, taking advantage of the full range of data types. MSWEs provide an in-depth representation of the behaviour of MS Windows machines. This system implements the dynamic extraction of both host and network features. The only user-defined instruction for feature extraction is the total number of features to extract. In addition, the system selects a fixed set of host and network features. The clustering process comprises three clustering algorithms working simultaneously to detect outliers. The system also explores four methods for outlier detection to overcome the difficulty of detecting multiple victims in the same attack. The proposed system is then evaluated with a public artificial dataset containing both data types. The evaluation metrics achieved by the different outlier detection metrics are then compared to similar approaches to demonstrate the benefits of including MSWEs in the system. The results show an increase of the F-score by 3%, recall by 5%, and the same precision compared with the best-performing similar approach. The results achieved by the proposed system emphasise the contributions offered by this work to the field of IDSs.
In recent years, the world has witnessed a dramatic increase in cyberattacks. The threat landscape is evolving unprecedentedly, leaving organizations vulnerable to cyberattacks. Intrusion Detection Systems (IDS) aim to protect and monitor the threatened networks. IDSs must evolve faster than attackers to defend current systems consistently and robustly. The main goal of this work is to show the benefits of including Microsoft (MS) Windows Events (MSWEs) in current IDSs, taking advantage of the full range of data types. MSWEs provide an in-depth representation of the behaviour of MS Windows machines. This system implements the dynamic extraction of both host and network features. The only user-defined instruction for feature extraction is the total number of features to extract. In addition, the system selects a fixed set of host and network features. The clustering process comprises three clustering algorithms working simultaneously to detect outliers. The system also explores four methods for outlier detection to overcome the difficulty of detecting multiple victims in the same attack. The proposed system is then evaluated with a public artificial dataset containing both data types. The evaluation metrics achieved by the different outlier detection metrics are then compared to similar approaches to demonstrate the benefits of including MSWEs in the system. The results show an increase of the F-score by 3%, recall by 5%, and the same precision compared with the best-performing similar approach. The results achieved by the proposed system emphasise the contributions offered by this work to the field of IDSs.
Description
Keywords
Cibersegurança Aprendizagem Automática Sistema de Deteção de Intrusões Análise de Segurança NetFlow Logs Cybersecurity Machine learning Intrusion Detection System Security Analytics