Towards event aggregation for reducing the volume of logged events during IKC stages of APT attacks

Targeted attacks such as Advanced Persistent Threats (APTs) have become a major concern for many enterprise networks. A common countermeasure is to deploy a variety of security and non-security sensors at different lines of defense (network, host, and application) to track the attacker's behavior across the kill chain. A drawback of this approach is the huge volume of events raised by these heterogeneous sensors, which makes the logged events hard to analyze in later processing stages such as event correlation for timely APT detection. Some research has been published on event aggregation for reducing the volume of logged low-level events, but most of it aggregates events from a single, homogeneous source (e.g. a NIDS), and it focuses only on how much the event volume is reduced, whereas the amount of security information lost during aggregation matters just as much. In this paper, we propose a three-phase event aggregation method that reduces the volume of heterogeneous events logged during APT attacks while keeping the loss of security information as low as possible. First, the sensors' low-level events are clustered into groups of similar events; then noisy event clusters are filtered out; finally, the remaining clusters are summarized with an Attribute-Oriented Induction (AOI) method in a controllable manner, so that unimportant or duplicated events are collapsed. The method has been evaluated on three publicly available datasets: SotM34, Bryant, and LANL. The experimental results show that the method is efficient at event aggregation and can reduce the event volume by up to 99.7% with an acceptable information loss ratio (ILR).
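The three phases described above (cluster, drop noisy clusters, summarize the rest by Attribute-Oriented Induction) can be sketched end to end on a handful of constructed events. The following is an added example written for this page, not the paper's code: the abstract does not give the paper's clustering features, its noise criterion, its concept hierarchies or its exact ILR definition, so the clustering key (sensor + action), the noise rule (clusters below a minimum size), the hierarchies (host → /24 → /16 → ANY; port → service class → ANY; second → hour → day → ANY) and the depth-weighted loss metric are all stand-ins, marked as assumptions in the comments. What the example does show is the AOI mechanism itself: the attribute with the most distinct values is climbed one level at a time until a cluster fits within a caller-chosen number of rows, which is the "controllable" knob that trades volume reduction against information loss.

```python
"""Three-phase event aggregation sketch: cluster -> drop noise -> AOI summarize.
Added example, not the paper's code; events, keys, hierarchies and loss metric are assumed."""
import ipaddress
from collections import Counter, defaultdict

ATTRS = ["sensor", "src", "dst_port", "action", "ts"]


def ev(sensor, src, dst_port, action, ts):
    return dict(zip(ATTRS, (sensor, src, dst_port, action, ts)))


# Constructed events from four heterogeneous sensors (NIDS, host auth log,
# firewall, application) during a scan / brute-force phase.
EVENTS = [
    ev("nids", "10.0.1.17", 22,   "alert", "2021-03-01T09:13:05"),
    ev("nids", "10.0.1.18", 22,   "alert", "2021-03-01T09:13:09"),
    ev("nids", "10.0.1.19", 22,   "alert", "2021-03-01T09:14:21"),
    ev("nids", "10.0.1.17", 3389, "alert", "2021-03-01T09:20:00"),
    ev("nids", "10.0.1.17", 445,  "alert", "2021-03-01T09:22:40"),
    ev("nids", "10.0.2.5",  22,   "alert", "2021-03-01T10:02:11"),
    ev("host", "10.0.1.17", 22,   "login-fail", "2021-03-01T09:15:02"),
    ev("host", "10.0.1.17", 22,   "login-fail", "2021-03-01T09:15:06"),
    ev("host", "10.0.1.17", 22,   "login-fail", "2021-03-01T09:15:11"),
    ev("host", "10.0.1.18", 22,   "login-fail", "2021-03-01T09:16:40"),
    ev("fw",   "10.0.1.17", 443,  "allow", "2021-03-01T09:30:00"),
    ev("fw",   "10.0.1.17", 443,  "allow", "2021-03-01T09:31:00"),
    ev("app",  "10.0.1.17", 443,  "upload", "2021-03-01T09:40:00"),
]

# Concept hierarchies (assumed): each function returns the value's
# generalization chain from most specific to the root "ANY".
SERVICE = {22: "remote-admin", 3389: "remote-admin", 445: "file-share",
           80: "web", 443: "web"}


def ip_chain(ip):
    a = ipaddress.ip_address(ip)
    return [ip, str(ipaddress.ip_network(f"{a}/24", strict=False)),
            str(ipaddress.ip_network(f"{a}/16", strict=False)), "ANY"]


HIERARCHY = {
    "sensor": lambda v: [v, "ANY"],
    "src": ip_chain,
    "dst_port": lambda p: [p, SERVICE.get(p, "other"), "ANY"],
    "action": lambda v: [v, "ANY"],
    "ts": lambda t: [t, t[:13], t[:10], "ANY"],   # second -> hour -> day -> ANY
}


def generalize(attr, value, level):
    chain = HIERARCHY[attr](value)
    return chain[min(level, len(chain) - 1)]


def aoi_summarize(events, max_tuples):
    """Attribute-Oriented Induction: climb the hierarchy of the attribute with
    the most distinct values, one level at a time, until the cluster collapses
    to at most max_tuples distinct rows (the controllable threshold)."""
    levels = {a: 0 for a in ATTRS}
    depth = {a: len(HIERARCHY[a](events[0][a])) for a in ATTRS}

    def table():
        return Counter(tuple(generalize(a, e[a], levels[a]) for a in ATTRS)
                       for e in events)

    rows = table()
    while len(rows) > max_tuples:
        candidates = [a for a in ATTRS if levels[a] < depth[a] - 1]
        if not candidates:
            break
        distinct = {a: len({r[ATTRS.index(a)] for r in rows}) for a in candidates}
        levels[max(candidates, key=distinct.get)] += 1
        rows = table()
    return rows, levels


def information_loss(events, levels):
    """Assumed loss metric: each cell loses level/(depth-1) of its detail."""
    depth = {a: len(HIERARCHY[a](events[0][a])) for a in ATTRS}
    lost = sum(levels[a] / (depth[a] - 1) for _ in events for a in ATTRS)
    return lost, len(events) * len(ATTRS)


def aggregate(events, max_tuples=3, min_cluster_size=2):
    # Phase 1 (assumed key): group events that share sensor and action.
    clusters = defaultdict(list)
    for e in events:
        clusters[(e["sensor"], e["action"])].append(e)
    # Phase 2 (assumed rule): clusters below min_cluster_size are noise.
    kept = {k: v for k, v in clusters.items() if len(v) >= min_cluster_size}
    dropped = len(events) - sum(len(v) for v in kept.values())
    # Phase 3: AOI summary per cluster, tracking reduction and loss.
    rows, lost, cells, levels = [], 0.0, 0, {}
    for key, members in kept.items():
        summary, lv = aoi_summarize(members, max_tuples)
        rows += [(*r, n) for r, n in summary.items()]
        l, c = information_loss(members, lv)
        lost, cells, levels[key] = lost + l, cells + c, lv
    return {"rows": rows, "dropped": dropped, "levels": levels,
            "reduction": 1 - len(rows) / len(events),
            "ilr": lost / cells if cells else 0.0}


if __name__ == "__main__":
    res = aggregate(EVENTS)
    for row in res["rows"]:
        print(row)
    print(f"dropped={res['dropped']} reduction={res['reduction']:.3f} ilr={res['ilr']:.3f}")
```

On these 13 constructed events the NIDS cluster needs three generalization steps (timestamp to hour, source to /24, port to service class) before it fits in three rows, the host cluster needs only the timestamp step, and the firewall cluster needs none; the single application event is discarded as noise. Raising `max_tuples` lowers the ILR at the cost of more rows, which is exactly the trade-off the paper's "controllable" summarization exposes.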
