Integrating Traffics with Network Device Logs for Anomaly Detection

Advanced cyberattacks are often featured by multiple types, layers, and stages, with the goal of cheating the monitors. Existing anomaly detection systems usually search logs or traffics alone for evidence of attacks but ignore further analysis about attack processes. For instance, the traffic detection methods can only detect the attack flows roughly but fail to reconstruct the attack event process and reveal the current network node status. As a result, they cannot fully model the complex multistage attack. To address these problems, we present Traffic-Log Combined Detection (TLCD), which is a multistage intrusion analysis system. Inspired by multiplatform intrusion detection techniques, we integrate traffics with network device logs through association rules. TLCD correlates log data with traffic characteristics to reflect the attack process and construct a federated detection platform. Specifically, TLCD can discover the process steps of a cyberattack attack, reflect the current network status, and reveal the behaviors of normal users. Our experimental results over different cyberattacks demonstrate that TLCD works well with high accuracy and low false positive rate.

[1]  Dawn Xiaodong Song,et al.  Pi: a path identification mechanism to defend against DDoS attacks , 2003, 2003 Symposium on Security and Privacy, 2003..

[2]  Jay Beale,et al.  Snort Intrusion Detection and Prevention Toolkit , 2007 .

[3]  M. Zontul,et al.  Anomaly Detection Using Data Mining Methods in IT Systems: A Decision Support Application , 2018, Sakarya University Journal of Science.

[4]  Matt Brown CS0 as an indicator of student risk for failure to complete a degree in computing , 2013 .

[5]  Luo Si,et al.  LEAPS: Detecting Camouflaged Attacks with Statistical Learning Guided by Program Analysis , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[6]  Fei Wang,et al.  HERCULE: attack story reconstruction via community discovery on correlated log graph , 2016, ACSAC.

[7]  Tatsuya Mori,et al.  Simple and Accurate Identification of High-Rate Flows by Packet Sampling , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[8]  Choon Lin Tan,et al.  A survey of phishing attacks: Their types, vectors and technical approaches , 2018, Expert Syst. Appl..

[9]  George Kesidis,et al.  Denial-of-service attack-detection techniques , 2006, IEEE Internet Computing.

[10]  Wenhua Huang,et al.  Identification Method of Attack Path Based on Immune Intrusion Detection , 2014, J. Networks.

[11]  Zhendong Su,et al.  Temporal search: detecting hidden malware timebombs with virtual machines , 2006, ASPLOS XII.

[12]  Mohammad Zulkernine,et al.  Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection , 2006, 2006 IEEE International Conference on Communications.

[13]  Gabriel Maciá-Fernández,et al.  Anomaly-based network intrusion detection: Techniques, systems and challenges , 2009, Comput. Secur..

[14]  Yingbing Yu,et al.  A survey of anomaly intrusion detection techniques , 2012 .

[15]  Elaine Shi,et al.  Portcullis: protecting connection setup from denial-of-capability attacks , 2007, SIGCOMM 2007.

[16]  Alejandro Zunino,et al.  An empirical comparison of botnet detection methods , 2014, Comput. Secur..

[17]  David G. Daut,et al.  Signature Based Spectrum Sensing Algorithms for IEEE 802.22 WRAN , 2007, 2007 IEEE International Conference on Communications.