Cyber Situation Awareness with Active Learning for Intrusion Detection

Intrusion detection has focused primarily on detecting cyberattacks at the event level. Because the volume of network data is very large and attacks make up only a small fraction of it, machine learning approaches have concentrated on improving accuracy and reducing false positives, which has frequently resulted in overfitting. In addition, the volume of intrusion detection alerts is large and creates fatigue in the human analyst who must review them. This research addresses the problems of event-level intrusion detection and of large alert volumes by applying active learning and cyber situation awareness. This paper reports the results of two experiments using the UNSW-NB15 dataset. The first experiment evaluated sampling approaches for querying the oracle as part of active learning, then trained a Random Forest classifier on the selected samples and evaluated its results. The second experiment applied cyber situation awareness by aggregating the detection results of the first experiment and calculating the probability that a computer system was part of a cyberattack. This research showed that moving the perspective from event-level alerts to the probability that a computer system was part of an attack improved detection accuracy and reduced the volume of alerts that a human analyst would need to review.
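The abstract describes two steps without giving their formulas: choosing which events to send to the oracle during active learning, and aggregating event-level detections into a per-host probability of attack involvement. The following Python is an added illustration, not code from the paper, and everything in it is assumed: the sample records are constructed, the query rule is plain uncertainty sampling (events scored closest to 0.5), and the aggregation rule is the mean classifier score per host. It shows the effect the abstract reports: a few borderline false positives on otherwise quiet hosts disappear when the view moves from events to hosts, and the analyst reviews one alert instead of five.

```python
"""Added example (not the paper's code): turning event-level classifier
scores into a per-host probability of attack involvement, and choosing
which events to send to the analyst (oracle) under uncertainty sampling.
The aggregation rule and the sample records are assumptions constructed
for illustration; the paper does not state its formula."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records: (host, event_id, classifier P(attack), true label).
# Labels would be unknown in practice; they are included only to measure precision.
EVENTS: List[Tuple[str, int, float, int]] = [
    ("10.0.0.5", 1, 0.92, 1),
    ("10.0.0.5", 2, 0.81, 1),
    ("10.0.0.5", 3, 0.55, 1),
    ("10.0.0.7", 4, 0.62, 0),  # one borderline false positive on a benign host
    ("10.0.0.7", 5, 0.08, 0),
    ("10.0.0.7", 6, 0.11, 0),
    ("10.0.0.9", 7, 0.49, 0),
    ("10.0.0.9", 8, 0.51, 0),
]


def event_level_alerts(events, threshold: float = 0.5) -> List[int]:
    """Event-level perspective: every event scoring at or above the threshold
    becomes an alert for the analyst to review."""
    return [eid for _, eid, p, _ in events if p >= threshold]


def host_attack_probability(events) -> Dict[str, float]:
    """Assumed aggregation rule: a host's probability of being part of an attack
    is the mean classifier score over all events observed on that host.
    A single high-scoring event on an otherwise quiet host is diluted, while
    a host with consistently suspicious events stays high."""
    scores = defaultdict(list)
    for host, _, p, _ in events:
        scores[host].append(p)
    return {host: sum(ps) / len(ps) for host, ps in scores.items()}


def host_level_alerts(events, threshold: float = 0.6) -> List[str]:
    """Situation-awareness perspective: one alert per host whose aggregated
    probability crosses the host threshold."""
    probs = host_attack_probability(events)
    return sorted(h for h, p in probs.items() if p >= threshold)


def uncertainty_sample(events, k: int = 2) -> List[int]:
    """Active-learning query selection: pick the k events whose score is
    closest to 0.5, i.e. the ones the classifier is least sure about, and
    send those to the oracle for labelling. Ties are broken by event id."""
    ranked = sorted(events, key=lambda r: (abs(r[2] - 0.5), r[1]))
    return [eid for _, eid, _, _ in ranked[:k]]


def compare_perspectives(events) -> Dict[str, float]:
    """Measure alert volume and precision under both perspectives."""
    label_of = {eid: y for _, eid, _, y in events}
    attacked_hosts = {h for h, _, _, y in events if y == 1}

    ev_alerts = event_level_alerts(events)
    ev_tp = sum(label_of[e] for e in ev_alerts)

    host_alerts = host_level_alerts(events)
    host_tp = sum(1 for h in host_alerts if h in attacked_hosts)

    return {
        "event_alerts": len(ev_alerts),
        "event_precision": ev_tp / len(ev_alerts) if ev_alerts else 0.0,
        "host_alerts": len(host_alerts),
        "host_precision": host_tp / len(host_alerts) if host_alerts else 0.0,
    }


if __name__ == "__main__":
    print("query these events first:", uncertainty_sample(EVENTS))
    print("host probabilities:", host_attack_probability(EVENTS))
    print(compare_perspectives(EVENTS))
```

The mean-score rule is deliberately simple so the dilution effect is visible; a deployment would pick the aggregation and the host threshold from the labelled data the oracle returns, and would revisit both as the active-learning loop retrains the classifier.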
