Unsupervised multi-stage attack detection framework without details on single-stage attacks

Jinmyeong Shin, Seok Hwan Choi, Peng Liu, Yoon Ho Choi

Research output: Contribution to journal › Article

Abstract

The majority of current network attacks are sophisticated multi-stage attacks, in which the overall attack is broken down into several single-stage attacks. Early multi-stage attack detection methods focused on describing a detection rule based on the sequence in which the single-stage attacks occur. That is, such works assumed that once details of single-stage attack behavior have been obtained from attack knowledge, attack semantics, or statistical analysis of attacks, detection rules can be generated from the possible sequences in which those stages occur. However, their practical use is limited by a high false-negative ratio when detecting multi-stage attacks that consist of diverse combinations of single-stage attacks spread over a long period of time. In this paper, we propose a new multi-stage attack detection framework that consists of a multi-stage attack detection rule generation phase and a multi-stage attack detection phase. By comparing incoming traffic against the generated multi-stage attack detection rules, various multi-stage attack patterns are detected without previously observed details of single-stage attack behavior. On the DARPA LLS DDoS dataset, we show that all possible multi-stage attack patterns are correctly detected. Also, on the CTU-13 datasets, which include a large volume of multi-stage attack patterns, we observe an F1-measure of up to 0.938.

Original language: English (US)
Pages (from-to): 811-825
Number of pages: 15
Journal: Future Generation Computer Systems
Volume: 100
ISSN: 0167-739X
DOI: 10.1016/j.future.2019.05.032
State: Published - Nov 1 2019
Scopus record: http://www.scopus.com/inward/record.url?scp=85066442931&partnerID=8YFLogxK

Fingerprint

  • Statistical methods
  • Semantics

All Science Journal Classification (ASJC) codes

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

@article{44f83fecbf494ea2915cbdf8b373425b,
title = "Unsupervised multi-stage attack detection framework without details on single-stage attacks",
author = "Jinmyeong Shin and Choi, {Seok Hwan} and Peng Liu and Choi, {Yoon Ho}",
year = "2019",
month = "11",
day = "1",
doi = "10.1016/j.future.2019.05.032",
language = "English (US)",
volume = "100",
pages = "811--825",
journal = "Future Generation Computer Systems",
issn = "0167-739X",
publisher = "Elsevier",

}
