TY - JOUR
T1 - Unsupervised multi-stage attack detection framework without details on single-stage attacks
AU - Shin, Jinmyeong
AU - Choi, Seok Hwan
AU - Liu, Peng
AU - Choi, Yoon Ho
N1 - Author Biography:
Peng Liu received the B.S. and M.S. degrees from the University of Science and Technology of China and the Ph.D. degree from George Mason University, in 1999. He is a professor of information sciences and technology, founding director of the Center for Cyber-Security, Information Privacy, and Trust, and founding director of the Cyber Security Lab, Penn State University. His research interests include all areas of computer and network security. He has published a monograph and more than 260 refereed technical papers. His research has been sponsored by the US National Science Foundation, ARO, AFOSR, DARPA, DHS, DOE, AFRL, NSA, TTC, CISCO, and HP. He has served on more than 100 program committees and reviewed papers for numerous journals. He received the DOE Early Career Principal Investigator Award. He has co-led the effort to make Penn State an NSA-certified National Center of Excellence in Information Assurance Education and Research. He has advised or co-advised more than 30 Ph.D. dissertations to completion. He is a member of the IEEE.
Funding Information:
This work was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning, Republic of Korea (NRF-2018R1D1A3B07043392) and by the Information Technology Research Center (ITRC) support program (2014-1-00743) supervised by the Institute for Information & communications Technology Promotion (IITP), Republic of Korea. Peng Liu was supported by NSF CNS-1814679, ARO W911NF-13-1-0421 (MURI), and ARO W911NF-15-1-0576. The authors declared that they had no conflicts of interest with respect to their authorship or the publication of this article.
PY - 2019/11
Y1 - 2019/11
AB - The majority of current network attacks are sophisticated multi-stage attacks, in which the overall attack is broken down into several single-stage attacks. Early multi-stage attack detection methods focused on describing a detection rule based on the occurrence sequence of the single-stage attacks. That is, such works assumed that once details of single-stage attack behavior are obtained from attack knowledge, attack semantics or attack statistical analysis, detection rules can be generated from the possible occurrence sequences of those stages. However, their practical usage is limited by a high false negative rate when detecting multi-stage attacks that consist of diverse combinations of single-stage attacks spread over a long time period. In this paper, we propose a new multi-stage attack detection framework consisting of a multi-stage attack detection rule generation phase and a multi-stage attack detection phase. By comparing incoming traffic with the generated multi-stage attack detection rules, various multi-stage attack patterns are detected without pre-observed details of single-stage attack behavior. On the DARPA LLS DDoS dataset, we show that all possible multi-stage attack patterns are correctly detected. On datasets from CTU-13, which include a large volume of multi-stage attack patterns, we observe a maximum F1-measure of 0.938.
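To make the limitation stated in the abstract concrete, the following is an added Python example; it is not code from the paper or its authors. It groups constructed single-stage attack events per source host and evaluates two hypothetical rule styles: a fixed occurrence-sequence rule of the kind the early methods describe, and an order-insensitive rule that only counts distinct known stages inside a time window. The stage labels, hosts, timestamps, `FIXED_RULE`, `STAGE_VOCAB`, and the `window` and `min_stages` parameters are all assumptions; the windowed variant illustrates why a fixed sequence produces false negatives on varied stage combinations and does not reproduce the rule-generation phase of the paper's framework.

```python
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, source_host, single_stage_label).
# The stage labels are hypothetical and are not taken from the DARPA LLS DDoS
# or CTU-13 datasets named in the abstract.
EVENTS = [
    # attacker A: textbook order, matches the fixed rule
    (100, "10.0.0.5", "scan"),
    (160, "10.0.0.5", "exploit"),
    (220, "10.0.0.5", "install"),
    (300, "10.0.0.5", "ddos"),
    # attacker B: different combination and order of single-stage attacks
    (100, "10.0.0.9", "exploit"),
    (150, "10.0.0.9", "scan"),
    (400, "10.0.0.9", "ddos"),
    # attacker C: same stages as B, spread over a long period
    (100, "10.0.0.11", "scan"),
    (2000, "10.0.0.11", "exploit"),
    (5000, "10.0.0.11", "ddos"),
    # benign-looking host: a single scan
    (100, "10.0.0.7", "scan"),
]

# Hypothetical vocabulary of known single-stage attacks and a fixed
# occurrence-sequence rule of the kind the early detection methods use.
STAGE_VOCAB = {"scan", "exploit", "install", "ddos"}
FIXED_RULE = ["scan", "exploit", "install", "ddos"]


def stages_by_host(events):
    """Group events per source host, ordered by time."""
    by_host = defaultdict(list)
    for ts, host, stage in sorted(events):
        by_host[host].append((ts, stage))
    return dict(by_host)


def match_fixed_sequence(stages, rule):
    """Fixed-order rule: every stage of `rule` must appear as a subsequence, in order."""
    i = 0
    for _, stage in stages:
        if i < len(rule) and stage == rule[i]:
            i += 1
    return i == len(rule)


def match_stage_count(stages, vocab, min_stages, window):
    """Order-insensitive rule: at least `min_stages` distinct known stages within `window` seconds."""
    for k, (t0, _) in enumerate(stages):
        seen = {s for t, s in stages[k:] if t - t0 <= window and s in vocab}
        if len(seen) >= min_stages:
            return True
    return False


def detect(events, window=600, min_stages=3):
    """Return, per host, the verdict of both rule styles."""
    return {
        host: {
            "fixed": match_fixed_sequence(stages, FIXED_RULE),
            "windowed": match_stage_count(stages, STAGE_VOCAB, min_stages, window),
        }
        for host, stages in stages_by_host(events).items()
    }


if __name__ == "__main__":
    for host, verdict in detect(EVENTS).items():
        print(host, verdict)
```

Host 10.0.0.9 is missed by the fixed rule because its stages arrive in a different order and combination, while host 10.0.0.11, which spreads the same stages over a long period, is missed by both rules: widening `window` catches it but also enlarges the amount of unrelated activity that qualifies, which is the trade-off behind the abstract's remark about long time periods.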
UR - http://www.scopus.com/inward/record.url?scp=85066442931&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85066442931&partnerID=8YFLogxK
U2 - 10.1016/j.future.2019.05.032
DO - 10.1016/j.future.2019.05.032
M3 - Article
AN - SCOPUS:85066442931
VL - 100
SP - 811
EP - 825
JO - Future Generation Computer Systems
JF - Future Generation Computer Systems
SN - 0167-739X
ER -