IT Intrusion Detection Using Statistical Learning and Testbed Measurements (2402.13081v1)

Published 20 Feb 2024 in cs.LG and cs.CR

Abstract: We study automated intrusion detection in an IT infrastructure, specifically the problem of identifying the start of an attack, the type of attack, and the sequence of actions an attacker takes, based on continuous measurements from the infrastructure. We apply statistical learning methods, including Hidden Markov Model (HMM), Long Short-Term Memory (LSTM), and Random Forest Classifier (RFC), to map sequences of observations to sequences of predicted attack actions. In contrast to most related research, we have abundant data to train the models and evaluate their predictive power. The data comes from traces we generate on an in-house testbed where we run attacks against an emulated IT infrastructure. Central to our work is a machine-learning pipeline that maps measurements from a high-dimensional observation space to a space of low dimensionality or to a small set of observation symbols. Investigating intrusions in offline as well as online scenarios, we find that both HMM and LSTM can be effective in predicting attack start time, attack type, and attack actions. If sufficient training data is available, LSTM achieves higher prediction accuracy than HMM. HMM, on the other hand, requires fewer computational resources and less training data for effective prediction. Also, we find that the methods we study benefit from data produced by traditional intrusion detection systems like SNORT.
