Exploiting the Outcome of Outlier Detection for Novel Attack Pattern Recognition on Streaming Data


Bibliographic Details
Main Authors: Michael Heigl, Enrico Weigelt, Andreas Urmann, Dalibor Fiala, Martin Schramm
Format: Article
Language: English
Published: MDPI AG 2021-09-01
Series: Electronics
Online Access: https://www.mdpi.com/2079-9292/10/17/2160
DOI: 10.3390/electronics10172160
Volume/Article: Electronics 10, article 2160
Author Affiliations:
Michael Heigl: Department of Computer Science and Engineering, Faculty of Applied Sciences, University of West Bohemia, Technická 8, 301 00 Plzeň, Czech Republic
Enrico Weigelt: Institute ProtectIT, Faculty of Computer Science, Deggendorf Institute of Technology, Dieter-Görlitz-Platz 1, 94469 Deggendorf, Germany
Andreas Urmann: Institute ProtectIT, Faculty of Computer Science, Deggendorf Institute of Technology, Dieter-Görlitz-Platz 1, 94469 Deggendorf, Germany
Dalibor Fiala: Department of Computer Science and Engineering, Faculty of Applied Sciences, University of West Bohemia, Technická 8, 301 00 Plzeň, Czech Republic
Martin Schramm: Institute ProtectIT, Faculty of Computer Science, Deggendorf Institute of Technology, Dieter-Görlitz-Platz 1, 94469 Deggendorf, Germany
ISSN: 2079-9292
Description: Future-oriented networking infrastructures are characterized by highly dynamic Streaming Data (SD) whose volume, speed and number of dimensions increased significantly over the past couple of years, energized by trends such as Software-Defined Networking or Artificial Intelligence. As an essential core component of network security, Intrusion Detection Systems (IDS) help to uncover malicious activity. In particular, consecutively applied alert correlation methods can aid in mining attack patterns based on the alerts generated by IDS. However, most of the existing methods lack the functionality to deal with SD affected by the phenomenon called concept drift and are mainly designed to operate on the output from signature-based IDS. Although unsupervised Outlier Detection (OD) methods have the ability to detect yet unknown attacks, most of the alert correlation methods cannot handle the outcome of such anomaly-based IDS. In this paper, we introduce a novel framework called Streaming Outlier Analysis and Attack Pattern Recognition, denoted as SOAAPR, which is able to process the output of various online unsupervised OD methods in a streaming fashion to extract information about novel attack patterns. Three different privacy-preserving, fingerprint-like signatures are computed by SOAAPR from the clustered set of correlated alerts; they characterize and represent the potential attack scenarios with respect to their communication relations, their manifestation in the data's features and their temporal behavior. Beyond the recognition of known attacks, comparing derived signatures can be leveraged to find similarities between yet unknown and novel attack patterns. The evaluation, which is split into two parts, takes advantage of attack scenarios from the widely used and popular CICIDS2017 and CSE-CIC-IDS2018 datasets. Firstly, the streaming alert correlation capability is evaluated on CICIDS2017 and compared to a state-of-the-art offline algorithm, called Graph-based Alert Correlation (GAC), which has the potential to deal with the outcome of anomaly-based IDS. Secondly, the three types of signatures are computed from attack scenarios in the datasets and compared to each other. The discussion of results, on the one hand, shows that SOAAPR can compete with GAC in terms of alert correlation capability, leveraging four different metrics, and outperforms it significantly in terms of processing time by an average factor of 70 in 11 attack scenarios. On the other hand, in most cases, all three types of signatures seem to reliably characterize attack scenarios such that similar ones are grouped together, with up to 99.05% similarity between the FTP and SSH Patator attacks.
Subjects: intrusion detection; alert analysis; alert correlation; outlier detection; attack scenario; streaming data