Abstract
Cyber-attacks continue to increase worldwide, leading to significant loss or misuse of information assets. Most of the existing intrusion detection systems rely on per-packet inspection, a resource-consuming task in today's high-speed networks. A recent trend is to analyze netflows (or simply flows) instead of packets, a technique performed at a relatively low level that leads to high false alarm rates. Since analyzing raw data extracted from flows lacks the semantic information needed to discover attacks, a novel approach is introduced that uses contextual information to automatically identify and query possible semantic links between different types of suspicious activities extracted from flows. Time, location, and other contextual information mined from flows are applied to generate semantic links among alerts raised in response to suspicious flows. These semantic links are identified through an inference process on probabilistic semantic link networks (SLNs), which receive an initial prediction from a classifier that analyzes incoming flows. The SLNs are then queried at run-time to retrieve other relevant predictions. We show that our approach can be extended to detect unknown attacks in flows as variations of known attacks. An extensive validation of our approach has been performed with a prototype system on several benchmark datasets, yielding very promising results in detecting both known and unknown attacks.
| Original language | English (US) |
|---|---|
| Article number | 7562536 |
| Pages (from-to) | 207-223 |
| Number of pages | 17 |
| Journal | IEEE Transactions on Systems, Man, and Cybernetics: Systems |
| Volume | 48 |
| Issue number | 2 |
| DOIs | |
| State | Published - Feb 2018 |
| Externally published | Yes |
Keywords
- Context
- information security
- intrusion detection
- netflow
- network attacks
- semantic link network (SLN)
ASJC Scopus subject areas
- Software
- Control and Systems Engineering
- Human-Computer Interaction
- Computer Science Applications
- Electrical and Electronic Engineering