ActDetector: A Sequence-based Framework for Network Attack Activity Detection
Jiaqi Kang, Huiran Yang, Y. Zhang, Yueyue Dai, Mengqi Zhan, Weiping Wang
2022 IEEE Symposium on Computers and Communications (ISCC), published 2022-06-30
DOI: 10.1109/ISCC55528.2022.9912824 (https://doi.org/10.1109/ISCC55528.2022.9912824)
Citation count: 0
Abstract
The cyber security situation has not been optimistic in recent years due to the rapid growth of security threats. What is more worrying is that threats are becoming more sophisticated, which poses challenges to attack activity analysis. It is important for analysts to understand attack activities from a holistic perspective rather than just paying attention to individual alerts. Currently, attack activity analysis generally relies on human analysts, which imposes a heavy manual workload. Besides, it is difficult to achieve high detection accuracy because of missing and false-positive alerts. In this paper, we propose a new framework, ActDetector, to detect attack activities automatically from raw Network Intrusion Detection System (NIDS) alerts, which greatly reduces the workload of security analysts. We extract attack phase descriptions from alerts and embed the resulting attack activity descriptions to obtain a numerical representation. Finally, we use a temporal-sequence-based model to detect potential attack activities. We evaluate ActDetector on three datasets. Experimental results demonstrate that ActDetector can detect attack activities from raw NIDS alerts with an average of 94.8% Precision, 95.0% Recall, and 94.6% F1-score.