A. Komadina, Ivan Kovačević, Bruno Štengl, S. Groš
Title: Detecting Anomalies in Firewall Logs Using Artificially Generated Attacks
Venue: 2023 17th International Conference on Telecommunications (ConTEL), published 2023-07-11
DOI: 10.1109/ConTEL58387.2023.10198912 (https://doi.org/10.1109/ConTEL58387.2023.10198912)
Citations: 1
Abstract
Detecting anomalies in large networks is a difficult task. Many recent works apply machine learning to the problem, but much of that work relies on synthetic or small datasets and evaluates only a few specific techniques. In this research, we analyze firewall logs obtained from an industrial control network used in a production environment, combined with generated anomalies that represent real attacker steps in the network. For unsupervised learning we compared results across different models, subsets of attributes, feature construction methods, scaling methods, and aggregation levels; for supervised learning we compared different classifiers at different aggregation levels. Our experiments showed that the unsupervised methods had difficulty detecting the injected anomalies, which indicates that the anomalies blend in well with the existing firewall logs. On the other hand, the injected anomalies provided labeled data, which allowed us to apply supervised learning methods, and these gave much better results.
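The abstract names the axes of the unsupervised experiments (aggregation level, feature construction, scaling) and the idea of injecting an attacker step into real firewall logs. The following is an added illustration of that pipeline, not the authors' code or data: it generates constructed ICS-style firewall log lines (assumed format "timestamp action src_ip dst_ip dst_port", assumed HMI and PLC addresses), injects one synthetic attacker step (a port sweep from a compromised HMI), aggregates lines per source host and time window, builds four features, scales them with a robust z-score, and reports where the injected window ranks under a simple norm-based unsupervised score at two aggregation levels. The injected lines are returned separately so they can serve as labels for a supervised follow-up.

```python
# Added illustration, not the paper's code: firewall log lines -> aggregation
# level -> feature construction -> scaling -> unsupervised scoring, on
# constructed data with one injected attacker step.
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

T0 = datetime(2023, 1, 1)
HMIS = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]                        # assumed HMI hosts
PLCS = [("10.0.2.20", 502), ("10.0.2.21", 502), ("10.0.2.22", 44818)]  # assumed PLC hosts/ports
# Assumed line format for this illustration:
# "<ISO timestamp> <ALLOW|DENY> <src_ip> <dst_ip> <dst_port>"


def generate_baseline(hours=6, seed=7):
    """Constructed benign traffic: each HMI polls PLCs on their fixed ports."""
    rng = random.Random(seed)
    lines = []
    for s in range(hours * 3600):
        ts = (T0 + timedelta(seconds=s)).isoformat()
        for hmi in HMIS:
            if rng.random() < 0.05:                        # ~3 polls/minute/HMI
                dst, port = rng.choice(PLCS)
                action = "DENY" if rng.random() < 0.01 else "ALLOW"
                lines.append(f"{ts} {action} {hmi} {dst} {port}")
    return lines


def inject_scan(lines, src="10.0.1.11", dst="10.0.2.21", start_s=3 * 3600, n_ports=20):
    """Injected attacker step: a compromised HMI sweeps n_ports ports on one PLC,
    one probe per second, all blocked by the firewall. Returns the merged log
    (sorted by timestamp) and the injected lines, which double as ground truth."""
    injected = []
    for i in range(n_ports):
        ts = (T0 + timedelta(seconds=start_s + i)).isoformat()
        injected.append(f"{ts} DENY {src} {dst} {1000 + i}")
    merged = sorted(lines + injected, key=lambda line: line.split()[0])
    return merged, injected


def parse(line):
    ts, action, src, dst, port = line.split()
    return datetime.fromisoformat(ts), action, src, dst, int(port)


def window_key(ts, src, window_s):
    return (src, int((ts - T0).total_seconds()) // window_s)


def aggregate(lines, window_s):
    """Aggregation level: one feature vector per (src_ip, window index)."""
    buckets = defaultdict(lambda: {"n": 0, "deny": 0, "ports": set(), "dsts": set()})
    for line in lines:
        ts, action, src, dst, port = parse(line)
        b = buckets[window_key(ts, src, window_s)]
        b["n"] += 1
        b["deny"] += action == "DENY"
        b["ports"].add(port)
        b["dsts"].add(dst)
    # Feature construction: volume, port fan-out, host fan-out, deny ratio.
    return {k: [b["n"], len(b["ports"]), len(b["dsts"]), b["deny"] / b["n"]]
            for k, b in buckets.items()}


def robust_scale(feats):
    """Scaling: per-feature robust z-score (median / MAD). A MAD of 0 (feature
    constant in most windows) leaves the raw deviation from the median."""
    keys = list(feats)
    scaled = {k: [] for k in keys}
    for j in range(len(feats[keys[0]])):
        col = [feats[k][j] for k in keys]
        med = median(col)
        mad = median([abs(x - med) for x in col])
        scale = 1.4826 * mad if mad > 0 else 1.0
        for k in keys:
            scaled[k].append((feats[k][j] - med) / scale)
    return scaled


def anomaly_scores(scaled):
    """Unsupervised score: Euclidean norm of the scaled feature vector."""
    return {k: sum(z * z for z in v) ** 0.5 for k, v in scaled.items()}


def injected_rank(lines, injected, window_s):
    """Rank (1 = most anomalous) of the window that holds the injected step."""
    scores = anomaly_scores(robust_scale(aggregate(lines, window_s)))
    ts, _, src, _, _ = parse(injected[0])
    ranked = sorted(scores, key=scores.get, reverse=True)
    return ranked.index(window_key(ts, src, window_s)) + 1


def run_experiment():
    """Rank of the injected window at a 1-minute and a 1-hour aggregation level."""
    lines, injected = inject_scan(generate_baseline())
    return {w: injected_rank(lines, injected, w) for w in (60, 3600)}


if __name__ == "__main__":
    print(run_experiment())
```

In this constructed setting the sweep dominates the port fan-out feature at both aggregation levels, so the detector ranks it first; the point of the example is the pipeline and its knobs (window size, feature set, scaling), not the outcome. Swapping in a slower scan, a larger benign traffic mix, or a smaller feature subset is how one would reproduce the paper's observation that well-integrated injected steps are hard for unsupervised scoring to separate.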