Detecting malicious authentication events trustfully

NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium Pub Date : 2018-04-23 DOI:10.1109/NOMS.2018.8406295

Georgios Kaiafas, Georgios Varisteas, S. Lagraa, R. State, Duy Cu Nguyen, Thorsten Ries, M. Ourdane

{"title":"Detecting malicious authentication events trustfully","authors":"Georgios Kaiafas, Georgios Varisteas, S. Lagraa, R. State, Duy Cu Nguyen, Thorsten Ries, M. Ourdane","doi":"10.1109/NOMS.2018.8406295","DOIUrl":null,"url":null,"abstract":"Anomaly detection on security logs is receiving more and more attention. Authentication events are an important component of security logs, and being able to produce trustful and accurate predictions minimizes the effort of cyber-experts to stop false attacks. Observed events are classified into Normal, for legitimate user behavior, and Malicious, for malevolent actions. These classes are consistently excessively imbalanced which makes the classification problem harder; in the commonly used Los Alamos dataset, the malicious class comprises only 0.00033% of the total. This work proposes a novel method to extract advanced composite features, and a supervised learning technique for classifying authentication logs trustfully; the models are Random Forest, LogitBoost, Logistic Regression, and ultimately Majority Voting which leverages the predictions of the previous models and gives the final prediction for each authentication event. We measure the performance of our experiments by using the False Negative Rate and False Positive Rate. In overall we achieve 0 False Negative Rate (i.e. no attack was missed), and on average a False Positive Rate of 0.0019.","PeriodicalId":19331,"journal":{"name":"NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"20","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NOMS.2018.8406295","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 20

Abstract

Anomaly detection on security logs is receiving more and more attention. Authentication events are an important component of security logs, and being able to produce trustful and accurate predictions minimizes the effort of cyber-experts to stop false attacks. Observed events are classified into Normal, for legitimate user behavior, and Malicious, for malevolent actions. These classes are consistently excessively imbalanced which makes the classification problem harder; in the commonly used Los Alamos dataset, the malicious class comprises only 0.00033% of the total. This work proposes a novel method to extract advanced composite features, and a supervised learning technique for classifying authentication logs trustfully; the models are Random Forest, LogitBoost, Logistic Regression, and ultimately Majority Voting which leverages the predictions of the previous models and gives the final prediction for each authentication event. We measure the performance of our experiments by using the False Negative Rate and False Positive Rate. In overall we achieve 0 False Negative Rate (i.e. no attack was missed), and on average a False Positive Rate of 0.0019.

查看原文本刊更多论文

信任地检测恶意身份验证事件

安全日志异常检测越来越受到人们的重视。身份验证事件是安全日志的重要组成部分，能够产生可信和准确的预测，可以最大限度地减少网络专家阻止虚假攻击的努力。观察到的事件分为正常(Normal)和恶意(Malicious)两类，前者代表合法用户行为，后者代表恶意行为。这些类总是极度不平衡，这使得分类问题更加困难;在常用的Los Alamos数据集中，恶意类仅占总数的0.00033%。本文提出了一种提取高级复合特征的新方法，并提出了一种可信分类认证日志的监督学习技术;这些模型是Random Forest、LogitBoost、Logistic Regression和最终的Majority Voting，后者利用之前模型的预测并给出每个身份验证事件的最终预测。我们使用假阴性率和假阳性率来衡量实验的性能。总的来说，我们实现了0假阴性率(即没有错过攻击)，平均假阳性率为0.0019。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium

自引率

0.00%

发文量