Detecting Anomalies in Firewall Logs Using Artificially Generated Attacks
A. Komadina, Ivan Kovačević, Bruno Štengl, S. Groš
2023 17th International Conference on Telecommunications (ConTEL), published 2023-07-11
DOI: 10.1109/ConTEL58387.2023.10198912 (https://doi.org/10.1109/ConTEL58387.2023.10198912)
Abstract. Detecting anomalies in large networks is often a difficult task. Many recent works apply machine learning techniques to this problem, but much of that work relies on synthetic or small datasets and uses only a few specific machine learning techniques. In this research, we analyze firewall logs obtained from an industrial control network used in a production environment, combined with generated anomalies that represent real attacker steps in the network. We compared the results of unsupervised learning across different models, subsets of attributes, feature construction methods, scaling methods, and aggregation levels, while the results of supervised learning were compared using different classifiers at different aggregation levels. Our experiments showed that the unsupervised learning methods struggled to detect the injected anomalies, which indicates that the anomalies blend well with the existing firewall logs. On the other hand, the injected anomalies made it possible to apply supervised learning methods, and these gave much better results.