Visualization and Explanation of Payload-Based Anomaly Detection

Konrad Rieck, P. Laskov
DOI: 10.1109/EC2ND.2009.12 (https://doi.org/10.1109/EC2ND.2009.12)
Venue: 2009 European Conference on Computer Network Defense
Published: 2009-11-09
Citations: 9

Abstract

The threat posed by modern network attacks requires novel means for detection of intrusions, as regular signature-based systems fail to cope with the amount and diversity of attacks. Recently, several methods for detection of anomalies in network payloads have been proposed to counteract this threat and identify novel attacks during their initial propagation. However, intrusion detection systems must not only flag malicious events but also provide information needed for assessment of security incidents. Previous work on payload-based anomaly detection has largely ignored this need for explainable decisions. In this paper, we present instruments for visualization and explanation of anomaly detection which can guide the decisions of a security operator. In particular, we propose two techniques: feature differences, for identifying relevant string features of detected anomalies, and feature shading, for highlighting of anomalous contents in network payloads. Both techniques are empirically evaluated using real attacks and network traces, whereby their ability to emphasize typical patterns of attacks is demonstrated.