面向事件聚合,减少APT攻击IKC阶段的日志事件量

Ali Ahmadian Ramaki, A. G. Bafghi, Abbas Rasoolzadegan Barforoush
{"title":"面向事件聚合,减少APT攻击IKC阶段的日志事件量","authors":"Ali Ahmadian Ramaki, A. G. Bafghi, Abbas Rasoolzadegan Barforoush","doi":"10.22042/isecure.2023.319798.730","DOIUrl":null,"url":null,"abstract":"Nowadays, targeted attacks like Advanced Persistent Threats (APTs) has become one of the major concern of many enterprise networks. As a common approach to counter these attacks, security staff deploy a variety of security and non-security sensors at different lines of defense (Network, Host, and Application) to track the attacker's behaviors during their kill chain. However, one of the drawbacks of this approach is the huge amount of events raised by heterogeneous security and non-security sensors which makes it difficult to analyze logged events for later processing i.e. event correlation for timely detection of APT attacks. Till now, some research papers have been published on event aggregation for reducing the volume of logged low-level events. However, most research works have been provided a method to aggregate the events of a single-type and homogeneous event source i.e. NIDS. In addition, their main focus is only on the degree to which the event volume is reduced, while the amount of security information lost during the event aggregation process is also very important. In this paper, we propose a three-phase event aggregation method to reduce the volume of logged heterogeneous events during APT attacks considering the lowest rate of loss of security information. To this aim, at first, low-level events of the sensors are clustered into some similar event groups and then, after filtering noisy event clusters, the remained clusters are summarized based on an Attribute-Oriented Induction (AOI) method in a controllable manner to reduce the unimportant or duplicated events. The method has been evaluated on the three publicly available datasets: SotM34, Bryant, and LANL. The experimental results show that the method is efficient enough in event aggregation and can reduce events volume up to 99.7\\% with an acceptable level of information loss ratio (ILR).","PeriodicalId":436674,"journal":{"name":"ISC Int. J. Inf. Secur.","volume":"28 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Towards event aggregation for reducing the volume of logged events during IKC stages of APT attacks\",\"authors\":\"Ali Ahmadian Ramaki, A. G. Bafghi, Abbas Rasoolzadegan Barforoush\",\"doi\":\"10.22042/isecure.2023.319798.730\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Nowadays, targeted attacks like Advanced Persistent Threats (APTs) has become one of the major concern of many enterprise networks. As a common approach to counter these attacks, security staff deploy a variety of security and non-security sensors at different lines of defense (Network, Host, and Application) to track the attacker's behaviors during their kill chain. However, one of the drawbacks of this approach is the huge amount of events raised by heterogeneous security and non-security sensors which makes it difficult to analyze logged events for later processing i.e. event correlation for timely detection of APT attacks. Till now, some research papers have been published on event aggregation for reducing the volume of logged low-level events. However, most research works have been provided a method to aggregate the events of a single-type and homogeneous event source i.e. NIDS. In addition, their main focus is only on the degree to which the event volume is reduced, while the amount of security information lost during the event aggregation process is also very important. In this paper, we propose a three-phase event aggregation method to reduce the volume of logged heterogeneous events during APT attacks considering the lowest rate of loss of security information. To this aim, at first, low-level events of the sensors are clustered into some similar event groups and then, after filtering noisy event clusters, the remained clusters are summarized based on an Attribute-Oriented Induction (AOI) method in a controllable manner to reduce the unimportant or duplicated events. The method has been evaluated on the three publicly available datasets: SotM34, Bryant, and LANL. The experimental results show that the method is efficient enough in event aggregation and can reduce events volume up to 99.7\\\\% with an acceptable level of information loss ratio (ILR).\",\"PeriodicalId\":436674,\"journal\":{\"name\":\"ISC Int. J. Inf. Secur.\",\"volume\":\"28 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-09-29\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ISC Int. J. Inf. Secur.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.22042/isecure.2023.319798.730\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ISC Int. J. Inf. Secur.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.22042/isecure.2023.319798.730","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1

摘要

如今,像高级持续性威胁(apt)这样的针对性攻击已经成为许多企业网络关注的主要问题之一。作为对付这些攻击的常用方法,安全人员在不同的防线(网络、主机和应用程序)上部署各种安全和非安全传感器,以跟踪攻击者在杀伤链中的行为。然而,这种方法的缺点之一是由异构安全和非安全传感器产生的大量事件,这使得分析日志事件以供后期处理(即事件关联以及时检测APT攻击)变得困难。到目前为止,已经发表了一些关于事件聚合的研究论文,以减少记录的低级事件的数量。然而,大多数研究工作都提供了一种方法来聚合单一类型和同构事件源(即NIDS)的事件。此外,它们主要关注的是事件量减少的程度,而在事件聚合过程中丢失的安全信息的数量也非常重要。在本文中,我们提出了一种三相事件聚合方法,以减少APT攻击期间记录的异构事件的数量,同时考虑到最低的安全信息损失率。为此,首先将传感器的低级事件聚类成一些相似的事件组,然后在过滤有噪声的事件聚类后,基于面向属性的归纳(Attribute-Oriented Induction, AOI)方法以可控的方式对剩余的聚类进行总结,以减少不重要或重复的事件。该方法已经在三个公开可用的数据集上进行了评估:SotM34、Bryant和LANL。实验结果表明,该方法在事件聚合方面具有足够的效率,在可接受的信息失误率(ILR)水平下,可以将事件体积减少99.7%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Towards event aggregation for reducing the volume of logged events during IKC stages of APT attacks
Nowadays, targeted attacks like Advanced Persistent Threats (APTs) has become one of the major concern of many enterprise networks. As a common approach to counter these attacks, security staff deploy a variety of security and non-security sensors at different lines of defense (Network, Host, and Application) to track the attacker's behaviors during their kill chain. However, one of the drawbacks of this approach is the huge amount of events raised by heterogeneous security and non-security sensors which makes it difficult to analyze logged events for later processing i.e. event correlation for timely detection of APT attacks. Till now, some research papers have been published on event aggregation for reducing the volume of logged low-level events. However, most research works have been provided a method to aggregate the events of a single-type and homogeneous event source i.e. NIDS. In addition, their main focus is only on the degree to which the event volume is reduced, while the amount of security information lost during the event aggregation process is also very important. In this paper, we propose a three-phase event aggregation method to reduce the volume of logged heterogeneous events during APT attacks considering the lowest rate of loss of security information. To this aim, at first, low-level events of the sensors are clustered into some similar event groups and then, after filtering noisy event clusters, the remained clusters are summarized based on an Attribute-Oriented Induction (AOI) method in a controllable manner to reduce the unimportant or duplicated events. The method has been evaluated on the three publicly available datasets: SotM34, Bryant, and LANL. The experimental results show that the method is efficient enough in event aggregation and can reduce events volume up to 99.7\% with an acceptable level of information loss ratio (ILR).
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信