Techniques for Improving Host-based Anomaly Detection Performance using Attack Event Types and Occurrence Frequencies (공격 이벤트 유형과 발생 빈도를 활용한 호스트 기반 이상 탐지 성능 향상 기법)

Juyeon Lee (이주연); Daeseon Choi (최대선); Seung-Hyun Kim (김승현)

doi:10.9708/jksci.2023.28.11.089

Techniques for Improving Host-based Anomaly Detection Performance using Attack Event Types and Occurrence Frequencies

Journal of The Korea Society of Computer and Information
Abbr : JKSCI
2023, 28(11), pp.89-101
DOI : 10.9708/jksci.2023.28.11.089
Publisher : The Korean Society Of Computer And Information
Research Area : Engineering > Computer Science
Received : September 13, 2023
Accepted : November 15, 2023
Published : November 30, 2023

Juyeon Lee ¹, Daeseon Choi ², Seung-Hyun Kim ¹

¹한국교원대학교
²숭실대학교

Accredited

ABSTRACT

In order to prevent damages caused by cyber-attacks on nations, businesses, and other entities, anomaly detection techniques for early detection of attackers have been consistently researched. Real-time reduction and false positive reduction are essential to promptly prevent external or internal intrusion attacks. In this study, we hypothesized that the type and frequency of attack events would influence the improvement of anomaly detection true positive rates and reduction of false positive rates. To validate this hypothesis, we utilized the 2015 login log dataset from the Los Alamos National Laboratory. Applying the preprocessed data to representative anomaly detection algorithms, we confirmed that using characteristics that simultaneously consider the type and frequency of attack events is highly effective in reducing false positives and execution time for anomaly detection.

KEYWORDS

Anomaly Detection, LANL2015, HBOS, Feature extraction, Logon Type

Citation status

* References for papers published after 2023 are currently being built.

[journal] 박상민 / 2017 / Study On Identifying Cyber Attack Classification Through The Analysis of Cyber Attack Intention / 정보보호학회논문지 / 한국정보보호학회 27(1) : 103~113

[other] Ministry of SMEs and Startups / 2022 / 2022 Survey on the State of Technology Protection in Small and Medium-sized Enterprises

[other] Min Seonhee / 2023 / Virtual Currency Exchange 'GDAC' Hit by Hacking, 23% of Custodial Assets Stolen / Yonhap News

[report] Sonicwall / 2023 Sonicwall Cyber Threat Report

[journal] Fatma Hachmi / 2019 / Enhancing the Accuracy of Intrusion Detection Systems by Reducing the Rates of False Positives and False Negatives Through Multi-objective Optimization / Journal of Network and Systems Management / Springer Science and Business Media LLC 27(1) : 93~120

[other] A. D. Kent / 2015 / Comprehensive, multi-source cyber-security events data set / Los Alamos National Lab

[journal] 임선영 / 2022 / A Featurization Method to Improve Anomaly Detection Performance Using Login Logs / 한국통신학회논문지 / 한국통신학회 47(1) : 58~65

[journal] Xiaohong Guan / 2009 / Fast intrusion detection based on a non-negative matrix factorization model / Journal of Network and Computer Applications / Elsevier BV 32(1) : 31~44

[thesis] G. Tandon / 2008 / Machine learning for host-based anomaly detection / PhD / Florida Institute of Technology

[confproc] Y. Qing / 2010 / An Intrusion Detection Approach Based on System Call Sequences and Rules Extraction / 2010 2nd International Conference on E-business and Information System Security : 1~4

[journal] Ding Yuxin / 2011 / Feature representation and selection in malicious code detection methods based on static system calls / Computers & Security / Elsevier BV 30(6-7) : 514~524

[journal] Miao Xie / 2014 / Evaluating Host-Based Anomaly Detection Systems: Application of the Frequency-Based Algorithms to ADFA-LD / Network and System Security / Springer International Publishing : 542~549

[journal] Junaid Arshad / 2013 / A novel intrusion severity analysis approach for Clouds / Future Generation Computer Systems / Elsevier BV 29(1) : 416~428

[journal] Wael Khreich / 2018 / Combining heterogeneous anomaly detectors for improved software security / Journal of Systems and Software / Elsevier BV 137 : 415~429

[journal] Dit-Yan Yeung / 2003 / Host-based intrusion detection using dynamic and static behavioral models / Pattern Recognition / Elsevier BV 36(1) : 229~243

[journal] Darren Mutz / 2006 / Anomalous system call detection / ACM Transactions on Information and System Security / Association for Computing Machinery (ACM) 9(1) : 61~93

[journal] 윤지영 / 2021 / An Interpretable Log Anomaly System Using Bayesian Probability and Closed Sequence Pattern Mining / 인터넷정보학회논문지 / 한국인터넷정보학회 22(2) : 77~87

[journal] Yann LeCun / 2015 / Deep learning / Nature / Springer Science and Business Media LLC 521(7553) : 436~444

[confproc] D. Kwon / 2018 / An Empirical Study on Network Anomaly Detection Using Convolutional Neural Networks / ICDSC : 595~1598

[journal] S. Lv / 2018 / Intrusion Prediction With System-Call Sequence-to-Sequence Model / IEEE Access 6 : 71413~71421

[journal] Czangyeob Kim / 2021 / Intrusion Detection Based on Sequential Information Preserving Log Embedding Methods and Anomaly Detection Algorithms / IEEE Access / Institute of Electrical and Electronics Engineers (IEEE) 9 : 58088~58101

[journal] Sang-Hyun. Oh / 2000 / Anomaly Detection based on Clustering User's Behaviors / The transactions of the Korea Information Processing Society 7(8) : 2411~2420

[confproc] G. Kaiafas / 2018 / Detecting malicious authentication events trustfully / NOMS : 1~6

[thesis] E. Aghaei / 2017 / Machine Learning for Host-based Misuse and Anomaly Detection in UNIX Environment / PhD / University of Toledo

[confproc] H. Siadati / 2017 / Detecting structurally anomalous logins within enterprise networks / Proceedings of the 2017ACM SIGSAC Conference on Computer and Communications Security : 273~1284

[confproc] Q. Liu / 2018 / Latte: Large-Scale Lateral Movement Detection / MILCOM : 1~6

[thesis] M. Meijerink / 2019 / Anomaly-based detection of lateral movement in a microsoft windows environment / Master’s / University of Twente

[journal] Elham Besharati / 2018 / LR-HIDS: logistic regression host-based intrusion detection system for cloud environments / Journal of Ambient Intelligence and Humanized Computing / Springer Science and Business Media LLC 10(9) : 3669~3692

[journal] Brian A. Powell / 2020 / Detecting malicious logins as graph anomalies / Journal of Information Security and Applications / Elsevier BV 54 : 102557~

[journal] Gideon Creech / 2014 / A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguousand Discontiguous System Call Patterns / IEEE Transactions on Computers / Institute of Electrical and Electronics Engineers (IEEE) 63(4) : 807~819

[confproc] K. M. Tan / 2002 / Why 6? Defining the operational limits of stide, an anomaly-based intrusion detector / Proceedings 2002 IEEE Symposium on Security and Privacy : 188~201

[confproc] Miao Xie / 2013 / Evaluating host-based anomaly detection systems: A preliminary analysis of ADFA-LD / CISP 3 : 1711~1716

[confproc] S. A. Maske / 2016 / Advanced anomaly intrusion detection technique for host based system using system call patterns / International Conference on Inventive Computation Technologies 2 : 1~4

[journal] 박경선 / 2021 / Comparative Study of Anomaly Detection Accuracy of Intrusion Detection Systems Based on Various Data Preprocessing Techniques / 정보처리학회 논문지 / 한국정보처리학회 10(11) : 449~456

[journal] 유승태 / 2022 / Comparison of Anomaly Detection Performance based on GRU Model Applying Various Data Preprocessing Techniques and Data Oversampling / 정보보호학회논문지 / 한국정보보호학회 32(2) : 201~211

[journal] Ming Liu / 2018 / Host-Based Intrusion Detection System with System Calls / ACM Computing Surveys / Association for Computing Machinery (ACM) 51(5) : 1~36

[journal] Alexander D. Kent / 2016 / Cyber security data sources for dynamic network research / Dynamic Networks and Cyber-Security / WORLD SCIENTIFIC (EUROPE) : 37~65

[journal] Steven A. Hofmeyr / 1998 / Intrusion detection using sequences of system calls / Journal of Computer Security / IOS Press 6(3) : 151~180

[confproc] R. P. Lippmann / 2000 / Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation / Proceedings DARPA Information Survivability Conference and Exposition 2 : 12~26

[journal] S. S. Murtaza / 2013 / A host-based anomaly detection approach by representing system calls as states of kernel modules / ISSRE : 431~440

[confproc] G. Creech / 2013 / Generation of a new IDS test dataset:Time to retire the KDD collection / 2013 IEEE Wireless Communications and Networking Conference (WCNC)

[journal] W. Haider / 2017 / Generating realistic intrusion detection system dataset based on fuzzy qualitative modeling / Journal of Network and Computer Applications / Elsevier BV 87 : 185~192

[confproc] I. J. King / 2022 / Euler: Detecting Network Lateral Movement via Scalable Temporal Graph Link Prediction / Proceedings 2022 Network and Distributed System Security Symposium

[journal] Eric Muhati / 2022 / Hidden-Markov-Model-Enabled Prediction and Visualization of Cyber Agility in IoT Era / IEEE Internet of Things Journal / Institute of Electrical and Electronics Engineers (IEEE) 9(12) : 9117~9127

[confproc] E. Muhati / 2021 / Adversarial Machine Learning for Inferring Augmented Cyber Agility Prediction / INFOCOM WKSHPS : 1~6

[journal] 윤지영 / 2021 / RDP-based Lateral Movement Detection using PageRank and Interpretable System using SHAP / 인터넷정보학회논문지 / 한국인터넷정보학회 22(4) : 1~11

[confproc] M. T. Wojnowicz / 2022 / Easy Variational Inference for Categorical Models via an Independent Binary Approximation / International Conference on Machine Learning : 23857~23896

[journal] 심기천 / 2023 / Insider Anomaly Behavior Detection Method Using an Unsupervised Learning-Based Autoencoder / 디지털콘텐츠학회논문지 / 한국디지털콘텐츠학회 24(8) : 1929~1936

[journal] Mwamba Kasongo Dahouda / 2021 / A Deep-Learned Embedding Technique for Categorical Features Encoding / IEEE Access / Institute of Electrical and Electronics Engineers (IEEE) 9 : 114381~114391

[web] / 2023 / PassMark / https://www.cpubenchmark.net/compare/2830vs3752/Intel-Xeon-E5-2667-v4-vs-Intel-Xeon-Silver-4210R

[journal] Y. Zhao / 2019 / Pyod : A python toolbox for scalable outlier detection / Journal of Machine Learning Research 20 : 1~7

[journal] F. Pedregosa / 2011 / Scikit-learn : Machine learning in Python / the Journal of machine Learning research 12 : 2825~2830

[journal] Dan Jiang / 2020 / A Novel Framework for Semiconductor Manufacturing Final Test Yield Classification Using Machine Learning Techniques / IEEE Access / Institute of Electrical and Electronics Engineers (IEEE) 8 : 197885~197895

This paper was written with support from the National Research Foundation of Korea.

KJCKorea
Journal Central

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Techniques for Improving Host-based Anomaly Detection Performance using Attack Event Types and Occurrence Frequencies

ABSTRACT

KEYWORDS

Citation status

* References for papers published after 2023 are currently being built.

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Techniques for Improving Host-based Anomaly Detection Performance using Attack Event Types and Occurrence Frequencies

ABSTRACT

KEYWORDS

Statistics

Tools

Issue List

Citation status

KCI Citation Counts (0)

REFERENCES (53) * References for papers published after 2023 are currently being built.

Search PDF

Citation

* References for papers published after 2023 are currently being built.