Journal ArticleDOI

Data Auditing for Intelligent Network Security Monitoring

01 Mar 2023 - IEEE Communications Magazine, Vol. 61, Iss. 3, pp. 74-79
TL;DR: In this article, the authors introduce the problem of inconsistent labeling in network security monitoring and present a new automatic data auditing method to check whether human mistakes have occurred in the labeling.
Abstract: Data auditing is a process that consistently keeps the quality of data high, but this process is generally missing in network security monitoring. When network-based intrusion detection systems catch a suspicious packet, they generate alert messages that are further investigated by security analysts. An alert is generally assigned to at most one analyst, who then determines whether the alert is true or false; this decision is called labeling. Different analysts may therefore assign different labels to very similar alerts. In this article, we introduce this problem of inconsistent labeling in network security monitoring and present a new automatic data auditing method to check whether labeling mistakes have occurred. Through our experiments on two data sets, a private one from a real security operations center and an open data set for reproducible experiments, we confirm that the new auditing method can catch incorrect labels, and that the accuracy of a machine learning model trained on the data set can be improved by correcting those labels.
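The abstract describes the problem (near-identical alerts labeled differently by different analysts) but not the auditing method itself. The following is an added illustration of one way such an audit can be done, written for this page; it is not the authors' method. It hashes each alert's stable fields into a fixed-size vector with the hashing trick from the 2009 feature-hashing reference listed below, groups alerts that hash identically, flags groups whose members carry conflicting labels, and proposes a majority-vote correction where the vote is not tied. The alert records, field names, signature names and bucket count are constructed for the example.

```python
"""Label-consistency audit for IDS alerts (added illustration, not the paper's method)."""
import hashlib
from collections import Counter, defaultdict

N_BUCKETS = 64  # assumed size of the hashed feature space
# Per-instance fields that must not influence grouping (assumed field names).
VOLATILE = ("id", "ts", "analyst", "label")


def hashed_features(alert):
    """Map an alert's key=value fields to a signed-count vector over N_BUCKETS
    buckets (the hashing trick). Volatile fields are skipped so alerts that
    differ only in time, id or reviewer hash identically."""
    vec = [0] * N_BUCKETS
    for key, value in alert.items():
        if key in VOLATILE:
            continue
        h = int.from_bytes(hashlib.sha256(f"{key}={value}".encode()).digest()[:4], "big")
        sign = -1 if (h >> 31) & 1 else 1      # sign bit independent of the bucket
        vec[h % N_BUCKETS] += sign
    return tuple(vec)


def group_alerts(alerts):
    groups = defaultdict(list)
    for a in alerts:
        groups[hashed_features(a)].append(a)
    return groups


def audit_labels(alerts):
    """Return one dict {alert_id: (analyst, label)} per group of hash-identical
    alerts whose labels disagree. These are the records an auditor re-reviews."""
    conflicts = []
    for members in group_alerts(alerts).values():
        if len({m["label"] for m in members}) > 1:
            conflicts.append({m["id"]: (m["analyst"], m["label"]) for m in members})
    return conflicts


def suggest_corrections(alerts):
    """Majority vote inside each group; returns {alert_id: suggested_label} for
    alerts that disagree with their group's majority. Tied groups are left to a
    human rather than guessed."""
    suggestions = {}
    for members in group_alerts(alerts).values():
        (top, top_n), *rest = Counter(m["label"] for m in members).most_common()
        if rest and rest[0][1] == top_n:
            continue  # tie: no safe automatic correction
        for m in members:
            if m["label"] != top:
                suggestions[m["id"]] = top
    return suggestions


# Constructed sample: three reviewers, three recurring alert patterns.
SAMPLE_ALERTS = [
    {"id": 1, "ts": "2023-03-01T10:00", "sig": "SCAN Nmap", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "analyst": "alice", "label": "true"},
    {"id": 2, "ts": "2023-03-01T10:05", "sig": "SCAN Nmap", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "analyst": "bob", "label": "false"},
    {"id": 3, "ts": "2023-03-02T09:30", "sig": "SCAN Nmap", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "analyst": "carol", "label": "true"},
    {"id": 4, "ts": "2023-03-01T11:00", "sig": "WEB SQLi", "src": "203.0.113.7", "dst": "10.0.1.30", "dport": 443, "analyst": "alice", "label": "true"},
    {"id": 5, "ts": "2023-03-01T11:20", "sig": "WEB SQLi", "src": "203.0.113.7", "dst": "10.0.1.30", "dport": 443, "analyst": "bob", "label": "true"},
    {"id": 6, "ts": "2023-03-01T12:00", "sig": "POLICY DNS", "src": "10.0.0.9", "dst": "10.0.0.53", "dport": 53, "analyst": "bob", "label": "false"},
    {"id": 7, "ts": "2023-03-01T12:10", "sig": "POLICY DNS", "src": "10.0.0.9", "dst": "10.0.0.53", "dport": 53, "analyst": "carol", "label": "true"},
]

if __name__ == "__main__":
    for c in audit_labels(SAMPLE_ALERTS):
        print("conflicting group:", c)
    print("suggested corrections:", suggest_corrections(SAMPLE_ALERTS))
```

On the sample, the Nmap group (alerts 1-3) and the DNS group (6-7) are flagged; only alert 2 gets an automatic suggestion, because the DNS group is a 1-1 tie. Exact-hash grouping is deliberately strict: it catches the "same alert, different label" case the abstract describes and never merges genuinely different alerts, at the cost of missing near-duplicates, which a distance threshold on the same vectors would recover.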
References
Proceedings ArticleDOI
14 Jun 2009
TL;DR: In this article, the authors provide exponential tail bounds for feature hashing and show that the interaction between random subspaces is negligible with high probability, and demonstrate the feasibility of this approach with experimental results for a new use case.
Abstract: Empirical evidence suggests that hashing is an effective strategy for dimensionality reduction and practical nonparametric estimation. In this paper we provide exponential tail bounds for feature hashing and show that the interaction between random subspaces is negligible with high probability. We demonstrate the feasibility of this approach with experimental results for a new use case --- multitask learning with hundreds of thousands of tasks.

955 citations

Proceedings ArticleDOI
01 Feb 2019
TL;DR: NoDoze generates alert dependency graphs that are two orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation, and decreases the volume of false alarms by 84%, saving analysts more than 90 hours of investigation time per week.
Abstract: Large enterprises are increasingly relying on threat detection software (e.g., Intrusion Detection Systems) to spot suspicious activities. This software generates alerts which must be investigated by cyber analysts to figure out whether they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a "threat alert fatigue" or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms. In this paper, we present NoDoze to combat this challenge using contextual and historical information about the threat alerts generated in an enterprise. NoDoze first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each event in the dependency graph based on the frequency with which related events have happened before in the enterprise. NoDoze then propagates those scores along the edges of the graph using a novel network diffusion algorithm and generates a subgraph with an aggregate anomaly score that is used to triage alerts. Evaluation on our dataset of 364 threat alerts shows that NoDoze decreases the volume of false alarms by 86%, saving more than 90 hours of analysts' time that would have been required to investigate those false alarms. Furthermore, NoDoze-generated dependency graphs of true alerts are two orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.
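The abstract gives the shape of NoDoze's triage (frequency-based anomaly scores on a causal dependency graph, propagated along edges, then an aggregate score and a reduced subgraph) but not its formulas. The block below is an added illustration in that spirit, written for this page; it is not NoDoze's code, and the concrete rules are simplifications chosen here: an edge's anomaly is one minus the conditional frequency with which its parent has previously led to its child, propagation gives each node the probability that at least one step on its path from the alert's root was anomalous, and the reduced subgraph keeps only edges above a threshold. The event history and the two alert graphs are constructed; process names are illustrative.

```python
"""Frequency-based anomaly scoring over an alert dependency graph
(added illustration in the spirit of the NoDoze abstract; simplified rules, not NoDoze's)."""
from collections import Counter, defaultdict

# Constructed history: how often each parent->child causal event has been seen
# in the enterprise before. Stands in for a real event-frequency database.
HISTORY = Counter({
    ("sshd", "bash"): 500,
    ("bash", "ls"): 300,
    ("bash", "cat"): 200,
    ("bash", "curl"): 2,
})


def edge_anomaly(parent, child, history=HISTORY):
    """1 minus the conditional frequency P(child | parent) in the history.
    A parent with no recorded children, or a never-seen edge, scores 1.0."""
    total = sum(n for (p, _), n in history.items() if p == parent)
    if total == 0:
        return 1.0
    return 1.0 - history[(parent, child)] / total


def propagate(root, edges, history=HISTORY):
    """Walk the dependency graph from `root` (the process the alert fired on)
    and score each node with the probability that at least one step on its
    path from the root was anomalous: s(c) = 1 - (1 - a(p->c)) * (1 - s(p)).
    Assumes the edges form a DAG (provenance events are time-ordered), so the
    walk terminates; a node reached by several paths keeps its highest score."""
    children = defaultdict(list)
    for p, c in edges:
        children[p].append(c)
    scores = {root: 0.0}
    stack = [root]
    while stack:
        p = stack.pop()
        for c in children[p]:
            s = 1.0 - (1.0 - edge_anomaly(p, c, history)) * (1.0 - scores[p])
            if s > scores.get(c, -1.0):
                scores[c] = s
                stack.append(c)
    return scores


def triage(root, edges, threshold=0.5, history=HISTORY):
    """Aggregate score for the alert (mean propagated score over non-root nodes)
    plus the reduced subgraph: only edges whose own anomaly meets `threshold`."""
    scores = propagate(root, edges, history)
    non_root = [v for n, v in scores.items() if n != root]
    aggregate = sum(non_root) / len(non_root) if non_root else 0.0
    kept = [(p, c) for p, c in edges if edge_anomaly(p, c, history) >= threshold]
    return aggregate, kept


# Constructed alerts: a routine admin session and a download-and-execute chain.
ROUTINE = ("sshd", [("sshd", "bash"), ("bash", "ls")])
SUSPICIOUS = ("sshd", [("sshd", "bash"), ("bash", "curl"), ("curl", "/tmp/x.sh")])

if __name__ == "__main__":
    for name, (root, edges) in (("routine", ROUTINE), ("suspicious", SUSPICIOUS)):
        score, kept = triage(root, edges)
        print(f"{name}: aggregate={score:.3f} reduced_subgraph={kept}")
```

The routine session scores about 0.20 and its reduced subgraph is empty, so it would sit at the bottom of the queue; the download-and-execute chain scores about 0.67 and the reduced subgraph keeps exactly the two rare edges an analyst needs to see. The conditional-frequency rule is what makes a common parent (sshd spawning bash) contribute nothing while a rare transition from the same parent (bash spawning curl) dominates.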

144 citations

Proceedings ArticleDOI
06 Nov 2019
TL;DR: This study conducted 18 semi-structured interviews with SOC analysts and managers and found inherent disagreements between SOC managers and their analysts that, if not addressed, could entail a risk to SOC efficiency and effectiveness.
Abstract: Organizations, such as companies and governments, created Security Operations Centers (SOCs) to defend against computer security attacks. SOCs are central defense groups that focus on security incident management with capabilities such as monitoring, preventing, responding, and reporting. They are one of the most critical components of a modern organization's defense. Despite their critical importance to organizations, and the high frequency of reported security incidents, only a few research studies focus on problems specific to SOCs. In this study, to understand and identify the issues of SOCs, we conducted 18 semi-structured interviews with SOC analysts and managers who work for organizations from different industry sectors. Through our analysis of the interview data, we identified technical and non-technical issues that exist in SOCs. Moreover, we found inherent disagreements between SOC managers and their analysts that, if not addressed, could entail a risk to SOC efficiency and effectiveness. We distill these issues into takeaways that apply both to future academic research and to SOC management. We believe that research should focus on improving the efficiency and effectiveness of SOCs.

53 citations

Proceedings ArticleDOI
06 Jul 2020
TL;DR: In the evaluation using 8 real-world traces of 1.4 billion Web requests, ZeroWall successfully detects real zero-day attacks missed by existing WAFs and achieves high F1-scores over 0.98, which significantly outperforms all baseline approaches.
Abstract: Zero-day Web attacks are arguably the most serious threats to Web security, but are very challenging to detect because they have not been seen or known previously and thus cannot be detected by widely-deployed signature-based Web Application Firewalls (WAFs). This paper proposes ZeroWall, an unsupervised approach that works in a pipeline with an existing WAF to effectively detect zero-day Web attacks. Using historical Web requests allowed by an existing signature-based WAF, the vast majority of which are assumed to be benign, ZeroWall trains a self-translation machine using an encoder-decoder recurrent neural network to capture the syntactic and semantic patterns of benign requests. In real-time detection, a zero-day attack request (which the WAF fails to detect) is not understood well by the self-translation machine and cannot be translated back to its original request, and is therefore declared an attack. In our evaluation using 8 real-world traces of 1.4 billion Web requests, ZeroWall successfully detects real zero-day attacks missed by existing WAFs and achieves high F1-scores over 0.98, which significantly outperforms all baseline approaches.

42 citations

Journal ArticleDOI
TL;DR: A lightweight dynamic autoencoder network (LDAN) method for NID is proposed, which realizes efficient feature extraction through a lightweight structural design and achieves high accuracy and robustness while greatly reducing computational cost and model size.
Abstract: The proliferation of wireless sensor networks (WSNs) and their applications has been accompanied by remarkable growth in unsolicited intrusions and security threats, which disrupt the normal operations of the WSNs. Deep learning (DL)-based network intrusion detection (NID) methods have been widely investigated and developed. However, the high computational complexity of DL seriously hinders the actual deployment of DL-based models, particularly on WSN devices, which lack processing power because of their energy constraints. In this letter, we propose a lightweight dynamic autoencoder network (LDAN) method for NID, which realizes efficient feature extraction through a lightweight structural design. Experimental results show that our proposed model achieves high accuracy and robustness while greatly reducing computational cost and model size.

41 citations