RANK: AI-assisted End-to-End Architecture for Detecting Persistent Attacks in Enterprise Networks
- URL: http://arxiv.org/abs/2101.02573v1
- Date: Wed, 6 Jan 2021 15:59:51 GMT
- Title: RANK: AI-assisted End-to-End Architecture for Detecting Persistent Attacks in Enterprise Networks
- Authors: Hazem M. Soliman, Geoff Salmon, Dušan Sovilj, Mohan Rao
- Abstract summary: We present an end-to-end AI-assisted architecture for detecting Advanced Persistent Threats (APTs).
The architecture is composed of four consecutive steps: 1) alert templating and merging, 2) alert graph construction, 3) alert graph partitioning into incidents, and 4) incident scoring and ordering.
Extensive results are provided showing a three orders of magnitude reduction in the amount of data to be reviewed by the analyst, innovative extraction of incidents and security-wise scoring of extracted incidents.
- Score: 2.294014185517203
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Advanced Persistent Threats (APTs) are sophisticated multi-step attacks,
planned and executed by skilled adversaries targeting modern government and
enterprise networks. Intrusion Detection Systems (IDSs) and User and Entity
Behavior Analytics (UEBA) are commonly employed to aid a security analyst in
the detection of APTs. The prolonged nature of APTs, combined with the granular
focus of UEBA and IDS, results in overwhelming the analyst with an increasingly
impractical number of alerts. Consequent to this abundance of data, and
together with the crucial importance of the problem as well as the high cost of
the skilled personnel involved, the problem of APT detection becomes a perfect
candidate for automation through Artificial Intelligence (AI). In this paper,
we provide, to the best of our knowledge, the first study and implementation of an
end-to-end AI-assisted architecture for detecting APTs -- RANK. The goal of the
system is not to replace the analyst, rather, it is to automate the complete
pipeline from data sources to a final set of incidents for analyst review. The
architecture is composed of four consecutive steps: 1) alert templating and
merging, 2) alert graph construction, 3) alert graph partitioning into
incidents, and 4) incident scoring and ordering. We evaluate our architecture
against the 2000 DARPA Intrusion Detection dataset, as well as a real-world
private dataset from a medium-scale enterprise. Extensive results are provided
showing a three orders of magnitude reduction in the amount of data to be
reviewed by the analyst, innovative extraction of incidents and security-wise
scoring of extracted incidents.
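As an added illustration of the four-step pipeline described above (this is not the paper's code, and the rules used for templating, edge construction, partitioning and scoring are assumptions of this example, since the abstract does not specify them), the following Python runs constructed alerts through templating and merging, alert graph construction, partitioning into incidents, and incident scoring and ordering:

```python
import re
from collections import defaultdict
from itertools import combinations
ALERTS = [  # constructed sample alerts, not from the paper's datasets: (time_s, src, dst, message)
    (100, "10.0.0.5", "10.0.0.9", "port scan from 10.0.0.5 to 10.0.0.9 ports 1-1024"),
    (101, "10.0.0.5", "10.0.0.9", "port scan from 10.0.0.5 to 10.0.0.9 ports 1025-2048"),
    (300, "10.0.0.5", "10.0.0.9", "failed login for admin from 10.0.0.5 attempt 7"),
    (350, "10.0.0.9", "10.0.0.20", "smb lateral movement 10.0.0.9 -> 10.0.0.20"),
    (900, "10.0.0.33", "10.0.0.40", "failed login for bob from 10.0.0.33 attempt 1"),
]

def template(msg):
    """Step 1a, templating: replace variable fields (IPs first, then any number) with placeholders."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    return re.sub(r"\d+", "<n>", msg)
def merge(alerts):
    """Step 1b, merging: collapse alerts that share (template, src, dst) into one record with a count."""
    merged = {}
    for t, src, dst, msg in alerts:
        key = (template(msg), src, dst)
        rec = merged.setdefault(key, {"template": key[0], "src": src, "dst": dst, "first": t, "last": t, "count": 0})
        rec["first"], rec["last"], rec["count"] = min(rec["first"], t), max(rec["last"], t), rec["count"] + 1
    return list(merged.values())
def build_graph(nodes, window=600):
    """Step 2 (assumed rule): an edge joins two merged alerts that share a host and lie within `window` seconds."""
    adj = defaultdict(set)
    for (i, a), (j, b) in combinations(enumerate(nodes), 2):
        gap = max(a["first"], b["first"]) - min(a["last"], b["last"])  # negative when the two overlap in time
        if {a["src"], a["dst"]} & {b["src"], b["dst"]} and gap <= window:
            adj[i].add(j); adj[j].add(i)
    return adj
def partition(nodes, adj):
    """Step 3 (assumed rule): each connected component of the alert graph becomes one incident."""
    seen, incidents = set(), []
    for start in range(len(nodes)):
        if start in seen: continue
        comp, frontier = set(), {start}
        while frontier:  # flood fill from `start`
            n = frontier.pop(); comp.add(n); frontier |= adj[n] - comp
        seen |= comp
        incidents.append([nodes[i] for i in sorted(comp)])
    return incidents
def score(incident):
    """Step 4 (assumed heuristic): distinct hosts touched times distinct alert templates."""
    return len({h for a in incident for h in (a["src"], a["dst"])}) * len({a["template"] for a in incident})
def rank(alerts):
    """Run the four steps and return incidents ordered from highest to lowest score."""
    nodes = merge(alerts)
    return sorted(partition(nodes, build_graph(nodes)), key=score, reverse=True)
```

On the sample input the five raw alerts collapse to four merged alerts and two incidents, with the scan, credential-guessing and lateral-movement chain around 10.0.0.9 ranked first.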
Related papers
- CICAPT-IIOT: A provenance-based APT attack dataset for IIoT environment [1.841560106836332]
Industrial Internet of Things (IIoT) is a transformative paradigm that integrates smart sensors, advanced analytics, and robust connectivity within industrial processes.
Advanced Persistent Threats (APTs) pose a particularly grave concern due to their stealthy, prolonged, and targeted nature.
The CICAPT-IIoT dataset presents a foundation for developing holistic cybersecurity measures.
arXiv Detail & Related papers (2024-07-15T23:08:34Z)
- Hack Me If You Can: Aggregating AutoEncoders for Countering Persistent Access Threats Within Highly Imbalanced Data [4.619717316983648]
Advanced Persistent Threats (APTs) are sophisticated, targeted cyberattacks designed to gain unauthorized access to systems and remain undetected for extended periods.
We present AE-APT, a deep learning-based tool for APT detection that features a family of AutoEncoder methods ranging from a basic one to a Transformer-based one.
The outcomes showed that AE-APT has significantly higher detection rates compared to its competitors, indicating superior performance in detecting and ranking anomalies.
arXiv Detail & Related papers (2024-06-27T14:45:38Z)
- A Federated Learning Approach for Multi-stage Threat Analysis in Advanced Persistent Threat Campaigns [25.97800399318373]
Multi-stage threats like advanced persistent threats (APT) pose severe risks by stealing data and destroying infrastructure.
APTs use novel attack vectors and evade signature-based detection by obfuscating their network presence.
This paper proposes a novel 3-phase unsupervised federated learning (FL) framework to detect APTs.
arXiv Detail & Related papers (2024-06-19T03:34:41Z)
- Generative AI for Secure and Privacy-Preserving Mobile Crowdsensing [74.58071278710896]
Generative AI has attracted much attention from both academic and industrial fields.
Secure and privacy-preserving mobile crowdsensing (SPPMCS) has been widely applied in data collection/acquisition.
arXiv Detail & Related papers (2024-05-17T04:00:58Z)
- Unified Physical-Digital Attack Detection Challenge [70.67222784932528]
Face Anti-Spoofing (FAS) is crucial to safeguard Face Recognition (FR) Systems.
UniAttackData is the largest public dataset for Unified Attack Detection.
We organized a Unified Physical-Digital Face Attack Detection Challenge to boost the research in Unified Attack Detection.
arXiv Detail & Related papers (2024-04-09T11:00:11Z)
- The AI Security Pyramid of Pain [0.18820558426635298]
We introduce the AI Security Pyramid of Pain, a framework that adapts the cybersecurity Pyramid of Pain to categorize and prioritize AI-specific threats.
This framework provides a structured approach to understanding and addressing various levels of AI threats.
arXiv Detail & Related papers (2024-02-16T21:14:11Z)
- Progressing from Anomaly Detection to Automated Log Labeling and Pioneering Root Cause Analysis [53.24804865821692]
This study introduces a taxonomy for log anomalies and explores automated data labeling to mitigate labeling challenges.
The study envisions a future where root cause analysis follows anomaly detection, unraveling the underlying triggers of anomalies.
arXiv Detail & Related papers (2023-12-22T15:04:20Z)
- Investigative Pattern Detection Framework for Counterterrorism [0.09999629695552192]
Automated tools are required to extract information to respond to queries from analysts, continually scan new information, integrate it with past events, and then alert about emerging threats.
We address challenges in investigative pattern detection and develop an Investigative Pattern Detection Framework for Counterterrorism (INSPECT).
The framework integrates numerous computing tools that include machine learning techniques to identify behavioral indicators and graph pattern matching techniques to detect risk profiles/groups.
arXiv Detail & Related papers (2023-10-30T00:45:05Z)
- AI for IT Operations (AIOps) on Cloud Platforms: Reviews, Opportunities and Challenges [60.56413461109281]
Artificial Intelligence for IT operations (AIOps) aims to combine the power of AI with the big data generated by IT Operations processes.
We discuss in depth the key types of data emitted by IT Operations activities, the scale and challenges in analyzing them, and where they can be helpful.
We categorize the key AIOps tasks as incident detection, failure prediction, root cause analysis and automated actions.
arXiv Detail & Related papers (2023-04-10T15:38:12Z)
- Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques [77.34726150561087]
We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research.
Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
arXiv Detail & Related papers (2022-07-18T09:59:21Z)
- Towards AIOps in Edge Computing Environments [60.27785717687999]
This paper describes the system design of an AIOps platform which is applicable in heterogeneous, distributed environments.
It is feasible to collect metrics with a high frequency and simultaneously run specific anomaly detection algorithms directly on edge devices.
arXiv Detail & Related papers (2021-02-12T09:33:00Z)
This list is automatically generated from the titles and abstracts of the papers in this site.