Zero Day Threat Detection Using Graph and Flow Based Security Telemetry
- URL: http://arxiv.org/abs/2205.02298v1
- Date: Wed, 4 May 2022 19:30:48 GMT
- Title: Zero Day Threat Detection Using Graph and Flow Based Security Telemetry
- Authors: Christopher Redino, Dhruv Nandakumar, Robert Schiller, Kevin Choi,
Abdul Rahman, Edward Bowen, Matthew Weeks, Aaron Shaha, Joe Nehila
- Abstract summary: Zero Day Threats (ZDT) are novel methods used by malicious actors to attack and exploit information technology (IT) networks or infrastructure.
In this paper, we introduce a deep learning based approach to Zero Day Threat detection that can generalize, scale, and effectively identify threats in near real-time.
- Score: 3.3029515721630855
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Zero Day Threats (ZDT) are novel methods used by malicious actors to attack
and exploit information technology (IT) networks or infrastructure. In the past
few years, the number of these threats has been increasing at an alarming rate
and have been costing organizations millions of dollars to remediate. The
increasing expansion of network attack surfaces and the exponentially growing
number of assets on these networks necessitate the need for a robust AI-based
Zero Day Threat detection model that can quickly analyze petabyte-scale data
for potentially malicious and novel activity. In this paper, the authors
introduce a deep learning based approach to Zero Day Threat detection that can
generalize, scale, and effectively identify threats in near real-time. The
methodology utilizes network flow telemetry augmented with asset-level graph
features, which are passed through a dual-autoencoder structure for anomaly and
novelty detection respectively. The models have been trained and tested on four
large scale datasets that are representative of real-world organizational
networks and they produce strong results with high precision and recall values.
The models provide a novel methodology to detect complex threats with low
false-positive rates that allow security operators to avoid alert fatigue while
drastically reducing their mean time to response with near-real-time detection.
Furthermore, the authors also provide a novel, labelled, cyber attack dataset
generated from adversarial activity that can be used for validation or training
of other models. With this paper, the authors' overarching goal is to provide a
novel architecture and training methodology for cyber anomaly detectors that
can generalize to multiple IT networks with minimal to no retraining while
still maintaining strong performance.
Related papers
- CTINEXUS: Leveraging Optimized LLM In-Context Learning for Constructing Cybersecurity Knowledge Graphs Under Data Scarcity [49.657358248788945]
Textual descriptions in cyber threat intelligence (CTI) reports are rich sources of knowledge about cyber threats.
Current CTI extraction methods lack flexibility and generalizability, often resulting in inaccurate and incomplete knowledge extraction.
We propose CTINexus, a novel framework leveraging optimized in-context learning (ICL) of large language models.
arXiv Detail & Related papers (2024-10-28T14:18:32Z) - Federated Learning for Zero-Day Attack Detection in 5G and Beyond V2X Networks [9.86830550255822]
Connected and Automated Vehicles (CAVs) on top of 5G and Beyond networks (5GB) make them vulnerable to increasing vectors of security and privacy attacks.
We propose in this paper a novel detection mechanism that leverages the ability of the deep auto-encoder method to detect attacks relying only on the benign network traffic pattern.
Using federated learning, the proposed intrusion detection system can be trained with large and diverse benign network traffic, while preserving the CAVs privacy, and minimizing the communication overhead.
arXiv Detail & Related papers (2024-07-03T12:42:31Z) - Real-Time Zero-Day Intrusion Detection System for Automotive Controller
Area Network on FPGAs [13.581341206178525]
This paper presents an unsupervised-learning-based convolutional autoencoder architecture for detecting zero-day attacks.
We quantise the model using Vitis-AI tools from AMD/Xilinx targeting a resource-constrained Zynq Ultrascale platform.
The proposed model successfully achieves equal or higher classification accuracy (> 99.5%) on unseen DoS, fuzzing, and spoofing attacks.
arXiv Detail & Related papers (2024-01-19T14:36:01Z) - Few-shot Weakly-supervised Cybersecurity Anomaly Detection [1.179179628317559]
We propose an enhancement to an existing few-shot weakly-supervised deep learning anomaly detection framework.
This framework incorporates data augmentation, representation learning and ordinal regression.
We then evaluated and showed the performance of our implemented framework on three benchmark datasets.
arXiv Detail & Related papers (2023-04-15T04:37:54Z) - Intrusion Detection in Internet of Things using Convolutional Neural
Networks [4.718295605140562]
We propose a novel solution to the intrusion attacks against IoT devices using CNNs.
The data is encoded as the convolutional operations to capture the patterns from the sensors data along time.
The experimental results show significant improvement in both true positive rate and false positive rate compared to the baseline using LSTM.
arXiv Detail & Related papers (2022-11-18T07:27:07Z) - Zero Day Threat Detection Using Metric Learning Autoencoders [3.1965908200266173]
The proliferation of zero-day threats (ZDTs) to companies' networks has been immensely costly.
Deep learning methods are an attractive option for their ability to capture highly-nonlinear behavior patterns.
The models presented here are also trained and evaluated with two more datasets, and continue to show promising results even when generalizing to new network topologies.
arXiv Detail & Related papers (2022-11-01T13:12:20Z) - Anomaly Detection on Attributed Networks via Contrastive Self-Supervised
Learning [50.24174211654775]
We present a novel contrastive self-supervised learning framework for anomaly detection on attributed networks.
Our framework fully exploits the local information from network data by sampling a novel type of contrastive instance pair.
A graph neural network-based contrastive learning model is proposed to learn informative embedding from high-dimensional attributes and local structure.
arXiv Detail & Related papers (2021-02-27T03:17:20Z) - How Robust are Randomized Smoothing based Defenses to Data Poisoning? [66.80663779176979]
We present a previously unrecognized threat to robust machine learning models that highlights the importance of training-data quality.
We propose a novel bilevel optimization-based data poisoning attack that degrades the robustness guarantees of certifiably robust classifiers.
Our attack is effective even when the victim trains the models from scratch using state-of-the-art robust training methods.
arXiv Detail & Related papers (2020-12-02T15:30:21Z) - An Automated, End-to-End Framework for Modeling Attacks From
Vulnerability Descriptions [46.40410084504383]
In order to derive a relevant attack graph, up-to-date information on known attack techniques should be represented as interaction rules.
We present a novel, end-to-end, automated framework for modeling new attack techniques from textual description of a security vulnerability.
arXiv Detail & Related papers (2020-08-10T19:27:34Z) - Cassandra: Detecting Trojaned Networks from Adversarial Perturbations [92.43879594465422]
In many cases, pre-trained models are sourced from vendors who may have disrupted the training pipeline to insert Trojan behaviors into the models.
We propose a method to verify if a pre-trained model is Trojaned or benign.
Our method captures fingerprints of neural networks in the form of adversarial perturbations learned from the network gradients.
arXiv Detail & Related papers (2020-07-28T19:00:40Z) - Graph Backdoor [53.70971502299977]
We present GTA, the first backdoor attack on graph neural networks (GNNs)
GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features.
It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
arXiv Detail & Related papers (2020-06-21T19:45:30Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.