Sec2graph: Network Attack Detection Based on Novelty Detection on Graph Structured Data
Conference Papers Year :



Abstract

Detecting attacks against information systems is hard because of the highly distributed, heterogeneous and evolving nature of these systems, and because the threat landscape is itself constantly evolving. Detecting new kinds of attacks in a timely manner without generating too many false alarms is especially challenging. To tackle this challenge, many researchers have proposed anomaly detection techniques, which aim to identify events that are inconsistent with past observations. Nowadays, supervised learning is often used to that end. Unfortunately, in the wild, security experts generally do not have labeled datasets, and labeling their data would be excessively expensive. Unsupervised learning, which does not require labeled data, should therefore be preferred, even though until now unsupervised approaches have led to less pertinent results than supervised ones. In this paper we introduce a representation of log files of various types as a single, unified graph, which we call a security objects' graph. This representation, which mixes and links events of different kinds, constitutes a rich description of the activities to be analyzed. To detect anomalies in these graphs, we propose an unsupervised learning approach based on an auto-encoder. Our hypothesis is that, because security objects' graphs give a rich view of the normal situation, an auto-encoder is able to build a relevant model of that situation. To validate this hypothesis, we apply the approach to the CICIDS2017 dataset and show that, although our approach is unsupervised, its detection results are as good as, and sometimes better or much better than, those obtained by many supervised approaches.
Main file: dimva2020.pdf (628.69 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-02950489 , version 1 (28-09-2020)

Cite

Laetitia Leichtnam, Eric Totel, Nicolas Prigent, Ludovic Mé. Sec2graph: Network Attack Detection Based on Novelty Detection on Graph Structured Data. DIMVA 2020: 17th Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Jun 2020, Lisbon, Portugal. pp.238-258, ⟨10.1007/978-3-030-52683-2_12⟩. ⟨hal-02950489⟩