Conference papers

Sec2graph: Network Attack Detection Based on Novelty Detection on Graph Structured Data

Abstract: Detecting attacks against information systems is hard because of the highly distributed, heterogeneous and evolving nature of these systems, and because the threat landscape is constantly evolving as well. Being able to detect new kinds of attacks in a timely manner without generating too many false alarms is especially challenging. To tackle this challenge, many researchers have proposed various anomaly detection techniques that aim at identifying events that are inconsistent with past observations. Nowadays, supervised learning is often used to that end. Unfortunately, in the wild, security experts generally do not have labeled datasets, and labeling their data would be excessively expensive. Unsupervised learning, which does not require labeled data, should therefore be preferred, even though until now unsupervised approaches have led to less pertinent results than supervised ones. We introduce in this paper a representation of log files of various types in a unified and unique graph representation, so-called security objects' graphs. This representation, which mixes and links events of different kinds, constitutes a rich description of the activities to be analyzed. To detect anomalies in these graphs, we propose an unsupervised learning approach based on an auto-encoder. Our hypothesis is that, since security objects' graphs bring a rich vision of the normal situation, an auto-encoder is able to build a relevant model of this situation. To validate this hypothesis, we apply this approach to the CICIDS2017 dataset and show that although our approach is unsupervised, its detection results are as good as, and even better or much better than, those obtained by many supervised approaches.

https://hal.inria.fr/hal-02950489
Contributor: Ludovic Mé
Submitted on: Monday, September 28, 2020 - 8:56:15 AM
Last modification on: Wednesday, October 14, 2020 - 4:06:46 AM

File: dimva2020.pdf (files produced by the author(s))

Identifiers
  • HAL Id: hal-02950489, version 1

Citation

Laetitia Leichtnam, Eric Totel, Nicolas Prigent, Ludovic Mé. Sec2graph: Network Attack Detection Based on Novelty Detection on Graph Structured Data. Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), Jun 2020, Lisbon, Portugal. ⟨hal-02950489⟩

Metrics: 18 record views, 151 file downloads