On the Detection of Persistent Attacks using Alert Graphs and Event Feature Embeddings

Title: On the Detection of Persistent Attacks using Alert Graphs and Event Feature Embeddings
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Burr, B., Wang, S., Salmon, G., Soliman, H.
Conference Name: NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium
Date Published: apr
Keywords: advanced persistent threat, advanced persistent threats, alert graphs, APT, community detection, computer network security, coordinated attacks, data visualisation, event feature embeddings, feature embeddings, graph model, graph models, Human Behavior, IDS, Intrusion Detection Systems, IP address, IP2Vec, Metrics, Network security, persistent attacks detection, pubcrawl, resilience, Resiliency, Scalability, security analysts, security of data, unsupervised clustering, word embedding
Abstract: Intrusion Detection Systems (IDS) generate a high volume of alerts that security analysts do not have the resources to explore fully. Modelling attacks, especially the coordinated campaigns of Advanced Persistent Threats (APTs), in a visually interpretable way is a useful approach for network security. Graph models combine multiple alerts and are well suited for visualization and interpretation, increasing security effectiveness. In this paper, we use feature embeddings, learned from network event logs, and community detection to construct and segment alert graphs of related alerts and network hosts. We posit that such graphs can aid security analysts in investigating alerts and may capture multiple aspects of an APT attack. The eventual goal of this approach is to construct interpretable attack graphs and extract causality information to identify coordinated attacks.
Citation Key: burr_detection_2020