TY - GEN
T1 - Correlating intrusion detection alerts on bot malware infections using neural network
AU - Kidmose, Egon
AU - Stevanovic, Matija
AU - Pedersen, Jens Myrup
PY - 2016/7
Y1 - 2016/7
N2 - Millions of computers are infected with bot malware, form botnets and enable botmasters to perform malicious and criminal activities. Intrusion Detection Systems are deployed to detect infections, but they raise many correlated alerts for each infection, requiring a large manual investigation effort. This paper presents a novel method with the goal of determining which alerts are correlated, by applying Neural Networks and clustering, thus reducing the number of alerts to process manually. The main advantage of the method is that no domain knowledge is required for designing feature extraction or any other part, as such knowledge is inferred by the Neural Networks. Evaluation has been performed with traffic traces of real bot binaries executed in a lab setup. The method is trained on labelled Intrusion Detection System alerts and is capable of correctly predicting which of seven incidents an alert pertains to, 56.15% of the time. Based on the observed performance it is concluded that the task of understanding Intrusion Detection System alerts can be handled by a Neural Network, showing the potential for reducing the need for manual processing of alerts. Finally, it should be noted that this is achieved without any feature engineering and with no use of domain-specific knowledge.
AB - Millions of computers are infected with bot malware, form botnets and enable botmasters to perform malicious and criminal activities. Intrusion Detection Systems are deployed to detect infections, but they raise many correlated alerts for each infection, requiring a large manual investigation effort. This paper presents a novel method with the goal of determining which alerts are correlated, by applying Neural Networks and clustering, thus reducing the number of alerts to process manually. The main advantage of the method is that no domain knowledge is required for designing feature extraction or any other part, as such knowledge is inferred by the Neural Networks. Evaluation has been performed with traffic traces of real bot binaries executed in a lab setup. The method is trained on labelled Intrusion Detection System alerts and is capable of correctly predicting which of seven incidents an alert pertains to, 56.15% of the time. Based on the observed performance it is concluded that the task of understanding Intrusion Detection System alerts can be handled by a Neural Network, showing the potential for reducing the need for manual processing of alerts. Finally, it should be noted that this is achieved without any feature engineering and with no use of domain-specific knowledge.
KW - Artificial neural networks
KW - Clustering algorithms
KW - Correlation
KW - Intrusion detection
KW - Knowledge engineering
KW - Neurons
KW - Training
UR - http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7502344&refinements%3D4225576815%26filter%3DAND%28p_IS_Number%3A7502334%29
U2 - 10.1109/CyberSecPODS.2016.7502344
DO - 10.1109/CyberSecPODS.2016.7502344
M3 - Article in proceeding
SN - 978-1-5090-0710-3
T3 - International Conference On Cyber Security And Protection Of Digital Services (Cyber Security). Proceedings.
BT - Cyber Security And Protection Of Digital Services (Cyber Security), 2016 International Conference On
PB - IEEE
T2 - 2016 International Conference On Cyber Security And Protection Of Digital Services
Y2 - 13 June 2016 through 14 June 2016
ER -