Correlating intrusion detection alerts on bot malware infections using neural network

Egon Kidmose, Matija Stevanovic, Jens Myrup Pedersen

Research output: Contribution to book/anthology/report/conference proceeding, Article in proceeding, Research, peer-review

Abstract

Millions of computers are infected with bot malware, form botnets and enable botmasters to perform malicious and criminal activities. Intrusion Detection Systems are deployed to detect infections, but they raise many correlated alerts for each infection, requiring a large manual investigation effort. This paper presents a novel method for determining which alerts are correlated, by applying Neural Networks and clustering, thus reducing the number of alerts to process manually. The main advantage of the method is that no domain knowledge is required for designing feature extraction or any other part, as such knowledge is inferred by the Neural Networks. Evaluation has been performed on traffic traces of real bot binaries executed in a lab setup. The method is trained on labelled Intrusion Detection System alerts and correctly predicts which of seven incidents an alert pertains to 56.15% of the time. Based on the observed performance it is concluded that the task of understanding Intrusion Detection System alerts can be handled by a Neural Network, showing the potential for reducing the need for manual processing of alerts. Finally, it should be noted that this is achieved without any feature engineering and with no use of domain-specific knowledge.
Original language: English
Title of host publication: Cyber Security And Protection Of Digital Services (Cyber Security), 2016 International Conference On
Number of pages: 8
Publisher: IEEE
Publication date: Jul 2016
ISBN (Print): 978-1-5090-0710-3
ISBN (Electronic): 978-1-5090-0709-7
DOI: https://doi.org/10.1109/CyberSecPODS.2016.7502344
URL: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=7502344&refinements%3D4225576815%26filter%3DAND%28p_IS_Number%3A7502334%29
Publication status: Published - Jul 2016
Event: 2016 International Conference On Cyber Security And Protection Of Digital Services - Holiday Inn London Mayfair, London, United Kingdom
Duration: 13 Jun 2016 - 14 Jun 2016

Conference

Conference: 2016 International Conference On Cyber Security And Protection Of Digital Services
Location: Holiday Inn London Mayfair
Country: United Kingdom
City: London
Period: 13/06/2016 - 14/06/2016
Series: International Conference On Cyber Security And Protection Of Digital Services (Cyber Security). Proceedings.

Keywords

  • Artificial neural networks
  • Clustering algorithms
  • Correlation
  • Intrusion detection
  • Knowledge engineering
  • Neurons
  • Training

Cite this

Kidmose, E., Stevanovic, M., & Pedersen, J. M. (2016). Correlating intrusion detection alerts on bot malware infections using neural network. In Cyber Security And Protection Of Digital Services (Cyber Security), 2016 International Conference On IEEE. International Conference On Cyber Security And Protection Of Digital Services (Cyber Security). Proceedings. https://doi.org/10.1109/CyberSecPODS.2016.7502344