Abstract

Advanced cyberattacks typically combine multiple types, layers, and stages, with the goal of evading the monitoring systems in place. Existing anomaly detection systems usually search either logs or traffic alone for evidence of attacks and do not analyze the attack process any further. Traffic-based detection, for instance, can only roughly identify attack flows; it cannot reconstruct the sequence of attack events or reveal the current state of the affected network nodes, and therefore cannot fully model a complex multistage attack. To address these problems, we present Traffic-Log Combined Detection (TLCD), a multistage intrusion analysis system. Inspired by multiplatform intrusion detection techniques, we integrate network traffic with network device logs through association rules. TLCD correlates log data with traffic characteristics to reflect the attack process and to build a federated detection platform. Specifically, TLCD can discover the individual steps of a cyberattack, reflect the current network status, and reveal the behavior of normal users. Our experimental results over different cyberattacks demonstrate that TLCD works well, with high accuracy and a low false positive rate.

Highlights

  • Cyberattacks usually leave footprints on network devices

  • We propose to integrate network traffic with network device logs for detecting cyberattacks

  • The main contributions of this paper are listed as follows: (1) We propose a novel combined detection method to reconstruct the attack process


Introduction

Cyberattacks usually leave footprints on network devices. An attacker's path typically hops through multiple routers or servers, uploads malicious code (e.g., an XSS script), implants malicious programs (e.g., a botnet client), or submits Trojaned software or an unofficial patch carrying a malicious payload [1,2,3,4,5,6,7]. The footprints left by such attacks are dispersed in space and time across the logs of different victims' machines [8]. An XSS attack, for instance, may leave evidence in the web server's access log. Network traffic provides complementary evidence of attack-related activity, such as anomalous connections between infected hosts and the IRC/HTTP/DNS servers that control a botnet. Network traffic data alone is therefore insufficient to precisely detect attack behavior and obtain a complete view of an attack.
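To make the abstract's and introduction's point concrete, the following is an added illustration (not the paper's TLCD implementation, and not its association-rule mining) of why the two evidence sources need to be read together: a suspicious request in a web server's access log and a periodic outbound connection in the flow data each look minor on their own, but joined by host and time window they reconstruct a two-stage attack. The log lines, flow records, IP addresses, the server address `SERVER_IP`, the suspicious-path patterns and the beacon thresholds are all constructed for this example.

```python
"""Correlate web-server log evidence with network-flow evidence to rebuild an
attack timeline.  Constructed example; the data below is not from any real host."""
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache/nginx-style access log.  203.0.113.7 probes for XSS and then
# uploads a file; 10.0.0.5 is an ordinary user whose requests must stay unflagged.
WEB_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:01:10 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 1024
203.0.113.7 - - [12/Mar/2024:10:01:40 +0000] "POST /upload.php HTTP/1.1" 200 88
10.0.0.5 - - [12/Mar/2024:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 300
"""

# Constructed flow records: "timestamp src dst dport bytes".  Shortly after the
# upload, the web server (192.0.2.10) starts contacting 198.51.100.9:6667 (IRC)
# at a fixed interval, which by itself is just three small connections.
FLOWS = """\
2024-03-12T10:01:45Z 192.0.2.10 203.0.113.7 443 1200
2024-03-12T10:02:45Z 192.0.2.10 198.51.100.9 6667 96
2024-03-12T10:03:45Z 192.0.2.10 198.51.100.9 6667 96
2024-03-12T10:04:45Z 192.0.2.10 198.51.100.9 6667 96
2024-03-12T10:30:00Z 10.0.0.5 192.0.2.10 80 512
"""
SERVER_IP = "192.0.2.10"  # assumed address of the monitored web server

WEB_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$')

# Hypothetical, deliberately small set of log-side indicators.
SUSPICIOUS_PATTERNS = [
    ("xss", re.compile(r"<script|javascript:", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
    ("upload", re.compile(r"/upload", re.I)),
]


def parse_web_log(text):
    """Parse combined-log-format lines into dicts with aware UTC timestamps."""
    entries = []
    for line in text.splitlines():
        m = WEB_LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"ts": ts, "ip": m.group("ip"), "method": m.group("method"),
                        "path": m.group("path"), "status": int(m.group("status"))})
    return entries


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append({"ts": when, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def flag_requests(entries):
    """Return log entries whose path matches an indicator (uploads only when POSTed)."""
    flagged = []
    for e in entries:
        for label, pat in SUSPICIOUS_PATTERNS:
            if pat.search(e["path"]) and (label != "upload" or e["method"] == "POST"):
                flagged.append({**e, "label": label})
                break
    return flagged


def find_beacons(flows, server_ip, min_count=3, jitter=timedelta(seconds=5)):
    """Find outbound (server -> dst:port) series whose inter-arrival gaps are nearly
    constant: the traffic-side signature of command-and-control beaconing."""
    by_dst = {}
    for f in flows:
        if f["src"] == server_ip:
            by_dst.setdefault((f["dst"], f["dport"]), []).append(f["ts"])
    beacons = []
    for (dst, dport), times in by_dst.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            period = sum(gaps, timedelta()).total_seconds() / len(gaps)
            beacons.append({"dst": dst, "dport": dport, "first": times[0],
                            "count": len(times), "period_s": int(period)})
    return beacons


def reconstruct(web_log_text, flow_text, server_ip, window=timedelta(minutes=10)):
    """Join each beacon series with the suspicious requests that hit the same server
    inside `window` before the beaconing began, yielding an ordered attack timeline."""
    flagged = flag_requests(parse_web_log(web_log_text))
    incidents = []
    for b in find_beacons(parse_flows(flow_text), server_ip):
        precursors = [r for r in flagged if b["first"] - window <= r["ts"] <= b["first"]]
        if not precursors:
            continue  # periodic traffic with no log-side precursor: leave for other rules
        stages = [(r["ts"], "web:" + r["label"], r["ip"]) for r in precursors]
        stages.append((b["first"], "traffic:c2_beacon", f'{b["dst"]}:{b["dport"]}'))
        incidents.append({"attacker_ips": sorted({r["ip"] for r in precursors}),
                          "stages": sorted(stages), "c2": (b["dst"], b["dport"]),
                          "period_s": b["period_s"]})
    return incidents


if __name__ == "__main__":
    for inc in reconstruct(WEB_LOG, FLOWS, SERVER_IP):
        print(f"attacker(s) {inc['attacker_ips']}, C2 {inc['c2']}, period {inc['period_s']}s")
        for ts, stage, who in inc["stages"]:
            print(f"  {ts.isoformat()}  {stage:<20} {who}")
```

Neither source alone is decisive here: the log shows two odd requests from one client, and the flows show three small connections from the server. Only the join (same server, beaconing that starts within the window after the upload) produces the ordered timeline, while the normal user's requests and flows fall outside every rule.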
