on the sequential pattern and rule mining in the analysis
play

ON THE SEQUENTIAL PATTERN AND RULE MINING IN THE ANALYSIS OF CYBER - PowerPoint PPT Presentation

Jan 19, 2024 •582 likes •826 views

ON THE SEQUENTIAL PATTERN AND RULE MINING IN THE ANALYSIS OF CYBER SECURITY ALERTS Thursday 31 st August, 2017 Martin Husk Jaroslav Kapar Elias Bou-Harb Pavel eleda Motivation Cyber Security Alerts Timely information about current

  1. ON THE SEQUENTIAL PATTERN AND RULE MINING IN THE ANALYSIS OF CYBER SECURITY ALERTS Thursday 31 st August, 2017 Martin Husák Jaroslav Kašpar Elias Bou-Harb Pavel Čeleda

  2. Motivation Cyber Security Alerts Timely information about current security issues, e.g., events. Standardized outputs of intrusion detection. Important for information exchange. Information Exchange Emerging topic of security research and practice. Collaborative security – alert sharing platforms. Sequence Mining in the Analysis of Cyber Security Alerts Page 2 / 23

  3. Motivation Data Mining Current trend in cyber security (alongside machine learning). Can find concealed and indistinct patterns in the data. Use Case Analysis of security alerts in the sharing platform. Discovery of common attack progression. Projection of attack continuation. Sequence Mining in the Analysis of Cyber Security Alerts Page 3 / 23

  4. Motivation Sequence Mining Finds statistically relevant patterns between data where values are delivered in a sequence . Interesting choice for cyber security alert analysis - sequences of alerts correspond to attack progression . Sequential pattern mining finds frequent patterns only. Sequential rule mining finds also implications in sequences. Sequence Mining in the Analysis of Cyber Security Alerts Page 4 / 23

  5. Research Questions Question I. What are the use cases of sequence mining in the analysis of cyber security alerts? Question II. Which approaches are the most suitable and effective for mining sequences in security alerts? Question III. What are the effects of optimizations and data reductions? Sequence Mining in the Analysis of Cyber Security Alerts Page 5 / 23

  6. Use Cases Sequence Mining in the Analysis of Cyber Security Alerts Page 6 / 23

  7. Use Cases – Related Work Alert correlation Frequent episode mining (4 papers), Association rule mining (4 papers), Sequential pattern mining (1 paper). Attack prediction Association rule mining (3 papers), Continuous association rule mining (1 paper), Sequential pattern mining (1 paper). Sequence Mining in the Analysis of Cyber Security Alerts Page 7 / 23

  8. Use Cases – Proposals Related Work No consensus on which method to choose. Evaluation on data sets - a few experiments using real data. Association rule mining is the best–known approach. But is it actually suitable for cyber security use cases? Alert Correlation Proposed approach – sequential pattern mining. Attack Prediction Proposed approach – sequential rule mining. Sequence Mining in the Analysis of Cyber Security Alerts Page 8 / 23

  9. Experimental Evaluation Sequence Mining in the Analysis of Cyber Security Alerts Page 9 / 23

  10. Experiment Setup Dataset 16 million alerts collected during 1 week. Collected in SABU alert sharing platform (mostly alerts from campus networks in Czech Republic). Data mining methods 7 sequential pattern mining methods, 3 sequential rule mining methods (all implemented in SPMF library). Sequence Mining in the Analysis of Cyber Security Alerts Page 10 / 23

  11. Example of an Alert { "Format": "IDEA0", "ID": "3ad275e3-559a-45c0-8299-6807148ce157", "DetectTime": "2014-03-22T10:12:56Z", "Category": ["Recon.Scanning"], "ConnCount": 633, "Description": "Ping scan", "Source": [ { "IP4": ["93.184.216.119"], "Proto": ["icmp"] } ], "Target": [ { "Proto": ["icmp"], "IP4": ["93.184.216.0/24"], "Anonymised": true } ] } Sequence Mining in the Analysis of Cyber Security Alerts Page 11 / 23

  12. Sequential Databases Without port numbers Alerts with the same source and target (IP addresses), alerts with the same source (IP address), alerts with the same target (IP address). With port numbers Alerts with the same source and target (IP addresses and ports), alerts with the same source (IP address and port), alerts with the same target (IP address and port). Sequence Mining in the Analysis of Cyber Security Alerts Page 12 / 23

  13. Method Selection Approach Algorithm(s) Sequential pattern mining CM-SPADE Top-K sequential pattern mining TKS Closed sequential pattern mining CM-ClaSP Sequential generator pattern mining VGEN Maximal sequential pattern mining VMSP Compressing sequential pattern mining GoKrimp Sequential pattern mining with time constraints HirateYamana Closed sequential pattern mining with time constraints Fournier08-Closed+time Sequential rule mining RuleGrowth Sequential rule mining with window constraints TRuleGrowth Top-K sequential rule mining TopKRules Sequence Mining in the Analysis of Cyber Security Alerts Page 13 / 23

  14. Example Results Frequent port combinations – sequential rules Scan.1755 ==> Scan.1723 #SUP: 0.00025 #CONF: 0.69553 Scan.37777 ==> Scan.8000 #SUP: 0.00024 #CONF: 0.38748 Scan.1723 ==> Scan.1755 #SUP: 0.00023 #CONF: 0.35531 Scan.3392 ==> Scan.3391 #SUP: 0.00034 #CONF: 0.27006 Scan.3390 ==> Scan.3389 #SUP: 0.00024 #CONF: 0.10841 Scan.443 ==> Scan.80 #SUP: 0.00080 #CONF: 0.09309 Scan.80 ==> Scan.443 #SUP: 0.00066 #CONF: 0.02521 Scan.3389 ==> Scan.3390 #SUP: 0.00039 #CONF: 0.02226 Scan.2323 ==> Scan.23 #SUP: 0.00210 #CONF: 0.02031 Scan.23 ==> Scan.2323 #SUP: 0.00322 #CONF: 0.00461 Sequence Mining in the Analysis of Cyber Security Alerts Page 14 / 23

  15. Result Samples Scanned port groups Some groups of ports are typically scanned simultaneously. (Scan.922, Scan.674) ==> Scan.930 #SUP: 0.02075 #CONF: 0.53690 (Scan.922, Scan.666) ==> Scan.930 #SUP: 0.02003 #CONF: 0.53096 Sequence Mining in the Analysis of Cyber Security Alerts Page 15 / 23

  16. Results Database Sources and Targets Sources only Targets only without ports with ports without ports with ports without ports with ports Method ✩ ✩ Sequential pattern mining 16 min, 100 % <1 min, 1 % 2 min, 100 % <1 min, 5 % ✩ ✩ Top-K sequential pattern mining <1 min, 100 % <1 min, 10 % <1 min, 100 % <1 min, 10 % ✩ Closed seq. pattern mining 3 min, 100 % 2 min, 20 % 2 min, 100 % 2 min, 50 % 2 min, 5 % ✩ Seq. generator pattern mining <1 min, 100 % <1 min, 10 % <1 min, 100 % <1 min, 10 % 6 min, 60 % ✩ Maximal seq. pattern mining <1 min, 100 % <1 min, 10 % <1 min, 100 % <1 min, 10 % 4 min, 60 % ✩ Compressing seq. pattern mining 15 min, 100 % 3 min, 1 % 18 min, 10 % 4 min, 1 % <1 min, 1 % ✩ Sequential pattern mining with 5 min, 100 % 6 min, 100 % 16 min, 100 % 11 min, 100 % <1 min, 100 % time constraints 34 min, ✩ Closed seq. pattern mining with 11 min, 100 % 11 min, 100 % 57 min, 100 % 2 min, 100 % 100 % time constraints ✩ Sequential rule mining 1 min, 100 % 3 min, 100 % <1 min, 100 % <1 min, 100 % <1 min, 100 % ✩ Sequential rule mining with win- 2 min, 100 % 4 min, 100 % 1 min, 100 % 1 min, 100 % <1 min, 100 % dow constraints ✩ Top-K sequential rule mining 1 min, 100 % 3 min, 100 % <1 min, 100 % <1 min, 100 % <1 min, 100 % * Intel Xeon E5520, 8 threads, 16 GB RAM Sequence Mining in the Analysis of Cyber Security Alerts Page 16 / 23

  17. Lessons Learned Sequence Mining in the Analysis of Cyber Security Alerts Page 17 / 23

  18. Lessons Learned Use cases Sequential pattern mining is suitable for alert correlation , more comprehensive results than association rule mining and frequent episode mining. Sequential rule mining is suitable for attack prediction , confidence value can be directly used for predictions. Sequence Mining in the Analysis of Cyber Security Alerts Page 18 / 23

  19. Lessons Learned Performance Most methods show similar performance. Rule mining is faster than pattern mining. Feature selection makes the biggest difference. Beware of too long sequences. Positive impact of optimization on performance (also on soundness of results). Sequence Mining in the Analysis of Cyber Security Alerts Page 19 / 23

  20. Lessons Learned Soundness of the results Source–target interactions are interesting, but provide less patterns and rules than expected. Sequences with the same source are useful as they re fl ect attack progression. Sequences with the same target are hard to process and the results are not worth it. I ncluding ports in the features is de fi nitely useful. Sequence Mining in the Analysis of Cyber Security Alerts Page 20 / 23

  21. Lessons Learned Method extensions I tem intervals provide valuable information about attack timing (for the cost of computation overhead). Effects of optimizations Optimization influence performance as well as result soundness, maximal sequential pattern mining filters the results the most (pattern that are subsets of other patterns are discarded). Sequence Mining in the Analysis of Cyber Security Alerts Page 21 / 23

  22. Conclusion and Future Work Conclusion 2 use cases considered – alert correlation and attack prediction, 11 sequence mining methods were evaluated in an experiment, lessons learned were gathered and summarized in the paper, source codes available at: https://github.com/CSIRT-MU/SecAlertSeqMining Future Work Practical utilization of results – development of data mining component for SABU alert sharing platform. Detailed study of actual attack sequences from real world. Sequence Mining in the Analysis of Cyber Security Alerts Page 22 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Week 5 Video 4 Relationship Mining Sequential Pattern Mining Association Rule Mining Try to

Week 5 Video 4 Relationship Mining Sequential Pattern Mining Association Rule Mining Try to

Week 5 Video 4 Relationship Mining Sequential Pattern Mining Association Rule Mining Try to automatically find if-then rules within the data set Sequential Pattern Mining Try to automatically find temporal patterns within the data set

1.77k views • 45 slides
Mining Patterns in Sequential Data Sequential Pattern Mining: Definition Given a set of

Mining Patterns in Sequential Data Sequential Pattern Mining: Definition Given a set of

Part 2 Mining Patterns in Sequential Data Sequential Pattern Mining: Definition Given a set of sequences, where each sequence consists of a list of elements and each element consists of a set of items, and given a user- specified min_support

454 views • 32 slides
Outline ` Mining Sequential Patterns PrefixSpan: Mining Sequential Patterns Problem

Outline ` Mining Sequential Patterns PrefixSpan: Mining Sequential Patterns Problem

Outline ` Mining Sequential Patterns PrefixSpan: Mining Sequential Patterns Problem statement Efficiently by Prefix-Projected Pattern Definitions &amp; examples Growth Strategies PrefixSpan algorithm Authors: Motivation

490 views • 7 slides
Frequent Pattern Mining Frequent Sequence Mining Frequent Tree Mining Christian Borgelt

Frequent Pattern Mining Frequent Sequence Mining Frequent Tree Mining Christian Borgelt

Overview Frequent Pattern Mining comprises Frequent Item Set Mining and Association Rule Induction Frequent Pattern Mining Frequent Sequence Mining Frequent Tree Mining Christian Borgelt Frequent Graph Mining Dept. of Mathematics

1.52k views • 135 slides
CS145: INTRODUCTION TO DATA MINING Sequence Data: Sequential Pattern Mining Instructor: Yizhou

CS145: INTRODUCTION TO DATA MINING Sequence Data: Sequential Pattern Mining Instructor: Yizhou

CS145: INTRODUCTION TO DATA MINING Sequence Data: Sequential Pattern Mining Instructor: Yizhou Sun yzsun@cs.ucla.edu November 27, 2017 Methods to Learn Vector Data Set Data Sequence Data Text Data Logistic Regression; Nave Bayes for

616 views • 42 slides
Association Rule Mining 1 What Is Association Rule Mining? Association rule mining is finding

Association Rule Mining 1 What Is Association Rule Mining? Association rule mining is finding

Association Rule Mining 1 What Is Association Rule Mining? Association rule mining is finding frequent patterns or associations among sets of items or objects, usually amongst transactional data Applications include Market Basket

1.19k views • 49 slides
Automatic Sequential Pattern Mining in Data Streams Koki Kawabata*, Yasuko Matsubara &amp;

Automatic Sequential Pattern Mining in Data Streams Koki Kawabata*, Yasuko Matsubara &amp;

Automatic Sequential Pattern Mining in Data Streams Koki Kawabata*, Yasuko Matsubara &amp; Yasushi Sakurai ISIR-AIRC, Osaka University *Supported by SIGIR Student Travel Grants Motivation Given: time-evolving data streams e.g., IoT

1.48k views • 49 slides
Course Content Week 2 (March 17) and Week 3 (March 24) 33459-01 Principles of Knowledge Discovery

Course Content Week 2 (March 17) and Week 3 (March 24) 33459-01 Principles of Knowledge Discovery

Lecture 2 Course Content Week 2 (March 17) and Week 3 (March 24) 33459-01 Principles of Knowledge Discovery Introduction to Data Mining in Data Association Analysis Association Rule Mining Sequential Pattern Analysis

570 views • 13 slides
CS570 Data Mining Frequent Pattern Mining and Association Analysis 2 Cengiz Gunay Slide

CS570 Data Mining Frequent Pattern Mining and Association Analysis 2 Cengiz Gunay Slide

CS570 Data Mining Frequent Pattern Mining and Association Analysis 2 Cengiz Gunay Slide credits: Li Xiong, Jiawei Han and Micheline Kamber George Kollios 1 Mining Frequent Patterns and Association Analysis Basic concepts Efficient and

766 views • 49 slides
Association Rules Extracting Patterns from Large Data Sets Content Introduction to Pattern

Association Rules Extracting Patterns from Large Data Sets Content Introduction to Pattern

Association Rules Extracting Patterns from Large Data Sets Content Introduction to Pattern and Rule Analysis A-priori Algorithm Generalized Rule Induction Sequential Patterns Other WEKA algorithms Outlook Introduction

303 views • 11 slides
CS570 Introduction to Data Mining Frequent Pattern Mining and Association Analysis Cengiz Gunay

CS570 Introduction to Data Mining Frequent Pattern Mining and Association Analysis Cengiz Gunay

CS570 Introduction to Data Mining Frequent Pattern Mining and Association Analysis Cengiz Gunay Partial slide credits: Li Xiong, Jiawei Han and Micheline Kamber George Kollios 1 Mining Frequent Patterns, Association and Correlations Basic

505 views • 25 slides
Introduction to Data Mining Frequent Pattern Mining and Association Analysis Li Xiong Slide

Introduction to Data Mining Frequent Pattern Mining and Association Analysis Li Xiong Slide

Introduction to Data Mining Frequent Pattern Mining and Association Analysis Li Xiong Slide credits: Jiawei Han and Micheline Kamber George Kollios 1 Mining Frequent Patterns, Association and Correlations Basic concepts Frequent

897 views • 74 slides
Introduction to Data Mining Frequent Pattern Mining and Association Analysis Li Xiong Slide

Introduction to Data Mining Frequent Pattern Mining and Association Analysis Li Xiong Slide

Introduction to Data Mining Frequent Pattern Mining and Association Analysis Li Xiong Slide credits: Jiawei Han and Micheline Kamber George Kollios 1 Mining Frequent Patterns, Association and Correlations Basic concepts Frequent

889 views • 59 slides
Stream Sequential Pattern Mining with Precise Error Bounds Luiz F. Mendes 1,2 Bolin Ding 1 Jiawei

Stream Sequential Pattern Mining with Precise Error Bounds Luiz F. Mendes 1,2 Bolin Ding 1 Jiawei

Stream Sequential Pattern Mining with Precise Error Bounds Luiz F. Mendes 1,2 Bolin Ding 1 Jiawei Han 1 1 University of Illinois at Urbana-Champaign 2 Google Inc. lmendes@google.com {bding3,hanj}@illinois.edu 1 Outline Introduction

706 views • 34 slides
Association rule mining Association rule induction: Originally designed for market basket analysis

Association rule mining Association rule induction: Originally designed for market basket analysis

Association rule mining Association rule induction: Originally designed for market basket analysis . Aims at finding patterns in the shopping behavior of customers of supermarkets, mail-order companies, on-line shops etc. More specifically: Find

378 views • 34 slides
Relationship Mining Association Rule Mining Association Rule Mining Try to automatically find

Relationship Mining Association Rule Mining Association Rule Mining Try to automatically find

Week 5 Video 3 Relationship Mining Association Rule Mining Association Rule Mining Try to automatically find simple if-then rules within the data set Example Famous (and fake) example: People who buy more diapers buy more beer

671 views • 45 slides
Mammoth Scale Machine Learning Speaker: Robin Anil, Apache Mahout PMC Member OSCON 10

Mammoth Scale Machine Learning Speaker: Robin Anil, Apache Mahout PMC Member OSCON 10

Mammoth Scale Machine Learning Speaker: Robin Anil, Apache Mahout PMC Member OSCON 10 Portland, OR July 2010 Quick Show of Hands Are you fascinated about ML? Have you used ML? Do you have Gigabytes

431 views • 42 slides
Parallel Thinking * Guy Blelloch Carnegie Mellon University * PROBE as part of the Center for

Parallel Thinking * Guy Blelloch Carnegie Mellon University * PROBE as part of the Center for

Parallel Thinking * Guy Blelloch Carnegie Mellon University * PROBE as part of the Center for Computational Thinking PPoPP, 2/16/2009 1 Andrew Chien, 2008 PPoPP, 2/16/2009 2 Parallel Thinking How to deal with teaching parallelism? Option I :

730 views • 37 slides
Top-K Sequential Patterns Philippe Fournier-Viger 1 , Antonio Gomariz 2 , Ted Gueniche 1 ,

Top-K Sequential Patterns Philippe Fournier-Viger 1 , Antonio Gomariz 2 , Ted Gueniche 1 ,

TKS: Efficient Mining of Top-K Sequential Patterns Philippe Fournier-Viger 1 , Antonio Gomariz 2 , Ted Gueniche 1 , Esprance Mwamikazi 1 , Rincy Thomas 3 1 University of Moncton, Canada 2 University of Murcia, Spain 3 Sha-Shib College of

627 views • 26 slides
Zolgensma Approval and Access June 2019 After Approval - Access 1. Key Issues: A. Sites and

Zolgensma Approval and Access June 2019 After Approval - Access 1. Key Issues: A. Sites and

Zolgensma Approval and Access June 2019 After Approval - Access 1. Key Issues: A. Sites and capacity B. Insurance coverage C. Data 2. Broader Approval: A. Label vs Trials B. FDA did more than usual again (extrapolated for SMA) 3. Rules and

527 views • 17 slides
Observational Methods and NATM NATM System for Observational approach to tunnel design Eurocode

Observational Methods and NATM NATM System for Observational approach to tunnel design Eurocode

Observational Methods and NATM NATM System for Observational approach to tunnel design Eurocode 7 (EC7) includes the following remarks concerning an observational method. Four requirements shall all be made before construction is started:

789 views • 50 slides
Introduction This article discusses the development of standards for user-centred design and

Introduction This article discusses the development of standards for user-centred design and

Introduction This article discusses the development of standards for user-centred design and the implications of their application, it also discusses the outcomes challenges of the process standard for user-centred design. Key words: By

483 views • 12 slides
New ways of teaching DockSideProject Cambodia: 30. + 31.10. 2018 Judith Andrea Parus 1 October

New ways of teaching DockSideProject Cambodia: 30. + 31.10. 2018 Judith Andrea Parus 1 October

DEPARTMENT OF SOCIOLOGY, ENVIRONMENTAL AND BUSINESS ECONOMICS DEPARTMENT OF SOCIOLOGY, ENVIRONMENTAL AND BUSINESS ECONOMICS New ways of teaching DockSideProject Cambodia: 30. + 31.10. 2018 Judith Andrea Parus 1 October 2018 1 2 Judith

1.77k views • 92 slides
Counting the Population M More Accurately using A t l i Administrative Data Administrative

Counting the Population M More Accurately using A t l i Administrative Data Administrative

Counting the Population M More Accurately using A t l i Administrative Data Administrative Data Understanding Population Trends and Processes: Building Capacity through User-Academic Collaboration City Hall, London 9 October 2009 9

708 views • 31 slides

More recommend