Which packet did they catch? Associating NIDS alerts with their communication sessions

Ryosuke Ishibashi, Hiroki Goto, Chansu Han, Tao Ban, Takeshi Takahashi, Jun'ichi Takeuchi

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Virtually every enterprise network has deployed network intrusion detection systems (NIDSes) for security threat detection, prevention, and response. To defend against cyberattacks of increasing diversity and intensity, there is a pressing need for an artificial intelligence (AI)-powered NIDS that unifies the strengths of existing solutions. In this paper, we explore the feasibility of leveraging existing security solutions to generate labeled datasets that can facilitate the development of such an advanced AI-powered NIDS. Assigning proper labels to communication sessions that deployed NIDSes flag as suspicious is carried out in the following steps. First, from the captured packet file, we locate the communication sessions that trigger the detection rules of the deployed NIDSes. Second, for each located session, we investigate the causal factors in its packets and assign it a unified alert-type label, taking into account the information presented in the multiple NIDS alerts associated with it. Finally, we output the packet data of the investigated sessions together with their alert-type labels, which serve as input to AI-powered analysis engines. We present case studies applying the proposed method to tasks such as creating labeled NIDS datasets, comparing the performance of different NIDSes, and automating the security triage process.
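The three steps in the abstract (locate the sessions that fired rules, merge the alerts on each session into one label, emit labeled session data) can be sketched end to end. The following Python is an added illustration written for this page, not code from the paper or its authors; it assumes that packets and NIDS alerts have already been exported as records carrying a timestamp and a 5-tuple, and the idle timeout, the category names, the priority policy and all sample records are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Idle gap after which a reused 5-tuple is treated as a new session (assumed value).
SESSION_TIMEOUT = 60.0

# Ranking used to pick one unified label when several NIDS alerts hit the same
# session (constructed policy; the paper's own unification rules are not reproduced).
LABEL_PRIORITY = {"malware-cnc": 3, "exploit": 2, "scan": 1, "policy": 0}


@dataclass(frozen=True)
class Packet:
    ts: float; src: str; sport: int; dst: str; dport: int; proto: str; length: int


@dataclass(frozen=True)
class Alert:
    sensor: str  # which NIDS raised the alert
    ts: float; src: str; sport: int; dst: str; dport: int; proto: str
    signature: str; category: str


def session_key(proto, a_ip, a_port, b_ip, b_port):
    """Direction-independent key so both halves of a flow map to one session."""
    ends = sorted([(a_ip, a_port), (b_ip, b_port)])
    return (proto, ends[0], ends[1])


def build_sessions(packets):
    """Step 1: group packets into sessions by 5-tuple, splitting on idle timeout."""
    sessions, open_by_key = [], {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = session_key(p.proto, p.src, p.sport, p.dst, p.dport)
        s = open_by_key.get(key)
        if s is None or p.ts - s["last"] > SESSION_TIMEOUT:
            s = {"key": key, "first": p.ts, "last": p.ts, "packets": [], "alerts": []}
            sessions.append(s)
            open_by_key[key] = s
        s["packets"].append(p)
        s["last"] = p.ts
    return sessions


def attach_alerts(sessions, alerts):
    """Step 2a: map each alert to the session whose 5-tuple and time window contain it.
    Alerts that match no session are returned for follow-up (sensor clock skew,
    capture gaps, or traffic the capture never saw)."""
    by_key = defaultdict(list)
    for s in sessions:
        by_key[s["key"]].append(s)
    unmatched = []
    for a in alerts:
        key = session_key(a.proto, a.src, a.sport, a.dst, a.dport)
        hit = next((s for s in by_key.get(key, [])
                    if s["first"] <= a.ts <= s["last"] + SESSION_TIMEOUT), None)
        if hit is None:
            unmatched.append(a)
        else:
            hit["alerts"].append(a)
    return unmatched


def unify_label(alerts):
    """Step 2b: collapse the (possibly conflicting) alerts on one session into one label."""
    if not alerts:
        return "benign-no-alert"
    return max(alerts, key=lambda a: LABEL_PRIORITY.get(a.category, -1)).category


def label_sessions(packets, alerts):
    """Step 3: emit per-session packet summary plus its unified alert-type label."""
    sessions = build_sessions(packets)
    unmatched = attach_alerts(sessions, alerts)
    labeled = [{
        "key": s["key"],
        "packets": len(s["packets"]),
        "bytes": sum(p.length for p in s["packets"]),
        "sensors": sorted({a.sensor for a in s["alerts"]}),
        "signatures": sorted({a.signature for a in s["alerts"]}),
        "label": unify_label(s["alerts"]),
    } for s in sessions]
    return labeled, unmatched


# Constructed sample capture: three sessions, the third reusing the first 5-tuple
# after the idle timeout so it must be split into its own session.
SAMPLE_PACKETS = [
    Packet(100.0, "10.0.0.5", 51234, "203.0.113.7", 80, "tcp", 60),
    Packet(101.0, "203.0.113.7", 80, "10.0.0.5", 51234, "tcp", 1400),
    Packet(102.0, "10.0.0.5", 51234, "203.0.113.7", 80, "tcp", 60),
    Packet(150.0, "10.0.0.5", 51235, "198.51.100.9", 443, "tcp", 60),
    Packet(151.0, "198.51.100.9", 443, "10.0.0.5", 51235, "tcp", 1200),
    Packet(300.0, "10.0.0.5", 51234, "203.0.113.7", 80, "tcp", 60),
    Packet(301.0, "203.0.113.7", 80, "10.0.0.5", 51234, "tcp", 60),
]
# Constructed alerts from two hypothetical sensors; signature names are placeholders.
SAMPLE_ALERTS = [
    Alert("sensorA", 101.5, "203.0.113.7", 80, "10.0.0.5", 51234, "tcp", "SIG-A-1001 suspicious HTTP response", "exploit"),
    Alert("sensorB", 102.0, "10.0.0.5", 51234, "203.0.113.7", 80, "tcp", "SIG-B-7 plaintext HTTP policy", "policy"),
    Alert("sensorA", 300.5, "10.0.0.5", 51234, "203.0.113.7", 80, "tcp", "SIG-A-2002 probe", "scan"),
    Alert("sensorB", 500.0, "192.0.2.1", 4444, "10.0.0.5", 22, "tcp", "SIG-B-9 ssh scan", "scan"),  # no session in capture
]

if __name__ == "__main__":
    labeled, unmatched = label_sessions(SAMPLE_PACKETS, SAMPLE_ALERTS)
    for row in labeled:
        print(row)
    print("unmatched alerts:", [(a.sensor, a.signature) for a in unmatched])
```

The first session ends up labeled "exploit" even though a second sensor only raised a "policy" alert on it, which is the unification the abstract describes; the unmatched list is the check a practitioner wants, since an alert with no session in the capture usually means the alert source and the packet capture did not see the same traffic.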

Original language: English
Title of host publication: Proceedings - 2021 16th Asia Joint Conference on Information Security, AsiaJCIS 2021
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 9-16
Number of pages: 8
ISBN (Electronic): 9781665417884
DOIs
Publication status: Published - Aug 2021
Event: 16th Asia Joint Conference on Information Security, AsiaJCIS 2021 - Seoul, Korea, Republic of
Duration: Aug 19 2021 to Aug 20 2021

Publication series

Name: Proceedings - 2021 16th Asia Joint Conference on Information Security, AsiaJCIS 2021

Conference

Conference: 16th Asia Joint Conference on Information Security, AsiaJCIS 2021
Country/Territory: Korea, Republic of
City: Seoul
Period: 8/19/21 to 8/20/21

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
