TY - GEN
T1 - Which packet did they catch? Associating NIDS alerts with their communication sessions
AU - Ishibashi, Ryosuke
AU - Goto, Hiroki
AU - Han, Chansu
AU - Ban, Tao
AU - Takahashi, Takeshi
AU - Takeuchi, Jun'ichi
N1 - Funding Information:
This research was conducted under the “MITIGATE” contract within “Research and Development for Expansion of Radio Wave Resources (JPJ000254)”, supported by the Ministry of Internal Affairs and Communications, Japan.
Publisher Copyright:
© 2021 IEEE.
PY - 2021/8
Y1 - 2021/8
N2 - Virtually every enterprise network has deployed network intrusion detection systems (NIDSes) for security threat detection, prevention, and response. To defend against cyberattacks of increasing diversity and intensity, there is a pressing need for an artificial intelligence (AI)-powered NIDS that unifies the strengths of existing solutions. In this paper, we explore the feasibility of leveraging existing security solutions to generate labeled datasets that facilitate the development of such an advanced AI-powered NIDS. Proper labels are assigned to the communication sessions that deployed NIDSes flag as suspicious in the following steps. First, from the captured packet file, we locate the communication sessions that trigger the detection rules of the deployed NIDSes. Second, for each located session, we investigate the causal factors in its packets and assign it a unified alert-type label, taking into account the information presented in the multiple NIDS alerts associated with it. Finally, we output the packet data of the investigated sessions together with their alert-type labels, which serve as input to AI-powered analysis engines. We present case studies that apply the proposed method to tasks such as creating labeled NIDS datasets, comparing the performance of different NIDSes, and automating the security triage process.
AB - Virtually every enterprise network has deployed network intrusion detection systems (NIDSes) for security threat detection, prevention, and response. To defend against cyberattacks of increasing diversity and intensity, there is a pressing need for an artificial intelligence (AI)-powered NIDS that unifies the strengths of existing solutions. In this paper, we explore the feasibility of leveraging existing security solutions to generate labeled datasets that facilitate the development of such an advanced AI-powered NIDS. Proper labels are assigned to the communication sessions that deployed NIDSes flag as suspicious in the following steps. First, from the captured packet file, we locate the communication sessions that trigger the detection rules of the deployed NIDSes. Second, for each located session, we investigate the causal factors in its packets and assign it a unified alert-type label, taking into account the information presented in the multiple NIDS alerts associated with it. Finally, we output the packet data of the investigated sessions together with their alert-type labels, which serve as input to AI-powered analysis engines. We present case studies that apply the proposed method to tasks such as creating labeled NIDS datasets, comparing the performance of different NIDSes, and automating the security triage process.
UR - http://www.scopus.com/inward/record.url?scp=85116735700&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85116735700&partnerID=8YFLogxK
U2 - 10.1109/AsiaJCIS53848.2021.00012
DO - 10.1109/AsiaJCIS53848.2021.00012
M3 - Conference contribution
AN - SCOPUS:85116735700
T3 - Proceedings - 2021 16th Asia Joint Conference on Information Security, AsiaJCIS 2021
SP - 9
EP - 16
BT - Proceedings - 2021 16th Asia Joint Conference on Information Security, AsiaJCIS 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 16th Asia Joint Conference on Information Security, AsiaJCIS 2021
Y2 - 19 August 2021 through 20 August 2021
ER -
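The three-step procedure summarised in the abstract (locate the sessions that triggered alerts, merge the alerts of several NIDSes into one unified label per session, emit session packets with their label) is illustrated below in an added Python example. It is not code from the paper or its authors: the packet and alert records, the two sensor names, the category-to-label table and the priority order are all constructed assumptions, and sessions are approximated as bidirectional 5-tuple flows split on an idle timeout rather than by full TCP state tracking. The example also shows the two cases a practitioner has to handle that the abstract does not spell out: an alert whose 5-tuple matches no captured session, and a session with alerts from both sensors that must resolve to a single label.

```python
from dataclasses import dataclass, field

# Sessions are keyed by a direction-independent 5-tuple so that an alert
# raised on the reply direction still lands in the same session.
@dataclass(frozen=True)
class FlowKey:
    proto: str
    a: tuple   # (ip, port) of the lexically smaller endpoint
    b: tuple   # (ip, port) of the other endpoint

def flow_key(proto, src, sport, dst, dport):
    ends = sorted([(src, sport), (dst, dport)])
    return FlowKey(proto, ends[0], ends[1])

@dataclass
class Session:
    key: FlowKey
    packets: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    @property
    def start(self):
        return self.packets[0]["ts"]

    @property
    def end(self):
        return self.packets[-1]["ts"]

def build_sessions(packets, idle_timeout=60.0):
    """Step 1: group captured packets into sessions. A gap longer than
    idle_timeout on the same 5-tuple starts a new session (assumed cut-off)."""
    sessions, open_by_key = [], {}
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        k = flow_key(pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        s = open_by_key.get(k)
        if s is None or pkt["ts"] - s.end > idle_timeout:
            s = Session(k)
            sessions.append(s)
            open_by_key[k] = s
        s.packets.append(pkt)
    return sessions

def associate_alerts(sessions, alerts, slack=1.0):
    """Attach each alert to the session with the same 5-tuple whose time span
    covers the alert timestamp (slack absorbs sensor clock skew, assumed).
    Alerts that match no captured session are returned for manual review."""
    unmatched = []
    for al in alerts:
        k = flow_key(al["proto"], al["src"], al["sport"], al["dst"], al["dport"])
        cands = [s for s in sessions
                 if s.key == k and s.start - slack <= al["ts"] <= s.end + slack]
        if not cands:
            unmatched.append(al)
            continue
        min(cands, key=lambda s: abs(s.start - al["ts"])).alerts.append(al)
    return unmatched

# Hypothetical mapping from each sensor's own category to a unified label,
# and the order used when one session carries conflicting labels.
UNIFIED_LABEL = {
    ("sensorA", "Web Application Attack"): "web-attack",
    ("sensorA", "Attempted Administrator Privilege Gain"): "exploit",
    ("sensorB", "exploit"): "exploit",
    ("sensorB", "scan"): "recon",
}
PRIORITY = ["exploit", "web-attack", "recon", "unknown"]

def unified_label(session):
    """Step 2: one alert-type label per session from all its alerts."""
    labels = {UNIFIED_LABEL.get((a["sensor"], a["category"]), "unknown")
              for a in session.alerts}
    return min(labels, key=PRIORITY.index) if labels else None

def label_sessions(packets, alerts):
    """Step 3: return (session, label) pairs for every alerted session plus
    the alerts that could not be tied to any captured session."""
    sessions = build_sessions(packets)
    unmatched = associate_alerts(sessions, alerts)
    return [(s, unified_label(s)) for s in sessions if s.alerts], unmatched

def _pkt(ts, src, sport, dst, dport, proto="tcp"):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

# Constructed capture: two flows from 10.0.0.5 to 192.0.2.10, the first one
# re-appearing after a long gap so it becomes a third session.
PACKETS = [
    _pkt(100.0, "10.0.0.5", 43210, "192.0.2.10", 80),
    _pkt(100.1, "192.0.2.10", 80, "10.0.0.5", 43210),
    _pkt(100.3, "10.0.0.5", 43210, "192.0.2.10", 80),
    _pkt(200.0, "10.0.0.5", 43211, "192.0.2.10", 22),
    _pkt(200.2, "192.0.2.10", 22, "10.0.0.5", 43211),
    _pkt(500.0, "10.0.0.5", 43210, "192.0.2.10", 80),
]
# Constructed alerts from two sensors; the last one has no matching packets.
ALERTS = [
    dict(_pkt(100.2, "10.0.0.5", 43210, "192.0.2.10", 80), sensor="sensorA", category="Web Application Attack"),
    dict(_pkt(100.25, "192.0.2.10", 80, "10.0.0.5", 43210), sensor="sensorB", category="exploit"),
    dict(_pkt(200.1, "10.0.0.5", 43211, "192.0.2.10", 22), sensor="sensorB", category="scan"),
    dict(_pkt(300.0, "10.0.0.5", 43212, "192.0.2.10", 443), sensor="sensorA", category="Web Application Attack"),
]

if __name__ == "__main__":
    labeled, unmatched = label_sessions(PACKETS, ALERTS)
    for s, lab in labeled:
        print(s.key, len(s.packets), "packets", len(s.alerts), "alerts ->", lab)
    print("unmatched alerts:", len(unmatched))
```

Because the labeled output keeps the session's packets together with every contributing alert, the same structure serves all three uses named in the abstract: the (packets, label) pairs form the training set, the per-sensor alert lists let one compare which NIDS fired on which session, and the unmatched list is the triage queue of alerts that could not be explained by the capture.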