With cyber incidents and data breaches becoming increasingly common, being able to predict a cyberattack has never been more crucial. The ability of Network Anomaly Detection Systems (NADS) to identify unusual behavior makes them useful in predicting such attacks. However, NADS often suffer from high false positive rates. In this paper, we introduce a novel framework called Honeyboost that enhances the performance of honeypot-aided NADS. Using data from the LAN Security Monitoring Project, Honeyboost identifies most anomalous nodes before they access the honeypot, aiding early detection and prediction. Furthermore, using extreme value theory, we achieve the highly desirable low false positive rates. Honeyboost is an unsupervised method comprising two approaches: horizontal and vertical. The horizontal approach constructs a time series from the communications of each node, with node-level features encapsulating its behavior over time. The vertical approach finds anomalies in each protocol space. Using a window-based model of the kind typically used in online scenarios, the horizontal and vertical approaches are combined to identify anomalies and gain useful insights. Experimental results indicate the efficacy of our framework in identifying suspicious activities of nodes.
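To make the horizontal/vertical split and the extreme-value-theory threshold concrete, here is an added illustrative sketch; it is not the Honeyboost code or the paper's actual feature set. The protocol names, the per-node traffic model, the node-level feature (total volume per window) and the peaks-over-threshold fit are constructed assumptions for the example.

```python
import math
import random
import statistics
PROTOCOLS = ("dns", "http", "ssh", "smb")

def synthetic_traffic(n_nodes=20, n_windows=60, seed=1):
    """Constructed input: kilobytes sent per protocol for each (window, node) pair."""
    rng = random.Random(seed)
    traffic = {}
    for w in range(n_windows):
        for node in range(n_nodes):
            row = {p: max(0.0, rng.gauss(10, 2)) for p in PROTOCOLS}
            if node == 7 and w >= 50:       # the planted anomaly: node 7 floods SSH late on
                row["ssh"] += 40.0
            traffic[(w, node)] = row
    return traffic

def zscore(x, sample):
    sd = statistics.pstdev(sample)
    return abs(x - statistics.mean(sample)) / sd if sd > 0 else 0.0

def window_scores(traffic, train_end):
    """Horizontal: node total vs its own history; vertical: per-protocol volume vs all nodes."""
    nodes = sorted({n for _, n in traffic})
    horiz = {n: [sum(traffic[(w, n)].values()) for w in range(train_end)] for n in nodes}
    vert = {p: [traffic[(w, n)][p] for w in range(train_end) for n in nodes] for p in PROTOCOLS}
    return {(w, n): max(zscore(sum(row.values()), horiz[n]),
                        max(zscore(row[p], vert[p]) for p in PROTOCOLS))
            for (w, n), row in traffic.items()}

def evt_threshold(scores, q=0.01, init_quantile=0.9):
    """Peaks-over-threshold: fit a generalised Pareto distribution (method of moments) to the
    exceedances above a high initial level; return the score exceeded with probability q."""
    xs = sorted(scores)
    u = xs[int(init_quantile * len(xs))]
    y = [x - u for x in xs if x > u]
    var = statistics.pvariance(y) if len(y) > 1 else 0.0
    if var == 0:
        return u
    n, nt, m = len(xs), len(y), statistics.mean(y)
    xi = 0.5 * (1 - m * m / var)            # GPD shape
    sigma = 0.5 * m * (m * m / var + 1)     # GPD scale
    if abs(xi) < 1e-6:                      # exponential-tail limit
        return u + sigma * math.log(nt / (q * n))
    return u + (sigma / xi) * ((q * n / nt) ** (-xi) - 1)

def detect(traffic, train_end=40, q=0.01):
    scores = window_scores(traffic, train_end)   # calibrate on training windows only
    thr = evt_threshold([s for (w, _), s in scores.items() if w < train_end], q)
    return thr, {k for k, s in scores.items() if k[0] >= train_end and s > thr}
```

The threshold is derived from the tail fit rather than picked by hand, so the target false positive rate q is what you tune; `detect` flags the planted SSH flood in every window after 50 while leaving most benign pairs alone.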