Academic Journal

Stream clustering guided supervised learning for classifying NIDS alerts.

Bibliographic details
Title: Stream clustering guided supervised learning for classifying NIDS alerts.
Authors: Vaarandi, Risto1 (AUTHOR) risto.vaarandi@taltech.ee, Guerra-Manzanares, Alejandro2 (AUTHOR) alejandro.guerra@nyu.edu
Source: Future Generation Computer Systems. Jun2024, Vol. 155, p231-244. 14p.
Subject terms: *BOTNETS, *SECURITIES analysts, *CYBERTERRORISM, SUPERVISED learning, MACHINE learning, HUMAN security
Abstract: A Network Intrusion Detection System (NIDS) is a network monitoring technology for identifying cyber attacks, botnet command and control traffic, and other unwanted network activity. Unfortunately, organizational NIDS solutions can often generate tens or hundreds of thousands of alerts on a daily basis, with a significant part of them having low importance or being false positives. Therefore, high priority alerts become hard to spot, which overloads security analysts and complicates their work. The current paper addresses this problem and introduces a machine learning framework for classifying NIDS alerts with the help of stream clustering and supervised learning. We propose a stream-clustering-guided method for creating labeled NIDS alert data sets. The small data sets created using this method can be used for training high-performance supervised NIDS alert classifiers. This significantly reduces the human labeling effort and eases the application of supervised machine learning for NIDS alert classification. The proposed machine learning framework was evaluated on NIDS alerts collected over 2 months from the network of a large academic organization. The experimental results indicate that combining stream clustering and supervised learning into a NIDS alert classification framework significantly decreases the number of false positives, and thus reduces the workload of human security analysts. The framework also features low CPU time and memory consumption and can thus be run on commodity hardware. In conclusion, the proposed framework provides a cost-effective means of integrating machine learning into Security Operation Centers (SOCs). This enables the identification of critical NIDS alerts using high-performance classifiers, thereby assisting in the automation of alert handling tasks for SOC personnel. To address the lack of public data sets in the problem domain and foster further research, we publicly share the large labeled NIDS alert data set used in our experimental setup.
• Novel NIDS alert processing framework.
• The pipeline of low-cost unsupervised stream clustering and supervised machine learning.
• Method for the creation of labeled NIDS alert training data sets.
• Large publicly available NIDS alert data set.
[ABSTRACT FROM AUTHOR]
Database: Business Source Index
Description
ISSN: 0167739X
DOI:10.1016/j.future.2024.01.032