http://dx.doi.org/10.3837/tiis.2020.12.016

Semi-supervised based Unknown Attack Detection in EDR Environment  

Hwang, Chanwoong (Department of Information Security, Hoseo University)
Kim, Doyeon (Department of Information Security, Hoseo University)
Lee, Taejin (Department of Information Security, Hoseo University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.14, no.12, 2020, pp. 4909-4926
Abstract
Cyberattacks penetrate the server and perform various malicious acts such as stealing confidential information, destroying systems, and exposing personal information. To achieve this, attackers carry out their malicious actions by infecting endpoints and then accessing the internal network. However, the current countermeasures are only anti-viruses that operate on signatures or patterns, which lets initial unknown attacks through. Endpoint Detection and Response (EDR) technology is focused on providing visibility, and strong countermeasures are lacking. If the initial attack is not stopped, a later response is difficult, because malicious behavior such as an Advanced Persistent Threat (APT) attack does not occur immediately but unfolds over a long period of time. In this paper, we propose a technique that detects an unknown attack from an event log without prior knowledge, even when the initial anti-virus response has failed. The proposed technique uses a combination of an AutoEncoder and a 1D CNN (1-Dimensional Convolutional Neural Network) based on semi-supervised learning. The experiment trained on a dataset collected over one month in a real-world commercial endpoint environment and tested on the data collected over the following month. As a result, 37 unknown attacks were detected in the event log collected for one month in the actual commercial endpoint environment, and 26 of them were verified as malicious through VirusTotal (VT). In the future, the proposed model is expected to be applied to EDR technology to form a secure endpoint environment and to reduce the time and labor costs of effectively detecting unknown attacks.
Keywords
Endpoint Security; EDR; Unknown Attack Detection; AutoEncoder; 1D CNN
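The semi-supervised reconstruction-error idea behind the abstract, as an added example that is not the paper's code or dataset: a linear autoencoder (fit in closed form as PCA; the paper's 1D CNN stage is not reproduced) is trained only on unlabeled, assumed-benign month-1 event features, the alert threshold is taken from the benign error distribution rather than from any attack sample, and month-2 events above it are flagged as unknown. The feature names, the constructed event generator and the two injected anomalies are assumptions.

```python
import numpy as np

# Feature vector for one endpoint event (constructed, not the paper's schema):
# (cmdline_len, child_procs, net_conns, bytes_out_kb)

def constructed_month(n, rng):
    """Constructed benign endpoint events: one latent 'activity level' drives all
    four features, so benign data lie near a 1-D manifold plus small noise."""
    activity = rng.uniform(0.5, 2.0, size=(n, 1))
    base = np.array([[40.0, 2.0, 3.0, 60.0]])
    noise = rng.standard_normal((n, 4)) * np.array([[2.0, 0.2, 0.2, 3.0]])
    return activity * base + noise

def reconstruction_error(model, X):
    """Encode to the latent space and decode back; the squared residual is the anomaly score."""
    z = (X - model["mean"]) / model["std"]
    recon = (z @ model["comps"].T) @ model["comps"]
    return ((z - recon) ** 2).sum(axis=1)

def fit(train, k=1, quantile=0.995):
    """Semi-supervised fit: only unlabeled month-1 events (assumed mostly benign), no attack labels.
    A linear autoencoder with k latent units is equivalent to PCA, so it is fit in closed form via SVD."""
    mean, std = train.mean(axis=0), train.std(axis=0) + 1e-9
    _, _, vt = np.linalg.svd((train - mean) / std, full_matrices=False)
    model = {"mean": mean, "std": std, "comps": vt[:k]}
    # Threshold comes from the benign training error distribution, not from any attack sample.
    model["threshold"] = float(np.quantile(reconstruction_error(model, train), quantile))
    return model

def detect(model, X):
    """Indices of events whose reconstruction error exceeds the learned threshold."""
    return np.flatnonzero(reconstruction_error(model, X) > model["threshold"]).tolist()

def demo():
    """Train on month 1, score month 2 plus two constructed 'unknown' events."""
    rng = np.random.default_rng(7)
    month1 = constructed_month(600, rng)          # training month, unlabeled
    month2 = constructed_month(100, rng)          # next month, benign part
    # Two constructed events that break the benign correlation structure:
    beacon = [40.0, 2.0, 80.0, 20.0]               # many connections, almost no data out
    long_cmd = [900.0, 0.0, 3.0, 60.0]             # very long command line, no child processes
    test = np.vstack([month2, [beacon, long_cmd]])
    model = fit(month1)
    return detect(model, test), len(test)

if __name__ == "__main__":
    flagged, n = demo()
    print(f"flagged {len(flagged)} of {n} events: {flagged}")
```

The flagged events are candidates for analyst triage (the abstract's VirusTotal check), not verdicts; the quantile controls the expected false-positive rate on benign traffic.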