Abstract
Computer network intrusions are of increasing concern to governments, companies, and other institutions. While technologies such as Intrusion Detection Systems (IDS) are growing in sophistication and adoption, early warning of intrusion attempts could help cybersecurity practitioners put defenses in place early and mitigate the effects of cyberattacks. It is widely known that cyberattacks progress through stages, which suggests that forecasting network intrusions may be possible if we are able to identify certain precursors. Despite this potential, forecasting intrusions remains a difficult problem. By leveraging the rapidly growing and widely varying data available from network monitoring and Security Information and Event Management (SIEM) systems, as well as recent advances in deep learning, we introduce a novel intrusion forecasting application. Using six months of data from a real, large organization, we demonstrate that this provides improved intrusion forecasting accuracy compared to existing methods.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
References
Althubiti, S.A., Jones, E.M., Roy, K.: LSTM for anomaly-based network intrusion detection. In: 2018 28th International Telecommunication Networks and Applications Conference (ITNAC), pp. 1–3. IEEE (2018)
Bengio, Y., Frasconi, P., Simard, P.: The problem of learning long-term dependencies in recurrent networks. In: IEEE International Conference on Neural Networks, pp. 1183–1188. IEEE (1993)
Filonov, P., Lavrentyev, A., Vorontsov, A.: Multivariate industrial time series with cyber-attack simulation: fault detection using an LSTM-based predictive data model. arXiv preprint arXiv:1612.06676 (2016)
Goyal, P., et al.: Discovering signals from web sources to predict cyber attacks. arXiv preprint arXiv:1806.03342 (2018)
Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)
Hutchins, E.M., Cloppert, M.J., Amin, R.M.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In: Leading Issues in Information Warfare & Security Research, vol. 1, no. 1, p. 80 (2011)
Hyndman, R., Khandakar, Y.: Automatic time series forecasting: the forecast package for r 7, 2008 (2007). http://www.jstatsoft.org/v27/i03
Kaspersky: DDoS Breach Costs Rise to over $2M for Enterprises finds Kaspersky Lab Report | Kaspersky. https://usa.kaspersky.com/about/press-releases/2018_ddos-breach-costs-rise-to-over-2m-for-enterprises-finds-kaspersky-lab-report
Khan, M.A., Karim, M., Kim, Y., et al.: A scalable and hybrid intrusion detection system based on the convolutional-LSTM network. Symmetry 11(4), 583 (2019)
Kim, G., Yi, H., Lee, J., Paek, Y., Yoon, S.: LSTM-based system-call language modeling and robust ensemble method for designing host-based intrusion detection systems. arXiv preprint arXiv:1611.01726 (2016)
Memory, A., Mueller, W.G.: Sensor fusion and structured prediction for cyberattack event networks. In: 15th International Workshop on Mining and Learning with Graphs (MLG) (2019)
Mirza, A.H., Cosan, S.: Computer network intrusion detection using sequential LSTM neural networks autoencoders. In: 2018 26th Signal Processing and Communications Applications Conference (SIU), pp. 1–4. IEEE (2018)
Mueller, W.G., Memory, A., Bartrem, K.: Causal discovery of cyber attack phases. In: 2019 18th IEEE International Conference On Machine Learning And Applications (ICMLA), pp. 1348–1352. IEEE (2019)
Okutan, A., Yang, S.J., McConky, K.: Forecasting cyber attacks with imbalanced data sets and different time granularities. arXiv preprint arXiv:1803.09560 (2018)
Okutan, A., Yang, S.J., McConky, K., Werner, G.: Capture: cyberattack forecasting using non-stationary features with time lags. In: 2019 IEEE Conference on Communications and Network Security (CNS), pp. 205–213. IEEE (2019)
Perera, I., Hwang, J., Bayas, K., Dorr, B., Wilks, Y.: Cyberattack prediction through public text analysis and mini-theories. In: 2018 IEEE International Conference on Big Data (Big Data), pp. 3001–3010. IEEE (2018)
Ponemon Institute: 2018 cost of a data breach study: global overview. Technical report, Ponemon Institute LLC (2018)
Sarkar, S., Almukaynizi, M., Shakarian, J., Shakarian, P.: Predicting enterprise cyber incidents using social network analysis on dark web hacker forums. In: International Conference on Cyber Conflict (CYCON U.S.), 14-15 November 2018, Cyber Conflict During Competition, pp. 87–102 (2019). The Cyber Defense Review, Special Edition
Simonyan, K., Vedaldi, A., Zisserman, A.: Deep inside convolutional networks: visualising image classification models and saliency maps. arXiv preprint arXiv:1312.6034 (2013)
Tavabi, N., Abeliuk, A., Mokhberian, N., Abramson, J., Lerman, K.: Challenges in forecasting malicious events from incomplete data. In: Companion Proceedings of the Web Conference 2020, pp. 603–610 (2020)
Acknowledgments
Development of the datasets described in this paper was part of the ELLIPSE project. Exploiting Leading Indicators Latent Indicators in Predictive Sensor Environments (ELLIPSE) was supported by the Office of the Director of National Intelligence (ODNI) and the Intelligence Advanced Research Projects Activity (IARPA) via the Air Force Research Laboratory (AFRL) contract number FA8750-16-C-0114. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon.
Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ODNI, IARPA, AFRL, or the U.S. Government.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Mueller, W.G., Memory, A., Bartrem, K. (2020). Forecasting Network Intrusions from Security Logs Using LSTMs. In: Wang, G., Ciptadi, A., Ahmadzadeh, A. (eds) Deployable Machine Learning for Security Defense. MLHat 2020. Communications in Computer and Information Science, vol 1271. Springer, Cham. https://doi.org/10.1007/978-3-030-59621-7_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-59621-7_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59620-0
Online ISBN: 978-3-030-59621-7
eBook Packages: Computer ScienceComputer Science (R0)