A large body of research has been accomplished on the prevention and detection of malicious events, attacks, threats, and botnets. However, there is a lack of automatic and sophisticated methods for investigating malicious events and users, understanding the root cause of attacks, and discovering what is really happening before an attack. In this paper, we propose an attack model discovery approach for investigating and mining malicious authentication events across user accounts. The approach applies process mining techniques to the event logs leading up to attacks in order to extract the behavior of malicious users. The evaluation is performed on a large public dataset, from which we extract models of the behavior of malicious users via authentication events. The results are useful for security experts to improve defense tools by making them more robust and to develop attack simulations.
Disciplines:
Computer science
Author, co-author:
LAGRAA, Sofiane; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
STATE, Radu; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
External co-authors:
no
Language:
English
Title:
Process mining-based approach for investigating malicious login events
Publication date:
2020
Event name:
IEEE/IFIP Network Operations and Management Symposium (NOMS)
Event date:
20-24 April 2020
Audience:
International
Main work title:
IEEE/IFIP Network Operations and Management Symposium, Budapest, Hungary, April 20-24, 2020