Process mining-based approach for investigating malicious login events

[en] A large body of research has been accomplished on prevention and detection of malicious events, attacks, threats, or botnets. However, there is a lack of automatic and sophisticated methods for investigating malicious events/users, understanding the root cause of attacks, and discovering what is really hap- pening before an attack. In this paper, we propose an attack model discovery approach for investigating and mining malicious authentication events across user accounts. The approach is based on process mining techniques on event logs reaching attacks in order to extract the behavior of malicious users. The evaluation is performed on a publicly large dataset, where we extract models of the behavior of malicious users via authentication events. The results are useful for security experts in order to improve defense tools by making them robust and develop attack simulations.

Disciplines :

Sciences informatiques

Auteur, co-auteur :

LAGRAA, Sofiane ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

STATE, Radu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Co-auteurs externes :

Langue du document :

Anglais

Titre :

Process mining-based approach for investigating malicious login events

Date de publication/diffusion :

2020

Nom de la manifestation :

IEEE/IFIP Network Operations and Management Symposium (NOMS)

Date de la manifestation :

20-24 April 2020

Manifestation à portée :

International

Titre de l'ouvrage principal :

IEEE/IFIP Network Operations and Management Symposium, Budapest, Hungary, April 20-24, 2020

Peer reviewed :

Peer reviewed

Disponible sur ORBilu :

depuis le 29 juin 2020

Statistiques

Nombre de vues

256 (dont 2 Unilu)

Nombre de téléchargements

555 (dont 3 Unilu)

Voir plus de statistiques

citations Scopus^®

citations Scopus^®
sans auto-citations

Bibliographie

Process mining and security: Detecting anomalous process executions and checking process conformance. Electronic Notes in Theoretical Computer Science, 121:3-21, 2005.
R. Accorsi and T. Stocker. On the exploitation of process mining for security audits: The conformance checking case. In Proceedings of the 27th Annual ACM Symposium on Applied Computing, sac '12, pages 1709-1716, 2012.
R. Accorsi, T. Stocker, and G. Müller. On the exploitation of process mining for security audits: The process discovery case. In Proceedings of the 28th Annual ACM Symposium on Applied Computing, sac '13, pages 1462-1468, 2013.
F. Amrouche, S. Lagraa, G. Kaiafas, and R. State. Graph-based malicious login events investigation. In IFIP/IEEE International Symposium on Integrated Network Management, IM 2019, Washington, DC, USA, April 09-11, 2019., pages 63-66, 2019.
A. Berti, S. J. van Zelst, and W. van der Aalst. Process Mining for Python (PM4Py): Bridging the Gap Between Process-And Data Science. page 13-16, 2019.
B. Caswell, J. C. Foster, R. Russell, J. Beale, and J. Posluns. Snort 2.0 Intrusion Detection. Syngress Publishing, 2003.
N. Duffield, P. Haffner, B. Krishnamurthy, and H. Ringberg. Rule-based anomaly detection on ip flows. In IEEE INFOCOM 2009, pages 424-432, 2009.
N. Hubballi and V. Suryanarayanan. Review: False alarm minimization techniques in signature-based intrusion detection systems: a survey. Comput. Commun., 49:1-17, Aug. 2014.
G. Kaiafas, G. Varisteas, S. Lagraa, R. State, C. D. Nguyen, T. Ries, and M. Ourdane. Detecting malicious authentication events trustfully. In 2018 IEEE/IFIP Network Operations and Management Symposium, NOMS, pages 1-6, 2018.
A. D. Kent. Comprehensive, Multi-Source Cyber-Security Events. Los Alamos National Laboratory, 2015.
A. D. Kent. Cybersecurity data sources for dynamic network research. In Dynamic Networks in Cybersecurity. Imperial College Press, 2015.
S. Lagraa, Y. Chen, and J. François. Deep mining port scans from darknet. Int. Journal of Network Management, 29(3), 2019.
E. Lopze and K. Sartipi. feature engineering in big data for detection of information system misuse. ibm/acm, 2018.
C. C. Machado, L. Z. Granville, and A. Schaeffer-Filho. Answer: Combining nfv and sdn features for network resilience strategies. In 2016 IEEE Symposium on Computers and Communication (ISCC), pages 391-396, 2016.
H. Mustapha and A. M. Alghamdi. Ddos attacks on the internet of things and their prevention methods. In Proceedings of the 2Nd International Conference on Future Networks and Distributed Systems, icfnds '18, pages 4:1-4:5, 2018.
J. Navarro, V. Legrand, S. Lagraa, J. François, A. Lahmadi, G. D. Santis, O. Festor, N. Lammari, F. Hamdi, A. Deruyver, Q. Goux, M. Allard, and P. Parrend. Huma: a multi-layer framework for threat analysis in a heterogeneous log environment. In Foundations and Practice of Security-10th International Symposium, FPS, pages 144-159, 2017.
B. Négrevergne, A. Termier, M. Rousset, and J. Méhaut. Para miner: a generic pattern mining algorithm for multi-core architectures. Data Min. Knowl. Discov., 28(3):593-633, 2014.
P. Ning and D. Xu. Learning attack strategies from intrusion alerts. In Proceedings of the 10th ACM Conference on Computer and Communications Security, ccs '03, pages 200-209, 2003.
V. Paxson. Bro: a system for detecting network intruders in real-time. Comput. Netw., 31(23-24):2435-2463, Dec. 1999.
M. M. A. Pritom, C. Li, B. Chu, and X. Niu. a study on log analysis approaches using sandia dataset. In Computer Communication and Networks (ICCCN), 2017 26th International Conference on, pages 1-6. ieee, 2017.
M. Roesch. Snort-lightweight intrusion detection for networks. In Proceedings of the 13th USENIX Conference on System Administration, lisa '99, pages 229-238, 1999.
R. Sean, L. Sofiane, N.-R. Cristina, B. Sheila, and S. Radu. Ros-defender: Dynamic security policy enforcement for robotic applications. In Proceedings of the ACM Workshop on the Internet of Safe Things, SafeThings'19, 2019.
K. K. Sindhu and B. B. Meshram. Digital forensics and cyber crime datamining. J. Information Security, 3(3):196-201, 2012.
W. M. P. van der Aalst. Process Mining-Discovery, Conformance and Enhancement of Business Processes. Springer, 2011.
B. F. van Dongen, A. K. A. de Medeiros, H. M. W. Verbeek, A. J. M. M. Weijters, and W. M. P. van der Aalst. The prom framework: A new era in process mining tool support. In Proceedings of the 26th International Conference on Applications and Theory of Petri Nets, ICATPN'05, pages 444-454, 2005.
H. Wang, L. Xu, and G. Gu. Floodguard: A dos attack prevention extension in software-defined networks. In Proceedings of the 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN '15, pages 239-250, 2015.
W. Zhang, W. Zhou, and J. Luo. Mining and application of user behavior pattern based on operation and maintenance data. In IFIP/IEEE International Symposium on Integrated Network Management, IM 2019, Washington, DC, USA, April 09-11, 2019., pages 614-618, 2019.