Collaborative Federated Learning-Based Model for Alert Correlation and Attack Scenario Recognition
-
Published:2023-11-02
Issue:21
Volume:12
Page:4509
-
ISSN:2079-9292
-
Container-title:Electronics
-
language:en
-
Short-container-title:Electronics
Author:
Alkhpor Hadeel K.1, Alserhani Faeiz M.2ORCID
Affiliation:
1. Department of Computer Science and Technology, Al-Jouf University, Al-Jouf 72311, Saudi Arabia 2. Department of Computer Engineering and Networks, Al-Jouf University, Al-Jouf 72311, Saudi Arabia
Abstract
Planned and targeted attacks, such as the advanced persistent threat (APT), are highly sophisticated forms of attack. They involve numerous steps and are intended to remain within a system for an extended length of period before progressing to the next stage of action. Anticipating the next behaviors of attackers is a challenging and crucial task due to the stealthy nature of advanced attack scenarios, in addition to the possible high volumes of false positive alerts generated by different security tools such as intrusion detection systems (IDSs). Intelligent models that are capable of establishing a correlation individual between individual security alerts in order to reconstruct attack scenarios and to extract a holistic view of intrusion activities are required to exploit hidden links between different attack stages. Federated learning models performed in distributed settings have achieved successful and reliable implementations. Alerts from distributed security devices can be utilized in a collaborative manner based on several learning models to construct a federated model. Therefore, we propose an intelligent detection system that employs federated learning models to identify advanced attack scenarios such as APT. Features extracted from alerts are preprocessed and engineered to produce a model with high accuracy and fewer false positives. We conducted training on four machine learning models in a centralized learning; these models are XGBoost, Random Forest, CatBoost, and an ensemble learning model. To maintain privacy and ensure the integrity of the global model, the proposed model has been implemented using conventional neural network federated learning (CNN_FL) across several clients during the process of updating weights. The experimental findings indicate that ensemble learning achieved the highest accuracy of 88.15% in the context of centralized learning. CNN_FL has demonstrated an accuracy of 90.18% in detecting various attacks of APTs while maintaining a low false alarm rate.
Subject
Electrical and Electronic Engineering,Computer Networks and Communications,Hardware and Architecture,Signal Processing,Control and Systems Engineering
Reference46 articles.
1. Bhattacharya, S., Maddikunta, P.K., Kaluri, R., Singh, S., Gadekallu, T.R., Alazab, M., and Tariq, U. (2020). A Novel PCA-Firefly Based XGBoost Classification Model for Intrusion Detection in Networks Using GPU. Electronics, 9. 2. Preuveneers, D., Rimmer, V., Tsingenopoulos, I., Spooren, J., Joosen, W., and Ilie-Zudor, E. (2018). Chained Anomaly Detection Models for Federated Learning: An Intrusion Detection Case Study. Appl. Sci., 8. 3. Bhatti, D.G., and Virparia, P.V. (2020). Design and Analysis of Security Protocol for Communication, Wiley. 4. Anwar, S., Mohamad Zain, J., Zolkipli, M.F., Inayat, Z., Khan, S., Anthony, B., and Chang, V. (2017). From Intrusion Detection to an Intrusion Response System: Fundamentals, Requirements, and Future Directions. Algorithms, 10. 5. Multi-step attack detection in industrial control systems using causal analysis;Jadidi;Comput. Ind.,2022
|
|