Comparative Analysis of Anomaly Detection Approaches in Firewall Logs: Integrating Light-Weight Synthesis of Security Logs and Artificially Generated Attack Detection
Authors:
Komadina Adrian¹, Kovačević Ivan¹, Štengl Bruno¹, Groš Stjepan¹
Affiliation:
1. Faculty of Electrical Engineering and Computing, University of Zagreb, 10000 Zagreb, Croatia
Abstract
Detecting anomalies in large networks is a major challenge. Nowadays, many studies rely on machine learning techniques to solve this problem. However, much of this research depends on synthetic or limited datasets and tends to use specialized machine learning methods to achieve good detection results. This study focuses on analyzing firewall logs from a large industrial control network and presents a novel method for generating anomalies that simulate real attacker actions within the network without the need for a dedicated testbed or installed security controls. To demonstrate that the proposed method is feasible and that the constructed logs behave as one would expect real-world logs to behave, different supervised and unsupervised learning models were compared using different feature subsets, feature construction methods, scaling methods, and aggregation levels. The experimental results show that unsupervised learning methods have difficulty detecting the injected anomalies, suggesting that the anomalies can be seamlessly integrated into existing firewall logs. Conversely, supervised learning methods performed significantly better than unsupervised approaches and are better suited for use in real systems.
Funder
European Union’s European Regional Development Fund, Operational Programme Competitiveness