Title: Towards Event Aggregation for Reducing the Volume of Logged Events During IKC Stages of APT Attacks
Authors: Ali Ahmadian Ramaki, Abbas Ghaemi Bafghi, Abbas Rasoolzadegan
Access to full-text not allowed by authors.
Abstract
Nowadays, targeted attacks like Advanced Persistent Threats (APTs) have become a primary concern of many enterprise networks. As a common approach to counter these attacks, security staff deploy various security and non-security sensors at different lines of defense (Network, Host, and Application) to track the attacker's behaviors during their kill chain. However, one of the drawbacks of this approach is the massive number of events raised by heterogeneous security and non-security sensors. This makes it challenging to analyze logged events for later processing, i.e., event correlation for timely detection of APT attacks. Some research papers have been published on event aggregation to reduce the volume of logged low-level events. However, most research works have provided a method to aggregate the events of a single-type, homogeneous event source, e.g., a NIDS. In addition, their main focus is only on the degree to which the event volume is reduced, while the amount of security information lost during the event aggregation process is also significant. In this paper, we propose a three-phase event aggregation method to reduce the volume of logged heterogeneous events during APT attacks while keeping the loss of security information as low as possible. To this end, the sensors' low-level events are first clustered into groups of similar events. Then, after filtering noisy event clusters, the remaining clusters are summarized based on an Attribute-Oriented Induction (AOI) method in a controllable manner to reduce unimportant or duplicated events. The method has been evaluated on three publicly available datasets: SotM34, Bryant, and LANL. The experimental results show that the method is efficient enough in event aggregation and can reduce event volume by up to 99.7% with an acceptable information loss ratio (ILR).
Keywords
Security event management, Event aggregation, Advanced persistent threat, Intrusion kill chain, Heterogeneous event logs

@article{paperid:1090753,
author = {Ahmadian Ramaki, Ali and Ghaemi Bafghi, Abbas and Rasoolzadegan, Abbas},
title = {Towards Event Aggregation for Reducing the Volume of Logged Events During IKC Stages of APT Attacks},
journal = {ISeCure},
year = {2023},
month = {June},
issn = {2008-2045},
keywords = {Security event management; Event aggregation; Advanced persistent threat; Intrusion kill chain; Heterogeneous event logs},
}
%0 Journal Article
%T Towards Event Aggregation for Reducing the Volume of Logged Events During IKC Stages of APT Attacks
%A Ahmadian Ramaki, Ali
%A Ghaemi Bafghi, Abbas
%A Rasoolzadegan, Abbas
%J ISeCure
%@ 2008-2045
%D 2023