Situation Awareness-Based Network Security Event Prediction Method Analysis

Situation Awareness-Based Network Security Event Prediction Method Analysis

Machine Learning is applied in the security field, especially in various attack detection (external intrusion detection and internal threat detection). I believe many people have become accustomed to it. The focus of current machine learning applications is to detect attack threats in the system/organization in a timely manner, thus reducing the time difference between attacks and emergency response.

However, even in the most ideal threat detection system, when a threat alarm is detected, most of the threats have already occurred, causing harm to the system/organization.DetectionIt can always be used as a relatively passive security mechanism. Therefore, academic circles and the industry have begun to focus on the advance defense of attack threats, that isPredictionMechanism Research.

Today, we will introduce you to a network security event prediction method based on the security situation awareness technology. We believe that it will inspire a large number of attacking lions and programmers who are interested in it.

0 × 00 Outline

Introduction to (Introduction) Data Collection (Data Pre-processing) Feature Set Training and Test Procedure event Prediction (Incident Prediction) summary references)

0 × 01 Introduction

The network security incidents reported in recent years have an increasing social and economic impact. For example, the JPMorgan Chase Hack incident that caused a sensation in the world has been designed to reach 76,000,000 ordinary families, the search engine can find nearly 120,000 related entries, 1:

 

 

There are still many similar security incidents. The common cause is that they have far more social and economic impact than micro-Hack attacks that were previously confined to systems/organizations. Existing security research focuses on the use of machine learning-based Proactive Defense mechanisms to protect systems/organizations from such threats. However, the essence of the existing active defense mechanism isDetectionTherefore, even if the alarm takes emergency measures, the actual loss is inevitable. Research on advance defensePredictionMethod is imperative.

The "prediction" method we introduced today simply predicts possible network security events of the system by making public system/organization information externally, as a beneficial supplement to the original detection mechanism, the system is able to prevent network threat attacks.

Before continuing our discussion today, let's give a brief introduction.Security situation.

Brief Introduction to security situation

Security situationThe concept comes fromSituation AwarenessIt was first originated from the study of space flight human factors and then widely studied in military, nuclear reaction control, air traffic supervision and other fields, because in a dynamic and complex environment, the decision makers must use situational awareness tools to display the continuous changes in the current environment in order to make accurate decisions.Network SituationIt refers to the current status and change trend of the entire network composed of various factors such as the running status, network behavior, and user behavior of network devices.Network Situation AwarenessIn a large-scale network environment, security elements that can cause changes in the network situation are obtained, understood, displayed, and predicted in the future.

The general network security situation is divided into three layers: 2:

 

0 × 02 data collection

As a practical situation evaluation and prediction method, all the data used in our method today comes from publicly available data sources. These data sources are mainly divided:

1. Security Posture Data)

Many measurement methods can be used for network security situation. Two methods are used here. One is to measure the misconfiguration of the network or the difference with the standard/Recommended configuration; the other is to measure the malicious behavior of the network. Specifically:

1.1 Mismanagement Symptoms)

This type of data mainly includes the following five types of data, which are derived from a subset of data features in document [1:

> Open Recurisive Resolvers: incorrectly configured DNS servers are easily used for * DNS amplification * attacks. This part of data comes from an Open-source Project, Open Resovler Project [2]. this project automatically search, record improperly configured DNS server information;> DNS Source Port Randomization: The RFC-5452 suggests that for security reasons, the DNS Source Port and query ID should be Randomization, however, in practice, many DNS do not follow this suggestion, which is very vulnerable to * Cache Poisoning * attacks. This part of the data also comes from the document [1];> BGP Misconfiguration: incorrect BGP configuration or reconfiguration may result in unnecessary route protocol updates and temporary route table items with short lifetime. This part of the data also comes from [1];> Untrusted HTTPS Certificates: x509 certificates are used to implement d client authentication in TLS, but many of them are not correctly configured. The configuration error of March 22, 2013 hosts in 10,300,000 was obtained through network scanning [1];> Open SMTP Mail Relays: This is often used to send spam, in this paper, the information of the July 23, 2013 open mail relay servers collected in 22,284 is used [1].

1.2 Malicious Activity Data)

Malicious behavior data mainly refers to malicious behaviors observed outside the organization. Here we only focus on three types of malicious behaviors:Spam, Phishing, and ScanAction.

This part of data mainly comes from the following databases:

> SPAM: CBL, SBL, SpamCop, WPBL, and UCEPROTECT;> Phishing: SURBL, PhishTank, and hpHosts;> Scanning: Darknet scanners list, Dshield, and OpenBL;

2. Security Event Data

Security Event data mainly comes from three open network security databases:

>VERIS Commnunity Database(VCDB)[3]; >Hackmageddon[4];>The Web Hacing Incidents Database(WHID)[5];

The following figure 3 shows an example of a security event in the VCDB database:

 

 

To test the network security event Prediction Method Based on Security Situation Awareness, when collecting security event data, the event occurrence event should be later than the network security situation data collected, the situation data (the first two types) is used for training, and the last event data is used for prediction testing.

In the event set, 700 security events are selected to exclude physical attacks, theft, internal attacks, and unknown event reports. 5:

 

0 × 03 data preprocessing

After the security situation data is collected, preprocessing is usually required before actual use. The main preprocessing work here is to combine security situation data with security event data, that is, Mapping Process and Aggregation Process ).

The biggest problem with the combination of the security situation data and security event data we have collected is that the security situation data is based on the host IP layer, security Event data is based on the organization/enterprise level. How can we use IP-based security situation data to predict security events based on the organization/enterprise level?

One feasible method is to determineSample IPDetermine the actual owner (Organization/enterprise) of the attack target, and then obtain all IP address blocks related to the attack target by querying the public RIR database, these IP address blocks are then combined as an aggregation unit with security situation data.

RIR (Reginal Internet Registry) is responsible for allocating IP address blocks to one of multiple ISP international organizations. The five global RIR groups are RIPE (Europe), LACNIC, and ARIN (USA), AFRINIC, and APNIC (Asia Pacific ).Sample IPThe idea is to use a reverse lookup RIR on behalf of the IP address to obtain all the relevant IP address blocks, so as to obtain the IP address set information corresponding to an organization/enterprise. That is:

Attack Target's Sample IP --->RIR--->Owner ID--->IP Block with the Owner--->Corporate IP Set

3.1 Sample IP Extraction Algorithm

To demonstrate how to obtain the target in an attack eventSample IP, We briefly describe the algorithm:

Obtain a security event report. Extract the website of the company associated with the event from the security report. If the website is the start point/intrusion point of the Security Event, use the IP address of the website Sample IPFor example, in the document [6], the official website is an intrusion point. If the website is not an intrusion point, it can represent an attack target, that is, the owner ID of the website is the attacker of the attack event. You can also use the IP address of the website as Sample IPIn other cases Sample IPNot considered for the moment; Sample IPManual Analysis and Determination of security event reports are required; 3.2 aggregation Analysis

After obtaining the targetSample IPThen, query the RIR to obtain the relevant IP block, specifically:

Pass Sample IPQuery the RIR database, learn its owner ID, and then use all IP addresses belonging to the ID in the RIR database as an aggregation unit. global aggregation: the organization that has not been attacked is also processed into an aggregation unit model. The complete set of aggregation units of the attacker and the non-attacker is obtained (the attack targets and non-targets must be analyzed );

Aggregate Analysis:

Calculate the percentage of hit IP addresses in an aggregation unit (fraction) for poorly managed data in security situation data );

For malicious behavior data in security situation data, calculate the number of IP addresses included in the attack blacklist in the aggregation unit;

Perform the above analysis for both the principal party and non-principal party;

0 × 04 feature set

We classify the processed data into two types for feature extraction. One is the Primary Set, which is used to represent the original data; the second type is the Secondary dataset, which is used to represent the statistical data obtained from the original data analysis.

The experiment shares 258 feature attributes, including 180 feature attributes in the master dataset and 72 feature attributes in the secondary dataset.

4.1 Primary Features Mismanagement Features: these five data Features are derived from the aforementioned poor management. The feature calculation method is to calculate the number of improperly configured IP addresses/The number of IP addresses of aggregation units. The value ranges from 0 to 1. Malicious activity time series: each organization (aggregation Unit) collects the time series of three malicious behaviors, namely spam, phish, and scan. The time characteristics of the three malicious behaviors in the I-organization are 6, and the data collection cycle is 60 days, each organization has a total of 180 record features and the size of aggregation units SizeIt is also used as a feature, and the data collection cycle is 60 days, each organization has a total of 180 record features, the size of the aggregation Unit SizeAlso as a feature;

For ease of understanding, we provide three examples of malicious behavior time series in an organization. In 7, the Y axis indicates the 60-day cycle, the number of unique IP addresses that appear on all Spam blacklists per day:

 

4.2 dataset Features (Secondary Features)

The statistical features obtained from raw data analysis are used as sub-dataset features.Region, Concept, used to indicate a specific area in the image, the area below Normal is Normal (Good), the area above Normaal is abnormal (Bad), 8:

 

The red solid line indicates the Normal quasi-line, the area above the red solid line is Bad, the low is the Good area, and the Persistency is used to indicate the time in the same region.

Each Region has four basic statistical features:

Normalized average magnsquared (normalized average) Non-normalized mean amplitude; time in the region; frequency of entering the region; a time series has three areas: good, bad, and normal, therefore, there are a total of 12 Statistical Features. Each aggregation unit consists of three event sequences (three malicious behaviors). Therefore, 36 statistical features are recorded as Fi; the data collection time (60 days and 14 days) is divided into two categories: Recent-60 and Recent-14, with a total of 72 statistical features;

Example 9:

 

0 × 05 training and testing

After the data processing is completed and extracted to the required feature set, useRandom ForestBuild classifier.

5.1 training set Construction

The dataset used in the training is composed of two parts: Group (1) and Group (0). The feature data of the attack target in the security event is used as Group (1 ), that is, security events occur. The target feature data is randomly selected from non-attack targets as Group (0), that is, security events do not occur;

Group (1) feature set extraction has different proportions, such as 50: 50, meaning that half of the data is used for training, the other half is used for testing, or 70: 30;

Group (0) the process of selecting data will be repeated multiple times, and each time a classifier is learned through RF, the final prediction result of the experiment is the average value of all the classifier predictions;

5.2 random Forest Classifier)

Randome Forest, called the random Forest algorithm, is a joint prediction model composed of multiple decision trees. It can naturally be used as a fast and effective multiclass classification model;

Brief Introduction to learning algorithms:

1. Use N to represent the number of training examples, and M to represent the number of variables. 2. Select a number m to determine how many variables are used for decision-making on a node. Select the Security Event data that is not included in Group (1) to join the test set, and randomly extract the data of non-attack targets to build the test set. In the experiment, Short-term Forecasting and Long-term Forecasting are divided based on the predicted duration. 10:

 

 

To predict the occurrence of a security event, the training set used must be at a certain stage before the event occurs. Set each stage to one month (30 days). Generally, for short-term prediction, you can use this phase of the first security event (30 days). For long-term prediction, the training set should begin before the first phase of the test set security time.

0 × 06 event Prediction

The experiment prediction result is as follows. Figure 11 shows the relationship between TP and FP in event prediction in different security event sets:

 

Figure 12 shows the optimal (TP, FP) value, 12:

 

Figure 13 shows the comparison of the ratio of training set/test set with 50-50/70-30 on the same event set VCDB and the effect of long-term and short-term prediction:

 

0 × 07 Summary

Today, we introduced a security situation-Based Network Security Event prediction method. Its goal is to be able to only observe information outside the organization's network, an alert system that predicts possible network security events in an organization.

The prediction uses external measurable feature attributes of 258 target organizations/enterprise networks. The first is poorly managed features, such as misconfigured DNS or BGP, the other type is the time series of malicious behaviors, such as spam, phishing, and scanning behaviors from within the Organization.

Using these tree features to establish a random forest classifier, the experiment tests the accuracy of the prediction method for about 1000 event training, the best way to achieve a 90% correct detection rate and a 10% false positive rate.