
Detecting Reconnaissance and Discovery Tactics from the MITRE ATT&CK Framework in Zeek Conn Logs Using Spark’s Machine Learning in the Big Data Framework

While computer networks and the massive amount of communication taking place on these networks grow, the amount of damage that can be done by network intrusions grows in tandem. The need is for an effective and scalable intrusion detection system (IDS) to address these potential damages that come with the growth of these networks. A great deal of contemporary research on near real-time IDS focuses on applying machine learning classifiers to labeled network intrusion datasets, but these datasets need to be relevant to the currency of the network intrusions. This paper focuses on a newly created dataset, UWF-ZeekData22, that analyzes data from Zeek’s Connection Logs collected using the Security Onion 2 network security monitor and labelled using MITRE ATT&CK framework TTPs. Due to the volume of data, Spark, in the big data framework, was used to run many of the well-known classifiers (naïve Bayes, random forest, decision tree, support vector classifier, gradient boosted trees, and logistic regression) to classify the reconnaissance and discovery tactics from this dataset. In addition to looking at the performance of these classifiers using Spark, scalability and response time were also analyzed.
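The abstract describes training classifiers on Zeek conn.log records labelled with MITRE ATT&CK tactics. The block below is an added example and is not code from the paper or from the UWF-ZeekData22 dataset: it parses a constructed conn.log excerpt in Zeek's TSV layout (with the `#fields` header Zeek writes), aggregates the records per originating host into a handful of features that scanning perturbs (breadth of ports and hosts touched, share of handshakes that went unanswered), and applies a simple scoring rule. The per-host aggregation, the `UNANSWERED_STATES` set, the feature names, the `scan_score` heuristic and its threshold of 5.0, and the 10.0.0.0/8 addresses are all assumptions made here for illustration; the paper itself trains on the labelled conn.log records, and pyspark is deliberately not used so the block runs offline.

```python
"""Per-host feature extraction from Zeek conn.log records for reconnaissance detection.

Added example, not code from the paper or from the UWF-ZeekData22 dataset.
The per-source-host aggregation, the feature names, UNANSWERED_STATES and the
scan-score threshold are assumptions made here for illustration.
"""
from collections import defaultdict
from statistics import mean

# Zeek conn_state values where the responder never completed or refused the
# handshake; scans (SYN probes, RST-refused ports) are dominated by these.
UNANSWERED_STATES = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR", "OTH"}

# Default Zeek conn.log column layout (the #fields header line).
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
               "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history "
               "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()

def _rec(ts, uid, orig_h, orig_p, resp_h, resp_p, state, duration, history):
    """Build one constructed conn.log record; columns this example ignores get fixed values."""
    return "\t".join([ts, uid, orig_h, orig_p, resp_h, resp_p, "tcp", "-", duration, "0", "0",
                      state, "T", "T", "0", history, "1", "44", "1", "40", "-"])

# Constructed sample in Zeek's TSV layout: a vertical port scan by 10.0.0.5,
# a horizontal SMB sweep by 10.0.0.9 and ordinary HTTPS sessions from 10.0.0.7.
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#fields\t" + "\t".join(CONN_FIELDS)]
    + [_rec("1650000000.1", f"Cscan{p}", "10.0.0.5", str(41000 + i), "10.0.1.20", str(p),
            "SF" if p == 80 else "REJ", "0.5" if p == 80 else "0.0001",
            "ShADadFf" if p == 80 else "Sr")
       for i, p in enumerate([21, 22, 23, 25, 80, 443, 3306, 8080])]
    + [_rec("1650000010.2", f"Csweep{i}", "10.0.0.9", str(52000 + i), f"10.0.1.{i}", "445",
            "S0", "-", "S") for i in range(30, 36)]
    + [_rec("1650000020.3", f"Cweb{i}", "10.0.0.7", str(60000 + i), resp_h, "443",
            "SF", "1.2", "ShADadFf")
       for i, resp_h in enumerate(["10.0.1.20", "10.0.1.21", "10.0.1.20"])]
)

def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into dicts keyed by the #fields header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("record before #fields header or with wrong column count")
        rows.append(dict(zip(fields, values)))
    return rows

FEATURE_ORDER = ("conn_count", "distinct_resp_hosts", "distinct_resp_ports",
                 "unanswered_ratio", "mean_duration")

def host_features(rows):
    """Aggregate connections per originating host into scan-sensitive features."""
    by_host = defaultdict(list)
    for r in rows:
        by_host[r["id.orig_h"]].append(r)
    feats = {}
    for host, conns in by_host.items():
        # Zeek leaves duration unset ('-') when nothing came back, so skip those.
        durations = [float(c["duration"]) for c in conns if c["duration"] != "-"]
        unanswered = sum(c["conn_state"] in UNANSWERED_STATES for c in conns)
        feats[host] = {
            "conn_count": len(conns),
            "distinct_resp_hosts": len({c["id.resp_h"] for c in conns}),
            "distinct_resp_ports": len({c["id.resp_p"] for c in conns}),
            "unanswered_ratio": unanswered / len(conns),
            "mean_duration": mean(durations) if durations else 0.0,
        }
    return feats

def to_feature_vector(f):
    """Flatten one host's features into the fixed-order float vector a classifier would take."""
    return [float(f[k]) for k in FEATURE_ORDER]

def scan_score(f):
    """Hypothetical heuristic: breadth of targets touched, weighted by the unanswered share."""
    return max(f["distinct_resp_ports"], f["distinct_resp_hosts"]) * f["unanswered_ratio"]

def flag_reconnaissance(feats, threshold=5.0):
    """Hosts whose score meets the (assumed) threshold, sorted for stable output."""
    return sorted(h for h, f in feats.items() if scan_score(f) >= threshold)

if __name__ == "__main__":
    feats = host_features(parse_conn_log(SAMPLE_CONN_LOG))
    for host, f in sorted(feats.items()):
        print(host, to_feature_vector(f), round(scan_score(f), 2))
    print("flagged:", flag_reconnaissance(feats))
```

On the sample, the port scanner scores 8 × 0.875 = 7.0 and the SMB sweep 6 × 1.0 = 6.0, while the HTTPS client scores 0.0, so only the two probing hosts are flagged. Vectors of the shape `to_feature_vector` produces are what a Spark ML pipeline would consume once the parsing and aggregation are run across the full dataset; the heuristic score stands in for the trained classifier only to make the behaviour visible in a few lines.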

Bibliographic Details

Main authors: Bagui, Sikha; Mink, Dustin; Bagui, Subhash; Ghosh, Tirthankar; McElroy, Tom; Paredes, Esteban; Khasnavis, Nithisha; Plenkers, Russell
Format: Online article, text
Language: English
Published: MDPI 2022
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9610873/
https://www.ncbi.nlm.nih.gov/pubmed/36298351
http://dx.doi.org/10.3390/s22207999

Record
Journal: Sensors (Basel), published 2022-10-20
Record ID: pubmed-9610873
Collection: PubMed
Institution: National Center for Biotechnology Information
Record format: MEDLINE/PubMed
License: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).