Integrating Traffics with Network Device Logs for Anomaly Detection

Co-authors

Zhuo, Zhongliu
Hu, Teng
Liu, Xiaolei
Lu, Jiazhong
Lv, Fengmao
Zhang, Xiaosong
Deng, Wei

Source

Security and Communication Networks

Issue

Vol. 2019, Issue 2019 (31 December 2019), pp. 1-10, 10 p.

Publisher

Hindawi Publishing Corporation

Publication date

2019-06-13

Country of publication

Egypt

Number of pages

10

Main subjects

Information technology and computer science

Abstract (EN)

Advanced cyberattacks often span multiple types, layers, and stages, with the goal of evading the monitors.

Existing anomaly detection systems usually search logs or traffic alone for evidence of attacks, but do not analyze the attack process any further.

For instance, traffic-based detection methods can only detect attack flows roughly; they fail to reconstruct the sequence of attack events and to reveal the current status of the network nodes.

As a result, they cannot fully model the complex multistage attack.

To address these problems, we present Traffic-Log Combined Detection (TLCD), which is a multistage intrusion analysis system.

Inspired by multiplatform intrusion detection techniques, we integrate traffic with network device logs through association rules.

TLCD correlates log data with traffic characteristics to reflect the attack process and construct a federated detection platform.

Specifically, TLCD can discover the process steps of a cyberattack, reflect the current network status, and reveal the behaviors of normal users.

Our experimental results over different cyberattacks demonstrate that TLCD works well, with high accuracy and a low false-positive rate.

American Psychological Association (APA) citation style

Lu, Jiazhong, & Lv, Fengmao, & Zhuo, Zhongliu, & Zhang, Xiaosong, & Liu, Xiaolei, & Hu, Teng…[et al.]. 2019. Integrating Traffics with Network Device Logs for Anomaly Detection. Security and Communication Networks, Vol. 2019, no. 2019, pp. 1-10.
https://search.emarefa.net/detail/BIM-1210488

Modern Language Association (MLA) citation style

Lu, Jiazhong…[et al.]. Integrating Traffics with Network Device Logs for Anomaly Detection. Security and Communication Networks No. 2019 (2019), pp. 1-10.
https://search.emarefa.net/detail/BIM-1210488

American Medical Association (AMA) citation style

Lu, Jiazhong, & Lv, Fengmao, & Zhuo, Zhongliu, & Zhang, Xiaosong, & Liu, Xiaolei, & Hu, Teng…[et al.]. Integrating Traffics with Network Device Logs for Anomaly Detection. Security and Communication Networks. 2019. Vol. 2019, no. 2019, pp. 1-10.
https://search.emarefa.net/detail/BIM-1210488

Data type

Articles

Text language

English

Notes

Includes bibliographical references

Record number

BIM-1210488