Short paper. DOI: 10.1145/3064814.3064822

Using sequential pattern mining for common event format (CEF) cyber data

Published: 04 April 2017

Abstract

This paper describes our initial results achieved using an unsupervised approach for finding suspicious behavior in enterprise networks. We are using sequential pattern mining (SPM) to extract sequences of events for all IPs in a network. The premise of this work is that sequences which describe malicious behavior will be rare. To our knowledge there are no other works that use SPM to identify malicious behavior in Common Event Format (CEF) datasets of the type we are using. Our initial results show promise: when the sequences are built per source IP, a cyber analyst would have to look at less than 0.4% of all IPs in order to find all the malicious ones.
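The pipeline the abstract sketches, as an added worked example that is not the paper's code or data: parse CEF records, build one event sequence per source IP ordered by receipt time, count for every subsequence pattern how many IPs exhibit it, and rank IPs by how many of their patterns are rare, so an analyst reads the list from the top. The header and extension syntax follows the ArcSight CEF format (pipe-delimited header with `\|` and `\\` escapes, `key=value` extension with `\=` escapes). The SPM step is an exhaustive enumeration of subsequences up to length 3; that stands in for a miner such as cSPADE or PrefixSpan and is only affordable because the constructed sequences are short. All vendor, product and signature values, addresses and log lines are constructed for the example, and every function name here is the example's own.

```python
import re
from collections import Counter, defaultdict
from itertools import combinations

# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # extension keys: bare word followed by '='


def split_cef_header(line):
    """Split the seven pipe-delimited header fields, honouring the '\\|' and '\\\\' escapes; returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])  # escaped pipe or backslash inside a header value
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: " + line)
    return fields, line[i:]


def parse_extension(ext):
    """Parse 'k=v k2=v with spaces': a value runs up to the next whitespace-preceded 'key=', then '\\=' and '\\\\' are unescaped."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", ext[m.end():end].strip())
    return out


def parse_cef(line):
    fields, ext = split_cef_header(line.strip())
    ev = dict(zip(HEADER_FIELDS, fields))
    ev["version"] = ev["version"].split(":", 1)[-1]  # 'CEF:0' -> '0'
    ev["ext"] = parse_extension(ext)
    return ev


def build_sequences(lines, key="src"):
    """Group events by the chosen address field (src, or dst for per-destination sequences),
    ordered by receipt time 'rt'. Records without that field, e.g. device heartbeats, are skipped."""
    per_host = defaultdict(list)
    for n, line in enumerate(lines):
        ev = parse_cef(line)
        host = ev["ext"].get(key)
        if host:  # one symbol per event type: vendor/product/signature ID is stable across hosts
            per_host[host].append((int(ev["ext"].get("rt", 0)), n, f'{ev["vendor"]}/{ev["product"]}/{ev["signature_id"]}'))
    return {h: tuple(tok for _, _, tok in sorted(evs)) for h, evs in per_host.items()}


def subsequences(seq, max_len):
    """Distinct, not necessarily contiguous, subsequences of length 1..max_len:
    the 'pattern occurs in this sequence' relation whose count is SPM support."""
    pats = set()
    for k in range(1, min(max_len, len(seq)) + 1):
        for idx in combinations(range(len(seq)), k):
            pats.add(tuple(seq[i] for i in idx))
    return pats


def rank_hosts(sequences, max_len=3, max_support=1):
    """Support = number of hosts whose sequence contains the pattern (one vote per host).
    Score = how many of a host's patterns have support <= max_support; most suspicious first,
    each with its longest rare pattern as evidence for the analyst."""
    host_pats = {h: subsequences(seq, max_len) for h, seq in sequences.items()}
    support = Counter()
    for pats in host_pats.values():
        support.update(pats)
    ranked = []
    for h, pats in host_pats.items():
        rare = sorted((p for p in pats if support[p] <= max_support), key=lambda p: (-len(p), p))
        ranked.append((h, len(rare), rare[0] if rare else None))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample, not from the paper: three workstations share a login / file read / logout
# routine (10.0.0.15 reads twice); 10.0.0.66 logs in, runs a command, builds an archive and
# pushes a large upload. Vendors, products and signature IDs are invented. Note the escaped pipe.
SAMPLE_CEF = r"""
CEF:0|Acme|Auth|1.0|100|User login|3|src=10.0.0.11 suser=alice rt=1490000000000
CEF:0|Acme|FileSvc|1.0|200|File read|2|src=10.0.0.11 fname=C:\\share\\q1.xlsx rt=1490000001000
CEF:0|Acme|Auth|1.0|101|User logout|3|src=10.0.0.11 suser=alice rt=1490000002000
CEF:0|Acme|Auth|1.0|100|User login|3|src=10.0.0.12 suser=bob rt=1490000000100
CEF:0|Acme|FileSvc|1.0|200|File read|2|src=10.0.0.12 fname=C:\\share\\q2.xlsx rt=1490000001100
CEF:0|Acme|Auth|1.0|101|User logout|3|src=10.0.0.12 suser=bob rt=1490000002100
CEF:0|Acme|Auth|1.0|100|User login|3|src=10.0.0.15 suser=erin rt=1490000000400
CEF:0|Acme|FileSvc|1.0|200|File read|2|src=10.0.0.15 fname=C:\\share\\q5.xlsx rt=1490000001400
CEF:0|Acme|FileSvc|1.0|200|File read|2|src=10.0.0.15 fname=C:\\share\\notes.txt rt=1490000001600
CEF:0|Acme|Auth|1.0|101|User logout|3|src=10.0.0.15 suser=erin rt=1490000002400
CEF:0|Acme|Auth|1.0|100|User login|3|src=10.0.0.66 suser=svc_backup rt=1490000000500
CEF:0|Acme|Auth|1.0|300|Command run: net user \| findstr admin|8|src=10.0.0.66 suser=svc_backup rt=1490000000900
CEF:0|Acme|FileSvc|1.0|201|Archive created|5|src=10.0.0.66 fname=C:\\temp\\out.7z rt=1490000001500
CEF:0|Acme|Proxy|2.1|400|Large outbound transfer|7|src=10.0.0.66 dst=203.0.113.9 out=734003200 rt=1490000002500
CEF:0|Acme|Sensor|3.0|900|Heartbeat|1|rt=1490000003000
""".strip().splitlines()

if __name__ == "__main__":
    for host, n_rare, pattern in rank_hosts(build_sequences(SAMPLE_CEF)):
        print(f"{host:<10} rare patterns={n_rare:<3} e.g. {pattern}")
```

On the constructed data 10.0.0.66 ranks first with 13 rare patterns and 10.0.0.15 second with 3, because a second file read is also something no other host did. That is the caveat behind the paper's 0.4% figure: rarity is the ranking signal, not a verdict, and the number is a statement of how far down the list an analyst had to read, so the `max_support` threshold, the `max_len` bound and the choice of token (signature ID versus free-text Name, which varies between devices) all change where true positives land. Swapping `key="src"` for `"dst"` gives the per-destination sequences the abstract contrasts with the per-source ones.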


Cited By

  • (2021) BEDIM: Lateral Movement Detection In Enterprise Network Through Behavior Deviation Measurement. 2021 IEEE 23rd Int Conf on High Performance Computing & Communications; 7th Int Conf on Data Science & Systems; 19th Int Conf on Smart City; 7th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys), pp. 391-398, Dec 2021. DOI: 10.1109/HPCC-DSS-SmartCity-DependSys53884.2021.00076
  • (2019) Network Log Anomaly Detection Based on GRU and SVDD. 2019 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), pp. 1244-1249, Dec 2019. DOI: 10.1109/ISPA-BDCloud-SustainCom-SocialCom48970.2019.00177
  • (2019) Batch-Free Event Sequence Pattern Mining for Communication Stream Data with Instant and Persistent Events. Wireless Personal Communications 105(2), pp. 673-689, 1 Mar 2019. DOI: 10.1007/s11277-018-5985-x
  • (2019) Scalable Data Processing Approach and Anomaly Detection Method for User and Entity Behavior Analytics Platform. Intelligent Distributed Computing XIII, pp. 344-349, 2 Oct 2019. DOI: 10.1007/978-3-030-32258-8_40

    Published In

    CISRC '17: Proceedings of the 12th Annual Conference on Cyber and Information Security Research
    April 2017
    106 pages
    ISBN:9781450348553
    DOI:10.1145/3064814
    © 2017 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. anomaly detection
    2. cyber attacks
    3. sequential pattern mining

    Conference

    CISRC'17

    Acceptance Rates

    CISRC '17 Paper Acceptance Rate 8 of 22 submissions, 36%;
    Overall Acceptance Rate 69 of 136 submissions, 51%

