ChainSpot: Mining service logs for cyber security threat detection

Jain Shing Wu, Yuh-Jye Lee, Te En Wei, Chih Hung Hsieh*, Chia Min Lai

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

2 Scopus citations

Abstract

Given service logs of who used what service, and when, how can we find intrusions and anomalies? In this paper, a cyber threat detection framework-ChainSpot was proposed, in which the novelty is to build graphical patterns by summarizing user's sequential behaviors of using application-layer services, and to discover deviations against one's normal patterns. Besides modeling, the issue of justifying trade-off between feature explicity and computation complexity is properly addressed, as well. Effectiveness and performance of proposed method are evaluated using dataset collected in real circumstance. Experiments show that ChainSpot can provide very good supports for awaring abnormal behaivors which is starting point of threat detection. The detection results are highly correlated to expert-labeled ground truth, therefore, ChainSpot is proven helpful for saving forensics efforts significantly. Even more, case investigations demonstrate that the differences between benign and suspicious patterns can be further interpreted to reconstruct the attack scenarios. Then the analytic findings may be treated as indicators of compromise for threat detection and in-depth clues for digital forensics.

Original languageEnglish
Title of host publicationProceedings - 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Symposium on Parallel and Distributed Processing with Applications, IEEE TrustCom/BigDataSE/ISPA 2016
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages1867-1874
Number of pages8
ISBN (Electronic)9781509032051
DOIs
StatePublished - 1 Jan 2016
EventJoint 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Symposium on Parallel and Distributed Processing with Applications, IEEE TrustCom/BigDataSE/ISPA 2016 - Tianjin, China
Duration: 23 Aug 201626 Aug 2016

Publication series

NameProceedings - 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Symposium on Parallel and Distributed Processing with Applications, IEEE TrustCom/BigDataSE/ISPA 2016

Conference

ConferenceJoint 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Symposium on Parallel and Distributed Processing with Applications, IEEE TrustCom/BigDataSE/ISPA 2016
CountryChina
CityTianjin
Period23/08/1626/08/16

Fingerprint Dive into the research topics of 'ChainSpot: Mining service logs for cyber security threat detection'. Together they form a unique fingerprint.

Cite this