The Influences of Feature Sets on the Detection of Advanced Persistent Threats
This paper investigates the influences of different statistical network traffic feature sets on detecting advanced persistent threats. The selection of suitable features for detecting targeted cyber attacks is crucial to achieving high performance and to address limited computational and storage costs. The evaluation was performed on a semi-synthetic dataset, which combined the CICIDS2017 dataset and the Contagio malware dataset. The CICIDS2017 dataset is a benchmark dataset in the intrusion detection field and the Contagio malware dataset contains real advanced persistent threat (APT) attack traces. Several different combinations of datasets were used to increase variety in background data and contribute to the quality of results. For the feature extraction, the CICflowmeter tool was used. For the selection of suitable features, a correlation analysis including an in-depth feature investigation by boxplots is provided. Based on that, several suitable features were allocated into different feature sets. The influences of these feature sets on the detection capabilities were investigated in detail with the local outlier factor method. The focus was especially on attacks detected with different feature sets and the influences of the background on the detection capabilities with respect to the local outlier factor method. Based on the results, we could determine a superior feature set, which detected most of the malicious flows.

| Main Authors: | Katharina Hofer-Schmitz, Ulrike Kleb, Branka Stojanović |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2021-03-01 |
| Series: | Electronics (ISSN 2079-9292), vol. 10, no. 6, article 704 |
| DOI: | 10.3390/electronics10060704 |
| Subjects: | APT; local outlier detection; feature selection; statistical network traffic features |
| Online Access: | https://www.mdpi.com/2079-9292/10/6/704 |

Author affiliations:

- Katharina Hofer-Schmitz: DIGITAL—Institute for Information and Communication Technologies, JOANNEUM RESEARCH Forschungsgesellschaft mbH, 17 Steyrergasse, 8010 Graz, Austria
- Ulrike Kleb: POLICIES—Institute for Economic and Innovation Research, JOANNEUM RESEARCH Forschungsgesellschaft mbH, 59 Leonhardstraße, 8010 Graz, Austria
- Branka Stojanović: DIGITAL—Institute for Information and Communication Technologies, JOANNEUM RESEARCH Forschungsgesellschaft mbH, 17 Steyrergasse, 8010 Graz, Austria

Record id: doaj-5e36d78af7e74d039789c1394191dd75 (DOAJ, indexed 2021-03-18T00:04:47Z)