skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: On the Variety and Veracity of Cyber Intrusion Alerts Synthesized by Generative Adversarial Networks
Many cyber attack actions can be observed but the observables often exhibit intricate feature dependencies, non-homogeneity, and potential for rare yet critical samples. This work tests the ability to model and synthesize cyber intrusion alerts through Generative Adversarial Networks (GANs), which explore the feature space through reconciling between randomly generated samples and the given data that reflects a mixture of diverse attack behaviors. Through a comprehensive analysis using Jensen-Shannon Divergence (JSD), conditional and joint entropy, and mode drops and additions, we show that the Wasserstein-GAN with Gradient Penalty and Mutual Information (WGAN-GPMI) is more effective in learning to generate realistic alerts than models without Mutual Information constraints. The added Mutual Information constraint pushes the model to explore the feature space more thoroughly and increases the generation of low probability yet critical alert features. By mapping alerts to a set of attack stages it is shown that the output of these low probability alerts has a direct contextual meaning for cyber security analysts. Overall, our results show the promising novel use of GANs to learn from limited yet diverse intrusion alerts to generate synthetic ones that emulate critical dependencies, opening the door to data driven network threat models.  more » « less
Award ID(s):
1742789 1526383
PAR ID:
10190255
Author(s) / Creator(s):
; ;
Date Published:
Journal Name:
ACM Transactions on Management Information Systems
ISSN:
2158-656X
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; (, Proceedings of IEEE MILCOM)
    Cyber Intrusion alerts are commonly collected by corporations to analyze network traffic and glean information about attacks perpetrated against the network. However, datasets of true malignant alerts are rare and generally only show one potential attack scenario out of many possible ones. Furthermore, it is difficult to expand the analysis of these alerts through artificial means due to the complexity of feature dependencies within an alert and lack of rare yet critical samples. This work proposes the use of a Mutual Information constrained Generative Adversarial Network as a means to synthesize new alerts from historical data. Histogram Intersection and Conditional Entropy are used to show the performance of this model as well as its ability to learn intricate feature dependencies. The proposed models are able to capture a much wider domain of alert feature values than standard Generative Adversarial Networks. Finally, we show that when looking at alerts from the perspective of attack stages, the proposed models are able to capture critical attacker behavior providing direct semantic meaning to generated samples. 
    more » « less
  2. ; ; (, Journal of Future Artificial Intelligence and Technologies)
    This research presents a hybrid intrusion detection approach that integrates Generative Adversarial Networks (GANs) for synthetic data generation with Random Forest (RF) as the primary classifier. The study aims to improve detection performance in cybersecurity applications by enhancing dataset diversity and addressing challenges in traditional models, particularly in detecting minority attack classes often underrepresented in real-world datasets. The proposed method employs GANs to generate synthetic attack samples that mimic real-world intrusions, which are then combined with real data from the UNSW-NB15 dataset to create a more balanced training set. By leveraging synthetic data augmentation, our approach mitigates issues related to class imbalance and enhances the generalization capability of the classifier. Extensive experiments demonstrate that RF trained on the combined dataset of real and synthetic data achieves superior detection performance compared to models trained exclusively on real data. Specifically, RF trained solely on the original dataset achieves an accuracy of 97.58%, whereas integrating GAN-generated synthetic data improves accuracy to 98.27%. The proposed methodology is further evaluated through comparative analysis against alternative classifiers, including Support Vector Machine (SVM), XGBoost, Gated Recurrent Unit (GRU), and related studies in the field. Our findings indicate that GAN-augmented training significantly enhances detection rates, particularly for rare attack types, while maintaining computational efficiency. Furthermore, RF outperforms other classifiers, including deep learning models, demonstrating its effectiveness as a lightweight yet robust classification method. Integrating GANs with RF offers a scalable and adaptable framework for intrusion detection, ensuring improved resilience against evolving cyber threats. 
    more » « less
  3. ; ; ; ; ; ; (, Network and Distributed Systems Security Symposium)
    Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a “threat alert fatigue” or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms. In this paper, we present NoDoze to combat this challenge using contextual and historical information of generated threat alert in an enterprise. NoDoze first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each event in the dependency graph based on the frequency with which related events have happened before in the enterprise. NoDoze then propagates those scores along the edges of the graph using a novel network diffusion algorithm and generates a subgraph with an aggregate anomaly score which is used to triage alerts. Evaluation on our dataset of 364 threat alerts shows that NoDoze decreases the volume of false alarms by 86%, saving more than 90 hours of analysts’ time, which was required to investigate those false alarms. Furthermore, NoDoze generated dependency graphs of true alerts are 2 orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software. 
    more » « less
  4. ; ; ; (, Design Science)
    Generative adversarial networks (GANs) have recently been proposed as a potentially disruptive approach to generative design due to their remarkable ability to generate visually appealing and realistic samples. Yet, we show that the current generator-discriminator architecture inherently limits the ability of GANs as a design concept generation (DCG) tool. Specifically, we conduct a DCG study on a large-scale dataset based on a GAN architecture to advance the understanding of the performance of these generative models in generating novel and diverse samples. Our findings, derived from a series of comprehensive and objective assessments, reveal that while the traditional GAN architecture can generate realistic samples, the generated and style-mixed samples closely resemble the training dataset, exhibiting significantly low creativity. We propose a new generic architecture for DCG with GANs (DCG-GAN) that enables GAN-based generative processes to be guided by geometric conditions and criteria such as novelty, diversity and desirability. We validate the performance of the DCG-GAN model through a rigorous quantitative assessment procedure and an extensive qualitative assessment involving 89 participants. We conclude by providing several future research directions and insights for the engineering design community to realize the untapped potential of GANs for DCG. 
    more » « less
  5. ; (, ACM)
    Modern smart vehicles have a Controller Area Network (CAN) that supports intra-vehicle communication between intelligent Electronic Control Units (ECUs). The CAN is known to be vulnerable to various cyber attacks. In this paper, we propose a unified framework that can detect multiple types of cyber attacks (viz., Denial of Service, Fuzzy, Impersonation) affecting the CAN. Specifically, we construct a feature by observing the timing information of CAN packets exchanged over the CAN bus network over partitioned time windows to construct a low dimensional representation of the entire CAN network as a time series latent space. Then, we apply a two tier anomaly based intrusion detection model that keeps track of short term and long term memory of deviations in the initial time series latent space, to create a 'stateful latent space'. Then, we learn the boundaries of the benign stateful latent space that specify the attack detection criterion. To find hyper-parameters of our proposed model, we formulate a preference based multi-objective optimization problem that optimizes security objectives tailored for a network-wide time series anomaly based intrusion detector by balancing trade-offs between false alarm count, time to detection, and missed detection rate. We use real benign and attack datasets collected from a Kia Soul vehicle to validate our framework and show how our performance outperforms existing works. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Text Encoded Conversion
  • XML
  • Save / Share this Record
  • Send to Email