Latent Dirichlet Allocation for the Detection of Multi-Stage Attacks

Lefoane, Moemedi; Ghafir, Ibrahim; Kabir, Sohag; Awan, Irfan U.

Publication

Latent Dirichlet Allocation for the Detection of Multi-Stage Attacks

Lefoane, Moemedi
;
Ghafir, Ibrahim
;
Kabir, Sohag
;
Awan, Irfan U.

Publication Date

2023-12

Keywords

Multi-stage attack, Network security, Intrusion detection system, Latent dirichlet allocation, Topic modelling

Peer-Reviewed

Yes

Open Access status

closedAccess

Accepted for publication

2023-10-29

Collections

Engineering and Digital Technology Publications

Show all metadata

Files

Latent_Dirichlet_Allocation_for_the_Detection_of_Multi_Stage_Attacks_acceptedmanuscript.pdf

Adobe PDF, 520.66 KB

Abstract

The rapid shift and increase in remote access to organisation resources have led to a significant increase in the number of attack vectors and attack surfaces, which in turn has motivated the development of newer and more sophisticated cyber-attacks. Such attacks include Multi-Stage Attacks (MSAs). In MSAs, the attack is executed through several stages. Classifying malicious traffic into stages to get more information about the attack life-cycle becomes a challenge. This paper proposes a malicious traffic clustering approach based on Latent Dirichlet Allocation (LDA). LDA is a topic modelling approach used in natural language processing to address similar problems. The proposed approach is unsupervised learning and therefore will be beneficial in scenarios where traffic data is not labeled and analysis needs to be performed. The proposed approach uncovers intrinsic contexts that relate to different categories of attack stages in MSAs. These are vital insights needed across different areas of cybersecurity teams like Incident Response (IR) within the Security Operations Center (SOC), the insights uncovered could have a positive impact in ensuring that attacks are detected at early stages in MSAs. Besides, for IR, these insights help to understand the attack behavioural patterns and lead to reduced time in recovery following an incident. The proposed approach is evaluated on a publicly available MSAs dataset. The performance results are promising as evidenced by over 99% accuracy in identified malicious traffic clusters.

URI

http://hdl.handle.net/10454/19768

Version

No full-text in the repository

Citation

Lefoane M, Ghafir I, Kabir S et al (2023) Latent Dirichlet Allocation for the Detection of Multi-Stage Attacks. The 24th International Arab Conference on Information Technology. 6-8 Dec, Ajman, UAE.

Link to published version

https://www.acit2k.org/ACIT/index.php/about-acit-2023

Type

Conference paper

Latent Dirichlet Allocation for the Detection of Multi-Stage Attacks

Lefoane, Moemedi
;
Ghafir, Ibrahim
;
Kabir, Sohag
;
Awan, Irfan U.

Publication Date

End of Embargo

Supervisor

Keywords

Rights

Peer-Reviewed

Open Access status

Accepted for publication

Institution

Department

Awarded

Embargo end date

Collections

Files

Additional title

Abstract

URI

Version

Citation

Link to publisher’s version

Link to published version

Link to Version of Record

Type

Qualification name

Notes

Latent Dirichlet Allocation for the Detection of Multi-Stage Attacks

Lefoane, Moemedi ; Ghafir, Ibrahim ; Kabir, Sohag; Awan, Irfan U.

Publication Date

End of Embargo

Supervisor

Keywords

Rights

Peer-Reviewed

Open Access status

Accepted for publication

Institution

Department

Awarded

Embargo end date

Collections

Files

Additional title

Abstract

URI

Version

Citation

Link to publisher’s version

Link to published version

Link to Version of Record

Type

Qualification name

Notes

Lefoane, Moemedi
;
Ghafir, Ibrahim
;
Kabir, Sohag
;
Awan, Irfan U.