FNF: Flow-net based fingerprinting and its applications

Bibliographic Details
Published in Computers & security Vol. 75; pp. 167 - 181
Main Authors Fu, Bo; Xiao, Yang; Chen, Hui
Format Journal Article
Language English
Published Amsterdam Elsevier Ltd 01.06.2018
Elsevier Sequoia S.A

Summary: Relationships among events in conventional system and network logs are not explicitly recorded and can only be determined from examining ancillary attributes of the events, such as time stamps and event identifiers, or sometimes the semantics of the event attributes with some learning algorithms. The accuracy of the event relations is subject to the design of the algorithms, the experience of the users of the algorithms, and the completeness and accuracy of the attributes and the semantics. On the other hand, a flow-net based logging approach builds comprehensive system and network logs in the form of directed acyclic graphs. Specifically, it records both flows of events and intersections of the flows, and the flows capture relations among the events explicitly in real time and allow tracking the events and analyzing event relations efficiently. Taking advantage of flow-net based logs, we propose a flow-net based fingerprinting (FNF) scheme to capture system or network behaviors, and design a fingerprint lookup algorithm to solve the fingerprint matching problem, i.e., to determine whether a flow-net log contains the behavior characterized by some behavior fingerprints. To demonstrate the effectiveness of the flow-net based fingerprinting scheme, we conduct evaluation experiments where we apply the FNF to detecting a few known malicious behaviors in TCP/IP networks. The evaluation results demonstrate that FNF has superior computational efficiency to those based on conventional logging schemes.
ISSN: 0167-4048
1872-6208
DOI: 10.1016/j.cose.2018.02.005