Mining Attack Strategy

Title: Mining Attack Strategy: Using Process Mining to extract attacker strategy from IDS alerts

Author: Habben Jansen, Geert (TU Delft Electrical Engineering, Mathematics and Computer Science)

Contributors: Verwer, S.E. (mentor); Reinders, M.J.T. (graduation committee); Nadeem, A. (graduation committee)

Degree granting institution: Delft University of Technology

Date: 2021-07-01

Abstract: Ever since the invention of the Internet, more and more computers have been connected throughout the world. Though this has brought numerous new inventions used every day, like social media, e-commerce, and video conferencing, it also opens up new opportunities for cyber criminals. As the intrusion detection systems used to identify malicious behavior in a computer network can generate large amounts of alerts, methods have been developed to aid security analysts in gaining insights into what is happening on the network. Of course, there is always room to improve these methods, which is the topic of this thesis. Currently, one of the state-of-the-art methods uses state machines to model the alert sequences. State machines are a good fit as they can extract the context of different alerts, but they cannot extract information like parallelism between different alerts. That is where the field of process mining comes in, with process mining algorithms being able to extract parallelism from sequential data. In this thesis, state-of-the-art algorithms from process mining are evaluated for modeling alert datasets from intrusion detection systems with the aim of improving the current methods. As a comparison, different methods for learning state machines were also tested on the same data. The results of the evaluation and comparison show that the state machines perform better in modeling the alert datasets with respect to explaining the data. On the other hand, three process mining algorithms were not able to construct sound models for the datasets, and a fourth mining algorithm gave false implications about the data. Furthermore, the possibility of combining state machines with process mining was also tested, with the idea that the combination can use the state machines to extract context and the process miner to extract parallelism. This method did not yield any improvements for the alert datasets tested, but that does not mean it is not viable in other cases.

Subjects: Process Mining; State Machines; IDS alerts

To reference this document use: http://resolver.tudelft.nl/uuid:226be13e-1f26-4ed4-98e5-441bfd0c2006

Part of collection: Student theses

Document type: master thesis

Rights: © 2021 Geert Habben Jansen

Files: PDF Thesis_Geert_Habben_Jansen.pdf (29.54 MB)