close
Skip to main content

Automatic Alert Categories Standardization for Heterogeneous Devices with Incomplete Semantic Knowledge Based on LSTM

  • Conference paper
  • First Online:
Science of Cyber Security (SciSec 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 15441))

Included in the following conference series:

  • 649 Accesses

Abstract

In the realm of cybersecurity situational awareness, systems compile alert logs from diverse network monitors. These logs exhibit large-scale dimensions, numerous alert types, and autonomous alert categories. Ensuring precise and efficacious analysis necessitates the standardization and incorporation of these logs into a unified alert type categorization. Conventionally, security experts can manually categorize and standardize alert types by scrutinizing their semantic descriptions. However, this approach is inherently subjective and limited to alerts with comprehensive descriptions already known to the experts. To confront these challenges, we pioneer a groundbreaking method that automates alert type standardization without dependence on semantic information, harnessing solely the inherent attack behavior attributes and attacker-victim ratios extracted from the logs themselves. Specifically, we commence by encapsulating each alert type within a 27-dimensional feature vector, derived from its corresponding alert logs over a defined time frame. Subsequently, we utilize Long Short-Term Memory (LSTM) neural networks to homogenize these alert types. We undertake experiments on online alert logs, achieving an outstanding 92.308% accuracy in automatically categorizing 223 distinct alert types into 12 standardized classifications. These outcomes attest to the significant enhancement in efficiency and precision engendered by our method in alert categorization. Given that the alert logs encompass data from multiple NDR (Network Detection and Response Device) devices, this experimentation further substantiates the robustness of the proposed methodology.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+
from $39.99 /Month
  • Starting from 10 chapters or articles per month
  • Access and download chapters and articles from more than 300k books and 2,500 journals
  • Cancel anytime
View plans

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 69.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 89.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Free shipping worldwide - view details

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Endsley, M.R.: Design and evaluation for situation awareness enhancement. In: Proceedings of the Human Factors Society Annual Meeting, pp. 97–101 (1988)

    Google Scholar 

  2. Wellens, A.R.: Group situation awareness and distributed decision making: from military to civilian application. In: Individual and Group Decision Making: Current Issues, pp. 267–291 (1993)

    Google Scholar 

  3. Stiawan, D., et al.: An improved LSTM-PCA ensemble classifier for SQL injection and XSS attack detection. Comput. Syst. Sci. Eng. 46(2), 1759–1774 (2023)

    Article  Google Scholar 

  4. Wang, C., et al.: State prediction using LSTM with optimized PMU deployment against DoS attacks. J. Intell. Fuzzy Syst. 42(6), 5957–5971 (2022)

    Google Scholar 

  5. Cheng, Z., Sun, D., Wang, L., Lv, Q., Wang, Y.: MMSP: a LSTM based framework for multi-step attack prediction in mixed scenarios. In: ISCC 2022, pp. 1–6 (2022)

    Google Scholar 

  6. Poornima, R., Elangovan, M., Nagarajan, G.: Network attack classification using LSTM with XGBoost feature selection. J. Intell. Fuzzy Syst. 43(1), 971–984 (2022)

    Google Scholar 

  7. Kulikov, D.A., Platonov, V.V.: Adversarial attacks on intrusion detection systems using the LSTM classifier. Autom. Control Comput. Sci. 55(8), 1080–1086 (2021)

    Article  Google Scholar 

  8. Srinivasan, S., Deepalakshmi, P.: An innovative malware detection methodology employing the amalgamation of stacked BiLSTM and CNN+LSTM-based classification networks with the assistance of Mayfly metaheuristic optimization algorithm in cyber-attack. Concurr. Comput. Pract. Exp. 35(10) (2023)

    Google Scholar 

  9. MITRE. Adversarial Tactics, Techniques & Common Knowledge (ATT &CK) (2024). https://attack.mitre.org/

  10. Al-Sada, B., Sadighian, A., Oligeri, G.: Analysis and characterization of cyber threats leveraging the MITRE ATT &CK database. IEEE Access 12, 1217–1234 (2024)

    Article  Google Scholar 

  11. Kim, Y., Lee, I., Kwon, H., Lee, K., Yoon, J.: BAN: predicting APT attack based on Bayesian network with MITRE ATT &CK framework. IEEE Access 11, 91949–91968 (2023)

    Article  Google Scholar 

  12. Amazon Web Services: NIST Cybersecurity Framework-Aligning to the NIST CSF in the AWS Cloud (2017)

    Google Scholar 

  13. Ibrahim, A., Valli, C., McAteer, I., Chaudhry, J.: A security review of local government using NIST CSF: a case study. J. Supercomput. 74(10), 5171–5186 (2018)

    Article  Google Scholar 

  14. Roy, P.P.: A high-level comparison between the NIST cyber security framework and the ISO 27001 information security standard. In: 2020 National Conference on Emerging Trends on Sustainable Technology and Engineering Applications, NCETSTEA 2020, vol. 53, pp. 27001–27003 (2020)

    Google Scholar 

  15. Benz, M., Chatterjee, D.: Calculated risk? A cybersecurity evaluation tool for SMEs. Bus. Horiz. 63(4), 531–540 (2020)

    Article  Google Scholar 

  16. Kohnke, A., Sigler, K., Shoemaker, D.: Implementing Cybersecurity: A Guide to the National Institute of Standards and Technology Risk Management Framework. CRC Press (2017)

    Google Scholar 

  17. National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity [NIST Cybersecurity Framework]. National Institute of Standards and Technology, Gaithersburg, MD (2018). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

  18. Carvalho, C., Marques, E.: Adapting ISO 27001 to a public institution. In: Iberian Conference on Information Systems and Technologies, CIST, vol. 2019-June, no. June, pp. 19–22 (2019)

    Google Scholar 

  19. Phirke, A., Ghorpade-Aher, J.: Best practices of auditing in an organization using ISO 27001 standard. Int. J. Recent Technol. Eng. 8(2), 691–695 (2019). Special Issue 3

    Google Scholar 

  20. Disterer, G.: ISO/IEC 27000, 27001 and 27002 for information security management. J. Inf. Secur. 04(02), 92–100 (2013)

    Google Scholar 

  21. Leszczyna, R.: A review of standards with cybersecurity requirements for smart grid. Comput. Secur. 77, 262–276 (2018)

    Article  Google Scholar 

  22. Leszczyna, R.: Cybersecurity and privacy in standards for smart grids – a comprehensive survey. Comput. Stand. Interfaces 56(2017), 62–73 (2018)

    Google Scholar 

  23. Hao, X., Zhou, F., Chen, X.: Analysis on security standards for industrial control system and enlightenment on relevant Chinese standards. In: Proceedings of 2016 IEEE 11th Conference on Industrial Electronics and Applications, ICIEA 2016, pp. 1967–1971 (2016)

    Google Scholar 

  24. https://oasis-open.org/committees/tc_home.php?wg_abbrev=cti

  25. Apoorva, M., Eswarawaka, R., Reddy, P.V.B.: A latest comprehensive study on structured threat information expression (STIX) and trusted automated exchange of indicator information (TAXII). In: Satapathy, S.C., Bhateja, V., Udgata, S.K., Pattnaik, P.K. (eds.) Proceedings of the 5th International Conference on Frontiers in Intelligent Computing: Theory and Applications. AISC, vol. 516, pp. 477–482. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-3156-4_49

    Chapter  Google Scholar 

  26. https://tools.ietf.org/html/rfc7970

  27. Montville, A.W., Black, D.: Enumeration reference format for the incident object description exchange format (IODEF). RFC 7495, 1–10 (2015)

    Google Scholar 

  28. https://www.verizon.com/about/news/verizon-dbir

  29. de Melo, C.B., Dutt, N.D.: LOCoCAT: low-overhead classification of CAN bus attack types. IEEE Embed. Syst. Lett. 15(4), 178–181 (2023)

    Article  Google Scholar 

  30. Chang, P.: Multi-Layer Perceptron Neural Network for Improving Detection Performance of Malicious Phishing URLs Without Affecting Other Attack Types Classification. CoRR abs/2203.00774 (2022)

    Google Scholar 

  31. Lee, J., Lee, Y., Lee, D., Kwon, H., Shin, D.: Classification of attack types and analysis of attack methods for profiling phishing mail attack groups. IEEE Access 9, 80866–80872 (2021)

    Article  Google Scholar 

  32. Erfani, M.: A feature exploration approach for IoT attack type classification. DASC/PiCom/CBDCom/CyberSciTech, pp. 582–588 (2021)

    Google Scholar 

  33. Manyumwa, T., Chapita, P. F., Wu, H., Ji, S.: Towards fighting cybercrime: malicious URL attack type detection using multiclass classification. In: IEEE BigData, pp. 1813–1822 (2020)

    Google Scholar 

  34. Zhang, D., Suhara, Y., Li, J., Hulsebos, M., Demiralp, Ç., Tan, W.-C.: Sato: contextual semantic type detection in tables. Proc. VLDB Endow. 13(11), 1835–1848 (2020)

    Article  Google Scholar 

  35. Sebastiani, F.: Machine learning in automated text categorization. ACM Comput. Surv. 34(1), 1–47 (2002)

    Article  Google Scholar 

  36. Kurt Barbé, Gosselin, H.: An ARMA time series approach for analyzing long memory dynamics in measurements. In: I2MTC, pp. 1–6 (2016)

    Google Scholar 

  37. Zhao, Z., Kleinhans, A., Sandhu, G., Patel, I., Unnikrishnan, K.P.: Capsule networks with max-min normalization, CoRR, abs/1903.09662 (2019)

    Google Scholar 

  38. Best, D.J., Rayner, J.C.W.: Chi-squared components for tests of fit and improved models for the grouped exponential distribution. Comput. Stat. Data Anal. 51(8), 3946–3954 (2007)

    Article  MathSciNet  Google Scholar 

  39. Cui, H., Yan, G., Song, H.: A novel curvelet thresholding denoising method based on chi-squared distribution. Signal Image Video Process. 9(2), 491–498 (2015)

    Article  Google Scholar 

  40. Bono, R., Arnau, J., Alarcón, R., Blanca, M.J.: Bias, precision, and accuracy of skewness and kurtosis estimators for frequently used continuous distributions. Symmetry 12(1), 19 (2020)

    Article  Google Scholar 

  41. https://github.com/pytorch/pytorch

  42. Mao, A., Mohri, M., Zhong, Y.: Cross-Entropy Loss Functions: Theoretical Analysis and Applications. CoRR abs/2304.07288 (2023)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Binbin Li.

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wang, H. et al. (2025). Automatic Alert Categories Standardization for Heterogeneous Devices with Incomplete Semantic Knowledge Based on LSTM. In: Zhao, J., Meng, W. (eds) Science of Cyber Security. SciSec 2024. Lecture Notes in Computer Science, vol 15441. Springer, Singapore. https://doi.org/10.1007/978-981-96-2417-1_24

Download citation

Keywords

Publish with us

Policies and ethics