Abstract
In the realm of cybersecurity situational awareness, systems compile alert logs from diverse network monitors. These logs exhibit large-scale dimensions, numerous alert types, and autonomous alert categories. Ensuring precise and efficacious analysis necessitates the standardization and incorporation of these logs into a unified alert type categorization. Conventionally, security experts can manually categorize and standardize alert types by scrutinizing their semantic descriptions. However, this approach is inherently subjective and limited to alerts with comprehensive descriptions already known to the experts. To confront these challenges, we pioneer a groundbreaking method that automates alert type standardization without dependence on semantic information, harnessing solely the inherent attack behavior attributes and attacker-victim ratios extracted from the logs themselves. Specifically, we commence by encapsulating each alert type within a 27-dimensional feature vector, derived from its corresponding alert logs over a defined time frame. Subsequently, we utilize Long Short-Term Memory (LSTM) neural networks to homogenize these alert types. We undertake experiments on online alert logs, achieving an outstanding 92.308% accuracy in automatically categorizing 223 distinct alert types into 12 standardized classifications. These outcomes attest to the significant enhancement in efficiency and precision engendered by our method in alert categorization. Given that the alert logs encompass data from multiple NDR (Network Detection and Response Device) devices, this experimentation further substantiates the robustness of the proposed methodology.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Endsley, M.R.: Design and evaluation for situation awareness enhancement. In: Proceedings of the Human Factors Society Annual Meeting, pp. 97–101 (1988)
Wellens, A.R.: Group situation awareness and distributed decision making: from military to civilian application. In: Individual and Group Decision Making: Current Issues, pp. 267–291 (1993)
Stiawan, D., et al.: An improved LSTM-PCA ensemble classifier for SQL injection and XSS attack detection. Comput. Syst. Sci. Eng. 46(2), 1759–1774 (2023)
Wang, C., et al.: State prediction using LSTM with optimized PMU deployment against DoS attacks. J. Intell. Fuzzy Syst. 42(6), 5957–5971 (2022)
Cheng, Z., Sun, D., Wang, L., Lv, Q., Wang, Y.: MMSP: a LSTM based framework for multi-step attack prediction in mixed scenarios. In: ISCC 2022, pp. 1–6 (2022)
Poornima, R., Elangovan, M., Nagarajan, G.: Network attack classification using LSTM with XGBoost feature selection. J. Intell. Fuzzy Syst. 43(1), 971–984 (2022)
Kulikov, D.A., Platonov, V.V.: Adversarial attacks on intrusion detection systems using the LSTM classifier. Autom. Control Comput. Sci. 55(8), 1080–1086 (2021)
Srinivasan, S., Deepalakshmi, P.: An innovative malware detection methodology employing the amalgamation of stacked BiLSTM and CNN+LSTM-based classification networks with the assistance of Mayfly metaheuristic optimization algorithm in cyber-attack. Concurr. Comput. Pract. Exp. 35(10) (2023)
MITRE. Adversarial Tactics, Techniques & Common Knowledge (ATT &CK) (2024). https://attack.mitre.org/
Al-Sada, B., Sadighian, A., Oligeri, G.: Analysis and characterization of cyber threats leveraging the MITRE ATT &CK database. IEEE Access 12, 1217–1234 (2024)
Kim, Y., Lee, I., Kwon, H., Lee, K., Yoon, J.: BAN: predicting APT attack based on Bayesian network with MITRE ATT &CK framework. IEEE Access 11, 91949–91968 (2023)
Amazon Web Services: NIST Cybersecurity Framework-Aligning to the NIST CSF in the AWS Cloud (2017)
Ibrahim, A., Valli, C., McAteer, I., Chaudhry, J.: A security review of local government using NIST CSF: a case study. J. Supercomput. 74(10), 5171–5186 (2018)
Roy, P.P.: A high-level comparison between the NIST cyber security framework and the ISO 27001 information security standard. In: 2020 National Conference on Emerging Trends on Sustainable Technology and Engineering Applications, NCETSTEA 2020, vol. 53, pp. 27001–27003 (2020)
Benz, M., Chatterjee, D.: Calculated risk? A cybersecurity evaluation tool for SMEs. Bus. Horiz. 63(4), 531–540 (2020)
Kohnke, A., Sigler, K., Shoemaker, D.: Implementing Cybersecurity: A Guide to the National Institute of Standards and Technology Risk Management Framework. CRC Press (2017)
National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity [NIST Cybersecurity Framework]. National Institute of Standards and Technology, Gaithersburg, MD (2018). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Carvalho, C., Marques, E.: Adapting ISO 27001 to a public institution. In: Iberian Conference on Information Systems and Technologies, CIST, vol. 2019-June, no. June, pp. 19–22 (2019)
Phirke, A., Ghorpade-Aher, J.: Best practices of auditing in an organization using ISO 27001 standard. Int. J. Recent Technol. Eng. 8(2), 691–695 (2019). Special Issue 3
Disterer, G.: ISO/IEC 27000, 27001 and 27002 for information security management. J. Inf. Secur. 04(02), 92–100 (2013)
Leszczyna, R.: A review of standards with cybersecurity requirements for smart grid. Comput. Secur. 77, 262–276 (2018)
Leszczyna, R.: Cybersecurity and privacy in standards for smart grids – a comprehensive survey. Comput. Stand. Interfaces 56(2017), 62–73 (2018)
Hao, X., Zhou, F., Chen, X.: Analysis on security standards for industrial control system and enlightenment on relevant Chinese standards. In: Proceedings of 2016 IEEE 11th Conference on Industrial Electronics and Applications, ICIEA 2016, pp. 1967–1971 (2016)
Apoorva, M., Eswarawaka, R., Reddy, P.V.B.: A latest comprehensive study on structured threat information expression (STIX) and trusted automated exchange of indicator information (TAXII). In: Satapathy, S.C., Bhateja, V., Udgata, S.K., Pattnaik, P.K. (eds.) Proceedings of the 5th International Conference on Frontiers in Intelligent Computing: Theory and Applications. AISC, vol. 516, pp. 477–482. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-3156-4_49
Montville, A.W., Black, D.: Enumeration reference format for the incident object description exchange format (IODEF). RFC 7495, 1–10 (2015)
de Melo, C.B., Dutt, N.D.: LOCoCAT: low-overhead classification of CAN bus attack types. IEEE Embed. Syst. Lett. 15(4), 178–181 (2023)
Chang, P.: Multi-Layer Perceptron Neural Network for Improving Detection Performance of Malicious Phishing URLs Without Affecting Other Attack Types Classification. CoRR abs/2203.00774 (2022)
Lee, J., Lee, Y., Lee, D., Kwon, H., Shin, D.: Classification of attack types and analysis of attack methods for profiling phishing mail attack groups. IEEE Access 9, 80866–80872 (2021)
Erfani, M.: A feature exploration approach for IoT attack type classification. DASC/PiCom/CBDCom/CyberSciTech, pp. 582–588 (2021)
Manyumwa, T., Chapita, P. F., Wu, H., Ji, S.: Towards fighting cybercrime: malicious URL attack type detection using multiclass classification. In: IEEE BigData, pp. 1813–1822 (2020)
Zhang, D., Suhara, Y., Li, J., Hulsebos, M., Demiralp, Ç., Tan, W.-C.: Sato: contextual semantic type detection in tables. Proc. VLDB Endow. 13(11), 1835–1848 (2020)
Sebastiani, F.: Machine learning in automated text categorization. ACM Comput. Surv. 34(1), 1–47 (2002)
Kurt Barbé, Gosselin, H.: An ARMA time series approach for analyzing long memory dynamics in measurements. In: I2MTC, pp. 1–6 (2016)
Zhao, Z., Kleinhans, A., Sandhu, G., Patel, I., Unnikrishnan, K.P.: Capsule networks with max-min normalization, CoRR, abs/1903.09662 (2019)
Best, D.J., Rayner, J.C.W.: Chi-squared components for tests of fit and improved models for the grouped exponential distribution. Comput. Stat. Data Anal. 51(8), 3946–3954 (2007)
Cui, H., Yan, G., Song, H.: A novel curvelet thresholding denoising method based on chi-squared distribution. Signal Image Video Process. 9(2), 491–498 (2015)
Bono, R., Arnau, J., Alarcón, R., Blanca, M.J.: Bias, precision, and accuracy of skewness and kurtosis estimators for frequently used continuous distributions. Symmetry 12(1), 19 (2020)
Mao, A., Mohri, M., Zhong, Y.: Cross-Entropy Loss Functions: Theoretical Analysis and Applications. CoRR abs/2304.07288 (2023)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Wang, H. et al. (2025). Automatic Alert Categories Standardization for Heterogeneous Devices with Incomplete Semantic Knowledge Based on LSTM. In: Zhao, J., Meng, W. (eds) Science of Cyber Security. SciSec 2024. Lecture Notes in Computer Science, vol 15441. Springer, Singapore. https://doi.org/10.1007/978-981-96-2417-1_24
Download citation
DOI: https://doi.org/10.1007/978-981-96-2417-1_24
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-96-2416-4
Online ISBN: 978-981-96-2417-1
eBook Packages: Computer ScienceComputer Science (R0)Springer Nature Proceedings Computer Science