Can process mining help in anomaly-based intrusion detection?
Yinzheng Zhong, Alexei Lisitsa

TL;DR
This paper evaluates the potential of process mining techniques for network traffic analysis and intrusion detection, highlighting their limitations and challenges in practical applications.
Contribution
It standardizes the transformation of network data into event logs and compares different process mining methods for intrusion detection.
Findings
Naive process mining is ineffective for intrusion detection.
Different process models reveal varying insights into network traffic.
Challenges include data transformation and model accuracy.
Abstract
In this paper, we consider the naive applications of process mining in network traffic comprehension, traffic anomaly detection, and intrusion detection. We standardise the procedure of transforming packet data into an event log. We mine multiple process models and analyse the process models mined with the inductive miner using ProM and the fuzzy miner using Disco. We compare the two types of process models extracted from event logs of differing sizes. We contrast the process models with the RFC TCP state transition diagram and the diagram by Bishop et al. We analyse the issues and challenges associated with process mining in intrusion detection and explain why naive process mining with network data is ineffective.
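As an added illustration of the first step the abstract describes (this is not the paper's code; the choice of case id and activity name is this example's assumption, not the paper's standardised procedure), the following turns constructed packet records into a per-flow event log and derives the directly-follows relation that discovery algorithms build their models from:

```python
from collections import Counter, defaultdict

# Constructed packet records (not real captures):
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    (1.000, "10.0.0.5", 40001, "10.0.0.9", 80, "S"),
    (1.001, "10.0.0.9", 80, "10.0.0.5", 40001, "SA"),
    (1.002, "10.0.0.5", 40001, "10.0.0.9", 80, "A"),
    (1.010, "10.0.0.5", 40001, "10.0.0.9", 80, "PA"),
    (1.020, "10.0.0.9", 80, "10.0.0.5", 40001, "FA"),
    (1.021, "10.0.0.5", 40001, "10.0.0.9", 80, "A"),
    (1.022, "10.0.0.5", 40001, "10.0.0.9", 80, "FA"),
    (1.023, "10.0.0.9", 80, "10.0.0.5", 40001, "A"),
    # Second flow: handshake never completes, responder retransmits SYN-ACK.
    (2.000, "10.0.0.7", 51000, "10.0.0.9", 22, "S"),
    (2.100, "10.0.0.9", 22, "10.0.0.7", 51000, "SA"),
    (3.100, "10.0.0.9", 22, "10.0.0.7", 51000, "SA"),
]

def flow_id(src_ip, src_port, dst_ip, dst_port):
    """Direction-agnostic key so both halves of a connection share one case."""
    return tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))

def to_event_log(packets):
    """Case = bidirectional flow; activity = '<dir>:<flags>', where dir is C for
    the endpoint that sent the first packet and R for the other; events are
    ordered by timestamp. This activity naming is an assumption of the example."""
    traces = defaultdict(list)
    initiator = {}
    for ts, sip, sp, dip, dp, flags in sorted(packets, key=lambda p: p[0]):
        case = flow_id(sip, sp, dip, dp)
        initiator.setdefault(case, (sip, sp))
        direction = "C" if (sip, sp) == initiator[case] else "R"
        traces[case].append((ts, f"{direction}:{flags}"))
    return {case: [act for _, act in evs] for case, evs in traces.items()}

def directly_follows(log):
    """Count a -> b transitions over all traces: the relation that discovery
    algorithms such as the inductive miner derive their models from."""
    dfg = Counter()
    for trace in log.values():
        for a, b in zip(trace, trace[1:]):
            dfg[(a, b)] += 1
    return dfg

if __name__ == "__main__":
    log = to_event_log(PACKETS)
    for case, trace in log.items():
        print(case, "->", " ".join(trace))
    print(directly_follows(log).most_common(3))
```

The second trace shows why the abstract's comparison against the RFC TCP state diagram matters: a model mined from such logs records "R:SA -> R:SA" as an ordinary transition unless the analyst knows it is a retransmission loop rather than a legitimate state change.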
Taxonomy
Topics: Business Process Modeling and Analysis · Network Security and Intrusion Detection · Information and Cyber Security
