An Advanced Approach for Detecting Behavior-Based Intranet Attacks by Machine Learning

To address continuously increasing cyber threats, security professionals within organizations are fortifying internal security by implementing security policies such as network segregation and emerging concepts such as Zero Trust. However, despite these changes in the cybersecurity landscape, the ultimate goal of cyber attackers, which is to exfiltrate critical information stored within an organization's intranet, remains unchanged. Consequently, attackers with motives such as hacktivists persistently and repeatedly target key systems within an organization's intranet to achieve their ultimate objectives. Considering the tendencies of intranet attackers, this study proposes the inclusion of the number of connection attempts for attack detection as an additional attribute alongside commonly used attributes such as source IP, destination IP, protocol, and attack signatures in intrusion detection rules. This proposal is supported by establishing an experimental environment for conducting intranet attacks and collecting raw data. Using feature engineering techniques, the raw data were transformed into analyzable datasets, and the performance was measured using six supervised machine learning algorithms. Through this research, we aim to contribute to the field of cybersecurity by going beyond the conventional focus on Internet-based attacks and providing a methodology for analyzing various intranet-based attacks in a post-stage environment. In addition, we share the method of feature engineering Zeek IDS raw data and release the resulting dataset to further advance the field. We hope that these contributions will foster future developments in this domain.