Technical Report MSC-2019-06

Title: Applying Machine Learning for Identifying Attacks at Run-Time
Authors: Nurit Devir
Supervisors: Orna Grumberg and Shaul Markovitch
PDFCurrently accessibly only within the Technion network
Abstract: With the increase in malicious activity over the Internet, it has become extremely important to build tools for automatic detection of such activity. There have been attempts to use machine learning to detect network attacks, but the difficulty in obtaining positive (attack) examples, led to using one-class methods for anomaly detection. In this work we present a novel framework for using multi-class learning to induce a real-time attack detector. We designed a network simulator that is used to produce network activity. The simulator includes an attacker that stochastically violates the normal activity, yielding positive as well as negative examples. We have also designed a set of features that withstand changes in the network topology. Given the set of tagged feature vectors, we can then apply a learning algorithm to produce a multi-class attack detector. In addition, our framework allows the user to define a cost matrix for specifying the cost for each type of detection error. Our framework was tested in a wide variety of network topologies and succeeded to detect attacks with a high accuracy. We have also shown that our system is capable of handling a transfer learning setup, where the detector is learned on one network topology but is used on another topology from the same family. Another setup we tested is dynamic networks in which changes take place in the topologies. Finally, we also referred to choosing the router(s) which should be chosen to record the traffic and transfer this information to the detector, in order to achieve high performances. %hat will act as monitor(s) and predict the tag of the run (normal, attacked, etc...). We anticipate the presented framework will enable any organization to defend itself with an attack detector that is automatically adapted to its particular setting.
CopyrightThe above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information

Remark: Any link to this technical report should be to this page (, rather than to the URL of the PDF files directly. The latter URLs may change without notice.

To the list of the MSC technical reports of 2019
To the main CS technical reports page

Computer science department, Technion