Nurit Devir, M.Sc. Thesis Seminar
With the increase in malicious activity over the Internet, it has become extremely important to build tools for automatic detection of such activity. There have been attempts to use machine learning to detect network attacks, but the difficulty of obtaining positive (attack) examples has led to the use of one-class methods for anomaly detection. In this work we present a novel framework for using multiclass learning to induce an attack detector that identifies attacks at run time.
We designed a network simulator that is used to produce network activity. The simulator includes an attacker that stochastically violates the normal activity, yielding positive as well as negative examples. We have also designed a set of features that withstand changes in the network topology.
Given the set of tagged feature vectors, we can then apply a learning algorithm to produce a multiclass attack detector. Our framework allows the user to define a cost matrix for specifying the cost for each type of detection error (predicting some value for a run, when its real tag is another value).
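To make the cost-matrix idea concrete, here is a small added example (my own code, not from the thesis or its simulator). It assumes that the trained multiclass detector outputs a posterior probability for each class for a run, and shows how a user-defined cost matrix turns those probabilities into a decision: instead of predicting the most probable class, the detector predicts the class with the lowest expected cost. The class names, the cost values, and the per-run probabilities below are all constructed for illustration.

```python
"""Cost-sensitive decision for a multiclass attack detector (added example).

COST[true][pred] is the user-defined cost of predicting `pred` for a run whose
real tag is `true`. The diagonal (correct prediction) costs nothing.
"""
from typing import List, Sequence, Tuple

# Constructed class set: one benign class plus two hypothetical attack types.
CLASSES = ["normal", "flood", "scan"]

# Constructed cost matrix, rows = true tag, columns = predicted tag.
# A missed attack is made far more expensive than a false alarm, and
# confusing the two attack types carries an intermediate cost.
COST = [
    [0.0, 1.0, 1.0],    # true normal: any alarm is a false positive (cost 1)
    [10.0, 0.0, 4.0],   # true flood: missing it costs 10, calling it scan costs 4
    [6.0, 3.0, 0.0],    # true scan: missing it costs 6, calling it flood costs 3
]


def validate_cost_matrix(cost: Sequence[Sequence[float]]) -> bool:
    """A usable cost matrix is square, non-negative and zero on the diagonal."""
    n = len(cost)
    return all(len(row) == n for row in cost) and all(
        cost[i][j] >= 0.0 and (i != j or cost[i][j] == 0.0)
        for i in range(n) for j in range(n)
    )


def expected_costs(probs: Sequence[float], cost=COST) -> List[float]:
    """Expected cost of each candidate prediction, given class posteriors."""
    n = len(cost)
    return [sum(probs[t] * cost[t][p] for t in range(n)) for p in range(n)]


def argmax_predict(probs: Sequence[float]) -> int:
    """Cost-blind decision: the most probable class."""
    return max(range(len(probs)), key=probs.__getitem__)


def cost_sensitive_predict(probs: Sequence[float], cost=COST) -> int:
    """Cost-aware decision: the class whose expected cost is lowest."""
    ec = expected_costs(probs, cost)
    return min(range(len(ec)), key=ec.__getitem__)


def total_cost(true_tags: Sequence[int], preds: Sequence[int], cost=COST) -> float:
    """Cost actually incurred over a set of runs, read off the cost matrix."""
    return sum(cost[t][p] for t, p in zip(true_tags, preds))


# Constructed posteriors for four runs, with the run's real tag.
RUNS: List[Tuple[List[float], int]] = [
    ([0.95, 0.03, 0.02], 0),  # clearly normal
    ([0.70, 0.25, 0.05], 1),  # a flood the classifier is unsure about
    ([0.05, 0.15, 0.80], 2),  # clearly a scan
    ([0.60, 0.10, 0.30], 0),  # normal, but with some scan-like probability
]


def compare_policies(runs=RUNS, cost=COST) -> Tuple[float, float]:
    """Total cost of argmax decisions vs. cost-sensitive decisions."""
    assert validate_cost_matrix(cost)
    tags = [tag for _, tag in runs]
    argmax_preds = [argmax_predict(p) for p, _ in runs]
    cs_preds = [cost_sensitive_predict(p, cost) for p, _ in runs]
    return total_cost(tags, argmax_preds, cost), total_cost(tags, cs_preds, cost)


if __name__ == "__main__":
    for probs, tag in RUNS:
        print(f"true={CLASSES[tag]:7s} argmax={CLASSES[argmax_predict(probs)]:7s} "
              f"cost-sensitive={CLASSES[cost_sensitive_predict(probs)]:7s} "
              f"expected costs={[round(c, 2) for c in expected_costs(probs)]}")
    print("total cost (argmax, cost-sensitive):", compare_policies())
```

On the second run the argmax rule predicts "normal" and misses the flood (cost 10), while the cost-sensitive rule alarms; on the fourth run the cost-sensitive rule pays for one false alarm (cost 1). Over the four constructed runs the totals are 10 versus 1, which is exactly the trade-off a cost matrix lets the user express: how many false alarms one missed attack is worth.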
We tested our framework in a wide variety of network topologies and in different setups, including transfer learning and dynamic networks. In addition, we also addressed how to choose the router(s) that will act as monitor(s) and predict the label of a run.
The presented framework will enable any organization to defend itself with an attack detector that is automatically adapted to its particular setting.
Please note: the seminar will be given in Hebrew.