|M.Sc Student||Devir Nurit|
|Subject||Applying Machine Learning for Identifying Attacks|
|Department||Department of Computer Science||Supervisors||PROFESSOR EMERITUS Orna Grumberg|
|PROF. Shaul Markovitch|
|Full Thesis text|
With the increase in malicious activity over the Internet, it has become extremely
important to build tools for automatic detection of such activity. There have been
attempts to use machine learning to detect network attacks, but the difficulty in obtaining positive (attack) examples, led to using one-class methods for anomaly detection.
In this work we present a novel framework for using multi-class learning to induce
a real-time attack detector. We designed a network simulator that is used to produce
network activity. The simulator includes an attacker that stochastically violates the
normal activity, yielding positive as well as negative examples. We have also designed a set of features that withstand changes in the network topology. Given the set of tagged feature vectors, we can then apply a learning algorithm to produce a multi-class attack detector. In addition, our framework allows the user to define a cost matrix for specifying the cost for each type of detection error.
Our framework was tested in a wide variety of network topologies and succeeded to
detect attacks with a high accuracy. We have also shown that our system is capable
of handling a transfer learning setup, where the detector is learned on one network
topology but is used on another topology from the same family. Another setup we
tested is dynamic networks in which changes take place in the topologies. Finally, we
also referred to choosing the router(s) which should be chosen to record the traffic and
transfer this information to the detector, in order to achieve high performances.
We anticipate the presented framework will enable any organization to defend itself
with an attack detector that is automatically adapted to its particular setting.