M.Sc Thesis

M.Sc Student: Devir Nurit
Subject: Applying Machine Learning for Identifying Attacks at Run-Time
Department: Department of Computer Science
Supervisors: Professor Emeritus Orna Grumberg, Prof. Shaul Markovitch
Full Thesis text: Full thesis text - English Version


With the increase in malicious activity over the Internet, it has become extremely important to build tools for automatic detection of such activity. There have been attempts to use machine learning to detect network attacks, but the difficulty in obtaining positive (attack) examples led to using one-class methods for anomaly detection.

In this work we present a novel framework for using multi-class learning to induce a real-time attack detector. We designed a network simulator that is used to produce network activity. The simulator includes an attacker that stochastically violates the normal activity, yielding positive as well as negative examples. We have also designed a set of features that withstand changes in the network topology. Given the set of tagged feature vectors, we can then apply a learning algorithm to produce a multi-class attack detector. In addition, our framework allows the user to define a cost matrix for specifying the cost for each type of detection error.
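As an added illustration (not code from the thesis, which does not publish its feature set or classifier), the following Python shows how a user-defined cost matrix turns a multi-class detector's class probabilities into a minimum-expected-cost decision, so that the same traffic window can be labelled "normal" under a plain zero-one cost and "flood" when missing a flood is made expensive. The three features, the labelled training windows, the nearest-centroid scorer and the cost values are constructed assumptions.

```python
"""Cost-sensitive multi-class attack detection over constructed feature vectors.

The detector is a nearest-centroid classifier whose negative distances are turned
into class probabilities with a softmax; any classifier that outputs per-class
probabilities could replace it. The cost matrix is indexed cost[true][predicted].
"""
import math
from typing import Dict, List, Sequence, Tuple

CLASSES = ["normal", "scan", "flood"]

# Constructed, labelled traffic windows (assumed, not data from the thesis).
# Each vector holds three assumed topology-independent features of one window:
#   [distinct_dst_ports / flows, syn_only_flows / flows, packets_per_flow / 100]
TRAIN: List[Tuple[List[float], str]] = [
    ([0.05, 0.10, 0.40], "normal"),
    ([0.08, 0.12, 0.35], "normal"),
    ([0.04, 0.08, 0.45], "normal"),
    ([0.90, 0.85, 0.02], "scan"),
    ([0.85, 0.90, 0.03], "scan"),
    ([0.95, 0.80, 0.01], "scan"),
    ([0.03, 0.95, 0.90], "flood"),
    ([0.05, 0.90, 0.95], "flood"),
    ([0.02, 0.98, 0.85], "flood"),
]

# Zero-one cost: every detection error is equally bad (plain argmax decision).
ZERO_ONE: Dict[str, Dict[str, float]] = {
    t: {p: 0.0 if t == p else 1.0 for p in CLASSES} for t in CLASSES
}

# Constructed asymmetric cost: a missed flood (true flood, predicted normal) costs
# 20, a missed scan costs 5, while a false alarm on normal traffic costs only 1.
ASYMMETRIC: Dict[str, Dict[str, float]] = {
    "normal": {"normal": 0.0, "scan": 1.0, "flood": 1.0},
    "scan":   {"normal": 5.0, "scan": 0.0, "flood": 2.0},
    "flood":  {"normal": 20.0, "scan": 10.0, "flood": 0.0},
}


def train_centroids(examples: Sequence[Tuple[Sequence[float], str]]) -> Dict[str, List[float]]:
    """Compute the mean feature vector of every class in the tagged examples."""
    sums: Dict[str, List[float]] = {}
    counts: Dict[str, int] = {}
    for x, label in examples:
        acc = sums.setdefault(label, [0.0] * len(x))
        for i, v in enumerate(x):
            acc[i] += v
        counts[label] = counts.get(label, 0) + 1
    return {c: [s / counts[c] for s in sums[c]] for c in sums}


def class_probabilities(centroids: Dict[str, List[float]], x: Sequence[float],
                        temperature: float = 0.2) -> Dict[str, float]:
    """Softmax over negative squared distance to each centroid (probability-like scores)."""
    logits = {
        c: -sum((a - b) ** 2 for a, b in zip(x, mu)) / temperature
        for c, mu in centroids.items()
    }
    top = max(logits.values())                      # subtract max for numerical stability
    exps = {c: math.exp(v - top) for c, v in logits.items()}
    z = sum(exps.values())
    return {c: e / z for c, e in exps.items()}


def expected_costs(probs: Dict[str, float], cost: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Expected cost of each possible prediction: sum_true p(true) * cost[true][pred]."""
    return {
        pred: sum(probs.get(t, 0.0) * cost[t][pred] for t in CLASSES) for pred in CLASSES
    }


def decide(probs: Dict[str, float], cost: Dict[str, Dict[str, float]]) -> str:
    """Pick the class whose expected cost under the matrix is lowest."""
    ec = expected_costs(probs, cost)
    return min(CLASSES, key=lambda c: ec[c])


def classify(x: Sequence[float], cost: Dict[str, Dict[str, float]],
             centroids: Dict[str, List[float]]) -> str:
    """Full pipeline: feature vector -> class probabilities -> cost-sensitive label."""
    return decide(class_probabilities(centroids, x), cost)


if __name__ == "__main__":
    model = train_centroids(TRAIN)
    # Constructed ambiguous window: SYN ratio and packet rate halfway to a flood.
    window = [0.05, 0.45, 0.55]
    for name, matrix in (("zero-one", ZERO_ONE), ("asymmetric", ASYMMETRIC)):
        print(f"{name:10s} -> {classify(window, matrix, model)}")
```

The decision rule is the standard Bayes-risk minimiser: with zero-one cost it reduces to taking the most probable class, whereas a matrix that charges a missed flood twenty times a false alarm shifts the boundary so that a window with roughly a quarter of its probability mass on "flood" is still flagged. The same matrix is what an operator tunes when false alarms are cheap to triage but a missed attack is not.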

Our framework was tested on a wide variety of network topologies and succeeded in detecting attacks with high accuracy. We have also shown that our system can handle a transfer learning setup, where the detector is learned on one network topology but used on another topology from the same family. Another setup we tested is dynamic networks, in which the topology changes over time. Finally, we also addressed the choice of the router(s) that should record the traffic and forward this information to the detector, in order to achieve high performance.

We anticipate the presented framework will enable any organization to defend itself with an attack detector that is automatically adapted to its particular setting.