Abstract

The proliferation of smart devices and computer networks has led to a huge rise in internet traffic and network attacks, which makes efficient network traffic monitoring a necessity. There have been many attempts to address these issues; however, agile detection solutions are still needed. This research work deals with the detection of malware infections, one of the most challenging tasks in modern computer security. In recent years, anomaly detection has been the first detection approach, with its results followed up by other classifiers. Anomaly detection methods are typically designed to model normal user behavior and then look for deviations from that model. However, anomaly detection techniques may suffer from a variety of problems, including missing validations for verification and a large number of false positives. This work proposes and describes a new profile-based method for identifying anomalous changes in the network behavior of users. Profiles describe user behavior from different perspectives using different flags. Each profile is composed of information about what the user has done over a period of time. The symptoms extracted into the profile cover a wide range of user actions and try to analyze different kinds of actions. Compared to other symptom-based anomaly detectors, the profiles offer a higher-level view of user behavior. The hypothesis is that searching for anomalies in high-level symptoms produces fewer false positives while still effectively finding real attacks. The problem of obtaining correctly labeled data for training anomaly detection algorithms is also addressed in this work. Datasets were designed and created that contain real normal user actions captured while the user's machine is infected with real malware. These datasets were used to train and evaluate anomaly detection algorithms, among them the local outlier factor (LOF) and the one-class support vector machine (SVM).
The results show that the proposed anomaly-based, profile-based algorithm produces very few false positives and a relatively high true-positive detection rate. The two main contributions of this work are a new approach to network anomaly detection and datasets containing a combination of genuine malware and actual user traffic. Finally, future work will focus on applying the proposed approach to protecting Internet of Things (IoT) devices.

Highlights

  • A side-effect verification checked whether the method was capable of generalizing to malware it had not seen during training

  • The experiments proposed in our analysis try to find out how the anomaly detection algorithms work in a realistic setup where a normal user is infected while they continue to work

  • To the best of our knowledge, this research work presents the first anomaly detection method in which users are profiled using their network traffic to create behavioral features that are then analyzed from different perspectives


Summary

MOTIVATION AND INTRODUCTION

Nowadays, detecting intruders and malware infections [1] in local networks is one of the most difficult and most studied challenges in modern computer security. An anomaly detection model is created for each feature of a profile, based on all the data of that feature across all the normal profiles of the user. The anomaly detection algorithms, trained on the normal profiles, are used to evaluate the unseen profiles and assign a label to each feature in these profiles. To evaluate the performance of the algorithm it is necessary to have ground-truth labels. The normal label (label = 1) is assigned to all the profiles that were created before the infection of the virtual machine.
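The per-feature training and labelling workflow described above, as an added example that is not the paper's code: constructed NetFlow-like records are grouped into fixed time windows to form profiles, a pure-Python local outlier factor (LOF) model is fitted for each feature on the normal profiles only, every feature of each unseen profile receives a label, and the profile labels are compared with the ground truth derived from the infection time. The window size, the three feature names, the infection time, the flow records themselves and the "any anomalous feature flags the profile" combination rule are all assumptions made for this example.

```python
"""Added example (not the paper's code): per-feature LOF anomaly detection over
user profiles built from constructed NetFlow-like records."""
from collections import defaultdict

WINDOW = 300                 # seconds per profile (assumption)
INFECTION_TS = 12 * WINDOW   # constructed: the machine is infected when window 12 starts
FEATURES = ("established", "not_established", "distinct_dst_ips")


def synth_window(w, est, not_est, window=WINDOW):
    """Constructed flow records for window `w`: `est` established flows to three
    internal hosts plus `not_est` failed connection attempts to distinct hosts."""
    base = w * window
    flows = [{"ts": base + i, "dip": "10.0.0.%d" % (1 + i % 3), "dport": 443, "state": "EST"}
             for i in range(est)]
    flows += [{"ts": base + 100 + i, "dip": "203.0.113.%d" % i, "dport": 445, "state": "NOT_EST"}
              for i in range(not_est)]
    return flows


def build_profiles(flows, window=WINDOW):
    """Aggregate flows into one profile (a dict of behavioural features) per window."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f["ts"] // window].append(f)
    return [{
        "window": w,
        "established": sum(1 for f in fl if f["state"] == "EST"),
        "not_established": sum(1 for f in fl if f["state"] == "NOT_EST"),
        "distinct_dst_ips": len({f["dip"] for f in fl}),
    } for w, fl in sorted(buckets.items())]


class LOF1D:
    """Local outlier factor (Breunig et al.) for one scalar feature in novelty mode:
    fit on normal values, then score unseen values against them. A stand-in for
    sklearn's LocalOutlierFactor(novelty=True); k exceeds the largest group of
    duplicate counts so no k-distance collapses to zero."""

    def __init__(self, k=5, threshold=2.0):
        self.k, self.threshold = k, threshold

    def _neighbours(self, v, exclude=None):
        # k nearest training points (ties broken by index) and the k-distance
        cand = sorted((abs(v - w), j) for j, w in enumerate(self.train) if j != exclude)
        return [j for _, j in cand[:self.k]], cand[self.k - 1][0]

    def _lrd(self, v, neigh):
        # local reachability density: k / sum(max(k-dist(o), d(v, o)) for o in neighbours)
        reach = sum(max(self.kdist[j], abs(v - self.train[j])) for j in neigh)
        return self.k / max(reach, 1e-9)

    def fit(self, values):
        self.train = list(values)
        if len(self.train) <= self.k:
            raise ValueError("need more than k training values")
        nk = [self._neighbours(v, exclude=i) for i, v in enumerate(self.train)]
        self.neigh, self.kdist = [n for n, _ in nk], [d for _, d in nk]
        self.lrd = [self._lrd(v, self.neigh[i]) for i, v in enumerate(self.train)]
        return self

    def score(self, v):
        # LOF = mean density of the neighbours / density of v; about 1 for normal points
        neigh, _ = self._neighbours(v)
        return sum(self.lrd[j] for j in neigh) / (self.k * self._lrd(v, neigh))

    def label(self, v):
        # 1 = normal (the paper's convention), -1 = anomalous (sklearn's convention)
        return 1 if self.score(v) <= self.threshold else -1


def train_models(normal_profiles, **kw):
    """One LOF model per feature, fitted on that feature across all normal profiles."""
    return {f: LOF1D(**kw).fit([p[f] for p in normal_profiles]) for f in FEATURES}


def evaluate(models, profiles):
    """Label each feature of every unseen profile; the profile is flagged when any
    feature is anomalous (assumption). Ground truth: label 1 before the infection."""
    out = []
    for p in profiles:
        labels = {f: models[f].label(p[f]) for f in FEATURES}
        out.append({"window": p["window"], "features": labels,
                    "predicted": -1 if -1 in labels.values() else 1,
                    "truth": 1 if p["window"] * WINDOW < INFECTION_TS else -1})
    return out


def confusion(results):
    c = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for r in results:
        c[("t" if r["predicted"] == r["truth"] else "f") + ("p" if r["predicted"] == -1 else "n")] += 1
    return c


# Constructed traffic: windows 0-9 normal (training), 10-11 normal but unseen,
# 12-13 recorded after the infection (many failed connections to many hosts).
NORMAL_TRAIN = [synth_window(w, e, n) for w, (e, n) in enumerate(
    zip([10, 9, 11, 10, 12, 8, 10, 11, 9, 10], [1, 0, 2, 1, 0, 1, 2, 1, 0, 1]))]
UNSEEN = [synth_window(10, 10, 1), synth_window(11, 11, 0),
          synth_window(12, 10, 60), synth_window(13, 9, 45)]


def run():
    models = train_models(build_profiles(sum(NORMAL_TRAIN, [])))
    results = evaluate(models, build_profiles(sum(UNSEEN, [])))
    return results, confusion(results)


if __name__ == "__main__":
    results, counts = run()
    for r in results:
        print("window", r["window"], r["features"], "predicted", r["predicted"], "truth", r["truth"])
    print(counts)
```

In the infected windows only the failed-connection and distinct-host features are flagged while the established-connection feature still looks normal, which is exactly why the paper labels each feature separately rather than scoring a profile as a whole.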

RELATED WORK AND STATE-OF-THE-ART
METHODOLOGY
NetFlows
Established and not Established Connections
Profiling to Identify Network user behaviors
Anomaly Detection Algorithms
Training and Validation
Model Selection
MACHINE LEARNING DATASETS
Ground-Truth Labels Process
EXPERIMENTAL RESULTS
The First Experiment
The Second Experiment
The Third Experiment
The Fourth Experiment
Results
The Fifth Experiment
ANALYSIS OF RESULTS
CONCLUSIONS
FUTURE DIRECTIONS