Abstract
Artificial intelligence (AI) assisted cyber-attacks, within the network cybersecurity domain, have evolved to be more successful at every phase of the cyber threat lifecycle. This involves, amongst other tasks, reconnaissance, weaponisation, delivery, exploitation, installation, command & control, and actions. The result has been AI-enhanced attacks, such as DeepLocker, self-learning malware and MalGan, which are highly targeted and undetectable, and automatically exploit vulnerabilities in existing cyber defence systems. Countermeasures would require significant improvements in the efficacy of existing cyber defence systems to enable the discovery and detection of AI-enhanced attacks in networks in general. The challenge is that rule-and-anomaly-based intrusion detection approaches would need to be evolved into a dynamic self-learning approach before being able to discover “undetectable” network threats. The problem is that, when considering current state-of-the-art network cybersecurity countermeasures, this has not yet been achieved. One of the key challenges in achieving this is the inability to extract meaningful information from network packets. The novel solution proposed in this paper is to fingerprint network sessions. Each fingerprint is represented by a two-dimensional matrix that can be visualised, comprising a unique session key, the protocol discourse and the transmitted data. This is achieved by extracting information, summarising network session key events, encoding the received data, and merging it with existing fingerprints. The unique key and transmitted data are encoded using a Hilbert curve, while the protocol discourse is encoded into a tornado diagram. The resulting visualised network session fingerprints reveal hidden patterns that are ideal for subsequent pattern recognition, reinforcement learning (RL) or support vector machines (SVM) training to discover AI-enhanced cyber threats as they evolve.
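An added example, not code from the paper: one way to lay a session's transmitted bytes along a Hilbert curve so that they form a two-dimensional matrix in which neighbouring bytes stay in neighbouring cells. The grid sizing, zero padding, one-byte-per-cell value, function names and the sample payload are assumptions; the tornado-diagram encoding of the protocol discourse is not shown.

```python
"""Added illustration: Hilbert-curve layout of session bytes into a 2D matrix."""


def d2xy(order: int, d: int) -> tuple[int, int]:
    """Map distance d along a Hilbert curve of side 2**order to cell (x, y)."""
    x = y = 0
    t = d
    s = 1
    while s < (1 << order):
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # rotate/flip the current quadrant
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def grid_order(length: int) -> int:
    """Smallest curve order whose grid (4**order cells) holds `length` bytes."""
    order = 1
    while (1 << (2 * order)) < length:
        order += 1
    return order


def hilbert_matrix(data: bytes) -> list[list[int]]:
    """Place data[i] in the i-th cell along the curve; unused cells stay 0
    (the padding value is an assumption made for this example)."""
    order = grid_order(len(data))
    side = 1 << order
    grid = [[0] * side for _ in range(side)]
    for i, value in enumerate(data):
        x, y = d2xy(order, i)
        grid[y][x] = value
    return grid


# Constructed sample payload standing in for one session's transmitted data.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for row in hilbert_matrix(SAMPLE):
        print(" ".join(f"{cell:02x}" for cell in row))
```

Because consecutive positions on the curve are always adjacent cells, byte runs such as headers or repeated padding show up as contiguous regions in the matrix rather than being split across row ends as they would be in a row-major layout.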
More From: International Conference on Cyber Warfare and Security