Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.
-
Upload
emmeline-johnston -
Category
Documents
-
view
217 -
download
0
Transcript of Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.
![Page 1: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/1.jpg)
Automatic Detection of Emerging Threats to Computer Networks
Andre McDonald
![Page 2: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/2.jpg)
Overview of presentation
• The cybercrime problem– Background– Cybercrime in South Africa– Network vulnerabilities
• Network intrusion detection– The need for network intrusion detection– Network intrusion detection systems– Anomaly detection techniques
• CSIR research and development– Time series detection– Network intrusion detection software platform
![Page 3: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/3.jpg)
The CybercrimeProblem
![Page 4: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/4.jpg)
Background
Cybercrime is any crime in which a computer is the object of the crime, or is used as a tool to commit an offence.
Examples• Fraud and financial crimes• Identity theft and theft of classified information
With a global impact of $388 bn per year, cybercrime is• bigger than the global black market in marijuana, cocaine and
heroin combined ($288 bn), and• more than 100 times the annual expenditure of UNICEF ($3.7 bn).
![Page 5: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/5.jpg)
Cybercrime in South Africa
Challenges in the local context• SMMEs with small ICT budgets• Local skills shortage and lack of awareness
2014 statistics for cybercrime in South Africa
Estimated cost to SA companies R 5.8 billion, 0.14% GDP
Average delay in detecting breach 200 days
Online adult South Africans exposed to cybercrime
55%
Global ranking in cybercrime exposure 3rd, after Russia and China
Estimated rate of “phishing” attacks 1 in 215 email messages
![Page 6: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/6.jpg)
Network vulnerabilities
• Cybercrime frequently involves illegitimate access to networked computer systems, or their abuse
• Networked systems are vulnerable– Weak passwords– Mobile devices and BYOD policies– Outdated software and misconfiguration– Unencrypted transmission of information
• Emerging threats and previously unobserved attacks are of particular concern– Rapid threat propagation and slow reaction– Threat signatures unavailable or not up to date
![Page 7: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/7.jpg)
Network Intrusion Detection
![Page 8: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/8.jpg)
The need for network intrusion detection
• Automatic detection of network intrusions is required as an additional security layer
• Timely detection and blocking of intrusions in their early phases may limit the scope of the damage
![Page 9: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/9.jpg)
Network intrusion detectionsystems
Network Intrusion Detection Systems (NIDS):
Hardware or software systems for automatically detecting intrusions in computer networks
![Page 10: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/10.jpg)
Detection approaches
Misuse detection• Select predefined signatures of known malicious traffic patterns• Compare observed traffic to signatures• Low false positive rate, but cannot detect previously unobserved
attacks
Anomaly detection• Construct models of legitimate traffic patterns• Observed traffic that deviates from models are tagged as malicious• Can detect certain previously unobserved attacks, but typically
exhibits high false positive rates
![Page 11: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/11.jpg)
Anomaly detection techniques
Statistical techniques• Univariate / multivariate models• Time series detection
– Filtering and thresholding
Machine learning techniques• Supervised learning
– SVMs, neural networks
• Unsupervised learning– Clustering, outlier detection
![Page 12: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/12.jpg)
Anomaly detection techniques
Statistical techniques• Adaptive and online model construction• Can potentially be trained by attacker• Rapid detection implies more false
positives
Machine learning techniques• Ability to detect more intricate attacks• Heavy data pre-processing burden• Supervised learning requires labelled
data
Accu
racy
Speed
`
Machine learning tech.
Statistical tech.
![Page 13: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/13.jpg)
CSIR Research and Development
![Page 14: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/14.jpg)
CSIR anomaly detectionresearch and development
Statistical time series based detectors• Two-stage detection• Multi-resolution detection
Unsupervised machine learning based detectors • Unsupervised feature selection to address lack of labelled data
Network intrusion detection software platform development• Deployment and configuration of sensors and detectors• Monitoring of network traffic patterns• Incident logging and analysis
Suppression of false positives
![Page 15: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/15.jpg)
Time series detection:Example
20 40 60 80 100 120 140 160 1806
8
10
12
14
16
18
20
Time [minutes]
Re
qu
est
s p
er
seco
nd
MeasurementMoving averageThreshold
Falsepositive
Start ofattack
Truepositive
![Page 16: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/16.jpg)
Time series detection:Proposed two-stage detector
• Second stage performs finer-grained detection to suppress false positives
• Second stage algorithm triggers only upon threshold crossing in first stage detector
• Candidate algorithms for stage 2:– Spectral-based detector– Inter-arrival time detector
Conventional time series detection
Finer-grained detection
Stage 1 Stage 2
![Page 17: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/17.jpg)
Time series detection:Proposed two-stage detector
Left window density estimation
Right window density estimation
Divergence metric calculation
Thresholding
0 0.1 0.2 0.3 0.4 0.50
2
4
6
8
10
Interarrival time
Pro
babi
lity
dens
ity
Left Window PDFRight Window PDF
![Page 18: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/18.jpg)
Time series detection:Experimental work
Detection of denial-of-service attack against web server• Corporate network with compromised workstations• Compromised workstation floods web server with requests,
denying legitimate users access to the website
![Page 19: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/19.jpg)
Time series detection:Experimental work
![Page 20: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/20.jpg)
Time series detection:Experimental work
Stage Algorithm / Parameter Value
1 Detection Exponentially-weighted moving average
1 Bin width 2 seconds
2 Density estimation Gaussian kernel, Silverman’s heuristic over logarithm of request interarrival time
2 Divergence metric Symmetric Kullback-Leibler divergence
2 Window width 31 requests
![Page 21: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/21.jpg)
Time series detection:Experimental results
0 10 20 30 40 50 60 70 80 90 1000
10
20
30
40
50
60
70
80
90
100
False positive %
Tru
e p
osi
tive
%
1-stage detector, 100% attack rate2-stage detector, 100% attack rate1-stage detector, 150% attack rate2-stage detector, 150% attack rate
![Page 22: Automatic Detection of Emerging Threats to Computer Networks Andre McDonald.](https://reader038.fdocuments.net/reader038/viewer/2022110206/56649f445503460f94c64f7a/html5/thumbnails/22.jpg)
Thank you