Network Monitoring and Attack Detection - Master Thesis
Nicolas Kaenzig, D-ITET, ETH-Zürich
Tutors: Roland Meier, Luca Gambazzi, Vincent Lenders
Supervisor: Prof. Laurent Vanbever
Due to the rapid increase in sophisticated attacks on computer systems and networks, network anomaly and intrusion detection has become a center of intense research over the past decades. Analysing network traffic at large scale and identifying suspicious patterns in it has proven to be a major challenge.
In this thesis we investigate methods for performing effective analysis of network traffic and evaluate machine-learning based techniques for automated detection of malicious activities. We perform the analysis on a large set of raw network data originating from past cyber defense exercises (Locked Shields).
First, we apply common tools for network traffic analysis and intrusion detection such as Wireshark, Bro and Snort to the data. We then use the information extracted by these tools to build an extensive Elasticsearch database, which enables powerful analysis and visualization of the data. In addition, we label connections between compromised hosts and C&C servers under the control of the attacker team, using information sources provided by the organizers of the Locked Shields exercise.
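As an added illustration of the labelling step (this is example code written for this page, not the thesis's own tooling), the block below parses Bro's tab-separated conn.log format and tags every connection whose responder address falls into a list of attacker-controlled C&C servers. The conn.log excerpt, the C&C address list and the IP ranges are constructed for the example; a real run would read the exercise's conn.log files and the organizers' C&C list instead.

```python
"""Label Bro/Zeek conn.log records as C&C sessions.

Added example: the conn.log excerpt and the C&C address list below are
constructed for illustration, not data from the Locked Shields exercise.
"""
import ipaddress
from typing import Dict, Iterable, Iterator, List, Set

# Constructed excerpt in Bro's ASCII log format: '#'-prefixed header
# lines, a '#fields' line naming the columns, then tab-separated records.
# '-' marks an unset field (here: a connection that never completed).
CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1524000001.123\tCabc1\t10.0.1.15\t49152\t198.51.100.7\t443\ttcp\tssl"
    "\t12.5\t1400\t32000\tSF\n"
    "1524000002.456\tCabc2\t10.0.1.15\t49153\t10.0.1.1\t53\tudp\tdns"
    "\t0.01\t60\t120\tSF\n"
    "1524000003.789\tCabc3\t10.0.1.22\t49154\t203.0.113.9\t8080\ttcp\thttp"
    "\t-\t-\t-\tS0\n"
    "1524000004.000\tCabc4\t10.0.2.5\t49155\t198.51.100.7\t443\ttcp\tssl"
    "\t300.2\t5200\t9800\tSF\n"
)

# Constructed stand-in for the organizers' list of attacker-controlled
# servers; entries may be single addresses or CIDR ranges.
CC_SERVERS = ["198.51.100.7", "203.0.113.0/24"]


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names on the '#fields' line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header lines and blank lines carry no records
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        yield dict(zip(fields, values))


def load_cc_networks(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn the C&C list into network objects so single IPs and ranges match alike."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_cc_address(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def label_sessions(text: str, cc_entries: Iterable[str]) -> List[Dict[str, str]]:
    """Attach a 'label' column: 'cc' if the responder is a known C&C server, else 'benign'."""
    nets = load_cc_networks(cc_entries)
    labelled = []
    for rec in parse_conn_log(text):
        rec = dict(rec)
        rec["label"] = "cc" if is_cc_address(rec["id.resp_h"], nets) else "benign"
        labelled.append(rec)
    return labelled


def compromised_hosts(labelled: List[Dict[str, str]]) -> Set[str]:
    """Originators of at least one C&C session, i.e. the hosts to treat as compromised."""
    return {r["id.orig_h"] for r in labelled if r["label"] == "cc"}


if __name__ == "__main__":
    rows = label_sessions(CONN_LOG, CC_SERVERS)
    for r in rows:
        print(r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["conn_state"], r["label"])
    print("compromised:", sorted(compromised_hosts(rows)))
```

Two points worth keeping in mind when using destination-based labels as ground truth: a record with conn_state S0 (no reply, as in the third constructed line) is still a C&C contact attempt and is labelled as such here, which is usually what a detector should learn; and an address that is shared by benign services would mislabel legitimate traffic, so the list should contain only infrastructure confirmed to be attacker-controlled.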
In the second part of the thesis we investigate possible machine-learning based applications for intrusion and anomaly detection, with the goal of providing the defenders with an additional monitoring tool during the exercise. We train supervised machine-learning models that identify sessions established to malicious C&C servers with high precision. We then conduct a thorough analysis of model robustness by simulating adversarial inputs and packet loss, and propose methods to increase the models' resilience.
Finally, we evaluate unsupervised clustering approaches, first on the recent intrusion detection dataset CICIDS2017, in which all malicious traffic is labelled, which facilitates validation of the developed models. Returning to the Locked Shields data, we demonstrate the feasibility of unsupervised intrusion detection on this data by reporting high detection rates for the C&C sessions mentioned above.
