Learning Detector of Malicious Network Traffic from Weak Labels

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F15%3A00235471" target="_blank" >RIV/68407700:21230/15:00235471 - isvavai.cz</a>

Výsledek na webu

<a href="http://dx.doi.org/10.1007/978-3-319-23461-8_6" target="_blank" >http://dx.doi.org/10.1007/978-3-319-23461-8_6</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1007/978-3-319-23461-8_6" target="_blank" >10.1007/978-3-319-23461-8_6</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Learning Detector of Malicious Network Traffic from Weak Labels

Popis výsledku v původním jazyce

We address the problem of learning a detector of malicious behavior in network traffic. The malicious behavior is detected based on the analysis of network proxy logs that capture malware communication between client and server computers. The conceptualproblem in using the standard supervised learning methods is the lack of sufficiently representative training set containing examples of malicious and legitimate communication. Annotation of individual proxy logs is an expensive process involving security experts and does not scale with constantly evolving malware. However, weak supervision can be achieved on the level of properly defined bags of proxy logs by leveraging internet domain black lists, security reports, and sandboxing analysis. We demonstrate that an accurate detector can be obtained from the collected security intelligence data by using a Multiple Instance Learning algorithm tailored to the Neyman-Pearson problem. We provide a thorough experimental evaluation on a large c

Název v anglickém jazyce

Learning Detector of Malicious Network Traffic from Weak Labels

Popis výsledku anglicky

We address the problem of learning a detector of malicious behavior in network traffic. The malicious behavior is detected based on the analysis of network proxy logs that capture malware communication between client and server computers. The conceptualproblem in using the standard supervised learning methods is the lack of sufficiently representative training set containing examples of malicious and legitimate communication. Annotation of individual proxy logs is an expensive process involving security experts and does not scale with constantly evolving malware. However, weak supervision can be achieved on the level of properly defined bags of proxy logs by leveraging internet domain black lists, security reports, and sandboxing analysis. We demonstrate that an accurate detector can be obtained from the collected security intelligence data by using a Multiple Instance Learning algorithm tailored to the Neyman-Pearson problem. We provide a thorough experimental evaluation on a large c

Druh

D - Stať ve sborníku

CEP obor

JD - Využití počítačů, robotika a její aplikace

OECD FORD obor

—

Projekt

<a href="/cs/project/GAP202%2F12%2F2071" target="_blank" >GAP202/12/2071: Strukturované statistické modely pro porozumění obrazům</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2015

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

Machine Learning and Knowledge Discovery in Databases, Part III

ISBN

978-3-319-23460-1

ISSN

0302-9743

e-ISSN

—

Počet stran výsledku

15

Strana od-do

85-99

Název nakladatele

Springer

Místo vydání

Heidelberg

Místo konání akce

Porto

Datum konání akce

7. 9. 2015

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000363667400009