WhatsThat? On the Usage of Hierarchical Clustering for Unsupervised Detection & Interpretation of Network Attacks
Result identifiers
Result code in IS VaVaI
RIV/68407700:21230/20:00342465 - isvavai.cz (https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F20%3A00342465)
Result on the web
https://doi.org/10.1109/EuroSPW51379.2020.00084
DOI - Digital Object Identifier
10.1109/EuroSPW51379.2020.00084 (http://dx.doi.org/10.1109/EuroSPW51379.2020.00084)
Alternative languages
Result language
English
Title in original language
WhatsThat? On the Usage of Hierarchical Clustering for Unsupervised Detection & Interpretation of Network Attacks
Description in original language
The automatic detection and interpretation of network attacks through machine learning is a well-known problem for which no general solution is available. Supervised learning and anomaly detection approaches require prior knowledge about the system under analysis, either in terms of normal operation profiles or of the specific attacks to detect. As a consequence, both approaches have clear limitations when it comes to detecting, and in particular interpreting, previously unseen attacks and anomalies. In this paper we present WhatsThat, a novel approach to unsupervised network anomaly detection, which can both detect and interpret anomalous behaviors in a completely black-box manner, without relying on any ground truth about the system under analysis. WhatsThat relies on hierarchical clustering techniques to discover and characterize anomalous patterns present in nested or hierarchically structured multidimensional data, which is common in network traffic, e.g., due to multi-layer protocols. The solution uses unsupervised cluster validity metrics to automatically explore the data structure, and builds on automatic identification of relevant features to provide meaningful descriptions of the detected patterns. We showcase WhatsThat in the detection and interpretation of network attacks hidden in real, large-scale network traffic collected at a transit Internet backbone network. While WhatsThat is mainly tailored for unsupervised anomaly detection and interpretation, it can also be applied to the unsupervised analysis of any kind of nested or hierarchically structured multidimensional data, showing the potential of hierarchical clustering for general unsupervised data analytics.
Title in English
WhatsThat? On the Usage of Hierarchical Clustering for Unsupervised Detection & Interpretation of Network Attacks
Classification
Type
D - Article in conference proceedings
CEP field
—
OECD FORD field
20202 - Communication engineering and systems
Result links
Project
—
Links
I - Institutional support for the long-term conceptual development of a research organisation
Other
Year of publication
2020
Data confidentiality code
S - Complete and truthful data on the project are not subject to protection under special legal regulations
Data specific to the result type
Proceedings title
2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
ISBN
978-1-7281-8597-2
ISSN
—
e-ISSN
—
Number of pages
10
Pages from-to
574-583
Publisher
IEEE
Place of publication
Piscataway (New Jersey)
Event location
online
Event date
7 September 2020
Event type by nationality
WRD - Worldwide event
Article UT WoS code
000630275400073