Detecting network attacks using high-resolution time series


dc.contributor.advisor Baghai-Wadji, Alireza
dc.contributor.author Lorgat, Mohamed Wasim
dc.date.accessioned 2019-02-11T13:45:36Z
dc.date.available 2019-02-11T13:45:36Z
dc.date.issued 2018
dc.identifier.citation Lorgat, M. 2018. Detecting network attacks using high-resolution time series. University of Cape Town. en_ZA
dc.identifier.uri http://hdl.handle.net/11427/29489
dc.description.abstract Research in the detection of cyber-attacks has grown rapidly in recent years. However, there remains a striking gap between the use of the proposed algorithms in academic research and their use in industrial applications. Leading researchers have argued that efforts toward understanding the proposed detectors are lacking: by digging deeper into their inner workings and critically evaluating their underlying assumptions, better detectors may be built. The aim of this thesis is therefore to provide an underlying theory for understanding a single class of detection algorithms, namely anomaly-based network intrusion detection algorithms that utilise high-resolution time series data. A framework is proposed to deconstruct such algorithms into their constituent components (windows, representations, and deviations). The framework is applied to a class of algorithms, which yields a “space” of algorithms spanned by five variables: windowing procedure, information availability, single- or multi-aggregated representation, marginal distribution model, and deviation. The detection of a simple class of Denial-of-Service (DoS) attacks is modelled as a detection-theoretic problem. It is shown that the effect of incomplete information is greatest when detecting low-intensity attacks (less than 5%), and that the effect slowly decays as the attack intensity increases. Next, the representation and deviation components are jointly analysed via a proposed experimental procedure using network traffic from two publicly available datasets: the Measurement and Analysis on the WIDE Internet (MAWI) archive, and the Booters dataset. The experimental analysis shows that varying the representation (single- versus multi-aggregated) has little effect on detection accuracy, and that the likelihood deviation is superior to the L2 distance deviation, although the difference is negligible for large-intensity attacks (approximately 80%).
dc.language.iso eng
dc.subject.other Electrical Engineering
dc.title Detecting network attacks using high-resolution time series
dc.type Thesis / Dissertation
dc.date.updated 2019-02-11T08:54:31Z
dc.publisher.institution University of Cape Town
dc.publisher.faculty Engineering and the Built Environment
dc.publisher.department Department of Electrical Engineering
dc.type.qualificationlevel Masters
dc.type.qualificationname MSc
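The window / representation / deviation decomposition described in the abstract, as an added, self-contained example that is not code from the thesis. It builds one point of the "algorithm space" at a time: a windowing procedure (tumbling or sliding), a single- or multi-aggregated representation, a marginal distribution model, and either the L2 or the likelihood deviation, and runs it over a constructed per-second packet-count series with an injected flood. Everything concrete is this example's own assumption, not the thesis's: the marginal model is an independent Poisson per feature with the attack-free mean as rate, attack intensity is measured as a fraction of the baseline rate, the alarm threshold is the largest deviation seen on attack-free traffic, and the information-availability variable is left out.

```python
"""Window / representation / deviation decomposition of a high-resolution
time-series DoS detector, run on a constructed per-second packet-count series.

Added example, not code from the thesis. The decomposition follows the
abstract; the concrete choices (Poisson marginal model, attack intensity
measured against the baseline rate, threshold = largest attack-free deviation)
are assumptions of this example.
"""
import math
import random
from dataclasses import dataclass, field
from typing import Callable, List


def make_series(length=200, attack_start=140, attack_len=20, intensity=0.0, seed=1):
    """Constructed series: ~100 packets/s with bounded noise of +-15 packets/s
    (seeded, so every call with the same seed yields the same baseline), plus a
    flood of intensity * 100 extra packets/s during the attack interval.
    intensity 0.05 is a 'low' and 0.8 a 'high' attack in the abstract's terms
    (assumption: intensity is relative to the baseline rate)."""
    rng = random.Random(seed)
    series = []
    for t in range(length):
        count = 100 + rng.randint(-15, 15)
        if attack_start <= t < attack_start + attack_len:
            count += round(intensity * 100)
        series.append(count)
    return series


def windows(series, size, step):
    """Windowing procedure: step == size gives tumbling windows, step < size
    gives overlapping (sliding) windows. Trailing partial windows are dropped."""
    return [(start, series[start:start + size])
            for start in range(0, len(series) - size + 1, step)]


def represent(window, bins):
    """Representation: bins == 1 is single-aggregated (one total count per
    window); bins > 1 is multi-aggregated (totals of `bins` equal sub-windows)."""
    width = len(window) // bins
    return [sum(window[i * width:(i + 1) * width]) for i in range(bins)]


def fit_model(reps):
    """Marginal distribution model: an independent Poisson per feature whose
    rate is the attack-free mean of that feature (this example's assumption)."""
    n = len(reps)
    return [max(sum(r[i] for r in reps) / n, 1e-9) for i in range(len(reps[0]))]


def l2_deviation(rep, rates):
    """Deviation 1: Euclidean distance between the representation and the
    expected (mean) representation, in raw packet counts."""
    return math.sqrt(sum((x - lam) ** 2 for x, lam in zip(rep, rates)))


def likelihood_deviation(rep, rates):
    """Deviation 2: negative log-likelihood of the representation under the
    Poisson marginal model; grows when any feature is far above or below its rate."""
    return sum(lam - x * math.log(lam) + math.lgamma(x + 1)
               for x, lam in zip(rep, rates))


@dataclass
class Detector:
    """One point in the algorithm space: (windowing, representation, deviation)."""
    size: int                 # window length in samples
    step: int                 # == size: tumbling windows; < size: sliding
    bins: int                 # 1: single-aggregated; > 1: multi-aggregated
    deviation: Callable       # l2_deviation or likelihood_deviation
    rates: List[float] = field(default_factory=list)
    threshold: float = 0.0

    def fit(self, clean_series):
        """Fit the marginal model on attack-free traffic and set the alarm
        threshold to the largest deviation seen there (no false alarm on the
        training windows by construction)."""
        reps = [represent(w, self.bins) for _, w in windows(clean_series, self.size, self.step)]
        self.rates = fit_model(reps)
        self.threshold = max(self.deviation(r, self.rates) for r in reps)
        return self

    def flag(self, series):
        """Return the start offsets of windows whose deviation exceeds the threshold."""
        return [start for start, w in windows(series, self.size, self.step)
                if self.deviation(represent(w, self.bins), self.rates) > self.threshold]


if __name__ == "__main__":
    clean = make_series()
    for intensity in (0.05, 0.8):
        attacked = make_series(intensity=intensity)     # same noise, attack added at t=140..159
        for name, dev in (("L2", l2_deviation), ("likelihood", likelihood_deviation)):
            for bins in (1, 4):
                det = Detector(size=20, step=20, bins=bins, deviation=dev).fit(clean)
                print(f"intensity={intensity:<5} {name:<10} bins={bins}: flagged windows {det.flag(attacked)}")
```

Because the attacked series reuses the clean series' noise, every non-attack window is identical to a training window and sits exactly at or below the threshold, so only the flood window at offset 140 can be flagged; at 80% intensity both deviations and both representations flag it, while at 5% the extra 100 packets per window are comparable to the baseline spread and the outcome depends on the seed, which is the low-intensity regime the abstract singles out as hard.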

