Detecting network attacks using high-resolution time series

dc.contributor.advisor: Baghai-Wadji, Alireza
dc.contributor.author: Lorgat, Mohamed Wasim
dc.date.accessioned: 2019-02-11T13:45:36Z
dc.date.available: 2019-02-11T13:45:36Z
dc.date.issued: 2018
dc.date.updated: 2019-02-11T08:54:31Z
dc.description.abstract: Research in the detection of cyber-attacks has sky-rocketed in the recent past. However, there remains a striking gap between the usage of the proposed algorithms in academic research and in industrial applications. Leading researchers have argued that efforts toward understanding the proposed detectors are lacking. By digging deeper into their inner workings and critically evaluating their underlying assumptions, better detectors may be built. The aim of this thesis is therefore to provide an underlying theory for understanding a single class of detection algorithms, in particular anomaly-based network intrusion detection algorithms that utilise high-resolution time series data. A framework is proposed to deconstruct the algorithms into their constituent components (windows, representations, and deviations). The framework is applied to a class of algorithms, allowing a “space” of algorithms to be constructed, spanned by five variables: windowing procedure, information availability, single- or multi-aggregated representation, marginal distribution model, and deviation. The detection of a simple class of Denial-of-Service (DoS) attacks is modelled as a detection-theoretic problem. It is shown that the effect of incomplete information is greatest when detecting low-intensity attacks (less than 5%); however, the effect slowly decays as the attack intensity increases. Next, the representation and deviation components are jointly analysed via a proposed experimental procedure using network traffic from two publicly available datasets: the Measurement and Analysis on the WIDE Internet (MAWI) archive, and the Booters dataset. The experimental analysis shows that varying the representation (single- versus multi-aggregated) has little effect on detection accuracy, and that the likelihood deviation is superior to the L2 distance deviation, although the difference is negligible for large-intensity attacks (approximately 80%).
dc.identifier.apacitation: Lorgat, M. W. (2018). Detecting network attacks using high-resolution time series. University of Cape Town, Engineering and the Built Environment, Department of Electrical Engineering. Retrieved from http://hdl.handle.net/11427/29489
dc.identifier.chicagocitation: Lorgat, Mohamed Wasim. "Detecting network attacks using high-resolution time series." University of Cape Town, Engineering and the Built Environment, Department of Electrical Engineering, 2018. http://hdl.handle.net/11427/29489
dc.identifier.citation: Lorgat, M. 2018. Detecting network attacks using high-resolution time series. University of Cape Town.
dc.identifier.uri: http://hdl.handle.net/11427/29489
dc.identifier.vancouvercitation: Lorgat MW. Detecting network attacks using high-resolution time series. University of Cape Town, Engineering and the Built Environment, Department of Electrical Engineering, 2018 [cited yyyy month dd]. Available from: http://hdl.handle.net/11427/29489
dc.language.iso: eng
dc.publisher.department: Department of Electrical Engineering
dc.publisher.faculty: Faculty of Engineering and the Built Environment
dc.publisher.institution: University of Cape Town
dc.subject.other: Electrical Engineering
dc.title: Detecting network attacks using high-resolution time series
dc.type: Master Thesis
dc.type.qualificationlevel: Masters
dc.type.qualificationname: MSc
Files
Original bundle
Name: thesis_ebe_2018_lorgat_mohamed_wasim.pdf
Size: 14.43 MB
Format: Adobe Portable Document Format
License bundle
Name: license.txt
Size: 0 B
Format: Item-specific license agreed upon to submission