ENHANCING NETWORK INTRUSION CLASSIfiCATION THROUGH THE KOLMOGOROV-SMIRNOV SPLITTING CRITERION

ABSTRACTOur investigation aims at detecting network intrusions using decision tree algorithms. Large differences in prior class probabilities of intrusion data have been reported to hinder the performance of decision trees. We propose to replace the Shannon entropy used in tree induction algorithms with a Kolmogorov Smirnov splitting criterion which locates a Bayes optimal cutpoint of attributes. The Kolmogorov-Smirnov distance based on the cumulative distributions is not degraded by class imbalance. Numerical test  results on the KDDCup99 dataset showed that our proposals are attractive to network intrusion detection tasks. The single decision tree gives best results for minority classes, cost metric and global accuracy compared with the bagged boosting of trees of the KDDCup’99 winner and classical decision tree algorithms using the Shannon entropy. In contrast to the complex model of KDDCup winner, our decision tree represents inductive rules (IF-THEN) that facilitate human interpretation.ABSTRACTOur investigation aims at detecting network intrusions using decision tree algorithms. Large differences in prior class probabilities of intrusion data have been reported to hinder the performance of decision trees. We propose to replace the Shannon entropy used in tree induction algorithms with a Kolmogorov Smirnov splitting criterion which locates a Bayes optimal cutpoint of attributes. The Kolmogorov-Smirnov distance based on the cumulative distributions is not degraded by class imbalance. Numerical test  results on the KDDCup99 dataset showed that our proposals are attractive to network intrusion detection tasks. The single decision tree gives best results for minority classes, cost metric and global accuracy compared with the bagged boosting of trees of the KDDCup’99 winner and classical decision tree algorithms using the Shannon entropy. In contrast to the complex model of KDDCup winner, our decision tree represents inductive rules (IF-THEN) that facilitate human interpretation

Detecção de anomalias na partilha de ficheiros em ambientes empresariais

File sharing is the activity of making archives (documents, videos, photos) available to other users. Enterprises use file sharing to make archives available to their employees or clients. The availability of these files can be done through an internal network, cloud service (external) or even Peer-to-Peer (P2P). Most of the time, the files within the file sharing service have sensitive information that cannot be disclosed. Equifax data breach attack exploited a zero-day attack that allowed arbitrary code execution, leading to a huge data breach as over 143 million user information was presumed compromised. Ransomware is a type of malware that encrypts computer data (documents, media, ...) making it inaccessible to the user, demanding a ransom for the decryption of the data. This type of malware has been a serious threat to enterprises. WannaCry and NotPetya are some examples of ransomware that had a huge impact on enterprises with big amounts of ransoms, for example WannaCry reached more than 142,361.51$in ransoms. In this dissertation, we purpose a system that can detect file sharing anomalies like ransomware (WannaCry, NotPetya) and theft (Equifax breach), and also their propagation. The solution consists of network monitoring, the creation of communication profiles for each user/machine, an analysis algorithm using machine learning and a countermeasure mechanism in case an anomaly is detected.Partilha de ficheiros é a atividade de disponibilizar ficheiros (documentos, vídeos, fotos) a utilizadores. As empresas usam a partilha de ficheiros para disponibilizar ficheiros aos seus utilizadores e trabalhadores. A disponibilidade destes ficheiros pode ser feita a partir de uma rede interna, serviço de nuvem (externo) ou até Ponto-a-Ponto. Normalmente, os ficheiros contidos no serviço de partilha de ficheiros contêm dados confidenciais que não podem ser divulgados. O ataque de violação de dados realizado a Equifax explorou uma vulnerabilidade de dia zero que permitiu execução de código arbitrário, levando a que a informação de 143 milhões de utilizadores fosse comprometida. Ransomware é um tipo de malware que cifra os dados do computador (documentos, multimédia...) tornando-os inacessíveis ao utilizador, exigindo a este um resgate para decifrar esses dados. Este tipo de malware tem sido uma grande ameaça às empresas atuais. WannaCry e NotPetya são alguns exemplos de Ransomware que tiveram um grande impacto com grandes quantias de resgate, WannaCry alcançou mais de 142,361.51$ em resgates. Neste tabalho, propomos um sistema que consiga detectar anomalias na partilha de ficheiros, como o ransomware (WannaCry, NotPetya) e roubo de dados (violação de dados Equifax), bem como a sua propagação. A solução consiste na monitorização da rede da empresa, na criação de perfis para cada utilizador/máquina, num algoritmo de machine learning para análise dos dados e num mecanismo que bloqueie a máquina afetada no caso de se detectar uma anomalia.Mestrado em Engenharia de Computadores e Telemátic

Prototipo de detección de ataques distribuidos de denegación de servicios (DDOS1) a partir de máquinas de aprendizaje

Los ataques Distribuidos de Denegación de Servicios (DDOS) afectan la disponibilidad de los servicios WEB por un periodo de tiempo indeterminado, inundando con peticiones fraudulentas los servidores de las empresas y denegando las solicitudes de los usuarios legítimos, generando pérdidas económicas por indisponibilidad de los servicios prestados. Por este motivo, el alcance de este documento es desarrollar un prototipo de detección de ataques DDOS a partir de máquinas de aprendizaje (SVM2),el cual captura el tráfico de red, filtra las cabeceras HTTP3, normaliza los datos teniendo como base las variables operacionales: Tasa de Falsos Positivos, Tasa de Falsos Negativos, Tasa de Clasificación, y envía la información a la SVM para el respectivo entrenamiento y pruebas de detección, integrado con el software estadístico para minería de datos WEKA4, permitiendo identificar efectivamente estos comportamientos anómalos en la capa superior a la sesión (Modelo de referencia OSI5), con el propósito de aumentar el tiempo de disponibilidad de los servicios. El experimento permitirá evaluar, validar y comparar la técnica del prototipo basado en un modelo supervisado SVM, contra un modelo tradicional basado en reglas como SNORT(Snort, 2008).Distributed Denial of Services (DDOS) attacks affect the availability of WEB services for an indeterminate period of time, flooding company servers with fraudulent requests and denying requests from legitimate users, generating economic losses due to unavailability of services. rendered. For this reason, the scope of this document is to develop a DDOS attack detection prototype from machine learning (SVM2), which captures network traffic, filters HTTP3 headers, normalizes data based on operational variables : False Positive Rate, False Negative Rate, Classification Rate, and sends the information to the SVM for the respective training and detection tests, integrated with the statistical software for data mining WEKA4, allowing to effectively identify these anomalous behaviors in the layer above the session (OSI5 Reference Model), in order to increase the availability time of services. The experiment will allow to evaluate, validate and compare the technique of the prototype based on a supervised SVM model, against a traditional model based on rules such as SNORT (Snort, 2008)