28 research outputs found
ENCODE: Encoding NetFlows for Network Anomaly Detection
NetFlow data is a popular network log format used by many network analysts and researchers. The advantages of using NetFlow over deep packet inspection are that it is easier to collect and process, and it is less privacy intrusive. Many works have used machine learning to detect network attacks using NetFlow data. The first step for these machine learning pipelines is to pre-process the data before it is given to the machine learning algorithm. Many approaches exist to pre-process NetFlow data; however, these simply apply existing methods to the data, not considering the specific properties of network data. We argue that for data originating from software systems, such as NetFlow or software logs, similarities in frequency and contexts of feature values are more important than similarities in the value itself. In this work, we propose an encoding algorithm that directly takes the frequency and the context of the feature values into account when the data is being processed. Different types of network behaviours can be clustered using this encoding, thus aiding the process of detecting anomalies within the network. We train several machine learning models for anomaly detection using the data that has been encoded with our encoding algorithm. We evaluate the effectiveness of our encoding on a new dataset that we created for network attacks on Kubernetes clusters and two well-known public NetFlow datasets. We empirically demonstrate that the machine learning models benefit from using our encoding for anomaly detection.
Comment: 11 pages, 17 figures
Chemical Profile and Antimicrobial Activity of the Fungus-Growing Termite Strain Macrotermes Bellicosus Used in Traditional Medicine in the Republic of Benin
The fungus-growing termite species Macrotermes bellicosus (M. bellicosus) is used in nutrition and traditional medicine in the Republic of Benin for the treatment of infectious and inflammatory diseases. Previous findings demonstrated evidence of anti-inflammatory and spasmolytic properties of M. bellicosus. The aim of the present study was to evaluate the antimicrobial potential of different extracts of M. bellicosus samples and to determine the chemical profile of an ethanolic M. bellicosus extract. Chemical profiling was conducted using centrifugal partition chromatography and 13C-NMR, followed by MALDI-TOF MS. Major identified compounds include hydroquinone (HQ), methylhydroquinone (MHQ), 3,4-dihydroxyphenethyl glycol (DHPG), N-acetyldopamine (NADA) and niacinamide. The fatty acid mixture of the extract was mainly composed of linoleic and oleic acid and highlights the nutritional purpose of M. bellicosus. Using the Kirby–Bauer disc diffusion and broth microdilution assays, an antibacterial activity of M. bellicosus samples was observed against various clinical strains, with the highest growth inhibition against S. aureus. In addition, HQ and MHQ, as well as fractions containing DHPG, niacinamide and NADA, inhibited S. aureus growth. The reported antimicrobial activity of M. bellicosus and the identified active substances provide a rationale for the traditional medicinal use of M. bellicosus.
New anomaly detection and classification algorithms for IP and mobile networks
Recent years have witnessed an increase in the diversity and frequency of network attacks, which appear more sophisticated than ever and are devised to be undetectable. At the same time, customized techniques have been designed to detect them and to take rapid countermeasures. The recent surge in statistical and machine learning techniques has contributed greatly to providing novel and sophisticated techniques for detecting such attacks. These techniques have multiple applications that enable automation in various fields. Within the networking area, they can serve traffic routing, traffic classification, and network security, to name a few. This thesis presents novel anomaly detection and classification techniques for IP and mobile networks. At the IP level, it presents our solution Split-and-Merge, which detects botnets slowly spreading on the Internet by exploiting emerging vulnerabilities. This technique monitors the long-term evolution of the usage of application ports. Then, our thesis tackles the detection of botnet-infected hosts, this time at the host level, using classification techniques, in our solution BotFP. Finally, it presents our ASTECH (for Anomaly SpatioTEmporal Convex Hull) methodology for group anomaly detection in mobile networks based on mobile app usage.

In recent years there has been a marked increase in the frequency and diversity of network attacks, which appear ever more sophisticated and designed to be undetectable. In parallel, techniques are being developed to detect them and to take countermeasures quickly. Recently, the rise of statistical and machine learning techniques has enabled the rapid development of innovative techniques aimed at detecting such attacks. These techniques have applications in many domains that would benefit from further automation. In the networking domain, they apply, for example, to traffic routing, traffic classification and network security. This thesis proposes new anomaly detection and classification algorithms applied to IP and mobile networks. At the IP level, it presents a Split-and-Merge solution that detects botnets spreading slowly over the Internet by exploiting emerging vulnerabilities. This method analyses the long-term evolution of application port usage. It then addresses the detection of hosts infected by a botnet, this time using classification techniques at the host level, in a solution named BotFP. Finally, this thesis presents our ASTECH algorithm, which detects raw anomalies in time series from mobile networks, groups them into spatio-temporal convex hulls, and finally induces several classes of events.
SurvCaus : Representation Balancing for Survival Causal Inference
Individual Treatment Effect (ITE) estimation methods have risen in popularity in recent years. Most of the time, individual effects are better presented as Conditional Average Treatment Effects (CATE). Recently, representation balancing techniques have gained considerable momentum in causal inference from observational data, but they remain limited to continuous (and binary) outcomes. However, in numerous pathologies, the outcome of interest is a (possibly censored) survival time. Our paper proposes theoretical guarantees for a representation balancing framework applied to counterfactual inference in a survival setting, using a neural network capable of predicting the factual and counterfactual survival functions (and then the CATE), in the presence of censoring, at the individual level. We also present extensive experiments on synthetic and semi-synthetic datasets that show that the proposed extensions outperform baseline methods.
Scalable and Collaborative Intrusion Detection and Prevention Systems Based on SDN and NFV
Group anomaly detection in mobile app usages: A spatiotemporal convex hull methodology
Analysing mobile app communications can unleash significant information on both the state of the communication infrastructure and the operations of mobile computing services. A wide variety of events can engender unusual mobile communication patterns that are potentially interesting for pervasive computing applications, e.g., in smart cities. For instance, local events, national events, and network outages can produce spatiotemporal load anomalies that could be taken into consideration by both mobile applications and infrastructure providers, especially with the emergence of edge computing frameworks where the two environments merge. Being able to detect and promptly treat these anomalies is therefore a desirable feature for next-generation cellular and edge computing networks, with regard to security, network and application performance, and public safety. We focus on the detection of spatiotemporal anomalies in mobile access by decomposing, aggregating and grouping cellular data usage feature time series. We propose a methodology that first detects raw anomalies and then groups them in a spatiotemporal convex hull, further refining the anomaly detection logic with a novel algorithmic framework. We show how the proposed framework can unveil details about the timeline of broad-category mobile events, their spatiotemporal spreading, and the apps they impact. We apply our technique to extensive real-world data and open-source our code. By linking the results with ground-truth special events that happened in the observed period, we show how our methodology is able to detect them. We also evidence the existence of five main categories of anomalies and characterise them in detail. Finally, we identify global patterns in the anomalies and assess their level of unpredictability, based on the nature of the impacted mobile applications.
Rabies Postexposure Prophylaxis for Travelers Injured by Nonhuman Primates, Marseille, France, 2001–2014
Most exposures of residents of Marseille to nonhuman primates occurred among unvaccinated adult travelers to Southeast Asia within the first 10 days of their arrival at 2 major tourist locations in Thailand and 1 in Indonesia. A small proportion of travelers received rabies immunoglobulin in the country of exposure.