Research in the detection of cyber-attacks has sky-rocketed in the recent past. However, there remains a striking gap between usage of the proposed algorithms in academic research versus industrial applications. Leading researchers have argued that efforts toward the understanding of proposed detect...
| Main Author: | Lorgat, Mohamed Wasim |
|---|---|
| Other Authors: | Baghai-Wadji, Alireza |
| Format: | Thesis |
| Language: | English |
| Published: | Department of Electrical Engineering, 2019 |
| Subjects: | Electrical Engineering |
| _version_ | 1867614183122534400 |
|---|---|
| access_status_str | Open Access |
| author | Lorgat, Mohamed Wasim |
| author2 | Baghai-Wadji, Alireza |
| author_browse | Baghai-Wadji, Alireza Lorgat, Mohamed Wasim |
| author_facet | Baghai-Wadji, Alireza Lorgat, Mohamed Wasim |
| author_sort | Lorgat, Mohamed Wasim |
| collection | Thesis |
| description | Research in the detection of cyber-attacks has skyrocketed in the recent past. However, there remains a striking gap between usage of the proposed algorithms in academic research versus industrial applications. Leading researchers have argued that efforts toward the understanding of proposed detectors are lacking. By digging deeper into their inner workings and critically evaluating their underlying assumptions, better detectors may be built. The aim of this thesis is therefore to provide an underlying theory for understanding a single class of detection algorithms, in particular, anomaly-based network intrusion detection algorithms that utilise high-resolution time series data. A framework is proposed to deconstruct the algorithms into their constituent components (windows, representations, and deviations). The framework is applied to a class of algorithms, allowing one to construct a “space” of algorithms spanned by five variables: windowing procedure, information availability, single- or multi-aggregated representation, marginal distribution model, and deviation. The detection of a simple class of Denial-of-Service (DoS) attacks is modelled as a detection theoretic problem. It is shown that the effect of incomplete information is greatest when detecting low-intensity attacks (less than 5%); however, the effect slowly decays as the attack intensity increases. Next, the representation and deviation components are jointly analysed via a proposed experimental procedure using network traffic from two publicly available datasets: the Measurement and Analysis on the WIDE Internet (MAWI) archive, and the Booters dataset. The experimental analysis shows that varying the representation (single- versus multi-aggregated) has little effect on detection accuracy, and that the likelihood deviation is superior to the L2 distance deviation, although the difference is negligible for large-intensity attacks (approximately 80%). |
| format | Thesis |
| id | oai:open.uct.ac.za:11427/29489 |
| institution | University of Cape Town (South Africa) |
| language | eng |
| last_indexed | 2026-06-10T12:47:59.399Z |
| license_str | Not specified — see source repository |
| provenance_str_mv | Harvested via OAI-PMH from UCTD — University of Cape Town Open Access Repository |
| publishDate | 2019 |
| publishDateRange | 2019 |
| publishDateSort | 2019 |
| publisher | Department of Electrical Engineering |
| publisherStr | Department of Electrical Engineering |
| record_format | dspace |
| source_str | UCTD — University of Cape Town Open Access Repository |
| spelling | oai:open.uct.ac.za:11427/29489 Detecting network attacks using high-resolution time series Lorgat, Mohamed Wasim Baghai-Wadji, Alireza Electrical Engineering Research in the detection of cyber-attacks has skyrocketed in the recent past. However, there remains a striking gap between usage of the proposed algorithms in academic research versus industrial applications. Leading researchers have argued that efforts toward the understanding of proposed detectors are lacking. By digging deeper into their inner workings and critically evaluating their underlying assumptions, better detectors may be built. The aim of this thesis is therefore to provide an underlying theory for understanding a single class of detection algorithms, in particular, anomaly-based network intrusion detection algorithms that utilise high-resolution time series data. A framework is proposed to deconstruct the algorithms into their constituent components (windows, representations, and deviations). The framework is applied to a class of algorithms, allowing one to construct a “space” of algorithms spanned by five variables: windowing procedure, information availability, single- or multi-aggregated representation, marginal distribution model, and deviation. The detection of a simple class of Denial-of-Service (DoS) attacks is modelled as a detection theoretic problem. It is shown that the effect of incomplete information is greatest when detecting low-intensity attacks (less than 5%); however, the effect slowly decays as the attack intensity increases. Next, the representation and deviation components are jointly analysed via a proposed experimental procedure using network traffic from two publicly available datasets: the Measurement and Analysis on the WIDE Internet (MAWI) archive, and the Booters dataset. The experimental analysis shows that varying the representation (single- versus multi-aggregated) has little effect on detection accuracy, and that the likelihood deviation is superior to the L2 distance deviation, although the difference is negligible for large-intensity attacks (approximately 80%). 2019-02-11T13:45:36Z 2019-02-11T13:45:36Z 2018 2019-02-11T08:54:31Z Master Thesis Masters MSc http://hdl.handle.net/11427/29489 eng application/pdf Department of Electrical Engineering Faculty of Engineering and the Built Environment University of Cape Town |
| spellingShingle | Electrical Engineering Lorgat, Mohamed Wasim Detecting network attacks using high-resolution time series |
| thesis_degree_str | Master's |
| title | Detecting network attacks using high-resolution time series |
| title_full | Detecting network attacks using high-resolution time series |
| title_fullStr | Detecting network attacks using high-resolution time series |
| title_full_unstemmed | Detecting network attacks using high-resolution time series |
| title_short | Detecting network attacks using high-resolution time series |
| title_sort | detecting network attacks using high resolution time series |
| topic | Electrical Engineering |
| url | http://hdl.handle.net/11427/29489 |
| work_keys_str_mv | AT lorgatmohamedwasim detectingnetworkattacksusinghighresolutiontimeseries |
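The abstract describes anomaly detectors decomposed into a windowing procedure, an aggregated representation, a marginal distribution model and a deviation (likelihood versus L2 distance), evaluated against DoS attacks of varying intensity. The following is an added illustration of that decomposition on a constructed high-resolution packet-count series; it is not code from the thesis or its datasets. The Poisson marginal model, the aggregation levels, the max-over-training calibration rule and the synthetic traffic are all assumptions made here for the example.

```python
"""Windowed anomaly detection on a high-resolution packet-count series.

Added illustration of the window / representation / deviation decomposition
described in the abstract. Not code from the thesis: the Poisson marginal
model, the aggregation levels, the calibration rule and the synthetic traffic
are assumptions made for this example.
"""
import math
import random


def poisson_sample(rng, lam):
    """Knuth's Poisson sampler; adequate for the small per-bin rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def synthetic_series(n_bins, base_rate, attack_start, attack_len, intensity, seed=7):
    """Constructed sample: Poisson packet counts per bin (think 10 ms bins), with a
    flooding DoS injected as extra traffic equal to `intensity` times the base rate."""
    rng = random.Random(seed)
    out = []
    for i in range(n_bins):
        in_attack = attack_start <= i < attack_start + attack_len
        rate = base_rate * (1.0 + intensity) if in_attack else base_rate
        out.append(poisson_sample(rng, rate))
    return out


def windows(series, width):
    """Windowing procedure: non-overlapping (tumbling) windows of `width` bins."""
    return [series[i:i + width] for i in range(0, len(series) - width + 1, width)]


def representation(window, levels):
    """Aggregated representation: concatenated sums over sub-windows at each
    aggregation level. levels=(1,) is single-aggregated; several levels give a
    multi-aggregated representation (an assumed, simplified form)."""
    vec = []
    for k in levels:
        vec.extend(sum(window[i:i + k]) for i in range(0, len(window) - k + 1, k))
    return vec


def l2_deviation(vec, ref):
    """L2 (Euclidean) distance between a window's representation and the baseline."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(vec, ref)))


def nll_deviation(window, lam):
    """Likelihood deviation: negative log-likelihood of the window's bin counts
    under the baseline marginal model, assumed Poisson(lam) here."""
    return sum(lam - k * math.log(lam) + math.lgamma(k + 1) for k in window)


def calibrate(train, width, levels):
    """Fit the baseline on attack-free training traffic: Poisson rate (MLE = mean),
    mean representation vector, and one threshold per deviation set at the
    largest deviation observed in training."""
    wins = windows(train, width)
    lam = sum(train) / len(train)
    reps = [representation(w, levels) for w in wins]
    ref = [sum(col) / len(col) for col in zip(*reps)]
    return {
        "lam": lam,
        "ref": ref,
        "thr_l2": max(l2_deviation(r, ref) for r in reps),
        "thr_nll": max(nll_deviation(w, lam) for w in wins),
    }


def detect(series, model, width, levels):
    """Per window: (L2 exceeds threshold, likelihood deviation exceeds threshold)."""
    flags = []
    for w in windows(series, width):
        l2 = l2_deviation(representation(w, levels), model["ref"])
        nll = nll_deviation(w, model["lam"])
        flags.append((l2 > model["thr_l2"], nll > model["thr_nll"]))
    return flags


def run_example(intensity, levels=(1, 2, 5), width=10, base_rate=20):
    """Train on 300 clean bins, test on 100 bins with a 10-bin attack in window 5.
    Returns (l2_flagged_attack, nll_flagged_attack, false_positive_windows)."""
    train = synthetic_series(300, base_rate, 0, 0, 0.0, seed=1)
    test = synthetic_series(100, base_rate, 50, 10, intensity, seed=2)
    model = calibrate(train, width, levels)
    flags = detect(test, model, width, levels)
    attack_l2, attack_nll = flags[5]
    false_pos = sum(a or b for i, (a, b) in enumerate(flags) if i != 5)
    return attack_l2, attack_nll, false_pos


if __name__ == "__main__":
    for p in (0.03, 0.2, 0.8):
        l2_hit, nll_hit, fp = run_example(p)
        print(f"intensity {p:.2f}: L2 flagged={l2_hit}, likelihood flagged={nll_hit}, false positives={fp}")
```

Sweeping `intensity` from a few percent up to 0.8 reproduces the shape of the question the abstract poses: an 80% flood is trivially separated by either deviation, while at low intensities the two deviations and the choice of representation start to matter and the max-over-training threshold becomes the weak point. Swapping `levels=(1,)` for `levels=(1, 2, 5)` switches between the single- and multi-aggregated representation for the L2 path; the likelihood path uses only the marginal model.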