Monika Skowron
supervisor: Wojciech Mazurczyk
Network traffic has been one of the key sources of data leveraged by cybersecurity practitioners to detect and research multiple types of cyber threats. However, the ubiquitous use of encryption leaves security monitoring teams blind to potentially malicious activities, or forces them to implement computationally expensive full packet inspection, which is also questionable from a user privacy perspective.
The aim of the project is to examine the effectiveness of cyber threat detection (for example, detection of malicious network tunnels) enhanced by machine learning techniques. The current work focuses on the analysis of encrypted traffic (encrypted DNS in particular) based only on TLS protocol fields and statistical traffic features, without the need to perform decryption or full packet inspection. It includes the application and performance comparison of several machine learning algorithms (anomaly detection, clustering, density estimation, DNNs, tree-based algorithms, etc.) on publicly available network traffic datasets enriched with samples of new protocol versions. Moreover, supervised and unsupervised learning approaches are to be compared in terms of efficiency and practicality of use in real-life scenarios.
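To make the "statistical traffic features without decryption" idea concrete, the following is an added illustration and not code from the research project described here. It assumes a simplified flow record (relative timestamp, bytes on the wire, direction) of the kind a capture tool exports for a TLS flow, derives per-flow statistics that are visible without touching the payload, fits a baseline from a handful of constructed benign flows, and scores a new flow by its largest per-feature z-score against that baseline (a deliberately simple stand-in for the density-estimation and anomaly-detection models the abstract mentions). All flows below are constructed sample data; the feature set, the threshold value and the function names are assumptions for illustration.

```python
"""Flow-level statistical features for encrypted traffic, scored without decryption.

Added example, not the project's own code. Flow records and the threshold are
constructed/assumed for illustration.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# One observed packet: (relative timestamp in seconds, bytes on the wire, direction)
# direction is 'c2s' (client to server) or 's2c' (server to client).
Packet = Tuple[float, int, str]
Flow = List[Packet]


def extract_features(flow: Flow) -> Dict[str, float]:
    """Statistics available from packet headers alone: sizes, timing, direction ratio."""
    sizes = [size for _, size, _ in flow]
    times = [ts for ts, _, _ in flow]
    # Inter-arrival times; a single-packet flow gets one zero gap so stats are defined.
    iats = [later - earlier for earlier, later in zip(times, times[1:])] or [0.0]
    c2s_bytes = sum(size for _, size, d in flow if d == 'c2s')
    s2c_bytes = sum(size for _, size, d in flow if d == 's2c')
    total = c2s_bytes + s2c_bytes
    return {
        'pkt_count': float(len(flow)),
        'size_mean': mean(sizes),
        'size_std': pstdev(sizes),
        'iat_mean': mean(iats),
        'iat_std': pstdev(iats),
        'c2s_ratio': c2s_bytes / total if total else 0.0,
    }


def fit_baseline(benign_flows: List[Flow]) -> Dict[str, Tuple[float, float]]:
    """Per-feature (mean, std) learned from flows assumed benign; std is floored to avoid /0."""
    feats = [extract_features(f) for f in benign_flows]
    return {
        key: (mean(f[key] for f in feats), max(pstdev(f[key] for f in feats), 1e-6))
        for key in feats[0]
    }


def anomaly_score(flow: Flow, baseline: Dict[str, Tuple[float, float]]) -> float:
    """Largest absolute z-score over all features: any single outlying feature raises an alert."""
    feats = extract_features(flow)
    return max(abs(feats[k] - m) / s for k, (m, s) in baseline.items())


def is_anomalous(flow: Flow, baseline: Dict[str, Tuple[float, float]], threshold: float = 5.0) -> bool:
    """Assumed alert threshold of 5 standard deviations (illustrative, not tuned on real data)."""
    return anomaly_score(flow, baseline) > threshold


# Constructed benign flows: short request/response exchanges, small client packets,
# larger server packets, tens of milliseconds between packets.
BENIGN_FLOWS: List[Flow] = [
    [(0.00, 120, 'c2s'), (0.03, 460, 's2c'), (0.05, 130, 'c2s'), (0.09, 520, 's2c')],
    [(0.00, 110, 'c2s'), (0.04, 480, 's2c'), (0.07, 125, 'c2s'), (0.12, 500, 's2c'),
     (0.15, 118, 'c2s'), (0.20, 470, 's2c')],
    [(0.00, 130, 'c2s'), (0.02, 450, 's2c'), (0.06, 115, 'c2s'), (0.10, 510, 's2c')],
    [(0.00, 125, 'c2s'), (0.05, 490, 's2c'), (0.08, 122, 'c2s'), (0.13, 505, 's2c'),
     (0.16, 128, 'c2s'), (0.22, 495, 's2c')],
]

# Constructed unseen benign flow, shaped like the baseline.
BENIGN_TEST: Flow = [(0.00, 118, 'c2s'), (0.03, 470, 's2c'), (0.06, 127, 'c2s'), (0.10, 515, 's2c')]

# Constructed long-lived flow with many evenly spaced packets and mostly client-to-server
# bytes: the kind of shape a tunnel-detection model is meant to separate from ordinary lookups.
TUNNEL_LIKE: Flow = [
    (0.5 * i, 900 if i % 2 == 0 else 140, 'c2s' if i % 2 == 0 else 's2c') for i in range(40)
]


def demo() -> Dict[str, float]:
    """Fit the baseline and return the scores of both test flows."""
    baseline = fit_baseline(BENIGN_FLOWS)
    return {
        'benign_test': anomaly_score(BENIGN_TEST, baseline),
        'tunnel_like': anomaly_score(TUNNEL_LIKE, baseline),
    }


if __name__ == '__main__':
    for name, score in demo().items():
        print(f'{name}: max |z| = {score:.2f}')
```

The point of the example is the input, not the model: every feature is derived from packet sizes, timestamps and direction, so the same pipeline applies to DoH, DoT or any other TLS-wrapped protocol, and swapping the z-score for a clustering or tree-based model changes only the scoring functions. A real deployment would learn the baseline from a large labelled dataset and tune the threshold against its false-positive rate rather than using a fixed 5.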
Another important concept to be discussed is machine learning security, represented in this case by the models' resistance to adversarial attacks. Lastly, the work will include an attempt at a practical implementation of online anomaly detection on real-life traffic and will conclude by preparing response guidelines for alerts triggered by the designed model.