Submitted proposals

DEI - FCTUC
Generated on 2025-06-25 12:42:53 (Europe/Lisbon).

Internship Title

Feature analysis of cyberattacks for improved AI-based anomaly detection in microservice-based applications

Internship Location

IPN - Instituto Pedro Nunes (Laboratório de Informática e Sistemas)

Background

Microservices have become a widely used approach for building scalable and flexible applications. However, their distributed and API-driven nature introduces new security challenges. The inherent interconnections and complexities of these systems significantly expand the attack surface, providing potential entry points for attackers and increasing exposure to threats such as Distributed Denial of Service (DDoS), credential stuffing, and injection attacks(1).
Traditional cybersecurity approaches are often not suitable for addressing the complexity and dynamic behaviour of microservice environments(2). This has led to growing interest in more adaptable methods, such as AI-based anomaly detection, which can analyse complex system behaviours to identify anomalies potentially related to cyberattacks. However, the effectiveness of these methods depends on selecting and engineering data features that reliably distinguish between normal and malicious activity(3). The goal of this thesis is to study and analyse common cyberattacks to empirically identify and validate data features that can improve the reliability of AI-based anomaly detection for identifying cyberattacks.
This topic will be developed in the scope of the NEXUS project, in which Pedro Nunes Institute (IPN) is a consortium member.

(1) R. Kanishka Jayalath, H. Ahmad, D. Goel, M. Shuja Syed and F. Ullah, "Microservice Vulnerability Analysis: A Literature Review With Empirical Insights," in IEEE Access, vol. 12, pp. 155168-155204, 2024, doi: 10.1109/ACCESS.2024.3481374.
(2) Priyanka Billawa, Anusha Bambhore Tukaram, Nicolás E. Díaz Ferreyra, Jan-Philipp Steghöfer, Riccardo Scandariato, and Georg Simhandl. 2022. SoK: Security of Microservice Applications: A Practitioners’ Perspective on Challenges and Best Practices. In Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES '22). Association for Computing Machinery, New York, NY, USA, Article 9, 1–10. https://doi.org/10.1145/3538969.3538986
(3) E.-L. Kafita and T. Yamazaki, "Leveraging Artificial Intelligence Feature Selection for Cybersecurity Network Anomaly Intrusion Detection," 2024 7th World Symposium on Communication Engineering (WSCE), Tokyo, Japan, 2024, pp. 22-26, doi: 10.1109/WSCE65107.2024.00010.

Objective

The main objective of this thesis is to identify and validate data features that are strongly associated with common cyberattacks in microservices, thereby providing a robust foundation for AI-based anomaly detection in microservice security. This involves the following specific objectives:
• Conduct a literature review to identify the most relevant cyberattacks targeting microservices.
• Select and preprocess public datasets that include both normal and attack behaviours relevant to the selected cyberattacks. The datasets used in this research will be determined at a later stage; however, currently available and relevant examples include CIC-IDS2017(4), CSIC 2010 HTTP(5), and BCCC-cPacket-Cloud-DDoS-2024(6).
• Conduct initial analysis of candidate features for each cyberattack by generating visualizations and performing basic statistical assessments to identify promising analysis directions.
• Statistically and empirically validate the discriminative power of these features for distinguishing attacks from normal behaviour, through statistical and/or machine learning-based analysis.
• Analyse the applicability and potential adaptation of these features for anomaly detection in microservice environments.
• Document the findings and provide practical guidance for future research and application.

By the end of this thesis, the student is expected to have produced a validated set of features indicative of the selected cyberattack(s), along with practical guidance on their use for AI-based anomaly detection in microservice environments. This work will provide a solid foundation for developing more effective security monitoring tailored to microservices.

(4) https://www.unb.ca/cic/datasets/ids-2017.html
(5) https://www.kaggle.com/datasets/ispangler/csic-2010-web-application-attacks
(6) https://www.kaggle.com/datasets/dhoogla/bccc-cpacket-cloud-ddos-2024/data

Work Plan - Semester 1

[Weeks 1-4] - Conduct literature review on cyberattacks and datasets applicable to microservices.
[Weeks 5-8] - Select and pre-process public datasets that contain both normal and attack behaviours for the selected cyberattacks.
[Weeks 9-15] - Perform initial analysis of the selected datasets, extracting candidate features, generating visualizations, and conducting basic statistical assessments to identify promising analysis directions.
[Weeks 16-20] - Prepare intermediate report.

Work Plan - Semester 2

[Weeks 1-6] - Conduct experiments to empirically refine and validate the most promising features, through statistical and/or machine learning based analysis, to assess their effectiveness in distinguishing between normal and attack behaviours.
[Weeks 7-10] - Aggregate, organize, and interpret the main experimental results in preparation for discussion and thesis writing.
[Weeks 11-15] - Analyse the applicability and adaptation of validated features for anomaly detection in microservice environments, and compile findings and recommendations.
[Weeks 16-20] - Finalize the master's thesis report, submit the document, and prepare for the final thesis defence.

Conditions

The workplace will be at the Instituto Pedro Nunes (IPN) Computer and Systems Laboratory, which will provide the necessary equipment and infrastructure for model training and evaluation.
This work will be part of a funded research project. Upon a successful first semester, the student may apply for a research grant for a graduate, for a period of up to 6 months, possibly renewable, with a value of 1040,98 € / month.

Remarks

During the application phase, doubts related to this proposal, namely about the objectives and conditions, must be clarified with the supervisors, via email or a meeting, to be scheduled after contact by email.

Supervisor

Sérgio Figueiredo
sfigueiredo@ipn.pt