Internship Title
Network anomaly detection using image processing techniques
Internship Location
University of Roma Tre (Italy) and LCT/DEI
Background
This proposal aims to research and develop network intrusion detection solutions using image processing techniques. The intent is to implement an intelligent system that can determine, from network traffic, whether or not an attack is occurring.
The fundamental concept is to adopt a 2D representation of traffic data in order to design a network anomaly detection system that takes context into account by exploiting the information gathered from a set of probes. A 2D representation makes it possible to characterize the multi-input information collected from such probes in a compact form.
Objective
The fundamental objective of this thesis is to define a network anomaly detection solution for cyber-physical systems based on deep learning techniques and on an optimized 2D representation of the network. This will encompass the following steps:
1. selection of the most effective 2D representation of network traffic information;
2. definition of a deep learning model for the detection of anomalies based on the two-dimensional representation of traffic data;
3. design and implementation of a context-sensitive network anomaly detection system by exploiting the information gathered from a set of distributed nodes.
To do so, the first issue to be solved is the search for available datasets to be used in the training phase. Even though network security is a well-studied topic, the continuous evolution of attack strategies and of communication systems leads to a proliferation of methods to guarantee their security. Unfortunately, the availability of verification datasets does not follow the same updating trend. Furthermore, deep learning-based methods require a large amount of data to train networks effectively. Consequently, the choice of the dataset containing the traffic data to be analyzed is an important step towards the realization of the proposed anomaly detection system. To this aim, two key aspects have to be considered: the sampling interval and the total duration of the data recording. The sampling interval must be short and fixed for all recorded data. Assuming that the recorded data is analyzed using time windows, a long sampling interval would mean that, in order to collect a sufficient number of samples in each window, a single time window would correspond to a long time period, thus reducing the promptness of the system. Conversely, using smaller time windows would result in the processing of a reduced number of samples, thus impairing the effectiveness of the system. As for the total data recording period, it should be long enough for both normal and anomalous traffic to allow effective training and testing.
Moreover, one of the first problems to deal with is the pre-processing of the network data and the definition of its structure, so that the effectiveness of a subsequent analysis module may be maximized. More specifically, the following characteristics need to be selected: i) the traffic parameters (e.g., bytes, packets) to be used in the two-dimensional representation of the network status; ii) the protocol level at which data will be analyzed (e.g., IP layer, transport layer); iii) the data normalization model that guarantees that the resulting images have the same dynamic range; iv) the best domain representation of the 2D data (e.g., transform domain, time domain); v) the type of information that needs to be represented for each traffic parameter (e.g., the traffic volume, the correlation between traffic patterns of different nodes).
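To make the windowing and normalization choices above concrete, the following added example (not part of the proposal) bins per-probe byte counts at a fixed sampling interval, cuts them into time windows, and scales each window to a common dynamic range. The function names, the probe identifiers, the sample records and the fixed ceiling are all assumptions made for illustration.

```python
# Constructed sample: (timestamp in seconds, probe id, bytes observed).
RECORDS = [
    (0.2, "p1", 500), (0.7, "p2", 1500), (1.1, "p1", 250),
    (1.4, "p1", 250), (2.9, "p2", 4000), (3.5, "p1", 1000),
    (4.0, "p2", 100), (7.9, "p1", 9000),
]


def traffic_images(records, probes, interval, bins_per_window):
    """Bin byte counts into fixed intervals and cut the series into
    windows; each window is a 2D grid: rows = probes, columns = bins.
    A final window that is only partly covered is padded with zeros."""
    row = {p: i for i, p in enumerate(probes)}
    last_bin = max(int(t // interval) for t, _, _ in records)
    n_windows = last_bin // bins_per_window + 1
    images = [[[0] * bins_per_window for _ in probes]
              for _ in range(n_windows)]
    for t, probe, nbytes in records:
        b = int(t // interval)
        images[b // bins_per_window][row[probe]][b % bins_per_window] += nbytes
    return images


def normalize(image, ceiling):
    """Map byte counts to 0..255 against a fixed ceiling (assumed to be
    chosen from training data) so that every image shares the same
    dynamic range; values above the ceiling are clipped."""
    return [[min(v, ceiling) * 255 // ceiling for v in r] for r in image]


def window_latency(interval, bins_per_window):
    """Seconds of traffic that must be recorded before one image exists."""
    return interval * bins_per_window


if __name__ == "__main__":
    for img in traffic_images(RECORDS, ["p1", "p2"], 1, 4):
        print(normalize(img, 4000))
    # Same number of samples per image, longer sampling interval:
    print(window_latency(1, 4), "s vs", window_latency(5, 4), "s per image")
```

With four samples per image, a 1-second sampling interval yields an image every 4 seconds, while a 5-second interval needs 20 seconds per image, which is the promptness trade-off described above.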
Work Plan - Semester 1
• State of the art research on existing datasets and their respective suitability
• Research on the state of the art for suitable 2D representations and analysis techniques
• Feature study and preliminary feature engineering analysis
• Preliminary evaluation of candidate approaches
• Definition of a preliminary architecture for the Network IDS
• Writing of documentation, including the interim report
Work Plan - Semester 2
• Implementation of the selected approaches
• Refinement of the proposed architecture
• Integration and system testing
• Final Documentation and Writing of the Report/Dissertation
Conditions
The ability to work within a team will be essential, as the candidate will be part of a joint effort between the Multimedia and Security Laboratory of the University of Roma Tre and the Laboratory of Communications and Telematics of the Department of Informatics Engineering of the University of Coimbra. A workspace will be provided in a Roma Tre laboratory, which will be involved in the daily dynamics of the project and the group, under joint coordination/monitoring of both the Italian and Portuguese teams.
Remarks
Co-supervisor at the University of Roma Tre: Prof. Marco Carli
Supervisor
Paulo Simoes
psimoes@dei.uc.pt