Detection and Prevention of Advanced Persistent Threat (APT) Activities in Heterogeneous Networks using SIEM and Deep Learning
Dr. T. Senthil Kumar
Sunday, April 1, 2018
Computer Science Engineering
School of Engineering
IBM Shared University Research
The organization consists of different networks at various geographical locations. For such vast networks a single honeypot is not enough to decoy attackers; a collection of honeypots installed at geographically separated locations inside the organization is necessary for luring them. Such a conglomeration of honeypots – a Honeynet – is the key to collecting attacker data and traffic destined for the organization. Heterogeneous data from network devices, systems, firewalls, NIDS, UTMs, etc., are collected at a centralized location using the cloud-based Splunk Security Information and Event Management (SIEM) platform for further processing. Extracting useful information from such a plethora of heterogeneous data is a difficult task, so the SIEM is supported by a Correlation Engine for processing it. The Correlation Engine can deploy Complex Event Analysis techniques, Data Mining techniques, Deep Learning algorithms, Log Analysis techniques, etc., to search for the presence of attack vectors (or anomalous behaviour). The output of the Correlation Engine can be categorised to rank the observed network behaviour by the severity of the data/traffic, using a metric such as a Vulnerability Score. The dashboard of the SIEM machine displays near-real-time processing of the various network and host events, network traffic flow statistics, system behaviour, and other properties of the network.
Dr. Gireesh Kumar T - Associate Professor (CSE)
Dr. Senthil Kumar T - Associate Professor (CSE)
Dr. Harish Ram D.S - Assistant Professor (ECE)
Dr. Binoy B Nair - Assistant Professor (ECE)
The teams of students working on the project are as below:
Deep Learning Based Model Development for Malware Analysis
Kiran S Raj
Sai Ramanan M K
Karthik Shriram G S
V S Tharunika
The outcomes of the project under the different student groups are as below:
Detection of DoS and DDoS Packets using Hidden Markov Model
Description: Companies use the internet to access resources like GPUs and NAS, and the network is essential for any company. DNS attacks are more prominent in these networks. DoS and DDoS attacks minimize the potential of the resources available in the company. In this paper, we have presented a method to detect DoS and DDoS using the HMM algorithm. The KDD-CUP dataset is used for our research. Various sub-classes of DNS attacks have been listed and descriptions of the sub-classes are provided. The performance of Logistic Regression and KNN is compared with HMM.
The HMM algorithm has a higher True Negative Rate of 94.8% when compared with kNN at 80.04% and Logistic Regression at 79.40%. Another key factor is that HMM has a very low False Negative Rate, whereas Logistic Regression has a high one. Recall is also high for HMM, as the False Negative Rate is inversely proportional to Recall. Detecting DoS and DDoS is not easy with standard machine learning algorithms: it requires understanding the interconnection of the features and analysing the past data. HMM achieved an accuracy of 92.11% and was able to detect more packets than generic machine learning algorithms. Finally, HMM outperforms the other two machine learning algorithms.
Roll Number: CB.EN.U4CSE16360 Name: Varahabhatla Sri Harsha Chayanulu
Roll Number: CB.EN.U4CSE16362 Name: Vijey Shrivathsan
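As an added illustration of the metrics the DoS/DDoS comparison above relies on (this is not the project's own code), the following Python computes true negative rate, false negative rate, recall and accuracy from each model's confusion matrix and makes explicit why a low false negative rate goes together with high recall. The per-model counts are constructed for the example and are not the project's measured figures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConfusionMatrix:
    """Binary outcome counts with 'attack packet' as the positive class."""
    tp: int  # attack packets correctly flagged as attack
    fn: int  # attack packets missed (classified as normal)
    tn: int  # normal packets correctly passed as normal
    fp: int  # normal packets wrongly flagged as attack

    def recall(self) -> float:
        # Share of real attack packets the detector caught (TPR).
        return self.tp / (self.tp + self.fn)

    def false_negative_rate(self) -> float:
        # Share of real attack packets that slipped through; always 1 - recall.
        return self.fn / (self.tp + self.fn)

    def true_negative_rate(self) -> float:
        # Share of normal packets correctly left alone.
        return self.tn / (self.tn + self.fp)

    def accuracy(self) -> float:
        total = self.tp + self.fn + self.tn + self.fp
        return (self.tp + self.tn) / total

# Constructed counts for illustration only (1000 attack + 1000 normal packets
# per model); they are not the project's measured results.
RESULTS = {
    "HMM": ConfusionMatrix(tp=950, fn=50, tn=948, fp=52),
    "kNN": ConfusionMatrix(tp=900, fn=100, tn=800, fp=200),
    "LogReg": ConfusionMatrix(tp=700, fn=300, tn=794, fp=206),
}

def summarize(results: dict) -> dict:
    """Per-model TNR, FNR, recall and accuracy, rounded to four places."""
    return {
        name: {"tnr": round(cm.true_negative_rate(), 4),
               "fnr": round(cm.false_negative_rate(), 4),
               "recall": round(cm.recall(), 4),
               "accuracy": round(cm.accuracy(), 4)}
        for name, cm in results.items()
    }

def fewest_missed_attacks(results: dict) -> str:
    """Name of the model that lets the smallest share of attacks through."""
    return min(results, key=lambda name: results[name].false_negative_rate())
```

For a DoS detector the false negative rate is the operationally important number, since every missed attack packet is traffic that reaches the protected resource.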
A network intrusion detection system (NIDS) is a tool used to detect and classify network breaches dynamically in information and communication technology (ICT) systems, in both industry and academia. A NIDS is used to detect network-borne attacks such as Denial of Service (DoS) attacks, malware replication, and intruders operating within the system. Deep learning algorithms and frameworks have revolutionized predictive analysis over the past decade, and these powerful techniques can be leveraged in intrusion detection to classify and predict cyber-attacks with minimal overhead. The dynamic nature of the problem, along with the rise of new network attacks, makes it highly intricate. In this project, we explore LSTM-Autoencoders and a unique two-stage deep learning framework for NIDS. The work is done on the CICIDS-17 dataset, a comprehensive dataset with an amalgam of real, modern, normal and contemporary attacks. We propose this deep neural network to classify the attacks using flow-based traffic, with a classification accuracy significantly higher than that of existing deep learning frameworks.
Batchwise training results for the LSTM Autoencoder
Roll Number: CB.EN.U4CSE17430 Name: Kiran S. Raj
Roll Number: CB.EN.U4CSE17402 Name: Krishna Tej
Title: Ensemble Techniques for Malicious Threat Detection
In the world we live in today, malware and malicious messages circulate around systems causing havoc. In a cyber world where social media is prevalent and API requests flood in simultaneously, malicious content is a very serious concern. The traditional approach to the problem compares these messages against a core ruleset of predefined signatures. This method is not accurate and has always depended on keeping the core signature set updated. The aim of the project is to develop a Machine Learning model capable of detecting these malicious messages and hence generalising better to detect them. Various methods, from linear models and neural networks to ensemble techniques, are used to assess the differences in performance when detecting these various kinds of malicious content.
The above screenshot details the training of the target model and the obtained results. From the tuning and training of the model, it achieved a validation accuracy of 98.1%.