Security analysts reading malicious network traffic must determine which attacks are taking place in the network at any given moment. Analyzing and classifying that traffic by hand demands a great deal of time and expertise, and an analyst may fail to recognize a new attack whose traffic looks like nothing seen before. Because cyber-attacks change continually, an automated system is needed that reads network traffic and determines which types of attack are present. Many existing approaches to classifying network attacks share the same fundamental limitation: they require either labeled data or batches of data. Real network traffic carries no attack-type labels and arrives as a stream, packet by packet. This work proposes a system that reads streaming malicious network data and classifies it into attack models, dynamically generating and re-evaluating those models when needed.
The system has three major components. The first is a dynamic Bayesian classifier that applies Bayes' theorem, with dynamic priors and novel likelihood functions, to assign incoming data to the most probable attack model. The second is a dynamic model generator, which uses a cluster validity index to decide when a new model should be created. The third is a model shuffler, which redistributes misclassified data into the attack models that more closely fit its behavior. Malicious packet captures obtained from two network attack-and-defense competitions are used to demonstrate that the system classifies the data, creates new attack models successfully and at reasonable times, and shuffles data into more closely related models.
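The following Python sketch is an added example, not code from the thesis, showing how the three components fit together on a label-free packet stream. The thesis's own likelihood functions and cluster validity index are not reproduced; the concrete choices here are assumptions: diagonal-Gaussian likelihoods per attack model, count-based dynamic priors, the silhouette index as the validity check that gates new-model generation, and a shuffler that re-evaluates every stored packet under the current models and refits them. The three per-packet features and the three traffic profiles are constructed for the demo and are not real captures.

```python
# Added example, not the thesis's code: the three components with assumed concrete choices (diagonal
# Gaussian likelihoods, count-based dynamic priors, silhouette as the cluster validity index).
import math
import random

FEATURES = 3      # assumed per-packet features: bytes/100, inter-arrival ms, new dst ports per s / 10
Z_OUTLIER = 6.0   # farther than this many std devs from its best model => packet is unexplained
MIN_NEW = 8       # unexplained packets needed before a new model may be generated
MIN_SIL = 0.5     # mean silhouette the buffered packets must reach to become a model
ALPHA = 1.0       # smoothing for the count-based dynamic priors
VAR_FLOOR = 1e-2  # keeps likelihoods finite for tightly clustered features

class AttackModel:
    """Per-feature running mean/variance (Welford) of one attack behaviour."""
    def __init__(self, name):
        self.name, self.n, self.mean, self.m2 = name, 0, [0.0] * FEATURES, [0.0] * FEATURES
    def update(self, x):
        self.n += 1
        for i, v in enumerate(x):
            d = v - self.mean[i]
            self.mean[i] += d / self.n
            self.m2[i] += d * (v - self.mean[i])
    def var(self, i):
        return max(self.m2[i] / (self.n - 1), VAR_FLOOR) if self.n > 1 else 1.0
    def log_likelihood(self, x):  # log P(x | model) under a diagonal Gaussian
        return sum(-0.5 * math.log(2 * math.pi * self.var(i)) - (x[i] - self.mean[i]) ** 2 / (2 * self.var(i))
                   for i in range(FEATURES))
    def max_z(self, x):
        return max(abs(x[i] - self.mean[i]) / math.sqrt(self.var(i)) for i in range(FEATURES))

class StreamingClassifier:
    def __init__(self):
        self.models, self.pending, self.assigned = [], [], []  # assigned: [features, model index]
    def posterior(self, x):  # Bayes' theorem in log space with dynamic, count-based priors
        total = sum(m.n for m in self.models)
        logs = [math.log((m.n + ALPHA) / (total + ALPHA * len(self.models))) + m.log_likelihood(x)
                for m in self.models]
        w = [math.exp(v - max(logs)) for v in logs]
        return [v / sum(w) for v in w]
    def best(self, x):  # index of the most probable model
        post = self.posterior(x)
        return post.index(max(post))
    def predict(self, x):  # name of the most probable model, without updating anything
        return self.models[self.best(x)].name
    def _explaining(self, x):  # best model index, or None when even the best model cannot explain x
        k = self.best(x) if self.models else None
        return k if k is not None and self.models[k].max_z(x) <= Z_OUTLIER else None
    def classify(self, x):  # component 1: dynamic Bayesian classifier over the current models
        k = self._explaining(x)
        if k is not None:
            self.models[k].update(x)
            self.assigned.append([x, k])
            return self.models[k].name
        self.pending.append(x)  # no model explains this packet; buffer it for the generator
        self._maybe_generate()
        return None
    def _maybe_generate(self):  # component 2: model generator, gated by the cluster validity index
        if len(self.pending) < MIN_NEW:
            return
        if self.models:
            sil = []
            for i, p in enumerate(self.pending):  # silhouette: buffer is tight and far from all models
                a = sum(math.dist(p, q) for j, q in enumerate(self.pending) if j != i) / (len(self.pending) - 1)
                b = min(math.dist(p, m.mean) for m in self.models)
                sil.append((b - a) / max(a, b, 1e-9))
            if sum(sil) / len(sil) < MIN_SIL:
                self.pending = self.pending[-4 * MIN_NEW:]  # not a coherent new cluster; keep waiting
                return
        self.models.append(AttackModel(f"model-{len(self.models) + 1}"))
        for x in self.pending:
            self.models[-1].update(x)
            self.assigned.append([x, len(self.models) - 1])
        self.pending = []
    def shuffle(self):  # component 3: move misfits to their best current model, then refit every model
        moved = 0
        for rec in self.assigned:
            best = self.best(rec[0])
            moved += best != rec[1]
            rec[1] = best
        for m in self.models:
            m.__init__(m.name)
        for x, k in self.assigned:
            self.models[k].update(x)
        return moved

PROFILES = {"scan": ((0.6, 1.0, 8.0), (0.05, 0.2, 0.5)), "flood": ((12.0, 0.05, 0.1), (1.0, 0.01, 0.05)),
            "exfil": ((14.0, 50.0, 0.1), (1.0, 5.0, 0.05))}  # constructed profiles, not real captures

def sample(kind, n, rng):
    mu, sd = PROFILES[kind]
    return [[rng.gauss(m, s) for m, s in zip(mu, sd)] for _ in range(n)]

def run_demo(seed=7):  # each behaviour arrives unlabelled, one after the other
    rng, clf = random.Random(seed), StreamingClassifier()
    for kind in PROFILES:
        for x in sample(kind, 40, rng):
            clf.classify(x)
    moved = clf.shuffle()
    return clf, moved, {k: {clf.predict(x) for x in sample(k, 20, rng)} for k in PROFILES}
```

Running `run_demo()` starts with no models at all: the first MIN_NEW unexplained packets seed model-1, each later behaviour is buffered until the silhouette index says the buffer is a tight cluster far from every existing model, and only then is a new model generated, so classification never needs labels. The shuffler is cheap here because it stores every packet; a real deployment would keep a bounded window.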
Computer Engineering (MS)
Department, Program, or Center: Computer Engineering (KGCOE)
Shanchieh Jay Yang
Saxton, Jacob D., "Dynamic Model Generation and Classification of Network Attacks" (2017). Thesis. Rochester Institute of Technology. Accessed from
RIT – Main Campus