Applying Machine Learning for Identifying Attacks at Run-Time

user-5ebe28d54c775eda72abcdf7(2019)

Abstract
With the increase in malicious activity over the Internet, it has become extremely important to build tools for automatic detection of such activity. There have been attempts to use machine learning to detect network attacks, but the difficulty of obtaining positive (attack) examples led to the use of one-class methods for anomaly detection. In this work we present a novel framework for using multi-class learning to induce a real-time attack detector. We designed a network simulator that is used to produce network activity. The simulator includes an attacker that stochastically violates the normal activity, yielding positive as well as negative examples. We have also designed a set of features that withstand changes in the network topology. Given the set of tagged feature vectors, we can then apply a learning algorithm to produce a multi-class attack detector. In addition, our framework allows the user to define a cost matrix specifying the cost of each type of detection error. Our framework was tested on a wide variety of network topologies and succeeded in detecting attacks with high accuracy. We have also shown that our system is capable of handling a transfer learning setup, where the detector is learned on one network topology but is used on another topology from the same family. Another setup we tested is dynamic networks, in which changes take place in the topologies. Finally, we also addressed the choice of the router(s) that should record the traffic and transfer this information to the detector in order to achieve high performance. We anticipate the presented …