In the context of cybersecurity, tracking the activi-ties of coordinated hosts over time is a daunting task because both participants and their behaviours evolve at a fast pace. We address this scenario by solving a dynamic novelty dis-covery problem with the aim of both re-identifying patterns seen in the past and highlighting new patterns. We focus on traffic collected by Network Telescopes, a primary and noisy source for cybersecurity analysis. We propose a 3-stage pipeline: (i) we learn compact representations (embeddings) of hosts through their traffic in a self-supervised fashion; (ii) via clustering, we distinguish groups of hosts performing similar activities; (iii) we track the cluster temporal evolution to highlight novel patterns. We apply our methodology to 20 days of telescope traffic during which we observe more than 8 thousand active hosts. Our results show that we efficiently identify 50-70 well-shaped clusters per day, 60-70% of which we associate with already analysed cases, while we pinpoint 10-20 previously unseen clusters per day. These correspond to activity changes and new incidents, of which we document some. In short, our novelty discovery methodology enormously simplifies the manual analysis the security analysts have to conduct to gain insights to interpret novel coordinated activities.
Dynamic Cluster Analysis to Detect and Track Novelty in Network Telescopes / Huang, Kai; Gioacchini, Luca; Mellia, Marco; Vassio, Luca. - (2024), pp. 287-296. (Intervento presentato al convegno 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) tenutosi a Vienna (AUT) nel 08-12 July 2024) [10.1109/EuroSPW61312.2024.00037].
Dynamic Cluster Analysis to Detect and Track Novelty in Network Telescopes
Huang Kai;Gioacchini Luca;Mellia Marco;Vassio Luca
2024
Abstract
In the context of cybersecurity, tracking the activi-ties of coordinated hosts over time is a daunting task because both participants and their behaviours evolve at a fast pace. We address this scenario by solving a dynamic novelty dis-covery problem with the aim of both re-identifying patterns seen in the past and highlighting new patterns. We focus on traffic collected by Network Telescopes, a primary and noisy source for cybersecurity analysis. We propose a 3-stage pipeline: (i) we learn compact representations (embeddings) of hosts through their traffic in a self-supervised fashion; (ii) via clustering, we distinguish groups of hosts performing similar activities; (iii) we track the cluster temporal evolution to highlight novel patterns. We apply our methodology to 20 days of telescope traffic during which we observe more than 8 thousand active hosts. Our results show that we efficiently identify 50-70 well-shaped clusters per day, 60-70% of which we associate with already analysed cases, while we pinpoint 10-20 previously unseen clusters per day. These correspond to activity changes and new incidents, of which we document some. In short, our novelty discovery methodology enormously simplifies the manual analysis the security analysts have to conduct to gain insights to interpret novel coordinated activities.File | Dimensione | Formato | |
---|---|---|---|
2024_WTMC_evolutionary_darknet_workshop.pdf
accesso aperto
Descrizione: Post Print Paper Version
Tipologia:
2. Post-print / Author's Accepted Manuscript
Licenza:
Pubblico - Tutti i diritti riservati
Dimensione
673.34 kB
Formato
Adobe PDF
|
673.34 kB | Adobe PDF | Visualizza/Apri |
Dynamic_Cluster_Analysis_to_Detect_and_Track_Novelty_in_Network_Telescopes.pdf
accesso riservato
Tipologia:
2a Post-print versione editoriale / Version of Record
Licenza:
Non Pubblico - Accesso privato/ristretto
Dimensione
739.86 kB
Formato
Adobe PDF
|
739.86 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/11583/2991924