
Malicious traffic detection on sampled network flow data with novelty-detection-based models


Bibliographic Details

Main Authors: Campazas-Vega, Adrián, Crespo-Martínez, Ignacio Samuel, Guerrero-Higueras, Ángel Manuel, Álvarez-Aparicio, Claudia, Matellán, Vicente, Fernández-Llamas, Camino
Format: Online Article Text
Language: English
Published: Nature Publishing Group UK 2023
Subjects: Article
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10507111/
https://www.ncbi.nlm.nih.gov/pubmed/37723267
http://dx.doi.org/10.1038/s41598-023-42618-9
Collection: PubMed

Abstract: Cyber-attacks are a major problem for users, businesses, and institutions. Classical anomaly detection techniques can detect malicious traffic generated in a cyber-attack by analyzing individual network packets. However, routers that manage large traffic loads can only examine some packets. These devices often use lightweight flow-based protocols to collect network statistics. Analyzing flow data also allows for detecting malicious network traffic. But even gathering flow data has a high computational cost, so routers usually apply a sampling rate to generate flows. This sampling reduces the computational load on routers, but much information is lost. This work aims to demonstrate that malicious traffic can be detected even on flow data collected with a sampling rate of 1 out of 1,000 packets. To do so, we evaluate anomaly-detection-based models using synthetic sampled flow data and actual sampled flow data from RedCAYLE, the Castilla y León regional subnet of the Spanish academic and research network. The results presented show that detection of malicious traffic on sampled flow data is possible using novelty-detection-based models with a high accuracy score and a low false alarm rate.

ID: pubmed-10507111
Institution: National Center for Biotechnology Information
Record Format: MEDLINE/PubMed
Journal: Sci Rep
Published Online: 2023-09-18
License: © The Author(s) 2023. Open Access: this article is licensed under a Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as appropriate credit is given to the original author(s) and the source, a link to the licence is provided, and any changes made are indicated.