Anomaly detection in network traffic based on connection-specific profiling

Perustieteiden korkeakoulu (School of Science) | Master's thesis

Date

2020-08-18

Major/Subject

Security and Cloud Computing

Mcode

SCI3084

Degree programme

Master’s Programme in Security and Cloud Computing (SECCLO)

Language

en

Pages

69

Abstract

Recent studies have shown that many of the network attacks once aimed at mainframes and personal computers are now being directed at mobile devices. The ever-evolving nature of mobile attacks, together with the growing number of new vulnerabilities in mobile platforms, poses a challenge to the security of mobile networks and devices. Intrusion detection systems based on attack signatures cannot detect novel attacks or anomalies, so an anomaly-based detection approach is a necessary security measure against previously unknown attacks. Machine learning methods are widely used for anomaly detection in domains such as network intrusion detection and credit card fraud detection. In this work, we apply machine learning to anomaly detection in mobile network traffic, choosing an unsupervised algorithm that does not require a labelled dataset. We define a connection as the set of flow instances that use a particular combination of protocol type and network port, and we observe that the network data comprises a variety of connections, each of which follows a different profile. We therefore present an anomaly detection approach based on connection-specific profiling of the network data, building the profile of each connection with the isolation forest model. We evaluate the approach on two use cases of mobile traffic data with identified anomalies. The results show that the approach works best when the distribution of anomalies in the incoming network traffic is similar to the distribution of anomalies in the learned profile; in that setting the model achieves an F1 score above 95% in both use cases. The model is sensitive to its parameters, but it performs very well when the new traffic carries the same distribution of anomalies as the traffic the profile was learned from.
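The following script is an added illustration of the connection-specific profiling idea described in the abstract; it is not code from the thesis, and the feature set (bytes, packets, duration per flow), the constructed traffic boxes, the score threshold of 0.7 and the forest parameters are all assumptions made here. Each (protocol, destination port) pair gets its own isolation forest, and the same data is also scored by one global forest fitted to all flows, so the effect of profiling per connection can be compared directly. The isolation forest is a small pure-Python version of the Liu, Ting and Zhou algorithm so that the example runs offline.

```python
"""Connection-specific anomaly profiling with a minimal isolation forest.

Added example, not code from the thesis. A connection is (protocol, destination
port) and gets its own isolation forest, so a flow is judged against the profile
of its own port rather than against all traffic. Pure-Python isolation forest
(Liu/Ting/Zhou) so this runs offline; all flow records below are constructed.
"""
import math
import random
from collections import defaultdict

def c(n):
    """Average path length of an unsuccessful BST search on n points (iForest normaliser)."""
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n if n > 1 else 0.0

def build_tree(rows, depth, limit, rng):
    """Grow one isolation tree with random axis-aligned splits."""
    if depth >= limit or len(rows) <= 1:
        return {"size": len(rows)}
    dim = rng.randrange(len(rows[0]))
    lo, hi = min(r[dim] for r in rows), max(r[dim] for r in rows)
    if lo == hi:  # all points identical on this axis: cannot split
        return {"size": len(rows)}
    split = rng.uniform(lo, hi)
    return {"dim": dim, "split": split,
            "left": build_tree([r for r in rows if r[dim] < split], depth + 1, limit, rng),
            "right": build_tree([r for r in rows if r[dim] >= split], depth + 1, limit, rng)}

def path_length(tree, row):
    """Depth at which `row` leaves the tree, plus the leaf-size adjustment."""
    depth = 0
    while "dim" in tree:
        tree = tree["left"] if row[tree["dim"]] < tree["split"] else tree["right"]
        depth += 1
    return depth + c(tree["size"])

class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
    def fit(self, rows):
        rng = random.Random(self.seed)
        self.psi = min(self.sample_size, len(rows))
        limit = math.ceil(math.log2(self.psi)) if self.psi > 1 else 0
        self.trees = [build_tree(rng.sample(rows, self.psi), 0, limit, rng)
                      for _ in range(self.n_trees)]
        return self
    def score(self, row):
        # Anomaly score in (0, 1]: points isolated in few splits score near 1.
        mean = sum(path_length(t, row) for t in self.trees) / self.n_trees
        return 2.0 ** (-mean / (c(self.psi) or 1.0))

def features(flow):
    return (flow["bytes"], flow["packets"], flow["duration"])

class ConnectionProfiler:
    """One isolation forest per (proto, dport); the threshold is a tuning knob (assumed 0.7)."""
    def __init__(self, threshold=0.7, **forest_kw):
        self.threshold, self.forest_kw, self.profiles = threshold, forest_kw, {}
    def fit(self, flows):
        groups = defaultdict(list)
        for f in flows:
            groups[(f["proto"], f["dport"])].append(features(f))
        self.profiles = {k: IsolationForest(**self.forest_kw).fit(v) for k, v in groups.items()}
        return self
    def score(self, flow):
        profile = self.profiles.get((flow["proto"], flow["dport"]))
        # No learned profile for this proto/port: treat the flow as anomalous.
        return 1.0 if profile is None else profile.score(features(flow))
    def is_anomaly(self, flow):
        return self.score(flow) >= self.threshold

# Constructed traffic: per connection, a (bytes, packets, duration) box for normal flows and
# one for anomalies. The udp/53 anomalies are sized like ordinary HTTPS flows on purpose.
BOXES = {
    ("udp", 53): (((60, 200), (1, 4), (0.01, 0.2)), ((45_000, 50_000), (70, 80), (4, 5))),
    ("tcp", 443): (((2_000, 50_000), (10, 80), (0.1, 5)), ((4e6, 5e6), (6_000, 8_000), (400, 600))),
}

def dataset(seed, n_normal, n_anomaly):
    rng, flows = random.Random(seed), []
    for (proto, dport), (normal_box, anomaly_box) in BOXES.items():
        for label, box, n in (("normal", normal_box, n_normal), ("anomaly", anomaly_box, n_anomaly)):
            for _ in range(n):
                b, p, d = (rng.uniform(lo, hi) for lo, hi in box)
                flows.append({"proto": proto, "dport": dport, "bytes": b,
                              "packets": p, "duration": d, "label": label})
    return flows

def f1(flows, flagged):
    tp = sum(a and f["label"] == "anomaly" for f, a in zip(flows, flagged))
    fp = sum(a and f["label"] == "normal" for f, a in zip(flows, flagged))
    fn = sum(not a and f["label"] == "anomaly" for f, a in zip(flows, flagged))
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def evaluate(threshold=0.7):
    """F1 of per-connection profiles vs one global forest on fresh traffic with the same mix."""
    train, test = dataset(1, 200, 3), dataset(2, 100, 5)
    profiler = ConnectionProfiler(threshold).fit(train)
    global_forest = IsolationForest().fit([features(f) for f in train])
    per_conn = f1(test, [profiler.is_anomaly(f) for f in test])
    glob = f1(test, [global_forest.score(features(f)) >= threshold for f in test])
    return per_conn, glob

if __name__ == "__main__":
    per_conn, glob = evaluate()
    print(f"per-connection F1 = {per_conn:.2f}, single global forest F1 = {glob:.2f}")
```

Running the script fits the profiles on the constructed training traffic (a few anomalies mixed in, as in a learned profile) and scores fresh traffic that carries the same anomaly mix. The per-connection profiles flag the HTTPS-sized udp/53 flows because they are far outside the DNS profile, whereas the single global forest sees them as ordinary traffic next to the tcp/443 flows and so reaches a lower F1. A port the profiler has never seen gets no profile and is scored 1.0 by policy; in production that case deserves its own alert rather than a silent default. The threshold is the parameter the abstract warns about: moving it changes precision and recall directly, and a novel anomaly type that the profile was not trained on will not be isolated as quickly as the learned type, which is the caveat the thesis reports.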

Supervisor

Aura, Tuomas

Thesis advisor

Reijonen, Joel
Slavov, Kristian

Keywords

anomaly detection, mobile networks, network security, machine learning
