Publication Date: 8-2019
Date of Final Oral Examination (Defense): 4-30-2019
Type of Culminating Activity: Thesis
Degree Title: Master of Science in Computer Science
Department: Computer Science
Supervisory Committee Chair: Dianxiang Xu, Ph.D.
Supervisory Committee Member: Edoardo Serra, Ph.D.
Supervisory Committee Member: Francesca Spezzano, Ph.D.
Abstract
Monitoring large-scale networks for malicious activities is increasingly challenging: the amount and heterogeneity of traffic hinder the manual definition of IDS signatures and deep packet inspection. In this thesis, we propose MINOS, a novel, fully unsupervised approach that generates an anomaly score for each host, allowing us to classify each host with high accuracy as either infected (generating malicious activities), attacked (under attack), or clean (without any infection). The score generated for each hour also identifies, without any prior knowledge, the time frame during which an infected or attacked host was under attack. MINOS automatically creates a personalized traffic behavioral model for each host and does not require any previous knowledge of existing or unknown attacks. Experimental evaluation on a real, large academic network over one year of data shows that MINOS achieves very high accuracy, even when analyzing only two weeks of data. We also demonstrate that MINOS is efficient and faster than a state-of-the-art approach for unsupervised anomaly detection on traffic data.
DOI: 10.18122/td/1601/boisestate
Recommended Citation
Bhowmick, Mousume, "MINOS: Unsupervised Netflow-Based Detection of Infected and Attacked Hosts, and Attack Time in Large Networks" (2019). Boise State University Theses and Dissertations. 1601.