MINOS: Unsupervised Netflow-Based Detection of Infected and Attacked Hosts, and Attack Time in Large Networks
Master of Science in Computer Science
Dianxiang Xu, Ph.D.
Edoardo Serra, Ph.D.
Francesca Spezzano, Ph.D.
Monitoring large-scale networks for malicious activity is increasingly challenging: the volume and heterogeneity of traffic make the manual definition of IDS signatures and deep packet inspection impractical. In this thesis, we propose MINOS, a novel, fully unsupervised approach that assigns an anomaly score to each host and uses it to classify, with high accuracy, each host as infected (generating malicious activity), attacked (the target of malicious activity), or clean (neither). Because a score is produced for every hour, MINOS can also locate the time frame during which an infected or attacked host was involved in an attack, again without any prior knowledge. MINOS automatically builds a personalized traffic behavioral model for each host from NetFlow data and requires no knowledge of known or unknown attacks. Experimental evaluation on a real, large academic network over one year of data shows that MINOS achieves very high accuracy even when analyzing only two weeks of data. We also show that MINOS is efficient and faster than a state-of-the-art approach for unsupervised anomaly detection on traffic data.
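The abstract describes the approach only at a high level. The following Python is an added illustration, not the MINOS algorithm and not code from the thesis: it sketches the generic idea the abstract names, namely a baseline learned from each host's own hourly NetFlow aggregates, an anomaly score per hour, and a three-way infected/attacked/clean verdict derived from whether the host's outbound or inbound hours are anomalous. The feature set, the median/MAD robust z-score, the threshold of 10, and the constructed traffic (steady HTTPS and web traffic for three days, then a port scan of 10.0.0.2 and an SMB sweep from 10.0.0.1 in hour 50) are all assumptions made for the example.

```python
"""Toy unsupervised, per-host hourly NetFlow anomaly scoring.

Illustrates the idea in the abstract (personalized per-host baseline,
hourly anomaly score, infected/attacked/clean classes, no labels).
This is NOT the MINOS algorithm; features, scoring and threshold are
assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    hour: int       # hour index since the start of the observation window
    src: str
    dst: str
    dport: int
    nbytes: int


FEATURES = ("flows", "uniq_peer", "uniq_dport", "nbytes")
THRESHOLD = 10.0    # assumed cut-off on the summed robust z-score


def hourly_features(flows: List[Flow], host: str, role: str) -> Dict[int, Dict[str, float]]:
    """Per-hour feature vector for `host` as flow source ("out") or destination ("in"):
    flow count, distinct peers, distinct destination ports, bytes."""
    buckets: Dict[int, List[Flow]] = defaultdict(list)
    for f in flows:
        if (role == "out" and f.src == host) or (role == "in" and f.dst == host):
            buckets[f.hour].append(f)
    return {
        h: {
            "flows": len(fs),
            "uniq_peer": len({f.dst if role == "out" else f.src for f in fs}),
            "uniq_dport": len({f.dport for f in fs}),
            "nbytes": sum(f.nbytes for f in fs),
        }
        for h, fs in buckets.items()
    }


def hourly_scores(feat_by_hour: Dict[int, Dict[str, float]]) -> Dict[int, float]:
    """Sum of one-sided robust z-scores per hour. The baseline (median and MAD) comes
    from this host's own history only, so every host gets its own model and no
    labelled data is needed. Hosts seen in a single hour score 0 (no history)."""
    if not feat_by_hour:
        return {}
    hours = sorted(feat_by_hour)
    scale: Dict[str, Tuple[float, float]] = {}
    for name in FEATURES:
        vals = [feat_by_hour[h][name] for h in hours]
        med = median(vals)
        mad = median([abs(v - med) for v in vals])
        scale[name] = (med, max(mad, 1.0))   # floor keeps constant features from exploding
    scores = {}
    for h in hours:
        z = 0.0
        for name, (med, mad) in scale.items():
            # 1.4826 rescales MAD to a standard deviation for normally distributed data;
            # only increases count, since the toy looks for bursts, not silence
            z += max(0.0, (feat_by_hour[h][name] - med) / (1.4826 * mad))
        scores[h] = z
    return scores


def peak(scores: Dict[int, float]) -> Tuple[Optional[int], float]:
    """Hour with the highest score and that score (None, 0.0 if nothing observed)."""
    if not scores:
        return None, 0.0
    h = max(scores, key=scores.get)
    return h, scores[h]


def classify_hosts(flows: List[Flow], threshold: float = THRESHOLD) -> Dict[str, Tuple[str, Optional[int]]]:
    """{host: (label, peak_hour)}: "infected" if the host's outbound hours are anomalous,
    "attacked" if only its inbound hours are, otherwise "clean"."""
    hosts = {f.src for f in flows} | {f.dst for f in flows}
    result = {}
    for host in sorted(hosts):
        out_hour, out_z = peak(hourly_scores(hourly_features(flows, host, "out")))
        in_hour, in_z = peak(hourly_scores(hourly_features(flows, host, "in")))
        if out_z > threshold:
            result[host] = ("infected", out_hour)
        elif in_z > threshold:
            result[host] = ("attacked", in_hour)
        else:
            result[host] = ("clean", None)
    return result


def build_sample_traffic(hours: int = 72, attack_hour: int = 50) -> List[Flow]:
    """Constructed sample data (not real NetFlow): three days of steady traffic, then
    10.0.0.1 port-scans 10.0.0.2 and sweeps 20 hosts in 10.0.1.0/24 for SMB in one hour."""
    flows: List[Flow] = []
    for h in range(hours):
        # 10.0.0.1 normally talks HTTPS to 3-5 external hosts with modestly varying volume
        for k in range(3 + h % 3):
            flows.append(Flow(h, "10.0.0.1", f"192.0.2.{k + 1}", 443, 500 + 250 * (h % 4)))
        # five clients fetch from the web server 10.0.0.2
        for i in range(5):
            for _ in range(1 + (h + i) % 2):
                flows.append(Flow(h, f"10.0.0.{11 + i}", "10.0.0.2", 80, 500))
    for port in range(1, 41):                       # 40-port scan of the web server
        flows.append(Flow(attack_hour, "10.0.0.1", "10.0.0.2", port, 64))
    for k in range(1, 21):                          # SMB sweep of 20 other hosts
        flows.append(Flow(attack_hour, "10.0.0.1", f"10.0.1.{k}", 445, 64))
    return flows


if __name__ == "__main__":
    for host, (label, hour) in classify_hosts(build_sample_traffic()).items():
        if label != "clean":
            print(f"{host}: {label} (peak hour {hour})")
```

Two caveats the toy makes visible: a host with no history (the 20 swept hosts appear in a single hour) cannot be scored against its own baseline, and a constant feature needs a floor on its dispersion or a single deviating hour produces an unbounded score. A real system has to address both, and the abstract's claim that two weeks of data suffice is exactly a statement about how much history the per-host model needs.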
Bhowmick, Mousume, "MINOS: Unsupervised Netflow-Based Detection of Infected and Attacked Hosts, and Attack Time in Large Networks" (2019). Boise State University Theses and Dissertations. 1601.