Inferring the Purpose of Network Activities
Lead Research Organisation:
University College London
Department Name: Computer Science
Abstract
The sophistication of attacks targeting computer networks is constantly increasing. Recently, we have witnessed multiple sophisticated targeted attacks against governments and companies. Such attacks differ greatly from traditional network attacks: the attackers have virtually unlimited resources and tailor their operation to the victim's network, which makes these attacks very difficult to detect. In fact, current state-of-the-art detection techniques are inadequate to protect computer networks against targeted attacks.
In this proposal, we aim to take some fundamental steps towards being able to reliably detect targeted attacks on computer networks. To this end, we plan to abstract away from the actual manifestation of an attack and focus instead on the purpose behind network activities. We believe that modern machine learning techniques such as deep belief networks can be used to automatically learn high-level features from network data. Such features are indicative of the purpose for which the network activity is performed, rather than of the specific techniques and tools used to accomplish that purpose. These high-level features can then be used in traditional supervised machine learning to detect whether a network activity is being performed with a malicious intention or a benign one.
Planned Impact
Being able to accurately detect stealthy network attacks by motivated adversaries is of fundamental importance for both the UK government and industry. Recent events such as the Regin and Stuxnet malware have demonstrated that the way in which attacks are currently detected is not effective. This proposal aims to lay the foundation for overcoming this problem by changing the way in which network attacks are detected.
The main goal of this proposal is to change the way in which the academic community mitigates network attacks. Instead of looking at the actual manifestation of an attack, we aim to understand the purpose for which a network activity is conducted. If successful, this proposal will inspire a wealth of research from the computer security academic community as a whole. To make sure that the academic community is aware of the techniques proposed in this project and of its results, Dr Stringhini will publish two papers (one for WP1 and one for WP2) in top computer security conferences such as the IEEE Symposium on Security and Privacy or the ACM Conference on Computer and Communications Security. He will also engage the community by describing the developed techniques at invited talks and seminars worldwide, to which he is often invited.
As we mention in the proposal, and as our letters of support show, Dr Stringhini already has an established partnership with Lastline Inc., and the researchers at this company are keen on applying the techniques developed for this project to the network defence systems sold by the company. This partnership has the potential of fostering a long-term collaboration that could bring important results beyond the duration of this proposal. Dr Stringhini will also actively look for additional industry partners, and build an industry network that will be able to effectively bring the techniques developed for this project to the real world, with a consequent benefit for Internet users.
Internet users could have additional benefits from the developments of this project. Being able to accurately infer the purpose behind network activities could dramatically reduce the need for invasive security mechanisms such as CAPTCHAs and security questions.
Finally, the techniques developed in this proposal will have an important benefit for the UK critical infrastructure. To make an impact on how the operators of the critical infrastructure deal with attacks, Dr Stringhini will reach out to partners at National Grid, who have had a long-term collaboration with the Computer Science Department at UCL, in particular through Professor David Pym.
Organisations
People | Gianluca Stringhini (Principal Investigator) |
Publications
Bernard-Jones E (2018) BABELTOWER
Chatzakou D (2017) Mean Birds
Egele M (2017) Towards Detecting Compromised Accounts on Social Networks, in IEEE Transactions on Dependable and Secure Computing
Haslebacher A (2017) All your cards are belong to us: Understanding online carding forums
Kolodenker E (2017) PayBreak
Mariconti E (2017) What's in a Name? Understanding Profile Name Reuse on Twitter
Mariconti E (2016) Why allowing profile name reuse is a bad idea
Description | During this project we furthered our understanding of the modus operandi and motivations of online attackers. We used these insights to develop automated systems that can detect and block such activity online. |
Exploitation Route | We are releasing our datasets and tools; see the further resources in this submission. Our MaMaDroid paper is currently used worldwide as the state-of-the-art baseline in Android malware detection. |
Sectors | Digital/Communication/Information Technologies (including Software) |
URL | http://www0.cs.ucl.ac.uk/staff/G.Stringhini/publications.html |
Description | Our insights on the modus operandi of cybercriminals when compromising accounts attracted the attention of companies such as Facebook, Google, and Telefonica Research, and of law enforcement agencies such as the National Cyber Crime Unit (NCCU). This led to two further joint projects in the area. We are currently discussing how to extend our monitoring platform to suit the needs of these organisations. Dr Stringhini was invited to give evidence to the International Relations Committee at the House of Lords on the impact of non-state cybercriminal actors on the UK. |
First Year Of Impact | 2017 |
Sector | Digital/Communication/Information Technologies (including Software) |
Impact Types | Policy & public services |
Description | EPSRC-funded BEAMS Future Leaders in Engineering and Physical Sciences |
Amount | £29,054 (GBP) |
Organisation | University College London |
Sector | Academic/University |
Country | United Kingdom |
Start | 08/2016 |
End | 04/2017 |
Description | GCHQ ACE Small grant |
Amount | £14,244 (GBP) |
Organisation | Government Communications Headquarters (GCHQ) |
Sector | Public |
Country | United Kingdom |
Start | 01/2016 |
End | 02/2016 |
Description | Google Faculty Research Award |
Amount | $66,500 (USD) |
Organisation | |
Sector | Private |
Country | United States |
Start | 08/2015 |
End | 09/2018 |
Title | Understanding The Use Of Stolen Webmail Credentials In The Wild |
Description | Dataset resulting from our IMC 2016 paper |
Type Of Material | Database/Collection of data |
Year Produced | 2016 |
Provided To Others? | Yes |
Impact | Other researchers are working on this database |
Title | Honeypot infrastructure for Gmail |
Description | This program allows researchers to instrument Gmail accounts and monitor activity on them. |
Type Of Technology | Webtool/Application |
Year Produced | 2016 |
Impact | This infrastructure is being used by multiple MSc students at UCL and by researchers at the University of Utrecht |
URL | https://bitbucket.org/gianluca_students/gmail-honeypot |
Title | MaMaDroid |
Description | This is the infrastructure we developed for MaMaDroid, as presented in the paper below. If you use the infrastructure in your work, please cite or acknowledge us (bib entry follows). @inproceedings{MaMaDroid, author = {Mariconti, Enrico and Onwuzurike, Lucky and Andriotis, Panagiotis and De Cristofaro, Emiliano and Ross, Gordon and Stringhini, Gianluca}, title = {{MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models}}, booktitle = {{The Network and Distributed System Security Symposium 2017}}, year = {2017}, } |
Type Of Technology | Software |
Year Produced | 2017 |
Open Source License? | Yes |
Impact | This tool is being used as state of the art to compare against by multiple research groups worldwide |
URL | https://bitbucket.org/gianluca_students/mamadroid_code |
Description | Hearing at the International Relations Committee at the House of Lords |
Form Of Engagement Activity | A formal working group, expert panel or dialogue |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Policymakers/politicians |
Results and Impact | Participated as an expert witness in a hearing at the House of Lords studying how non-state actors engage in online criminal activity and their impact on the UK |
Year(s) Of Engagement Activity | 2018 |
Description | RISCS Cybercrime Workshop |
Form Of Engagement Activity | A formal working group, expert panel or dialogue |
Part Of Official Scheme? | No |
Geographic Reach | National |
Primary Audience | Policymakers/politicians |
Results and Impact | Gave a talk entitled "Interdisciplinary Cybercrime Research: Where Are We?" at the RISCS/Home Office Cybercrime Workshop |
Year(s) Of Engagement Activity | 2017 |