Inferring the Purpose of Network Activities

Lead Research Organisation: University College London
Department Name: Computer Science


The sophistication of attacks targeting computer networks is constantly increasing. Recently, we have witnessed multiple sophisticated targeted attacks against governments and companies. Such attacks are very different from traditional network attacks, because attackers have virtually unlimited resources and can tailor their operation to the victim's network, making these attacks very difficult to detect. In fact, current state-of-the-art detection techniques are inadequate to protect computer networks against targeted attacks.

In this proposal, we aim to take some fundamental steps towards being able to reliably detect targeted attacks on computer networks. To this end, we plan to abstract the observation from the actual manifestation of an attack, and focus on the purpose behind network activities instead. We believe that modern machine learning techniques such as deep belief networks can be used to automatically learn high-level features from network data. Such features are indicative of the purpose for which the network activity is performed, rather than of the specific techniques and tools used to accomplish that purpose. These high-level features can then be used in traditional supervised machine learning to detect whether a network activity is being performed with a malicious intention or a benign one.

Planned Impact

Being able to accurately detect stealthy network attacks by motivated adversaries is of fundamental importance for both the UK government and industry. Recent events such as the Regin and Stuxnet malware have demonstrated that the way in which attacks are currently detected is not effective. This proposal aims at laying the foundation for overcoming this problem, by changing the way in which network attacks are detected.

The main goal of this proposal is to change the way in which the academic community is mitigating network attacks. Instead of looking at the actual manifestation of an attack, we aim at understanding the purpose for which a network activity is conducted. If successful, this proposal will inspire a wealth of research from the computer security academic community as a whole. To make sure that the academic community is aware of the techniques proposed in this project and of its results, Dr Stringhini will publish two papers (one for WP1 and one for WP2) in top computer security conferences such as the IEEE Symposium on Security and Privacy or the ACM Conference on Computer and Communications Security. He will also engage the community by describing the developed techniques at invited talks and seminars worldwide, to which he is often invited.

As we mention in the proposal, and as our letters of support show, Dr Stringhini already has an established partnership with Lastline Inc., and the researchers at this company are keen on applying the techniques developed for this project to the network defence systems sold by the company. This partnership has the potential of fostering a long-term collaboration that could bring important results that go beyond the duration of this proposal. Dr Stringhini will also actively look for additional industry partners, and build an industry network that will be able to effectively bring the techniques developed for this project to the real world, with a consequent benefit for Internet users.

Internet users could have additional benefits from the developments of this project. Being able to accurately infer the purpose behind network activities could dramatically reduce the need for invasive security mechanisms such as CAPTCHAs and security questions.

Finally, the techniques developed in this proposal will have an important benefit for the UK critical infrastructure. To make an impact on how the operators of the critical infrastructure deal with attacks, Dr Stringhini will reach out to partners at National Grid, who have had a long-term collaboration with the Computer Science Department at UCL, in particular through Professor David Pym.


Description During this project we furthered our understanding of the modus operandi and motivations of online attackers. We used these insights to develop automated systems that can detect and block such activity online.
Exploitation Route We are releasing our datasets and tools; see the further resources in this submission. Our MaMaDroid paper is currently being used worldwide as the state of the art in Android malware detection.
Sectors Digital/Communication/Information Technologies (including Software)

Description Our insights on the modus operandi of cybercriminals when compromising accounts attracted the attention of companies such as Facebook, Google, and Telefonica Research, and of law enforcement agencies such as the National Cyber Crime Unit (NCCU). This led to two further joint projects in the area. We are currently discussing how to extend our monitoring platform to suit the needs of these organisations. Dr Stringhini was invited to give evidence to the International Relations Committee at the House of Lords on the impact of non-state cybercriminal actors on the UK.
First Year Of Impact 2017
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Policy & public services

Description EPSRC-funded BEAMS Future Leaders in Engineering and Physical Sciences
Amount £29,054 (GBP)
Organisation University College London 
Sector Academic/University
Country United Kingdom
Start 08/2016 
End 04/2017
Description GCHQ ACE Small grant
Amount £14,244 (GBP)
Organisation Government Communications Headquarters (GCHQ) 
Sector Public
Country United Kingdom
Start 01/2016 
End 02/2016
Description Google Faculty Research Award
Amount $66,500 (USD)
Organisation Google 
Sector Private
Country United States
Start 08/2015 
End 09/2018
Title Understanding The Use Of Stolen Webmail Credentials In The Wild 
Description Dataset resulting from our IMC 2016 paper 
Type Of Material Database/Collection of data 
Year Produced 2016 
Provided To Others? Yes  
Impact Other researchers are working on this database 
Title Honeypot infrastructure for Gmail 
Description This program allows researchers to instrument Gmail accounts and monitor activity on them. 
Type Of Technology Webtool/Application 
Year Produced 2016 
Impact This infrastructure is being used by multiple MSc students at UCL and by researchers at the University of Utrecht 
Title MaMaDroid 
Description This is the infrastructure we developed for MaMaDroid, as presented in the paper below. If you use the infrastructure in your work, please cite or acknowledge us (bib entry follows).
@inproceedings{MaMaDroid,
  author = {Mariconti, Enrico and Onwuzurike, Lucky and Andriotis, Panagiotis and De Cristofaro, Emiliano and Ross, Gordon and Stringhini, Gianluca},
  title = {{MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models}},
  booktitle = {{The Network and Distributed System Security Symposium 2017}},
  year = {2017},
}
Type Of Technology Software 
Year Produced 2017 
Open Source License? Yes  
Impact This tool is being used as state of the art to compare against by multiple research groups worldwide 
Description Hearing at the International Relations Committee at the House of Lords 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Participated as an expert in a hearing at the House of Lords, studying how non-state actors engage in online criminal activity, and their impact on the UK
Year(s) Of Engagement Activity 2018
Description RISCS Cybercrime Workshop 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Policymakers/politicians
Results and Impact Gave a talk entitled "Interdisciplinary Cybercrime Research: Where Are We?" at the RISCS/Home Office Cybercrime Workshop
Year(s) Of Engagement Activity 2017