Inferring the Purpose of Network Activities

The sophistication of attacks targeting computer networks is constantly increasing. Recently, we have witnessed multiple sophisticated targeted attacks against governments and companies. Such attacks are much different than traditional network attacks, because attackers have virtually unlimited resources and can tailor their operation to the victim's network, making these attacks very difficult to detect. In fact, current state of the art detection techniques are inadequate to protect computer networks against targeted attacks.

In this proposal, we aim to make some fundamental steps towards being able to reliably detect targeted attacks on computer networks. To this end, we plan to abstract the observation from the actual manifestation of an attack, and focus on the purpose behind network activities instead. We believe that modern machine learning techniques such as deep belief networks can be used to automatically learn high-level features from network data. Such features are indicative of the purpose for which the network activity is performed, rather than of the specific techniques and tools used to accomplish that purpose. These high-level features can then be used in traditional supervised machine learning to detect whether a network activity is being performed with a malicious intention or a benign one.

Being able to accurately detect stealthy network attacks by motivated adversaries if of fundamental importance for both the UK government and industry. Recent events such as the Regin and Stuxnet malware have demonstrated that the way in which attacks are currently detected is not effective. This proposal aims at setting the foundation to overcoming this problem, by changing the way in which network attacks are detected.

The main goal of this proposal is to change the way in which the academic community is mitigating network attacks. Instead of looking at the actual manifestation of an attack, we aim at understanding the purpose for which a network activity is conducted. If successful, this proposal will inspire a wealth of research both from the computer security academic community as a whole. To make sure that the academic community is aware of the techniques proposed in this project and of its results, Dr Stringhini will publish two papers (one for WP1 and one for WP2) in top computer security conferences such as the IEEE Symposium on Security and Privacy or the ACM Conference on Computer and Communications Security. He will also engage the community by describing the developed techniques at invited talks and seminars worldwide, to which he is often invited.

As we mention in the proposal, and as our letters of support show, Dr Stringhini already has an established partnership with Lastline inc., and the researchers at this company are keen on applying the techniques developed for this project to the network defence systems sold by the company. This partnership has the potential of fostering a long-term collaboration that could bring important results that go beyond the duration of this proposal. Dr Stringhini will also actively look for additional industry partners, and build a industry network that will be able to effectively bring the techniques developer for this project to the real world, with a consequent benefit for Internet users.

Internet users could have additional benefits from the developments of this project. Being able to accurately infer the purpose behind network activities could dramatically reduce the need for invasive security mechanisms such as CAPTCHAS and security questions.

Finally, the techniques developed in this proposal will have an important benefit for the UK critical infrastructure. To make an impact on how the operators of the critical infrastructure deal with attacks, Dr Stringhini will reach out to partners at National Grid, who have had long term collaboration with the Computer Science Department at UCL, in particular through Professor David Pym.