Dissertations and theses : Doctoral thesis
Engineering, computing & technology : Computer science
Security and Network monitoring based on Internet flow measurements
Wagner, Cynthia [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
University of Luxembourg, Luxembourg, Luxembourg
Docteur en Informatique
Engel, Thomas
Keywords: network monitoring; flow analysis; anomaly detection; anonymity; Tor security; game theory; data mining
Today's networks face a continuous stream of new threats, so analysing network data to detect anomalies in operational networks is essential. Network operators have to cope with huge volumes of data. To reduce this volume, working with IP flow records (NetFlow records) rather than packet-level data is common practice in network management. However, in modern networks even NetFlow records still amount to a high volume of data. Interest in traffic classification, as well as in attack and anomaly detection, for network monitoring and security-related activities has therefore become very strong.

This thesis addresses NetFlow record analysis by introducing simple mechanisms for evaluating large quantities of data. The mechanisms are based on spatially aggregated NetFlow records, which are evaluated with a kernel function. This similarity function compares aggregated data with respect to quantitative pattern changes (traffic volumes) and topological pattern changes (the communication structure between aggregates). Machine learning techniques are then applied to the aggregated data to classify it into benign traffic and anomalies. Besides anomaly detection, traffic is analysed from the perspectives of both an attacker and a network operator using a game-theoretical model, in order to define strategies for attack and defence.
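The abstract describes the pipeline only at a high level: spatial aggregation of flow records, a kernel (similarity) function sensitive to quantitative and topological changes, and a classifier on top. The following is an added example written for this page, not code from the thesis, that makes the idea concrete. Its assumptions are mine: flows are aggregated by /24 source and destination prefix per time window; the kernel is the product of a Gaussian (RBF) kernel over log-scaled byte volumes per prefix pair (the quantitative part) and the Jaccard similarity of the sets of prefix pairs that communicate (the topological part); and instead of a trained machine-learning classifier, a window is flagged when its similarity to the previous window drops below a fixed threshold. The flow records are constructed sample data, with window 2 containing a scan-like burst from a new source prefix.

```python
import ipaddress
import math
from collections import defaultdict

# Constructed NetFlow-like records: (time_window, src_ip, dst_ip, bytes).
# Windows 0 and 1 are steady traffic; window 2 adds a constructed anomaly:
# one new source prefix (192.0.2.0/24) touching many destination prefixes
# with tiny flows, the footprint of a horizontal scan.
SAMPLE_FLOWS = [
    (0, "10.1.1.5", "10.2.2.10", 4000),
    (0, "10.1.1.7", "10.2.2.11", 3800),
    (0, "10.1.1.9", "10.3.3.2", 1200),
    (1, "10.1.1.5", "10.2.2.10", 4200),
    (1, "10.1.1.8", "10.2.2.12", 3500),
    (1, "10.1.1.9", "10.3.3.3", 1100),
    (2, "10.1.1.5", "10.2.2.10", 4100),
    (2, "10.1.1.7", "10.2.2.11", 3900),
    (2, "10.1.1.9", "10.3.3.2", 1000),
    (2, "192.0.2.66", "10.2.2.20", 60),
    (2, "192.0.2.66", "10.3.3.20", 60),
    (2, "192.0.2.66", "10.4.4.20", 60),
    (2, "192.0.2.66", "10.5.5.20", 60),
    (2, "192.0.2.66", "10.6.6.20", 60),
]


def prefix(ip, plen=24):
    """Map a host address to its /plen network (the spatial aggregation key)."""
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def aggregate(flows, plen=24):
    """Spatially aggregate flows: per window, total bytes per (src_prefix, dst_prefix) edge.

    The result for one window is a weighted graph on prefixes, which carries
    both the quantitative view (edge weights) and the topological view (edge set).
    """
    windows = defaultdict(lambda: defaultdict(int))
    for window, src, dst, nbytes in flows:
        windows[window][(prefix(src, plen), prefix(dst, plen))] += nbytes
    return windows


def kernel(agg_a, agg_b, sigma=1.0):
    """Similarity in [0, 1] between two aggregated windows (assumed kernel, not the thesis's).

    Quantitative part: RBF kernel on log1p(bytes) over the union of prefix edges,
    so a missing edge counts as volume 0. Topological part: Jaccard similarity of
    the two edge sets. sigma is a tunable assumption; 1.0 suits log-scaled volumes.
    """
    edges = set(agg_a) | set(agg_b)
    sq_dist = sum(
        (math.log1p(agg_a.get(e, 0)) - math.log1p(agg_b.get(e, 0))) ** 2 for e in edges
    )
    k_quant = math.exp(-sq_dist / (2 * sigma ** 2))
    k_topo = len(set(agg_a) & set(agg_b)) / len(edges) if edges else 1.0
    return k_quant * k_topo


def window_similarities(flows, plen=24, sigma=1.0):
    """Kernel value of each window against its predecessor, keyed by window id."""
    windows = aggregate(flows, plen)
    keys = sorted(windows)
    return {
        keys[i]: kernel(windows[keys[i - 1]], windows[keys[i]], sigma)
        for i in range(1, len(keys))
    }


def detect_anomalies(flows, threshold=0.5, plen=24, sigma=1.0):
    """Flag windows whose similarity to the previous window falls below threshold.

    A fixed threshold stands in for the trained classifier the abstract mentions.
    """
    return [w for w, s in window_similarities(flows, plen, sigma).items() if s < threshold]


if __name__ == "__main__":
    for w, s in window_similarities(SAMPLE_FLOWS).items():
        print(f"window {w}: similarity to previous = {s:.3g}")
    print("anomalous windows:", detect_anomalies(SAMPLE_FLOWS))
```

Aggregating by prefix is what keeps the feature space small: individual host pairs churn constantly, whereas prefix-to-prefix edges are stable in normal operation, so a handful of tiny flows from a new prefix fanning out to five destination prefixes produces a large topological and quantitative change even though it adds only 300 bytes of traffic. In a real deployment the threshold (or classifier) would be tuned on labelled windows, and the prefix length chosen to match the operator's address plan.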

To extend the evaluation models, information from the application layer has also been analysed. A recurring problem with application-level flows is that, in some cases, network flows cannot be clearly attributed to sessions or users, as for example in anonymous overlay networks such as Tor. A model for attributing flows to sessions or users has been defined and, in relation to it, the behaviour of attack and defence mechanisms is studied in the framework of a game.

Fulltext file (open access): WagnerC- Thesis.pdf, author postprint, 5.03 MB
