WIF: Efficient Library for Network Traffic Analysis
Type
Proceedings paper
Annotation
Network traffic classification and analysis are crucial for maintaining computer security. Nevertheless, the rise of encrypted traffic has made reliable threat detection increasingly challenging, requiring more complex algorithms such as heterogeneous ensembles. These types of algorithms proved to be effective in complex threat detection while maintaining high accuracy and explainability. However, their complexity and time-consuming development process limit their widespread adoption. Therefore, we created a new library called Weak Indication Framework (WIF) for the faster development of heterogeneous ensembles, which minimizes the time between attack discovery and detection capability. Moreover, WIF-based detectors are efficient enough to operate on large Internet Service Provider networks—a single detector can protect millions of users. We demonstrate the effectiveness of the WIF library through four different detectors (TOR, Cryptomining, IoT Malware, and Tunnel detector), each achieving outstanding performance and quick deployment times.
Augmenting Monitoring Infrastructure For Dynamic Software-Defined Networks
Year
2023
Published
2023 8th International Conference on Smart and Sustainable Technologies (SpliTech). New Jersey: IEEE, 2023. ISBN 978-953-290-128-3.
Type
Proceedings paper
Annotation
Software-Defined Networking (SDN) and virtual environments raise new challenges for network monitoring tools. The dynamic and flexible nature of these network technologies requires adaptation of the monitoring infrastructure to overcome challenges in the analysis and interpretability of the monitored network traffic. This paper describes a concept of automatic on-demand deployment of monitoring probes and correlation of network data with infrastructure state and configuration over time. Such an approach to monitoring SDN virtual networks is usable in several use cases, such as IoT networks and anomaly detection. It increases visibility into complex and dynamic networks. Additionally, it can help with the creation of well-annotated datasets that are essential for any further research.
Enhancing DeCrypto: Finding Cryptocurrency Miners Based on Periodic Behavior
Year
2023
Published
2023 19th International Conference on Network and Service Management (CNSM). New York: IEEE, 2023. International Conference on Network and Service Management. vol. 19. ISSN 2165-9605. ISBN 978-3-903176-59-1.
Type
Proceedings paper
Annotation
While the popularity of cryptocurrencies and the whole industry's value are rising, the number of threat actors who use illegal “coin miner malware” is increasing as well. The threat actors commonly use the computational resources of companies, research and educational institutions, or end users. In this paper, we analyzed the long-term periodic behavior of cryptocurrency miners communicating in computer networks. We propose a novel method for cryptominer detection using specially designed periodicity features. The detection algorithm is based on the mathematical detection of periodic Flow time series (FTS) and feature mining. Together with a Machine Learning technique, the resulting system achieves high-precision performance. Furthermore, our approach enhances the flow-based cryptominer detection system DeCrypto to further improve its reliability and feasibility for high-speed networks.
DeCrypto: Finding Cryptocurrency Miners on ISP networks
Type
Proceedings paper
Annotation
With the rising popularity of cryptocurrencies and the increasing value of the whole industry, people are incentivized to join and earn revenues by cryptomining — using computational resources for cryptocurrency transaction verification. Nevertheless, there is an increasing number of abusive cryptomining cases, and it is reported that “coin miner malware” grew by more than 4000% in 2018. In this work, we analyzed the cryptominer network communication and proposed the DeCrypto system that can detect and report mining on high-speed 100 Gbps backbone Internet lines with millions of users. The detector uses the concept of heterogeneous weak-indication detectors (Machine-Learning-based, domain-based, and payload-based) that work together and create a robust and accurate detector with an extremely low false-positive rate. The detector was implemented and evaluated on a real nationwide high-speed network and proved efficient in a real-world deployment.
Detection of Cryptomining in High-speed Networks
Type
Proceedings paper
Annotation
This paper addresses cryptomining from the security perspective with an emphasis on abusive mining. It explores the possibility of detecting cryptominers in high-speed computer networks using a flow-based monitoring approach. Based on the analysis of mining communication, we proposed a detection method that can be deployed on high-speed networks. The proposed solution was implemented as a group of NEMEA modules. Moreover, it was deployed and evaluated on the national network CESNET2 operated by CESNET.