Fingerprinting Network Sessions for the Discovery of Cyber Threats

Authors

  • Christiaan Klopper University of Pretoria
  • Jan Department Computer Science, University of Pretoria, Pretoria, South Africa

DOI:

https://doi.org/10.34190/iccws.18.1.1027

Keywords:

cybersecurity, cyber defence, packet-based feature extraction, network session fingerprints, visual data mining

Abstract

A rtificial intelligence (AI) assisted cyber-attacks, within the network cybersecurity domain, have evolved to be more successful at every phase of the cyber threat lifecycle. This involves, amongst other tasks, reconnaissance, weaponisation, delivery, exploitation, installation, command & control, and actions. The result has been AI-enhanced attacks, such as DeepLocker, self-learning malware and MalGan, which are highly targeted and undetectable, and automatically exploit vulnerabilities in existing cyber defence systems . Countermeasures would require significant improvements in the efficacy of existing cyber defence systems to enable the discovery and detection of AI-enhanced attacks in networks in general. The challenge is that rule-and-anomaly-based intrusion detection approaches would need to be evolved into a dynamic self-learning approach before being able to discover “undetectable” network threats. The problem is that, when considering current state-of-the-art network cybersecurity countermeasures, this has not yet been achieved. One of the key challenges in achieving this is the inability to extract meaningful information from network packets. The novel solution proposed in this paper is to fingerprint network sessions. Each fingerprint is represented by a two-dimensional matrix that can be visualised, comprising a unique session key, the protocol discourse and the transmitted data. This is achieved by extracting information, summarising network session key events, encoding the received data, and merging it with existing fingerprints. The unique key and transmitted data are encoded using a Hilbert curve, while the protocol discourse is encoded into a tornado diagram. The resulting visualised network session fingerprints reveal hidden patterns that are ideal for subsequent pattern recognition, reinforcement learning (RL) or support vector machines (SVM) training to discover AI-enhanced cyber threats as they evolve.

Author Biography

Jan, Department Computer Science, University of Pretoria, Pretoria, South Africa

Professor Dr. Jan Eloff is appointed as a full Professor in Computer Science at the University of Pretoria, South Africa. Up to 2022 he was also appointed as Acting Dean: in the Faculty of Engineering, Built Environment and IT at the University of Pretoria. From 2008 to 2015 he was appointed as Research Director for SAP Research in Africa. He holds a B2 rating from the National Research Foundation in South Africa indicating that he receives considerable international recognition for his research in safeguarding platforms against societal and organisational cyber-threats. He is also a leading international scholar in conducting research in the convergence of Cyber-security and Big Data & Data Science. He has published widely in leading international journals. In 2018 he published a scholarly book on Software Failure Investigations. Up to 2018 he was an associate editor of Computers & Security, the world’s leading journal for the advancement of Cyber-security. He is the co-inventor of a number of patents registered in the USA.  Jan is a member of the governing and advisory board of the International Knowledge Centre for Engineering Sciences and Technology (UNESCO(IKCEST)).

Downloads

Published

2023-02-28