Detection and classification of malicious network streams in honeynets : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand

dc.contributor.authorAbbasi, Fahim U H
dc.date.accessioned2013-12-16T01:16:50Z
dc.date.available2013-12-16T01:16:50Z
dc.date.issued2013
dc.description.abstractVariants of malware and exploits are emerging on the global canvas at an ever-increasing rate. There is a need to automate their detection by observing their malicious footprints over network streams. Misuse-based intrusion detection systems alone cannot cope with the dynamic nature of the security threats faced today by organizations globally, nor can anomaly-based systems and models that rely solely on packet header information, without considering the payload or content. In this thesis we approach intrusion detection as a classi cation problem and describe a system using exemplar-based learning to correctly classify known classes of malware and their variants, using supervised learning techniques, and detect novel or unknown classes using unsupervised learning techniques. This is facilitated by an exemplar selection algorithm that selects most suitable exemplars and their thresholds for any given class and a novelty detection algorithm and classi cation algorithm that is capable to detect, learn and classify unknown malicious streams into their respective novel classes. The similarity between malicious network streams is determined by a proposed technique that uses string and information-theoretic metrics to evaluate the relative similarity or level of maliciousness between di erent categories of malicious network streams. This is measured by quantifying sections of analogous information or entropy between incoming network streams and reference malicious samples. Honeynets are deployed to capture these malicious streams and create labelled datasets. Clustering and classi cation methods are used to cluster similar groups of streams from the datasets. This technique is then evaluated using a large dataset and the correctness of the classi er is veri ed by using \area under the receiver operating characteristic curves" (ROC AUC) measures across various string metric-based classi ers. Di erent clustering algorithms are also compared and evaluated on a large dataset. The outcomes of this research can be applied to aid existing intrusion detection systems (IDS) to detect and classify known and unknown malicious network streams by utilizing information-theoretic and machine learning based approaches.en
dc.identifier.urihttp://hdl.handle.net/10179/4967
dc.language.isoenen
dc.publisherMassey Universityen_US
dc.rightsThe Authoren_US
dc.subjectMalware (Computer software)en
dc.subjectPreventionen
dc.subjectIntrusion detection systemsen
dc.subjectComputer securityen
dc.titleDetection and classification of malicious network streams in honeynets : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealanden
dc.typeThesisen
massey.contributor.authorAbbasi, Fahimen
thesis.degree.disciplineComputer Scienceen
thesis.degree.grantorMassey Universityen
thesis.degree.levelDoctoralen
thesis.degree.nameDoctor of Philosophy (Ph.D.)en
Files
Original bundle
Now showing 1 - 2 of 2
Loading...
Thumbnail Image
Name:
01_front.pdf
Size:
99.93 KB
Format:
Adobe Portable Document Format
Description:
Loading...
Thumbnail Image
Name:
02_whole.pdf
Size:
3.87 MB
Format:
Adobe Portable Document Format
Description:
License bundle
Now showing 1 - 1 of 1
Loading...
Thumbnail Image
Name:
license.txt
Size:
804 B
Format:
Item-specific license agreed upon to submission
Description: