Abstract:
Intrusion detection systems are a fundamental component of the information security of a computer network. Advances in data mining, made possible by the ability of modern computers to process large amounts of data, allow intrusion detection systems to evolve, in particular those based on anomaly detection. Such systems usually operate in networks where illicit activity is a sporadic event that deviates from normal, licit usage. This dissertation describes a different situation, arising from an ethical hacking contest, in which attack attempts generated by a large number of distinct subjects make up the vast majority of the network traffic, while the normal activity consists of regular traffic produced by known, trusted entities. In this atypical, reversed scenario, raw network traffic was collected, analysed and suitably transformed in order to extract relevant features. The resulting data was then analysed with unsupervised data mining techniques in order to build models able to recognise licit traffic and the different attack patterns employed. The results and the relative efficiency of the models were measured, compared and discussed. The experiment and the resulting models represent a possible approach to anomaly detection, with particular regard to Operational Technology (OT) networks, where licit traffic is generated by trusted and well-known devices. Furthermore, these models can be used to analyse and compare the strategies adopted by different attackers against various network targets.
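The following is an added illustration of the reversed scenario the abstract describes; it is not code from the dissertation and does not reproduce its feature set or its models. It assumes a small, constructed table of per-source traffic summaries (distinct destination ports, mean packet size, SYN-only ratio), an assumed list of trusted hosts, and a plain k-means clustering implemented in Python without external libraries. The point it makes is the one the abstract turns on: when attackers are the majority, a cluster cannot be called "normal" because it is large, so clusters are labelled from their membership of known trusted entities instead, and the remaining clusters separate the distinct attack patterns.

```python
"""Added example (not the dissertation's code): the reversed-scenario workflow
in miniature. Constructed per-source traffic summaries are z-score normalised,
clustered with a small pure-Python k-means, and each cluster is labelled from
the known trusted hosts rather than from its size, because here the attackers,
not the legitimate devices, are the majority of the traffic."""
import math

# Constructed input: one row per (source host, observation window).
# Columns: src, distinct destination ports, mean packet size, SYN-only ratio.
FLOWS = [
    ("10.0.0.5", 1, 850, 0.05), ("10.0.0.5", 2, 900, 0.08),            # trusted devices
    ("10.0.0.6", 1, 820, 0.06), ("10.0.0.6", 2, 880, 0.10),
    ("203.0.113.10", 980, 60, 0.99), ("203.0.113.11", 650, 58, 0.97),  # port scans
    ("203.0.113.12", 1000, 62, 1.00), ("198.51.100.7", 720, 60, 0.98),
    ("198.51.100.8", 540, 64, 0.96), ("203.0.113.13", 880, 60, 0.99),
    ("203.0.113.20", 1, 320, 0.25), ("203.0.113.21", 1, 340, 0.22),    # web fuzzing
    ("198.51.100.30", 2, 300, 0.30), ("198.51.100.31", 1, 330, 0.27),
    ("203.0.113.22", 1, 310, 0.24),
]
TRUSTED_HOSTS = {"10.0.0.5", "10.0.0.6"}   # assumed inventory of known licit entities


def fit_scaler(rows):
    """Per-feature mean and population std, so that the port-count column does
    not dominate the Euclidean distance used by k-means."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds


def scale(row, scaler):
    means, stds = scaler
    return [(v - m) / s for v, m, s in zip(row, means, stds)]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, max_iter=100):
    """Deterministic k-means: farthest-first seeding from point 0, then Lloyd
    iterations until the assignment stops changing."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        centroids.append(list(max(points, key=lambda p: min(dist(p, c) for c in centroids))))
    assign = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda i: dist(p, centroids[i])) for p in points]
        if new == assign:
            break
        assign = new
        for i in range(k):
            members = [p for p, a in zip(points, assign) if a == i]
            if members:
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return assign, centroids


def build_model(flows, k=3, trusted=TRUSTED_HOSTS):
    """Cluster the summaries and label each cluster from trusted membership,
    not from its size. Returns the fitted model and the share of records
    that fall into attack clusters."""
    scaler = fit_scaler([f[1:] for f in flows])
    points = [scale(f[1:], scaler) for f in flows]
    assign, centroids = kmeans(points, k)
    labels = {}
    for i in range(k):
        srcs = [f[0] for f, a in zip(flows, assign) if a == i]
        in_trusted = sum(s in trusted for s in srcs)
        if not srcs:
            labels[i] = "empty"
        elif in_trusted == len(srcs):
            labels[i] = "licit"
        elif in_trusted == 0:
            labels[i] = "attack"
        else:
            labels[i] = "mixed"
    attack_share = sum(labels[a] == "attack" for a in assign) / len(flows)
    return {"scaler": scaler, "centroids": centroids, "labels": labels,
            "assign": assign, "attack_share": attack_share}


def classify(model, row):
    """Assign a new (ports, mean_bytes, syn_ratio) summary to its nearest
    centroid and return that cluster's label."""
    p = scale(row, model["scaler"])
    nearest = min(range(len(model["centroids"])),
                  key=lambda i: dist(p, model["centroids"][i]))
    return model["labels"][nearest]


if __name__ == "__main__":
    model = build_model(FLOWS)
    print("attack share of records:", round(model["attack_share"], 3))
    for cid, label in model["labels"].items():
        size = model["assign"].count(cid)
        print(f"cluster {cid}: {label}, {size} records")
    print("unknown host, server-like traffic:", classify(model, (1, 860, 0.07)))
    print("unknown host, scan-like traffic:", classify(model, (700, 60, 0.98)))
```

On this constructed data the licit cluster holds 4 of 15 records while the two attack clusters hold 11, so a size-based "the big cluster is normal" rule would invert the result; labelling by trusted membership is what makes the small cluster the licit model, and a new host whose traffic resembles the trusted devices is accepted while scan-like traffic is not. The two attack clusters also separate the port-scan and web-fuzzing patterns, which is the kind of per-strategy comparison the abstract mentions.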