Richard Plný | Czech Technical University, Prague
Supported by CESNET
Richard is currently in his first year of master’s studies at the Faculty of Information Technology, Czech Technical University, Prague, with an emphasis on network security. The topic of Richard’s bachelor thesis was the detection of crypto-malware on ISP-level networks using so-called ‘weak indicators’ - a combination of several different data sources that are used together for reliable detection. The proposed solution was deployed on the large ISP network CESNET2 in the Czech Republic, and it is already protecting half a million users.
Richard is currently focusing on further exploring the idea of weak indicators and data fusion to deal with inaccurate detectors, spoofed and inaccurate data, and the overall number of alerts generated by automatic detectors. He is trying to make automatic threat detection systems more reliable and easier to use by network security operators.
Lightning Talk | TNC23, Tirana, Albania
DATA FUSION: THE KEY TO RELIABLE THREAT DETECTION
Secure computer networks rely on monitoring, threat detection and security operators who respond to automatically created alerts. Performance of current anomaly and threat detection methods is dependent on the network telemetry data they are developed on. However, in some cases network telemetry does not contain truthful information. An error can occur during transmission, or an attacker can spoof information to confuse threat detectors. As a result, many attacks may remain undetected and false alerts might overwhelm security personnel. We are currently exploring an approach that utilises a combination of several data sources to overcome imperfections.
Many state-of-the-art detectors are based on Machine Learning (ML) technology, which can be easily confused. Attackers can alter the shape of their traffic by sending additional data that is unnecessary for the communication. Malicious traffic can be completely hidden by this technique and missed by the ML model - an outgoing attack might not be detected at all. Data incompleteness is another problem. For example, no blocklist can ever contain every malicious IP address. Moreover, these IP addresses can change over time. Therefore, the output of some detectors might not reflect reality. Current techniques, when used separately, suffer from many pitfalls.