Research Summaries

Machine Learning Techniques for Identifying Anomalous Network Traffic

Fiscal Year: 2020
Division: Research & Sponsored Programs
Department: NPS Naval Research Program
Investigator(s): Garza, Victor R.
Sponsor: NPS Naval Research Program (Navy)
Summary: Cyber investigations often involve analysis of large volumes of log files, including network flow data. Machine learning techniques allow analysts and examiners to identify more quickly the traffic flows relevant to an investigation. The research will focus on the analysis of network flow data generated by the Audit Record Generation and Utilization System (ARGUS). Examples of anomalous traffic patterns of interest (not an exhaustive list) include traffic spikes, malware beaconing, command and control (C2) activity, data exfiltration, and scanning.
The objective of the proposed study is to analyze network flow data with machine learning and heuristic algorithms in order to reduce the time analysts and investigators spend during cyber network forensic investigations (including, but not limited to, cyber incident handling and incident response investigations). We will analyze ARGUS data, and data from other network flow applications, with machine learning algorithms, with a focus on targeting and refining indicators of compromise (IOCs). Machine learning will be used to mine network flows so that an ongoing compromise, or historical evidence of compromise, can be identified more reliably (mining C2 channel data, beaconing, data exfiltration, unexpected encrypted traffic, or other anomalous network traffic).
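As an added illustration of the heuristic side of this approach (example code written for this page, not part of the NPS project or of ARGUS), the block below triages a small set of flow records for two of the patterns the summary lists: beaconing (a source talking to the same destination and port at near-constant intervals) and port scanning (one source touching many destination ports on one host in a short window). The input format is an assumption: a comma-separated export with five ARGUS/`ra`-style columns (StartTime as epoch seconds, SrcAddr, DstAddr, Dport, TotBytes). All flow records are constructed for the example.

```python
"""Heuristic triage of ARGUS-style flow records (added example).

Assumed input: comma-separated lines with the columns
StartTime(epoch seconds), SrcAddr, DstAddr, Dport, TotBytes.
Every record below is constructed; none comes from a real capture.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts 203.0.113.7:443 roughly every 60 s
# (beacon-like), plus a few irregular web flows from the same host.
_BEACON_LINES = [
    "1000,10.0.0.5,203.0.113.7,443,912",
    "1061,10.0.0.5,203.0.113.7,443,905",
    "1119,10.0.0.5,203.0.113.7,443,918",
    "1180,10.0.0.5,203.0.113.7,443,910",
    "1241,10.0.0.5,203.0.113.7,443,914",
    "1299,10.0.0.5,203.0.113.7,443,909",
    "1360,10.0.0.5,203.0.113.7,443,911",
    "1420,10.0.0.5,203.0.113.7,443,913",
    "1005,10.0.0.5,198.51.100.3,80,4210",
    "1400,10.0.0.5,198.51.100.3,80,15300",
    "2500,10.0.0.5,198.51.100.3,80,2210",
]
# Constructed sample: 10.0.0.9 probes ports 21..35 on 10.0.0.20 within ~1.4 s.
_SCAN_LINES = [f"{2000 + 0.1 * i:.1f},10.0.0.9,10.0.0.20,{21 + i},60" for i in range(15)]
SAMPLE_LINES = ["# StartTime,SrcAddr,DstAddr,Dport,TotBytes"] + _BEACON_LINES + _SCAN_LINES


def parse_flows(lines):
    """Parse CSV lines into (start_time, src, dst, dport, total_bytes) tuples."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, dst, dport, nbytes = line.split(",")
        flows.append((float(start), src, dst, int(dport), int(nbytes)))
    return flows


def beacon_candidates(flows, min_flows=6, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose inter-flow gaps are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive flow start times; a low value means a
    timer-driven pattern rather than human-driven traffic.
    """
    times_by_key = defaultdict(list)
    for start, src, dst, dport, _ in flows:
        times_by_key[(src, dst, dport)].append(start)
    hits = {}
    for key, times in times_by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            hits[key] = {"flows": len(times), "period_s": round(avg_gap, 1), "cv": round(cv, 3)}
    return hits


def scan_candidates(flows, min_ports=10, window_s=60.0):
    """Flag (src, dst) pairs that touch many distinct ports inside a short window."""
    ports_by_pair = defaultdict(set)
    times_by_pair = defaultdict(list)
    for start, src, dst, dport, _ in flows:
        ports_by_pair[(src, dst)].add(dport)
        times_by_pair[(src, dst)].append(start)
    hits = {}
    for pair, ports in ports_by_pair.items():
        span = max(times_by_pair[pair]) - min(times_by_pair[pair])
        if len(ports) >= min_ports and span <= window_s:
            hits[pair] = {"distinct_ports": len(ports), "span_s": round(span, 1)}
    return hits


def triage(lines):
    """Run both heuristics over raw CSV lines and return the findings."""
    flows = parse_flows(lines)
    return {"beacons": beacon_candidates(flows), "scans": scan_candidates(flows)}


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LINES).items():
        print(category)
        for key, detail in findings.items():
            print("  ", key, detail)
```

The thresholds (six flows, coefficient of variation 0.15, ten ports in sixty seconds) are starting points for an analyst to tune against a baseline; a legitimate software-update check or a monitoring agent will also look periodic, so a beaconing hit is a lead to examine alongside the other IOCs, not a verdict.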
Keywords: Anomaly, Cyber, Netflow, machine learning
Publications: Publications, theses (not shown) and data repositories will be added to the portal record when information is available in FAIRS and brought back to the portal.
Data: Publications, theses (not shown) and data repositories will be added to the portal record when information is available in FAIRS and brought back to the portal.