Using Deep learning for Anomaly Detection in CyberSANE


In the last decades, the entire world has experienced a huge digital transformation. The amount of data exchanged between organizations has increased dramatically. The massive data flowing across the net every minute have created an unprecedented risk and has led to a significant technology race to secure the data and communications. Nowadays, the resource that a potential attacker has at his disposal covers a very wide spectrum from malware to zero-day exploits programs.

However, many organizations are not efficient enough recognizing the impact of emerging technologies on cybersecurity. This is especially dangerous with critical information Infrastructures (CIIs); and in many cases, the resources allocated to cyber protection are not enough. As a result, these centres have anomaly-detection classical outdated static barriers that are no longer valid for latest attacks. The only way to create a defence against an attack that hasn’t happened yet is to predict it.

In the CyberSANE project we scrutinize all received traffic in real time and analyse patterns, trying to be always one step ahead of cyber-attacks. The component in charge of this function is HybridNet, which is composed by different assets such as a L-ADS (Live Anomaly Detection System), CARMEN and SiVi. Together they cover the full spectrum of artificial intelligence to perform efficient security analysis. In this article we will describe the core of L-ADS.

The L-ADS (Live Anomaly Detection System) has the aim to classify in real time anomalous connections to a certain network. It is based on a deep learning algorithm called Auto-encoder. This kind of algorithm tries to learn about the normal behaviour of the network using the following variables: source and destination IPs, ports, number of bytes, number of packets, protocol used during the connection and duration of the connection. Once the algorithm is trained using normal traffic, it can classify any new connections. If they are too different, they will be categorised as “anomalous” connection or “legit” connection, otherwise.

If something potentially dangerous is detected, it is sent to the LiveNet, where advanced correlation rules are applied; and the predictions performed by the L-ADS (and other HybridNet components) are compared with traffic and data received from other sensor in order to fulfil the incident knowledge base.

Leave a Reply

Your email address will not be published. Required fields are marked *