Security and Fraud

The application and development of machine learning methods in the field of (network) security and fraud is an active field of research in the Data Science Chair. In the DeepScan project, we are developing methods to detect anomalies, ICT security incidents and fraudulent behaviour in business software. Other research projects are currently working on the detection of security incidents in corporate networks or on application layer.

Projects

We are currently working on the following projects:

Publications

Here is a list of selected publications.

Flow-based network traffic generation using Generative Adversarial Networks Ring, Markus; Schlör, Daniel; Landes, Dieter; Hotho, Andreas in Computers & Security (2019). 82 156–172.
- [ Abstract ]
- [ BibTeX ]
- [ URL ]
- [ DOI ]
- [ Download ]
Flow-based data sets are necessary for evaluating network-based intrusion detection systems (NIDS). In this work, we propose a novel methodology for generating realistic flow-based network traffic. Our approach is based on Generative Adversarial Networks (GANs) which achieve good results for image generation. A major challenge lies in the fact that GANs can only process continuous attributes. However, flow-based data inevitably contain categorical attributes such as IP addresses or port numbers. Therefore, we propose three different preprocessing approaches for flow-based data in order to transform them into continuous values. Further, we present a new method for evaluating the generated flow-based network traffic which uses domain knowledge to define quality tests. We use the three approaches for generating flow-based network traffic based on the CIDDS-001 data set. Experiments indicate that two of the three approaches are able to generate high quality data.

@article{RING2019156, abstract = {Flow-based data sets are necessary for evaluating network-based intrusion detection systems (NIDS). In this work, we propose a novel methodology for generating realistic flow-based network traffic. Our approach is based on Generative Adversarial Networks (GANs) which achieve good results for image generation. A major challenge lies in the fact that GANs can only process continuous attributes. However, flow-based data inevitably contain categorical attributes such as IP addresses or port numbers. Therefore, we propose three different preprocessing approaches for flow-based data in order to transform them into continuous values. Further, we present a new method for evaluating the generated flow-based network traffic which uses domain knowledge to define quality tests. We use the three approaches for generating flow-based network traffic based on the CIDDS-001 data set. Experiments indicate that two of the three approaches are able to generate high quality data.}, author = {Ring, Markus and Schlör, Daniel and Landes, Dieter and Hotho, Andreas}, journal = {Computers & Security}, keywords = {traffic}, pages = {156 - 172}, title = {Flow-based network traffic generation using Generative Adversarial Networks}, volume = 82, year = 2019 }
IP2Vec: Learning Similarities Between IP Addresses Ring, Markus; Landes, Dieter; Dallmann, Alexander; Hotho, Andreas in 2017 IEEE International Conference on Data Mining Workshops (ICDMW) (2017). 657–666.
- [ BibTeX ]
- [ DOI ]
- [ Download ]
@article{ring2017ip2vec, author = {Ring, Markus and Landes, Dieter and Dallmann, Alexander and Hotho, Andreas}, journal = {2017 IEEE International Conference on Data Mining Workshops (ICDMW)}, keywords = {similarity}, pages = {657-666}, title = {IP2Vec: Learning Similarities Between IP Addresses}, type = {Publication}, year = 2017 }
Creation of Flow-Based Data Sets for Intrusion Detection Ring, Markus; Wunderlich, Sarah; Grüdl, Dominik; Landes, Dieter; Hotho, Andreas in Journal of Information Warfare (2017). 16(4) 41–54.
- [ Abstract ]
- [ BibTeX ]
- [ URL ]
- [ Download ]
Publicly available labelled data sets are necessary for evaluating anomaly-based Intrusion Detection Systems (IDS). However, existing data sets are often not up-to-date or not yet published because of privacy concerns. This paper identifies requirements for good data sets and proposes an approach for their generation. The key idea is to use a test environment and emulate realistic user behaviour with parameterised scripts on the clients. Comprehensive logging mechanisms provide additional information which may be used for a better understanding of the inner dynamics of an IDS. Finally, the proposed approach is used to generate the flow-based CIDDS-002 data set.

@article{ring2017creation, abstract = {Publicly available labelled data sets are necessary for evaluating anomaly-based Intrusion Detection Systems (IDS). However, existing data sets are often not up-to-date or not yet published because of privacy concerns. This paper identifies requirements for good data sets and proposes an approach for their generation. The key idea is to use a test environment and emulate realistic user behaviour with parameterised scripts on the clients. Comprehensive logging mechanisms provide additional information which may be used for a better understanding of the inner dynamics of an IDS. Finally, the proposed approach is used to generate the flow-based CIDDS-002 data set.}, author = {Ring, Markus and Wunderlich, Sarah and Grüdl, Dominik and Landes, Dieter and Hotho, Andreas}, journal = {Journal of Information Warfare}, keywords = {security:selected}, month = {Dez}, number = 4, pages = {41-54}, title = {Creation of Flow-Based Data Sets for Intrusion Detection}, volume = 16, year = 2017 }
A Toolset for Intrusion and Insider Threat Detection Ring, Markus; Wunderlich, Sarah; Gr{\"u}dl, Dominik; Landes, Dieter; Hotho, Andreas in Data Analytics and Decision Support for Cybersecurity: Trends, Methodologies and Applications, I. Palomares Carrascosa, H. K. Kalutarage, Y. Huang (eds.) (2017). 3–31.
- [ Abstract ]
- [ BibTeX ]
- [ URL ]
- [ DOI ]
- [ Download ]
Company data are a valuable asset and must be protected against unauthorized access and manipulation. In this contribution, we report on our ongoing work that aims to support IT security experts with identifying novel or obfuscated attacks in company networks, irrespective of their origin inside or outside the company network. A new toolset for anomaly based network intrusion detection is proposed. This toolset uses flow-based data which can be easily retrieved by central network components. We study the challenges of analysing flow-based data streams using data mining algorithms and build an appropriate approach step by step. In contrast to previous work, we collect flow-based data for each host over a certain time window, include the knowledge of domain experts and analyse the data from three different views. We argue that incorporating expert knowledge and previous flows allow us to create more meaningful attributes for subsequent analysis methods. This way, we try to detect novel attacks while simultaneously limiting the number of false positives.

@inbook{Ring2017, abstract = {Company data are a valuable asset and must be protected against unauthorized access and manipulation. In this contribution, we report on our ongoing work that aims to support IT security experts with identifying novel or obfuscated attacks in company networks, irrespective of their origin inside or outside the company network. A new toolset for anomaly based network intrusion detection is proposed. This toolset uses flow-based data which can be easily retrieved by central network components. We study the challenges of analysing flow-based data streams using data mining algorithms and build an appropriate approach step by step. In contrast to previous work, we collect flow-based data for each host over a certain time window, include the knowledge of domain experts and analyse the data from three different views. We argue that incorporating expert knowledge and previous flows allow us to create more meaningful attributes for subsequent analysis methods. This way, we try to detect novel attacks while simultaneously limiting the number of false positives.}, address = {Cham}, author = {Ring, Markus and Wunderlich, Sarah and Gr{\"u}dl, Dominik and Landes, Dieter and Hotho, Andreas}, booktitle = {Data Analytics and Decision Support for Cybersecurity: Trends, Methodologies and Applications}, editor = {Palomares Carrascosa, Iv{\'a}n and Kalutarage, Harsha Kumara and Huang, Yan}, keywords = {security:selected}, pages = {3–31}, publisher = {Springer International Publishing}, title = {A Toolset for Intrusion and Insider Threat Detection}, year = 2017 }

Projects

DeepScan

Publications

Data privacy protection

Data privacy protection

Picture credits