Počet záznamů: 1
Discriminative models for multi-instance problems with tree-structure
- 1.
SYSNO ASEP 0507120 Druh ASEP C - Konferenční příspěvek (mezinárodní konf.) Zařazení RIV D - Článek ve sborníku Název Discriminative models for multi-instance problems with tree-structure Tvůrce(i) Pevný, T. (CZ)
Somol, Petr (UTIA-B) RIDCelkový počet autorů 2 Zdroj.dok. Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security (AISec'16). - New York : ACM, 2016 - ISBN 978-1-4503-4573-6 Rozsah stran s. 83-91 Poč.str. 9 s. Forma vydání Tištěná - P Akce the 2016 ACM Workshop on Artificial Intelligence and Security (AISec'16) Datum konání 28.10.2016 - 28.10.2016 Místo konání Vienna Země AT - Rakousko Typ akce WRD Jazyk dok. eng - angličtina Země vyd. US - Spojené státy americké Klíč. slova big data ; learning indicators of compromise ; malware detection ; neural network ; user modeling Vědní obor RIV BC - Teorie a systémy řízení Obor OECD Automation and control systems Institucionální podpora UTIA-B - RVO:67985556 UT WOS 000391051600008 EID SCOPUS 85001945953 DOI 10.1145/2996758.2996761 Anotace Modelling network traffic is gaining importance to counter modern security threats of ever increasing sophistication. It is though surprisingly difficult and costly to construct reliable classifiers on top of telemetry data due to the variety and complexity of signals that no human can manage to interpret in full. Obtaining training data with sufficiently large and variable body of labels can thus be seen as a prohibitive problem. The goal of this work is to detect infected computers by observing their HTTP(S) traffic collected from network sensors, which are typically proxy servers or network firewalls, while relying on only minimal human input in the model training phase. We propose a discriminative model that makes decisions based on a computer's all traffic observed during a predefined time window (5 minutes in our case). The model is trained on traffic samples collected over equally-sized time windows for a large number of computers, where the only labels needed are (human) verdicts about the computer as a whole (presumed infected vs. presumed clean). As part of training, the model itself learns discriminative patterns in traffic targeted to individual servers and constructs the final high-level classifier on top of them. We show the classifier to perform with very high precision, and demonstrate that the learned traffic patterns can be interpreted as Indicators of Compromise. We implement the discriminative model as a neural network with special structure reflecting two stacked multi instance problems. The main advantages of the proposed configuration include not only improved accuracy and ability to learn from gross labels, but also automatic learning of server types (together with their detectors) that are typically visited by infected computers. Pracoviště Ústav teorie informace a automatizace Kontakt Markéta Votavová, votavova@utia.cas.cz, Tel.: 266 052 201. Rok sběru 2020
Počet záznamů: 1