EVIDENCE: EVolutionary Intrusion DEtectioN for dynamiC Environments
Period: Aug, 2018 - Jul, 2022
Previous years have seen a surge of cyber attacks targeting private data. This virtual pillage deprives citizens and companies across all industries of sensitive information such as login credentials, intellectual property or personal data. Existing cyber security solutions attempt to deal with these attacks by learning a detection model. However, in today's continuously developing IT settings, such a model quickly depreciates, making the approach fail miserably (often already in the case of a simple software update). In this proposal, we call for a drastic change in security technologies, progressing from static security concepts to evolutionary security concepts. As an important milestone in this progression, the EVIDENCE project will build a network-based intrusion detection system (NIDS) capable of evolving with dynamic changes in the environment in which it is deployed.
Designing a system which is able to adapt to developing environments requires us to effortlessly update our system's security models. We plan to apply passive application fingerprinting, an approach which maps network traffic to applications on the machine. This method will create fingerprints of all monitored applications in its training phase and subsequently detects unknown (malicious) applications for which it raises alerts. We propose the generation of fingerprints per host, per protocol, and per application, allowing for fine grained dexterous readjustments in case of environmental changes. In addition, our pivotal contribution commences the detection of contextual changes and subsequent adaptation of the detection model. To this end, we will investigate the application of machine learning classifiers and concept drift detectors on our fingerprint features to detect both basic and more advanced environmental changes such as software updates or newly added devices. This ability to automatically adapt to contextual changes (including those imposed by new cyber attacks) establishes the evolutionary character of our envisaged network-based intrusion detection system and constitutes the uniqueness of the EVIDENCE project.