Towards a Near-real-time Protocol Tunneling Detector based on Machine Learning Techniques

TL;DR

This paper introduces a near-real-time protocol tunneling detector using machine learning techniques to identify malicious network activities, achieving high accuracy and F1-score in tests on real datasets.

Contribution

The paper presents a novel prototype for protocol tunneling detection that combines machine learning and deep learning, capable of real-time network traffic analysis.

Findings

97.1% overall detection accuracy

F1-score of 95.6% on test datasets

Effective detection of tunneling attacks and anomalies

Abstract

In the very last years, cybersecurity attacks have increased at an unprecedented pace, becoming ever more sophisticated and costly. Their impact has involved both private/public companies and critical infrastructures. At the same time, due to the COVID-19 pandemic, the security perimeters of many organizations expanded, causing an increase of the attack surface exploitable by threat actors through malware and phishing attacks. Given these factors, it is of primary importance to monitor the security perimeter and the events occurring in the monitored network, according to a tested security strategy of detection and response. In this paper, we present a protocol tunneling detector prototype which inspects, in near real time, a company's network traffic using machine learning techniques. Indeed, tunneling attacks allow malicious actors to maximize the time in which their activity remains undetected. The detector monitors unencrypted network flows and extracts features to detect possible occurring attacks and anomalies, by combining machine learning and deep learning. The proposed module can be embedded in any network security monitoring platform able to provide network flow information along with its metadata. The detection capabilities of the implemented prototype have been tested both on benign and malicious datasets. Results show 97.1% overall accuracy and an F1-score equals to 95.6%.