Abstract: In a series of previous M.Sc. projects, a variety of techniques have been investigated for analysing the behaviour of computer systems in order to identify attacks by malicious persons or by programs designed to have malicious effects. A common feature of the techniques considered has been that they are based on supervised learning, where the analysis system has been trained either to recognise patterns of activity which an experienced analyst has classified in advance as malicious, or to recognise patterns of activity which deviate from those classified in advance as "normal" or non-malicious. Unfortunately, in many practical situations the amount of data is so large that it is not feasible for an expert to carry out a complete classification, and supervised learning becomes unreliable.
In this project, the aim is to supplement the previous investigations with techniques based on unsupervised learning. Here the training process is not based on a previous classification by an expert, but on some kind of self-organising principle, such as cluster detection, principal components analysis, self-organising maps, entropy-based methods or stochastic machines. The project will involve a study of the literature on the use of unsupervised learning for intrusion detection, selection of one or more methods for evaluation, and the specification and development of a simple tool which exploits the chosen method(s) and which can provide the user with useful information about attack patterns which are observed in a real-life computer system.
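As an added illustration of the unsupervised approach described above (this is example code written for this page, not part of the project or its tool), the following Python sketch applies one of the named self-organising principles, an entropy-based method, to a small constructed set of connection records. No analyst labels are used: each one-minute window is scored against a baseline (median and median absolute deviation) derived from the data itself, so that the one window where a single source touches many distinct ports stands out. The record format, host labels and threshold are assumptions chosen for the example.

```python
from collections import Counter
import math

# Constructed sample: (timestamp_s, source, dst_port) connection records.
# Six ordinary one-minute windows are followed by one window in which a
# single source contacts 40 distinct ports (the trace a port sweep leaves).
def _window(w, pairs):
    return [(w * 60 + i, src, port) for i, (src, port) in enumerate(pairs)]

RECORDS = (
    _window(0, [("h1", 80), ("h1", 80), ("h2", 443), ("h2", 443)])
    + _window(1, [("h1", 80), ("h2", 443), ("h3", 22), ("h4", 53)])
    + _window(2, [("h1", 80), ("h1", 80), ("h1", 80), ("h2", 443)])
    + _window(3, [("h1", 80), ("h2", 443), ("h2", 443), ("h3", 22)])
    + _window(4, [("h1", 80), ("h1", 80), ("h2", 443), ("h3", 53)])
    + _window(5, [("h1", 443), ("h1", 443), ("h1", 443), ("h2", 22), ("h3", 80)])
    + _window(6, [("h9", 1000 + p) for p in range(40)])
)

def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0

def window_features(records, window_size=60):
    """Per window: (window index, entropy of sources, entropy of dst ports)."""
    buckets = {}
    for ts, src, port in records:
        buckets.setdefault(ts // window_size, []).append((src, port))
    return [(w, shannon_entropy([s for s, _ in b]), shannon_entropy([p for _, p in b]))
            for w, b in sorted(buckets.items())]

def robust_z(xs):
    """Modified z-scores (median/MAD based), so a few extreme windows do not
    distort the baseline they are compared against."""
    med = sorted(xs)[len(xs) // 2]
    mad = sorted(abs(x - med) for x in xs)[len(xs) // 2] or 1e-9
    return [0.6745 * (x - med) / mad for x in xs]

def anomalous_windows(records, window_size=60, threshold=3.5):
    """Windows whose source or port entropy is an outlier against the baseline
    learned from the records themselves; no pre-classified data is needed."""
    feats = window_features(records, window_size)
    src_z = robust_z([f[1] for f in feats])
    port_z = robust_z([f[2] for f in feats])
    return [w for (w, _, _), zs, zp in zip(feats, src_z, port_z)
            if abs(zs) > threshold or abs(zp) > threshold]

if __name__ == "__main__":
    for w, hs, hp in window_features(RECORDS):
        print(f"window {w}: H(src)={hs:.2f} H(port)={hp:.2f}")
    print("anomalous windows:", anomalous_windows(RECORDS))  # [6]
```

The same scoring applies unchanged to any categorical field extracted from real system records (user names, process names, DNS query names), which is what makes the method attractive where labelling the data by hand is infeasible.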
Supervisor: Robin Sharp