TGI: Network Traffic Analysis and Anomaly Detection

By Prof Tanja Zseby and Dr. Felix Iglesias

Date and time

Thu, 28 Jan 2016 09:00 - Tue, 2 Feb 2016 17:00 GMT

Location

TSSG NetLabs Boardroom

WIT West Campus Carriganore Ireland

Description

Aims and Objectives

The protection of communication networks against new and unexpected attacks remains a challenging task. Attacks become more sophisticated and new vulnerabilities emerge every day. Proactive solutions often fail if new attack strategies are used or undetected vulnerabilities are exploited. Network supervision methods are essential to establish situational awareness in communication networks. They help to detect anomalies in communication patterns and provide the first step for the detection of new attack types.

Network measurements and traffic analysis are important tools for network security. They also support network operation and provide the basis for answering a wide variety of research questions about network structures, QoS parameters, user behavior, protocol performance and other characteristics of communication networks and protocols. Knowledge of such methods is therefore valuable not only for researchers in network security but also for students working in other areas of communication networks. The statistical data analysis and machine learning methodologies introduced here are also applicable to other fields.

This class focuses on network measurement and network traffic analysis methods for network security. Students learn about network measurement standards, statistical network traffic analysis and anomaly detection methods. They learn how malware uses communication networks to spread and how communication can be hidden in common protocols by means of network steganography. In practical exercises, students practise penetration testing, network data exploration and anomaly detection methods. They learn how to analyse IP darkspace traffic and how to detect covert channels in TCP/IP traffic.
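The course description names IP darkspace analysis and anomaly detection without explaining them, so the following added example (not course material, and not the lecturers' code) sketches one basic darkspace metric: because a darkspace prefix hosts no services, every packet to it is unsolicited, and a sudden jump in the number of distinct sources hitting a port usually marks a new scanning campaign. The records are constructed rather than captured; the window length, baseline length and z-score threshold are assumptions chosen for illustration.

```python
"""Darkspace traffic analysis: flag destination ports whose count of distinct
source addresses per minute departs from a baseline.  Added illustration, not
course material; the records below are constructed, not captured."""
from collections import defaultdict
import math

WINDOW = 60  # seconds per analysis window (assumed)


def constructed_records():
    """(timestamp, source IP, destination port) tuples sent to a darkspace prefix."""
    records = []
    counter = 0
    for w in range(5):  # five baseline minutes of low-rate background
        base = w * WINDOW
        for i in range(2 + w % 3):  # 2,3,4,2,3 distinct sources on port 445
            counter += 1
            records.append((base + 7 * i, f"198.51.100.{counter}", 445))
        for i in range(2):  # two sources on port 22 every minute
            records.append((base + 20 * i, f"203.0.113.{2 * w + i + 1}", 22))
    # minute 5: a coordinated campaign, 40 distinct sources probe port 23
    for i in range(40):
        records.append((5 * WINDOW + i, f"192.0.2.{i + 1}", 23))
    for i in range(3):  # background on 445 continues at its usual level
        counter += 1
        records.append((5 * WINDOW + 7 * i, f"198.51.100.{counter}", 445))
    return records


def distinct_sources(records, window=WINDOW):
    """Count distinct source addresses per (window index, destination port)."""
    seen = defaultdict(set)
    for ts, src, port in records:
        seen[(ts // window, port)].add(src)
    return {key: len(srcs) for key, srcs in seen.items()}


def flag_anomalies(counts, baseline_windows=5, threshold=3.0):
    """Z-score every post-baseline (window, port) count against that port's
    baseline mean and standard deviation.  A port absent from the baseline has
    mean 0 and std 0; any traffic to it is reported (score inf), because new
    activity on a previously quiet darkspace port is itself the signal."""
    ports = {port for _, port in counts}
    baseline = {p: [counts.get((w, p), 0) for w in range(baseline_windows)]
                for p in ports}
    flags = []
    for (w, port), n in sorted(counts.items()):
        if w < baseline_windows:
            continue  # baseline windows are the reference, not the test set
        vals = baseline[port]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        if std == 0.0:
            score = math.inf if n > mean else 0.0
        else:
            score = (n - mean) / std
        if score >= threshold:
            flags.append((w, port, n, score))
    return flags


if __name__ == "__main__":
    for w, port, n, score in flag_anomalies(distinct_sources(constructed_records())):
        print(f"minute {w}: port {port} saw {n} distinct sources (z={score:.1f})")
```

Run stand-alone, the script reports only minute 5 on port 23; port 445 in minute 5 stays within its baseline spread and port 22 is quiet. Real darkspace feeds need more than this (backscatter from spoofed DDoS, per-source packet rates, protocol and flag breakdowns), but distinct-source counts per port are the usual first cut.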

Learning Outcomes

On successful completion of this module, students will have learned about:

  • Network Security Basics
  • Malware Communication
  • Penetration Tests
  • Network Measurement Standards
  • Data Analysis, Machine Learning and Clustering Basics
  • Network Traffic Processing and Analysis Methods
  • IP Darkspace Analysis
  • Anomaly Detection Methods
  • Network Steganography Methods
  • Hands on experience: Penetration Tests (Information Gathering, Scanning)
  • Hands on experience: Network Traffic Analysis Tools
  • Hands on experience: How to work with data (from Pre-processing to Evaluation)
  • Hands on experience: Darkspace Traffic Analysis
  • Hands on experience: Network Steganography (Detection and use of Covert Channels)

Indicative Syllabus

  1. TCP/IP Protocol Behavior
  2. Network Security Basics
  3. Malware Communication
  4. Penetration Testing
  5. Lab Exercise: Penetration Testing
  6. Network Measurements Standards
  7. Anomaly Detection Methods
  8. IP Darkspace Traffic Analysis
  9. Lab Exercise: IP Darkspace Traffic Analysis
  10. Data Analysis Basics
  11. Lab Exercise: Data Analysis Basics
  12. Advanced Data Analysis Methods
  13. Data Mining, Machine Learning, Clustering Methods
  14. Lab Exercise: Network Traffic Analysis
  15. Network Steganography Methods
  16. Lab Exercise: Network Steganography

Assessment Methodology

  • Written Test (in the morning of day 5) (30%)
  • Fulfilment of laboratory exercises and final lab report (40%)
  • Paper on selected topic (30%)

Essential and Supplementary Reading/Resources

Supplementary reading lists:

Contact Hours :

20 hours lectures, 20 hours laboratory sessions, and 10 hours nighttime reading/revision within a single week.

10 hours follow-up work on lab report

40 hours preparatory and follow-up reading/writing

On completion of the module, the student will be awarded a certification of completion along with 5 ECTS credits.

The course will run Thurs/Fri/Sat - Mon/Tues from 9:30 - 17:00 each day.

Organised by

Prof. Tanja Zseby

Tanja Zseby is a professor of communication networks at the Institute of Telecommunications in the Faculty of Electrical Engineering and Information Technology at TU Wien. She received her Dipl.-Ing. degree in electrical engineering and her Dr.-Ing. degree from Technical University Berlin, Germany. Before joining TU Wien she was head of the Competence Center for Network Research at the Fraunhofer Institute for Open Communication Systems (FOKUS) in Berlin. From September 2011 to February 2013 she was a visiting scientist at the San Diego Supercomputer Center at the University of California, San Diego (UCSD), and she joined TU Wien in March 2013.

Her main research is in the field of network supervision and data analysis for network security. In the past she worked on sampling methods for multi-point network measurements, metrics for attack detection in IP darkspace data, anomaly detection and on network security for smart grid communication. She has been active in Internet Standardization (IETF) for 12 years and coauthored 7 RFCs in the area of network data capturing and sampling methods in IP networks.

Dr. Félix Iglesias

Félix Iglesias was born in Madrid, Spain, in 1980. He received the doctoral degree in technical sciences in 2012 from the Vienna University of Technology, Austria. Previously, he obtained the Dipl.-Ing. degree in electronic engineering and the advanced studies diploma in information technologies from La Salle URL, Barcelona, Spain. He has worked in fundamental research at several institutions: the Institute of Automation of the Vienna University of Technology, the AIT Austrian Institute of Technology, and the Department of Electronics and Telecommunications at La Salle URL.

Beyond research and project development, he has given professional and university lectures in electronics, physics, and home and building automation. He has also worked as a freelancer on house and building automation, control and management projects, as well as on R&D for the Spanish renewable energy industry.

In recent years his research has focused on the study and application of machine learning and data mining for pattern discovery and outlier detection. Since September 2013 he has held a position as Postdoc University Assistant at the Institute of Telecommunications of TU Wien, doing fundamental research in network security and anomaly detection.
