DYNAMO: Towards Network Attack Campaign Attribution via Density-Aware Active Learning
Helene Orsini, Yufei Han
2024
Abstract
Network attack attribution is crucial for identifying and understanding attack campaigns and for implementing preemptive measures. Traditional machine learning approaches face challenges such as labor-intensive campaign annotation, imbalanced attack data distribution, and concept drift. To address these challenges, we propose DYNAMO, a novel weakly supervised and human-in-the-loop machine learning framework for automated network attack attribution using raw network traffic records. DYNAMO integrates self-supervised learning and density-aware active learning techniques to reduce the overhead of exhaustive annotation, querying human analysts to label only a few selected, highly representative network traffic samples. Our experiments on the CTU-13 dataset demonstrate that annotating less than 3% of the records achieves attribution accuracy comparable to fully supervised approaches with twice as many labeled records. Moreover, compared to classic active learning and semi-supervised techniques, DYNAMO achieves 20% higher attribution accuracy and nearly perfect detection accuracy for unknown botnet campaigns with minimal annotations.
Paper Citation
in Harvard Style
Orsini H. and Han Y. (2024). DYNAMO: Towards Network Attack Campaign Attribution via Density-Aware Active Learning. In Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-709-2, SciTePress, pages 91-102. DOI: 10.5220/0012759100003767
in Bibtex Style
@conference{secrypt24,
author={Helene Orsini and Yufei Han},
title={DYNAMO: Towards Network Attack Campaign Attribution via Density-Aware Active Learning},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2024},
pages={91-102},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012759100003767},
isbn={978-989-758-709-2},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - DYNAMO: Towards Network Attack Campaign Attribution via Density-Aware Active Learning
SN - 978-989-758-709-2
AU - Orsini H.
AU - Han Y.
PY - 2024
SP - 91
EP - 102
DO - 10.5220/0012759100003767
PB - SciTePress