Detecting Advanced Network Threats Using a Similarity Search

  • Milan Čermák
  • Pavel Čeleda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9701)


In this paper, we propose a novel approach for the detection of advanced network threats. We combine knowledge-based detections with similarity search techniques commonly utilized for automated image annotation. This unique combination could provide effective detection of common network anomalies together with their unknown variants. In addition, it approaches network data analysis in a way similar to how a security analyst does. Our research is focused on understanding the similarity of anomalies in network traffic and their representation within complex behaviour patterns. This will lead to a proposal of a system for the real-time analysis of network data based on similarity. This goal should be achieved within a period of three years as a part of a PhD thesis.


Keywords: Similarity search, Network data, Classification, Network threats



This research was supported by the Security Research Programme of the Czech Republic 2015–2020 (BV III/1 VS) granted by the Ministry of the Interior of the Czech Republic under No. VI20162019029, The Sharing and analysis of security events in the Czech Republic.



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. Institute of Computer Science, Masaryk University, Brno, Czech Republic
