The United States increasingly relies on cyber-physical systems to conduct military and commercial
operations. Attacks on these systems have increased dramatically around the globe. The attackers constantly
change their methods, making state-of-the-art commercial and military intrusion detection systems ineffective.
In this paper, we present a model to identify functional behavior of network devices from netflow traces. Our
model includes two innovations. First, we define novel features for a host IP using detection of application
graph patterns in IP’s host graph constructed from 5-min aggregated packet flows. Second, we present the
first application, to the best of our knowledge, of Graph Semi-Supervised Learning (GSSL) to the space of IP
behavior classification. Using a cyber-attack dataset collected from NetFlow packet traces, we show that
GSSL trained with only 20% of the data achieves higher attack detection rates than Support Vector Machines
(SVM) and Naïve Bayes (NB) classifiers trained with 80% of data points. We also show how to improve
detection quality by filtering out web browsing data, and conclude with a discussion of future research.
Georgiy Levchuk, John Colonna-Romano, and Mohammed Eslami, "Application of graph-based semi-supervised learning for development of cyber COP and network intrusion detection," Proc. SPIE 10206, Disruptive Technologies in Sensors and Sensor Systems, 102060D (Presented at SPIE Defense + Security: April 11, 2017; Published: 19 May 2017); https://doi.org/10.1117/12.2263543.
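The pipeline the abstract describes, as an added illustration that is not the authors' code: flows are aggregated into 5-minute windows to build a host graph, per-host features are derived from that graph, and a few labelled hosts seed a label-propagation run (a basic form of graph semi-supervised learning) over the unlabelled ones. The flow records, the three-element feature vector and the exp(-L1) similarity are assumptions chosen for the example, not the paper's feature set.

```python
import math
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
# Hosts .9 and .8 touch several peers on port 22; .5/.6/.7 do ordinary web traffic.
FLOWS = [
    (0, "10.0.0.5", "10.0.0.1", 80, 1200), (30, "10.0.0.5", "10.0.0.2", 80, 900),
    (100, "10.0.0.6", "10.0.0.1", 443, 2000),
    (120, "10.0.0.9", "10.0.0.1", 22, 60), (125, "10.0.0.9", "10.0.0.2", 22, 60),
    (130, "10.0.0.9", "10.0.0.3", 22, 60), (135, "10.0.0.9", "10.0.0.4", 22, 60),
    (400, "10.0.0.7", "10.0.0.1", 80, 1100),
    (410, "10.0.0.8", "10.0.0.1", 22, 60), (415, "10.0.0.8", "10.0.0.2", 22, 60),
    (420, "10.0.0.8", "10.0.0.3", 22, 60),
]
WINDOW = 300  # 5-minute aggregation windows, as the abstract describes

def build_host_graph(flows, window=WINDOW):
    """Aggregate flows into per-window edges: {window_id: {(src, dst, port): bytes}}."""
    graph = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, port, nbytes in flows:
        graph[ts // window][(src, dst, port)] += nbytes
    return graph

def host_features(graph):
    """Assumed per-source features: (distinct peers, distinct ports, port-22 fan-out)."""
    peers, ports, ssh = defaultdict(set), defaultdict(set), defaultdict(int)
    for edges in graph.values():
        for src, dst, port in edges:
            peers[src].add(dst)
            ports[src].add(port)
            ssh[src] += port == 22
    return {h: (len(peers[h]), len(ports[h]), ssh[h]) for h in peers}

def label_propagation(feats, seeds, iters=50):
    """GSSL by label propagation: seeds map a few hosts to 1 (attack) or 0 (benign);
    each unlabelled host takes the similarity-weighted mean of the others' scores."""
    hosts = list(feats)
    weight = lambda a, b: math.exp(-sum(abs(x - y) for x, y in zip(feats[a], feats[b])))
    score = {h: float(seeds.get(h, 0.5)) for h in hosts}
    for _ in range(iters):
        nxt = {}
        for h in hosts:
            if h in seeds:  # labelled seeds stay clamped to their given label
                nxt[h] = float(seeds[h])
            else:
                pairs = [(weight(h, o), score[o]) for o in hosts if o != h]
                nxt[h] = sum(w * s for w, s in pairs) / sum(w for w, _ in pairs)
        score = nxt
    return score
```

With only two of the five hosts labelled, the unlabelled port-22 sweeper (.8) ends up scored close to the attack seed and the web clients close to the benign seed, which is the effect the abstract reports for GSSL trained on a small labelled fraction.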