Publications
5 results found
Highnam K, Arulkumaran K, Hanif Z, et al., 2021, BETH dataset: real cybersecurity data for anomaly detection research, Publisher: Gatsby Computational Neuroscience Unit
We present the BETH cybersecurity dataset for anomaly detection and out-of-distribution analysis. With real “anomalies” collected using a novel tracking system, our dataset contains over eight million data points tracking 23 hosts. Each host has captured benign activity and, at most, a single attack, enabling cleaner behavioural analysis. In addition to being one of the most modern and extensive cybersecurity datasets available, BETH enables the development of anomaly detection algorithms on heterogeneously-structured real-world data, with clear downstream applications. We give details on the data collection, suggestions on pre-processing, and analysis with initial anomaly detection benchmarks on a subset of the data.
Highnam K, Puzio D, Luo S, et al., 2021, Real-time detection of dictionary DGA network traffic using deep learning., SN Computer Science, Vol: 2, Pages: 110-110, ISSN: 2661-8907
Botnets and malware continue to avoid detection by static rule engines when using domain generation algorithms (DGAs) for callouts to unique, dynamically generated web addresses. Common DGA detection techniques fail to reliably detect DGA variants that combine random dictionary words to create domain names that closely mirror legitimate domains. To combat this, we created a novel hybrid neural network, Bilbo the “bagging” model, that analyses domains and scores the likelihood they are generated by such algorithms and therefore are potentially malicious. Bilbo is the first parallel usage of a convolutional neural network (CNN) and a long short-term memory (LSTM) network for DGA detection. Our unique architecture is found to be the most consistent in performance in terms of AUC, F1 score, and accuracy when generalising across different dictionary DGA classification tasks compared to current state-of-the-art deep learning architectures. We validate using reverse-engineered dictionary DGA domains and detail our real-time implementation strategy for scoring real-world network logs within a large enterprise. In 4 h of actual network traffic, the model discovered at least five potential command-and-control networks that commercial vendor tools did not flag.
Lengyel D, Petangoda J, Falk I, et al., 2020, GENNI: Visualising the geometry of equivalences for neural network identifiability, Publisher: arXiv
We propose an efficient algorithm to visualise symmetries in neural networks.Typically, models are defined with respect to a parameter space, wherenon-equal parameters can produce the same input-output map. Our proposedmethod, GENNI, allows us to efficiently identify parameters that arefunctionally equivalent and then visualise the subspace of the resultingequivalence class. By doing so, we are now able to better explore questionssurrounding identifiability, with applications to optimisation andgeneralizability, for commonly used or newly developed neural networkarchitectures.
Highnam K, Puzio D, Luo S, et al., 2020, Real-time detection of dictionary DGA network traffic using deep learning, Publisher: arXiv
Botnets and malware continue to avoid detection by static rules engines whenusing domain generation algorithms (DGAs) for callouts to unique, dynamicallygenerated web addresses. Common DGA detection techniques fail to reliablydetect DGA variants that combine random dictionary words to create domain namesthat closely mirror legitimate domains. To combat this, we created a novelhybrid neural network, Bilbo the `bagging` model, that analyses domains andscores the likelihood they are generated by such algorithms and therefore arepotentially malicious. Bilbo is the first parallel usage of a convolutionalneural network (CNN) and a long short-term memory (LSTM) network for DGAdetection. Our unique architecture is found to be the most consistent inperformance in terms of AUC, F1 score, and accuracy when generalising acrossdifferent dictionary DGA classification tasks compared to currentstate-of-the-art deep learning architectures. We validate usingreverse-engineered dictionary DGA domains and detail our real-timeimplementation strategy for scoring real-world network logs within a largefinancial enterprise. In four hours of actual network traffic, the modeldiscovered at least five potential command-and-control networks that commercialvendor tools did not flag.
Highnam K, Angstadt K, Leach K, et al., 2016, An Uncrewed Aerial Vehicle Attack Scenario and Trustworthy Repair Architecture, 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), Publisher: IEEE, Pages: 222-225, ISSN: 2325-6648
- Author Web Link
- Cite
- Citations: 12
This data is extracted from the Web of Science and reproduced under a licence from Thomson Reuters. You may not copy or re-distribute this data in whole or in part without the written consent of the Science business of Thomson Reuters.