During the last two decades, cyber attacks against end users have grown significantly in both number and sophistication. Unfortunately, traditional signature-based technologies such as network IDS/IPS and next-generation firewalls can detect only known attacks, while new attack types that match no signature remain unnoticed. Therefore, the use of machine learning for detecting anomalous network traffic of end user nodes has become an important research problem.
In this paper, CCDCOE and TalTech researchers present a novel NetFlow-based framework for identifying anomalous end user nodes and their network traffic patterns, and describe experiments for evaluating the framework's performance in an organizational network. The results could be useful for technicians, monitoring specialists, and network security specialists.
This paper was accepted to the 15th International Conference on Cyber Warfare and Security: ICCWS 2020 and the final version of the paper is included in the Conference Proceedings (ISBN: 978-1-912764-53-2).
Keywords: detection of anomalous end user nodes, network anomaly detection, NetFlow-based network monitoring