Machine learning classification of internet worms and ransomware attacks and effect of BGP feature properties

Thesis type: (Thesis) M.A.Sc.
Cyberattacks cause significant disruptions to communication networks, and it is crucial to detect and prevent such malicious behaviors in order to provide secure and reliable network connections. Detecting these intrusions is challenging, and conventional intrusion detection techniques are insufficient to identify such malicious activities. Machine learning techniques offer effective intrusion detection due to their computational abilities. In this thesis, we apply machine learning techniques to classify anomalies such as Internet worms and ransomware attacks. We employ Border Gateway Protocol (BGP) datasets that contain routing records from Réseaux IP Européens (RIPE) collection sites. The supervised machine learning algorithms Support Vector Machine (SVM), Long Short-Term Memory (LSTM), and Gradient Boosting Decision Tree (GBDT) are employed for classification. Dynamic learning rate scheduling and an attention mechanism are employed to enhance the performance of LSTM models in classifying ransomware attacks. While LSTM models proved effective in classifying attacks using sequential BGP data, their performance may degrade for lengthy data sequences. Feature transformation and selection techniques are applied to enhance the performance of GBDT models. We perform feature selection to determine the most important features and identify the best-fitting distributions. Experimental results indicate that a number of features follow heavy-tailed distributions. We evaluate the performance of models generated using worm (Code Red, Nimda, and Slammer) and ransomware attack (WannaCrypt and WestRock) BGP datasets. Models generated using principal component analysis (PCA) transformed BGP data led to improved classification performance on the WestRock BGP dataset. Selecting important features using the extra-trees algorithm led to the best classification performance of GBDT models. GBDT models offer short training time and may be suitable for designing scalable and real-time anomaly detection systems.
102 pages.
Copyright statement
Copyright is held by the author(s).
This thesis may be printed or downloaded for non-commercial research and scholarly purposes.
Supervisor or Senior Supervisor
Thesis advisor: Trajkovic, Ljiljana
Attachment: etd22483.pdf (4.48 MB)