A technique to identify indicators for predicting web-based threat activity


  1. Dondo, M.
Corporate Authors
Defence Research and Development Canada, Ottawa Research Centre, Ottawa ON (CAN)
Cyber criminals attack and compromise Internet-connected networks on an almost daily basis. One way to help defend these networks is to detect threat indicators, a minimal set of network traffic attributes or features that reflect threat activity on the network. Such indicators can provide network defenders with useful information on what is happening on the network and help them predict what could happen next. Currently, tools and techniques to determine these indicators are scarce. We, therefore, propose an approach to determine these indicators. Our approach, which is based on high-level recommendations from recent papers, uses machine learning to determine which network traffic attributes are indicative of network threat activity. Due to a high prevalence of web-based attacks, we chose to demonstrate our approach on selected web-based attacks. In our approach, we collected traffic attributes from historical network data, labelled the data, and used machine learning to determine a minimal set of traffic attributes, or indicators, that can best describe the selected web threat activity on the network. We show that a set of indicators can be used to identify specific threat activities on the network with high detection rates. We conclude by suggesting a way to extend our approach of determining indicators for web-based attacks to determining indicators for general network attacks, which is a subject of possible future work.

Il y a un résumé en français ici.

cyber threat;web threat;web security;machine learning
Report Number
DRDC-RDDC-2016-R151 — Scientific Report
Date of publication
01 Sep 2016
Number of Pages
Electronic Document(PDF)

Permanent link

Document 1 of 1

Date modified: