Skip to main content



Master Thesis Defense - April 10, 2019: Scalable and Efficient Network Anomaly Detection on Connection Data Streams

April 3, 2019


Aniss Chohra

Wednesday, April 10, 2019 at 10:30 a.m.
Room EV003.309

You are invited to attend the following M.A.Sc. (Quality Systems Engineering) thesis examination.

Examining Committee

Dr. J. Yan, Chair
Dr. M. Debbabi, Supervisor
Dr. C. Wang, CIISE Examiner
Dr. O. Ormandjieva, External Examiner (CSE)



Everyday, security experts and analysts must deal with and face the huge increase of cyber security threats that are propagating very fast on the Internet and threatening the security of hundreds of millions of users worldwide. The detection of such threats and attacks is of paramount importance to these experts in order to prevent these threats and mitigate their effects in the future. Thus, the need for security solutions that can prevent, detect, and mitigate such threats is imminent and must be addressed with scalable and efficient solutions. To this end, we propose a scalable framework, called Daedalus, to analyze streams of NIDS (network-based intrusion detection system) logs in near real-time and to extract useful threat security intelligence. The proposed system pre-processes massive amounts of connections stream logs received from different participating organizations and applies an elaborated anomaly detection technique in order to distinguish between normal and abnormal or anomalous network behaviors. As such, Daedalus detects network traffic anomalies by extracting a set of significant pre-defined features from the connection logs and then applying a time series-based technique in order to detect abnormal behavior in near real-time. Moreover, we correlate IP blocks extracted from the logs with some external security signature-based feeds that detect factual malicious activities (e.g., malware families and hashes, ransomware distribution, and command and control centers) in order to validate the proposed approach. Performed experiments demonstrate that Daedalus accurately identities the malicious activities with an average F1 score of 92:88%. We further compare our proposed approach with existing K-Means and deep learning (LSTMs) approaches and demonstrate the accuracy and efficiency of our system.

Back to top Back to top

© Concordia University