Graph-based Feature Enrichment for Online Intrusion Detection in Virtual Networks

  • Igor Jochem Sanz UFRJ / Samsung R&D Institute
  • Otto Carlos M. B. Duarte UFRJ


The ubiquitousness of Internet-of-Things devices paves the way for distributed network attacks at an unprecedented scale. Graph theory, strengthened by machine learning techniques, improves an automatic discovery of group behavior patterns of distributed network threats often omitted by traditional security systems. This dissertation proposes an intrusion detection system for online threat detection enriched by a graph-learning analysis. We develop a feature enrichment algorithm that infers metrics based on a graph analysis. By using different machine learning techniques, we evaluated our system for three network traffic datasets. Results show that the proposed enrichment improves the threat detection accuracy up to 15.7% and significantly reduces false-positive rate. Furthermore, we evaluate intrusion detection systems deployed as virtual network functions and propose SFCPerf, a framework for automating performance evaluation of service function chaining. To demonstrate SFCPerf functionality, we evaluate different NFV scenarios, including a real security service function chain prototype, composed of our intrusion detection system and a firewall.


Bonafiglia, R., Cerrato, I., Ciaccia, F., Nemirovsky, M., and Risso, F. (2015). Assessing the performance ofvirtualization technologies for NFV: A preliminary benchmarking. In 20/5 Fourth European Workshop onSoftware Defined Networks, pages 67-72.

Callegati, F., Cerroni, W., Contoli, C., and Santandrea, G. (2014). Performance of network virtualization in cloudcomputing infrastructures: The OpenStack case. In JEEE 3rd International Conference on Cloud Networking(CloudNet), pages 132-137.

Chen, F., Ranjan, S., and Tan, P.-N. (2011). Detecting bots via incremental Is-svm learning with dynamic featureadaptation. In Proceedings of the 17th ACM SIGKDD International Conference on Knowledge Discovery andData Mining, KDD ’11, pages 386-394, New York, NY, USA. ACM.

Chowdhury, S., Khanzadeh, M., Akula, R., Zhang, F., Zhang, S., Medal, H., Marufuzzaman, M., and Bian, L.(2017). Botnet detection using graph-based feature clustering. Journal of Big Data, 4(1):14.

Emmerich, P., Raumer, D., Wohlfart, F., and Carle, G. (2014). Performance characteristics of virtual switching. InIEEE 3rd International Conference on Cloud Networking (CloudNet), pages 120-125.

Eswaran, D., Faloutsos, C., Guha, S., and Mishra, N. (2018). Spotlight: Detecting anomalies in streaming graphs.In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining,KDD’ 18, pages 1378-1386, New York, NY, USA. ACM.

Iliofotou, M., Pappu, P., Faloutsos, M., Mitzenmacher, M., Singh, S., and Varghese, G. (2007). Network monitoringusing traffic dispersion graphs (tdgs). In Proceedings of the 7th ACM SIGCOMM Conference on InternetMeasurement, IMC ’07, pages 315-320, New York, NY, USA. ACM.

Kolias, C., Kambourakis, G., Stavrou, A., and Voas, J. (2017). DDoS in the IoT: Mirai and other botnets. Computer,50(7):80-84.

Li, W., Meng, W., Luo, X., and Kwok, L. F. (2016). Mvpsys: Toward practical multi-view based false alarmreduction system in network intrusion detection. Computers & Security, 60:177 — 192.

Liu, L., Saha, S., Torres, R., Xu, J., Tan, P-N., Nucci, A., and Mellia, M. (2014). Detecting malicious clients inISP networks using HTTP connectivity graph and flow information. In JEEE/ACM International Conferenceon Advances in Social Networks Analysis and Mining (ASONAM), pages 150-157. IEEE.

Manzoor, E., Milajerdi, S. M., and Akoglu, L. (2016). Fast memory-efficient anomaly detection in streamingheterogeneous graphs. In Proceedings of the 22nd ACM SIGKDD International Conference on KnowledgeDiscovery and Data Mining, pages 1035-1044. ACM.

Mijumbi, R., Serrat, J., Gorricho, J. L., Bouten, N., Turck, F. D., and Boutaba, R. (2016). Network functionvirtualization: State-of-the-art and research challenges. JEEE Communications Surveys Tutorials, 18(1):236—262.

Minggiang, Z., Hui, H., and Qian, W. (2012). A graph-based clustering algorithm for anomaly intrusion detection.In 2012 7th International Conference on Computer Science Education (ICCSE), pages 1311-1314.

Morales, C. (2018). Netscout arbor confirms 1.7 tbps ddos attack; the terabit attack era is upon us.

Rudis, B. (2018). The flip side of memcrashed.
SANZ, Igor Jochem; DUARTE, Otto Carlos M. B.. Graph-based Feature Enrichment for Online Intrusion Detection in Virtual Networks. In: CONCURSO DE TESES E DISSERTAÇÕES - SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 2. , 2019, Gramado. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019 . p. 129-136. ISSN 2177-9384. DOI: