AI-Powered Darknets/Honeypots for Supporting Network Anomaly Detection

PhD program in Electrical, Electronics and Communication Engineering

Supervisors

Marco Mellia, marco.mellia@polito.it
Luca Vassio, luca.vassio@polito.it
Idilio Drago, idilio.drago@unito.it

PhD Student: Rodolfo Vieira Valentim

Context of the research activity

The Internet ecosystem is shifting to new technological paradigms. Devices are growing in number, diversity and amount of data transferred, thanks to the adoption of technologies such as IoT and 5G systems. Network monitoring is a core element of the infrastructure, providing detailed information about traffic, device statuses and protocol functioning. Automatic methods to assist in the monitoring of increasingly complex networks and in the identification of anomalies are needed to face novel attacks and system malfunctions. 

The increasing complexity of the Internet, however, makes these tasks challenging. The number and diversity of devices, protocols, and applications push up the amount of monitoring data to be analyzed. Reducing manual analysis and intervention by human experts is paramount in this scenario. Moreover, privacy requirements are increasingly stringent, which reduces the usefulness of monitoring data and the applicability of standard approaches.

This project aims at investigating the use of multiple data sources and state-of-the-art AI approaches to assist the analysis of security incidents and the detection of network anomalies. The student will investigate, in particular, how automatic darknets and honeypots can sustain network security operations. Darknets and honeypots have been used for capturing valuable data for seeding anomaly detection. However, many challenges arise when operating these tools at scale, such as the manual work needed to deploy honeypots able to cope with new attacks, as well as the time-consuming analysis of new threats on very large darknet traces.

The student will use and adapt new AI algorithms to operate with large datasets coming from multiple darknets and honeypots. She/he will develop novel algorithms to learn attacks in an automatic way, relying on recent advances in AI, such as reinforcement learning, zero-shot learning and generative adversarial networks (GANs). As a final goal, the developed automatic infrastructure, equipped with tuned anomaly detection algorithms, will be applied to production networks to uncover novel attacks.

Objectives

Several research questions arise to realize an AI-assisted approach for network security based on multiple darknets and honeypots. This project will investigate:

  • How to provision the monitoring probes in a network to cover the vast majority of anomalies while optimizing data capturing and processing? 
  • How to incrementally learn new anomalies without relying on centralized data repositories and respecting privacy? 
  • How to detect new anomalies without large annotated datasets of previously known anomalies? 
  • How to describe the anomalies using multiple data sources so as to provide useful knowledge and context to operators?
  • How to exchange models and knowledge among monitoring probes and how to update existing models?

Skills and competencies for the development of the activity

The candidate should have a good background in network security, cloud computing and virtualization, anomaly detection, machine learning and artificial intelligence.

Further information about the PhD program at Politecnico can be found here
