Publication
Clustering Dynamically-Defined NetFlow and Windows Event Features for Intrusion Detection
| datacite.subject.fos | Engineering and Technology::Electrical, Electronic and Computer Engineering (Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática) | |
| dc.contributor.advisor | Correia, Miguel Nuno Dias Alves Pupo | |
| dc.contributor.advisor | Dias, Luís Filipe Xavier Mendonça | |
| dc.contributor.author | Pinheiro, João Pedro Esteves | |
| dc.date.accessioned | 2025-11-18T15:25:23Z | |
| dc.date.available | 2025-11-18T15:25:23Z | |
| dc.date.issued | 2023-05-12 | |
| dc.description.abstract | In recent years the world has witnessed a dramatic increase in cyberattacks. The threat landscape is evolving at an unprecedented pace, leaving organizations exposed. Intrusion Detection Systems (IDSs) monitor and protect the networks under threat, and they must evolve faster than attackers to defend current systems consistently and robustly. The main goal of this work is to show the benefit of including Microsoft (MS) Windows Events (MSWEs) in current IDSs, taking advantage of the full range of available data types: MSWEs provide an in-depth representation of the behaviour of MS Windows machines. The proposed system implements dynamic extraction of both host and network features; the only user-defined parameter of the feature extraction is the total number of features to extract. In addition, the system selects a fixed set of host and network features. The clustering stage runs three clustering algorithms simultaneously to detect outliers, and the system explores four outlier-detection methods to overcome the difficulty of detecting multiple victims of the same attack. The proposed system is evaluated on a public synthetic dataset containing both data types, and the metrics achieved by the different outlier-detection methods are compared with those of similar approaches to demonstrate the benefit of including MSWEs. The results show an increase of 3% in F-score and 5% in recall, with the same precision, compared with the best-performing similar approach, underlining the contribution of this work to the field of IDSs. | por |
| dc.identifier.tid | 203659090 | |
| dc.identifier.uri | http://hdl.handle.net/10400.26/59859 | |
| dc.language.iso | eng | |
| dc.rights.uri | N/A | |
| dc.subject | Cybersecurity | |
| dc.subject | Machine learning | |
| dc.subject | Intrusion Detection System | |
| dc.subject | Security Analytics | |
| dc.subject | NetFlow | |
| dc.subject | Logs | |
| dc.title | Clustering Dynamically-Defined NetFlow and Windows Event Features for Intrusion Detection | por |
| dc.type | master thesis | |
| dspace.entity.type | Publication | |
| thesis.degree.grantor | Academia Militar | |
| thesis.degree.name | Mestrado em Engenharia Electrónica Militar (Master's in Military Electronic Engineering) | |
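The abstract above describes the pipeline only at a high level: per-host features are extracted from NetFlow and Windows events, with the user fixing only the number of dynamically chosen features, and the resulting vectors are clustered to find outliers, with special care for attacks that hit several victims at once. The following is an added illustration of that pipeline, not the thesis's own code. Everything in it is an assumption made for the example: the records are constructed; the feature-selection rule (three fixed counts plus the n most frequent destination ports or event IDs); the two detectors (a nearest-neighbour-distance rule and a 2-means "minority cluster" rule with a one-third size threshold); and the host names. Running it shows the two points the abstract makes: with NetFlow alone the only informative column is byte volume, so the clustering splits on that and flags two benign low-volume hosts while missing both victims, whereas with the Windows-event columns added the minority cluster is exactly the two victims. It also shows why multiple victims are hard: the two compromised hosts share an attack profile, so a per-point nearest-neighbour rule ranks them as the least anomalous hosts and flags nothing.

```python
"""Added illustration (not the thesis's code): per-host feature extraction from
NetFlow and Windows event records, then two clustering-style outlier detectors.
All records below are constructed for the example."""
import math
import statistics
from collections import Counter

HOSTS = ["ws01", "ws02", "ws03", "ws04", "ws05", "ws06"]

# Constructed NetFlow records: (source host, destination port, bytes).
# Every host shows the same benign profile: two HTTPS flows and one DNS flow.
NETFLOW = [
    ("ws01", 443, 12000), ("ws01", 53, 300), ("ws01", 443, 9000),
    ("ws02", 443, 11000), ("ws02", 53, 280), ("ws02", 443, 8000),
    ("ws03", 443, 10000), ("ws03", 53, 310), ("ws03", 443, 9500),
    ("ws04", 443, 13000), ("ws04", 53, 290), ("ws04", 443, 8500),
    ("ws05", 443, 11500), ("ws05", 53, 305), ("ws05", 443, 9200),
    ("ws06", 443, 11450), ("ws06", 53, 300), ("ws06", 443, 9250),
]

# Constructed Windows Security events: (host, event ID). Every host logs a few
# 4624 (logon) / 4634 (logoff); ws05 and ws06 additionally log bursts of 4625
# (failed logon) and 4688 (process creation), i.e. two victims of one attack.
WINEVENTS = (
    [(h, eid) for h in HOSTS for eid in (4624, 4634) for _ in range(3)]
    + [("ws05", 4625)] * 40 + [("ws05", 4688)] * 25
    + [("ws06", 4625)] * 38 + [("ws06", 4688)] * 24
)


def extract_features(netflow, winevents, n_dynamic):
    """Fixed features: flow count, byte total and event count per host.
    Dynamic features (assumed rule): per-host counts of the n_dynamic most
    frequent categorical values (destination port or event ID) in the data.
    Returns (feature names, {host: vector})."""
    hosts = sorted({r[0] for r in netflow} | {e[0] for e in winevents})
    cats = Counter([("port", r[1]) for r in netflow] + [("event", e[1]) for e in winevents])
    dynamic = [c for c, _ in cats.most_common(n_dynamic)]
    names = ["flows", "bytes", "events"] + [f"{kind}:{val}" for kind, val in dynamic]
    vectors = {}
    for h in hosts:
        flows = [r for r in netflow if r[0] == h]
        events = [e for e in winevents if e[0] == h]
        per_cat = Counter([("port", r[1]) for r in flows] + [("event", e[1]) for e in events])
        vectors[h] = [len(flows), sum(r[2] for r in flows), len(events)] + [per_cat[c] for c in dynamic]
    return names, vectors


def standardise(vectors):
    """Z-score every column; a constant column becomes 0 so it carries no weight."""
    hosts = sorted(vectors)
    out = {h: [] for h in hosts}
    for col in zip(*(vectors[h] for h in hosts)):
        m = sum(col) / len(col)
        s = math.sqrt(sum((x - m) ** 2 for x in col) / len(col))
        for h, x in zip(hosts, col):
            out[h].append((x - m) / s if s else 0.0)
    return out


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_neighbour_outliers(z, factor=2.0):
    """Flag hosts whose nearest-neighbour distance exceeds factor x the median.
    Blind to several victims with the same profile: they are each other's
    nearest neighbour and look like the densest part of the data."""
    hosts = sorted(z)
    nn = {h: min(dist(z[h], z[o]) for o in hosts if o != h) for h in hosts}
    median = statistics.median(nn.values())
    return {h for h, d in nn.items() if d > factor * median}


def small_cluster_outliers(z):
    """2-means with deterministic farthest-first seeding; members of the minority
    cluster are outliers when it holds at most a third of the hosts (assumed
    threshold). Several victims with one profile land in the same small cluster."""
    hosts = sorted(z)
    mean = [sum(v) / len(hosts) for v in zip(*(z[h] for h in hosts))]
    centroids = [mean, z[max(hosts, key=lambda h: dist(z[h], mean))]]
    assignment = {}
    for _ in range(100):
        new = {h: min((0, 1), key=lambda i: dist(z[h], centroids[i])) for h in hosts}
        if new == assignment:
            break
        assignment = new
        for i in (0, 1):
            members = [z[h] for h in hosts if assignment[h] == i]
            if members:
                centroids[i] = [sum(v) / len(members) for v in zip(*members)]
    small = min((0, 1), key=lambda i: sum(1 for h in hosts if assignment[h] == i))
    flagged = {h for h in hosts if assignment[h] == small}
    return flagged if 3 * len(flagged) <= len(hosts) else set()


def detect(netflow, winevents, n_dynamic=4):
    """Run both detectors; returns (feature names, NN flags, small-cluster flags)."""
    names, vectors = extract_features(netflow, winevents, n_dynamic)
    z = standardise(vectors)
    return names, nearest_neighbour_outliers(z), small_cluster_outliers(z)


if __name__ == "__main__":
    for label, events in (("NetFlow only", []), ("NetFlow + Windows events", WINEVENTS)):
        names, nn, sc = detect(NETFLOW, events)
        print(f"{label}: features={names}")
        print(f"  nearest-neighbour flags={sorted(nn)}  small-cluster flags={sorted(sc)}")
```

With the Windows-event columns present, `small_cluster_outliers` returns {ws05, ws06} and `nearest_neighbour_outliers` returns nothing; with NetFlow alone the minority cluster is the two lowest-volume benign hosts, ws02 and ws03. The feature names also show the dynamic selection at work: once events are included, the four most frequent categorical values are all event IDs, so the detector never had to be told that 4625 or 4688 matter.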
