The threats faced by government and military networks have grown to the point where conventional perimeter defenses and endpoint security solutions are no longer sufficient. Sooner or later one or more hosts in our networks will fall victim to a targeted attack, so it is essential that we can detect these compromised hosts as quickly as possible in order to limit the impact of the incident.
In this study we will develop a prototype system that combines detection algorithms from the scientific literature with new detection algorithms developed in the context of the study. Both the detectors and the algorithms that aggregate the evidence provided by the individual detectors will implement domain knowledge provided by network security specialists.
Furthermore, the system will not decide on its own which connections are suspicious and which are not. Instead, it will keep a human expert in the decision loop and provide that expert with a visual tool for exploring the available data, guided by the outputs of the detectors.