Abstract: This document describes a system and method for detecting the presence of Internet of Things (IoTs) from network traffic that has undergone a Network Address Translation (NAT) process, i.e., NATed network traffic, regardless of whether the network traffic comprises IP Flow Information Export (IPFIX) type of traffic or Domain Name System (DNS) type of traffic. Such a capability is crucial as the adoption rate of IoTs have increased exponentially over the past few years. In order to protect IoTs from cyber-attacks, one would first have to understand what type of IoTs are being used, and how many/how widely used these IoTs are. Once the IoT landscape has been defined, cyber defenders may then dedicate resources to identify and subsequently address vulnerabilities that may be in these IoTs.

Abstract: System and method for detecting domain names that exhibit Domain Generation Algorithm (DGA) like behaviours from a stream of Domain Name System (DNS) records. In particular, this document describes a system comprising a deep learning classifier (DL-C) module for receiving and filtering the stream of DNS records before the filtered DNS records, which have been determined to possess domain names that exhibit DGA behaviour are provided to a series filter-classifier (SFC) module. The SFC module then groups the records into various series based on source IP, destination IP and time. For each series, it then filters away records that do not exhibit the dominant DGA characteristics of the series. Finally, for each series, it makes use of the remaining DNS records' timestamps to generate a time series of DGA occurrences and then, using this time series of occurrences, determine the number of DGA bursts throughout the time period of analysis.

Abstract: This document discloses a system and method for detecting and classifying potential malicious network behaviours or characteristics contained within data traffic. In particular, this document discloses a system comprising a data pre-processing module for processing the received data traffic before the processed data traffic is provided to an alert module communicatively connected to the data pre-processing module. The alert module, which comprises a trained autoencoder and a classifier neural network trained via self-taught learning, then determines, based on a set of partially labelled training data, whether potential malicious network behaviours that typically present themselves as network traffic anomalies are contained within the processed data traffic.

Abstract: This document describes a system and method for detecting domain names that exhibit Domain Generation Algorithm (DGA) like behaviours from a stream of Domain Name System (DNS) records. In particular, this document describes a system comprising a deep learning classifier (DL-C) module for receiving and filtering the stream of DNS records before the filtered DNS records, which have been determined to possess domain names that exhibit DGA behaviour are provided to a series filter-classifier (SFC) module. The SFC module then groups the records into various series based on source IP, destination IP and time. For each series, it then filters away records that do not exhibit the dominant DGA characteristics of the series. Finally, for each series, it makes use of the remaining DNS records' timestamps to generate a time series of DGA occurrences and then, using this time series of occurrences, determine the number of DGA bursts throughout the time period of analysis.

Abstract: This document discloses a system and method for detecting and classifying potential malicious network behaviours or characteristics contained within data traffic. In particular, this document discloses a system comprising a data pre-processing module for processing the received data traffic before the processed data traffic is provided to an alert module communicatively connected to the data pre-processing module. The alert module, which comprises a trained autoencoder and a classifier neural network trained via self-taught learning, then determines, based on a set of partially labelled training data, whether potential malicious network behaviours that typically present themselves as network traffic anomalies are contained within the processed data traffic.