Detection of security threats through NetFlow analysis

Project Description

Michele's research deals with the detection of security threats through aggregate network information, specifically Cisco's NetFlow format. NetFlow provides a summary of the communications in a network (one record per flow, carrying endpoints, ports, protocol, packet and byte counts and timing, but no payload) and avoids the large amount of processing power required by deep packet inspection (DPI). Moreover, since NetFlow does not require inspection of packet contents, it is considered privacy friendly. On the other hand, moving from packet granularity to the NetFlow record causes a substantial loss of information and makes the detection of cyber-attacks challenging.

The research currently focuses on the detection of illegitimate cryptocurrency mining caused by malware infection (cryptojacking). This type of attack has attracted threat actors' interest, with mining malware entering the top 10 most wanted malware in 2018. Even if the effects of malicious mining are not as disruptive as those of other threats such as ransomware, the cumulative effect of large-scale unauthorized cryptocurrency mining in an enterprise environment can be significant: it consumes computational resources and causes business-critical assets to slow down or stop functioning effectively. These reasons, together with the current high interest in cryptocurrencies, are the main arguments for investigating new techniques for detecting illegitimate mining activities through network traffic analysis.
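To make concrete what "detection at NetFlow granularity" means, the following is an added illustration, not the project's own detector or its results. It assumes that a miner's session with a mining pool shows up in flow records as a long-lived TCP connection with many small packets and low, steady throughput in both directions (the Stratum-style pattern of periodic job notifications and share submissions), and it works only from the fields a NetFlow export carries: no payload is available, which is exactly the information loss the paragraph above describes. The Flow type, the SAMPLE_FLOWS records, the thresholds and the rule that the private-address endpoint is the client are all constructed assumptions for this example.

```python
"""Flow-level cryptojacking heuristic over constructed NetFlow-style records.

Added illustration, not the project's own detector. Assumption: a miner's
pool session appears as a long-lived TCP flow with tiny packets and low,
steady throughput in both directions. All thresholds are illustrative.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional NetFlow-style record (subset of the v5 fields)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int          # 6 = TCP
    packets: int
    nbytes: int
    duration_s: float


# Constructed sample export (not real data). 10.0.0.5 holds two ~30 min,
# low-rate, small-packet sessions to 203.0.113.7:3333; 10.0.0.6 does a short
# bulk HTTPS download and a tiny HTTPS request.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 49152, 3333, 6, 1800, 162000, 1790.0),
    Flow("203.0.113.7", "10.0.0.5", 3333, 49152, 6, 1750, 140000, 1790.0),
    Flow("10.0.0.5", "203.0.113.7", 49153, 3333, 6, 1820, 163800, 1800.0),
    Flow("203.0.113.7", "10.0.0.5", 3333, 49153, 6, 1760, 140800, 1800.0),
    Flow("10.0.0.6", "198.51.100.20", 50000, 443, 6, 4000, 5500000, 12.0),
    Flow("198.51.100.20", "10.0.0.6", 443, 50000, 6, 2500, 150000, 12.0),
    Flow("10.0.0.6", "198.51.100.20", 50001, 443, 6, 30, 4000, 0.5),
    Flow("198.51.100.20", "10.0.0.6", 443, 50001, 6, 25, 60000, 0.5),
]

MIN_DURATION_S = 600.0      # pool sessions stay up for many minutes
MAX_AVG_PKT_BYTES = 200     # job notifications / share submissions are tiny
MAX_RATE_BPS = 2000.0       # low, steady throughput in both directions


def pair_directions(flows):
    """Join unidirectional records into (client, server, records) groups.

    Records sharing the same two (ip, port) endpoints are grouped. The client
    is assumed to be the private-address endpoint (miners inside the
    monitored network, pools outside); ties fall back to the higher port.
    """
    groups = defaultdict(list)
    for f in flows:
        key = frozenset([(f.src, f.sport), (f.dst, f.dport)])
        groups[key].append(f)
    paired = []
    for key, recs in groups.items():
        ends = sorted(
            key,
            key=lambda e: (not ipaddress.ip_address(e[0]).is_private, -e[1]),
        )
        paired.append((ends[0], ends[1], recs))
    return paired


def looks_like_mining(client, server, recs):
    """True if both directions are long-lived, tiny-packet and low-rate TCP."""
    if any(r.proto != 6 for r in recs):
        return False
    fwd = [r for r in recs if (r.src, r.sport) == client]
    rev = [r for r in recs if (r.src, r.sport) == server]
    if not fwd or not rev:
        return False            # only one direction exported: cannot judge
    for direction in (fwd, rev):
        packets = sum(r.packets for r in direction)
        nbytes = sum(r.nbytes for r in direction)
        # Active timeouts split a long flow into consecutive records, so the
        # per-record durations add up to the session length.
        duration = sum(r.duration_s for r in direction)
        if packets == 0 or duration < MIN_DURATION_S:
            return False
        if nbytes / packets > MAX_AVG_PKT_BYTES:
            return False
        if nbytes / duration > MAX_RATE_BPS:
            return False
    return True


def suspect_hosts(flows):
    """Return {client_ip: ["server_ip:port", ...]} for hosts with mining-like flows."""
    hits = defaultdict(list)
    for client, server, recs in pair_directions(flows):
        if looks_like_mining(client, server, recs):
            hits[client[0]].append(f"{server[0]}:{server[1]}")
    return dict(hits)


if __name__ == "__main__":
    print(suspect_hosts(SAMPLE_FLOWS))
```

On the sample export only 10.0.0.5 is reported, with both of its sessions to 203.0.113.7:3333. The bulk HTTPS download fails the average-packet-size and rate checks and the small request fails the duration check. The point of the example is the limitation as much as the detection: without payload, a long-lived chat-style or keepalive connection with the same shape would be flagged too, which is why a flow-based detector needs additional features or whitelisting before it is usable in production.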

Keywords

NetFlow, NIDS, Cryptojacking

Project Participants

Prof. Dr. Pavel Laskov - Supervisor
Professor - Data and Application Security, Academic Director MSc IS - Liechtenstein Business School

Michele Russo - PhD Student

Prof. Dr. Aikaterini Mitrokotsa - Co-Supervisor