Department of Information Technology (Tietotekniikan laitos)

Cyber Security and Networking

last modified Oct 24, 2016 08:33 AM
For anomaly and cyber-attack detection, the scientific breakthrough is expected to come via the development of advanced mathematical tools that leverage the existing expertise of the MIT Department. Another key characteristic of the research is the use of real data and real cases, offered by companies worldwide, to develop and test these methods.

Detection of Zero-Day Network Attacks

In this research, we focus on the anomaly-based intrusion detection approach. Such an approach learns the features of the event patterns that form normal behavior and detects an intrusion by observing patterns that deviate from the established norms (anomalies). Because systems that use the anomaly detection approach are modeled on normal user behavior, they are able to detect zero-day attacks.

Research Group

Professor Timo Hämäläinen, Jarmo Siltanen (Ph.D.), Mikhail Zolotukhin (Ph.D.), Antti Juvonen (Ph.D.), Payam Vahdani Amoli (Ph.D.), Tero Kokkonen (Ph.D. student), Sanjay Kumar (Ph.D. student)

Research objectives

In this research, we focus on the detection and prevention of various types of attacks against a computer network system, based on the analysis and discovery of patterns extracted from network traffic. Our main objectives can be formulated as follows:

  • Data collection: Inspection of the network traffic of a computer system and collection of different sorts of statistics.
  • Preprocessing: Analysis of the gathered data and extraction of the most relevant features.
  • Analysis: Development of data mining algorithms that construct a model of normal user behavior from the information obtained.
  • Detection: Application of this model, in online mode, to detect intrusions such as HTTP injections, scans, DDoS, botnets, and spreading worms and trojans.
  • Evaluation: Testing the algorithms with the help of the Realistic Global Cyber Environment (RGCE), which generates network traffic automatically from realistic patterns that simulate or replicate end-user traffic.
  • Flow-based detection of scans and brute-force attempts based on the analysis of time series.
  • Detection of malicious software executable files with the help of various machine learning techniques.
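The following is an added example (not code from the research group or any of its publications) that walks the collection, preprocessing, analysis and detection steps listed above in one runnable toy, applied to the flow-based scan detection mentioned in the last bullet. All flow records are constructed here; the hosts, servers and RFC 5737 documentation addresses are assumptions. The "normal behavior model" is the simplest possible one, a per-feature mean and standard deviation learned from benign windows, and the anomaly score is a sum of squared z-scores, so a source host that suddenly opens hundreds of tiny flows to distinct ports lands far outside the learned norm without any scan signature being written.

```python
"""Toy anomaly-based network intrusion detector over NetFlow-style records.

Added example (not the research group's own code). Pipeline:
collection -> feature extraction -> normal-behaviour model -> online detection.
All flow records are constructed; IPs are from RFC 5737 documentation ranges.
"""
from collections import defaultdict
import math

# Feature vector computed per (source host, time window).
FEATURE_NAMES = ("flows", "distinct_dports", "distinct_dsts", "mean_pkts", "mean_bytes")
WINDOW_SECONDS = 60


def make_normal_flows():
    """Constructed benign traffic: five clients talking to three servers on 80/443."""
    servers = ("192.0.2.10", "198.51.100.7", "203.0.113.20")
    flows = []
    for i in range(120):                       # one flow every 5 s for 10 minutes
        pkts = 12 + i % 9
        flows.append((i * 5.0, f"10.0.0.{i % 5 + 1}", servers[i % 3],
                      443 if i % 4 else 80, "tcp", pkts, pkts * 700))
    return flows


def make_scan_flows():
    """Constructed port sweep: one host probes 200 ports on one target with tiny flows."""
    return [(700.0 + k * 0.1, "10.0.0.9", "203.0.113.5", 1 + k, "tcp", 1, 60)
            for k in range(200)]


def extract_features(flows):
    """Preprocessing: aggregate raw flows into per-(src, window) feature vectors."""
    buckets = defaultdict(list)
    for ts, src, dst, dport, _proto, pkts, nbytes in flows:
        buckets[(src, int(ts // WINDOW_SECONDS))].append((dst, dport, pkts, nbytes))
    features = {}
    for key, recs in buckets.items():
        n = len(recs)
        features[key] = {
            "flows": n,
            "distinct_dports": len({r[1] for r in recs}),
            "distinct_dsts": len({r[0] for r in recs}),
            "mean_pkts": sum(r[2] for r in recs) / n,
            "mean_bytes": sum(r[3] for r in recs) / n,
        }
    return features


def fit_profile(feature_vectors):
    """Analysis: model normal behaviour as per-feature mean and standard deviation."""
    profile = {}
    for name in FEATURE_NAMES:
        vals = [fv[name] for fv in feature_vectors]
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / len(vals)
        # Floor the deviation so a constant feature cannot divide by zero.
        profile[name] = (mean, max(math.sqrt(var), 1e-6))
    return profile


def anomaly_score(fv, profile):
    """Sum of squared z-scores: how far a vector lies from the learned norm."""
    return sum(((fv[name] - mean) / std) ** 2 for name, (mean, std) in profile.items())


def detect(flows, profile, threshold):
    """Detection: return (src, window, score) for every vector beyond the threshold."""
    alerts = []
    for (src, win), fv in sorted(extract_features(flows).items()):
        score = anomaly_score(fv, profile)
        if score > threshold:
            alerts.append((src, win, round(score, 1)))
    return alerts


def run_demo():
    """Train on benign flows, then monitor a mixed stream; returns the alerts raised."""
    train = extract_features(make_normal_flows())
    profile = fit_profile(list(train.values()))
    # Threshold taken from training data: nothing seen during training should alert.
    threshold = max(anomaly_score(fv, profile) for fv in train.values())
    monitored = make_normal_flows() + make_scan_flows()
    return detect(monitored, profile, threshold)


if __name__ == "__main__":
    for src, win, score in run_demo():
        print(f"ALERT src={src} window={win} score={score}")
```

Running the module prints a single alert for host 10.0.0.9 in window 11 (the 660 to 720 second slice), while every benign window scores at or below the threshold learned from training. The weak point a practitioner should note is the threshold choice: taking the maximum training score keeps false positives at zero on the training set but says nothing about unseen benign behaviour, which is why the page's objectives end with evaluation on realistic generated traffic rather than on the training data alone.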

Recent publications

  • T. Sipola, A. Juvonen and J. Lehtonen. Anomaly Detection from Network Logs Using Diffusion Maps. Engineering Applications of Neural Networks, IFIP Advances in Information and Communication Technology, Vol. 363, pp. 172–181, 2011.
  • M. Zolotukhin, T. Hämäläinen and A. Juvonen. Online anomaly detection by using N-gram model and growing hierarchical self-organizing maps. Proceedings of the 8th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 47–52, 2012.
  • M. Zolotukhin and T. Hämäläinen. Support Vector Machine Integrated with Game-Theoretic Approach and Genetic Algorithm for the Detection and Classification of Malware. Proceedings of Globecom 2013 Workshop - the 1st International Workshop on Security and Privacy in Big Data, pp. 211–216, 2013.
  • P. Amoli and T. Hämäläinen. A Real Time Unsupervised NIDS for Detecting Unknown and Encrypted Network Attacks in High Speed Network. Proceedings of the 2nd IEEE International Workshop on Measurements and Networking, pp. 149–154, 2013.
  • M. Zolotukhin, T. Hämäläinen, T. Kokkonen and J. Siltanen. Analysis of HTTP requests for anomaly detection of web attacks. Proceedings of the 12th IEEE International Conference on Dependable, Autonomic and Secure Computing, pp. 406–411, 2014.

Advanced Data Analysis

The Advanced Data Analysis (ADA) research group deals with challenging real-world data analysis problems and tasks. The group collaborates with top academic partners in Israel and the USA. We develop methods, techniques and algorithms for data mining, machine learning and anomaly detection in high-dimensional data. The research is applied to real-world problems in various domains.

Research Group

Research Professor Gil David, together with PhD and M.Sc. students

Research objectives

Current activities:

  • Detection of Advanced Persistent Threats
  • Trojans and malware detection
  • Detection of DNS tunneling
  • Process behavior analysis
  • Detection of botnets and malicious communication