Detecting Localised Anomalous Behaviour in a Computer Network
Temporal monitoring of computer network data for statistical anomalies provides a means of detecting malicious intruders. The high volumes of traffic typically flowing through these networks can make it extremely challenging to detect important changes in network structure. In this article, fast algorithms that readily scale to large networks are provided, assuming conditionally independent node- and edge-based statistical models. In a first stage, changes are detected in the data streams arising from the edges (pairs of hosts) of the network. A second-stage analysis combines any anomalous edges to identify more general anomalous substructures in the network. The method is demonstrated on the entire internal computer network of Los Alamos National Laboratory, comprising approximately 50,000 hosts, using a data set that contains a real, sophisticated cyber attack. This attack is quickly identified from amongst the huge volume of data being processed.
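The two-stage scheme sketched in the abstract, as an added illustration that is not the paper's own code, models or data: stage one scores each edge (pair of hosts) independently against its own baseline, stage two joins the flagged edges into connected substructures and ranks them by combined evidence. The per-edge Poisson model with a +1 pseudocount, the p-value threshold, the host names and the connection counts are all assumptions made for this example; the paper's actual conditionally independent node and edge models are not reproduced here.

```python
"""Two-stage edge-then-substructure anomaly detection on constructed data.

The Poisson-with-pseudocount edge model and all sample counts below are
assumptions for illustration, not the paper's models or data.
"""
from collections import defaultdict
from math import exp, log
from typing import Dict, FrozenSet, List, Tuple

Edge = Tuple[str, str]

# Constructed data: connection counts per (source, destination) host pair in
# five baseline windows, followed by one test window.
BASELINE_WINDOWS: List[Dict[Edge, int]] = [
    {("h1", "h2"): 10, ("h2", "h3"): 4, ("h3", "h4"): 6, ("h5", "h6"): 3, ("h8", "h9"): 1},
    {("h1", "h2"): 12, ("h2", "h3"): 5, ("h3", "h4"): 5, ("h5", "h6"): 2, ("h8", "h9"): 1},
    {("h1", "h2"): 11, ("h2", "h3"): 3, ("h3", "h4"): 7, ("h5", "h6"): 3, ("h8", "h9"): 1},
    {("h1", "h2"): 9,  ("h2", "h3"): 4, ("h3", "h4"): 6, ("h5", "h6"): 2, ("h8", "h9"): 1},
    {("h1", "h2"): 13, ("h2", "h3"): 4, ("h3", "h4"): 6, ("h5", "h6"): 3, ("h8", "h9"): 1},
]
# Test window: h2->h3 and h3->h4 surge and a never-seen edge h4->h7 appears
# (a chain h2->h3->h4->h7); an unrelated edge h8->h9 also spikes on its own.
TEST_WINDOW: Dict[Edge, int] = {
    ("h1", "h2"): 11, ("h2", "h3"): 30, ("h3", "h4"): 25,
    ("h5", "h6"): 3, ("h4", "h7"): 20, ("h8", "h9"): 9,
}


def poisson_sf(k: int, lam: float) -> float:
    """P(X >= k) for X ~ Poisson(lam), computed by direct summation."""
    if k <= 0:
        return 1.0
    term = exp(-lam)            # P(X = 0)
    cdf = term
    for i in range(1, k):       # accumulate P(X <= k-1)
        term *= lam / i
        cdf += term
    return max(0.0, 1.0 - cdf)  # clamp rounding noise below zero


class EdgeModel:
    """Stage 1: one independent Poisson rate per edge, estimated from the
    baseline windows with a +1 pseudocount so that an edge never seen before
    still gets a small non-zero rate (otherwise any new edge scores p = 0)."""

    def __init__(self, windows: List[Dict[Edge, int]]):
        self.n = len(windows)
        self.totals: Dict[Edge, int] = defaultdict(int)
        for w in windows:
            for edge, count in w.items():
                self.totals[edge] += count

    def rate(self, edge: Edge) -> float:
        return (self.totals.get(edge, 0) + 1) / (self.n + 1)

    def p_value(self, edge: Edge, count: int) -> float:
        return poisson_sf(count, self.rate(edge))


def score_edges(model: EdgeModel, window: Dict[Edge, int],
                threshold: float = 1e-3) -> Dict[Edge, float]:
    """Stage 1 output: edges whose observed count is improbably high."""
    flagged: Dict[Edge, float] = {}
    for edge, count in window.items():
        p = model.p_value(edge, count)
        if p < threshold:
            flagged[edge] = p
    return flagged


def connected_components(edges) -> List[FrozenSet[str]]:
    """Union-find over hosts; edges sharing a host (direction ignored) merge."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    groups: Dict[str, set] = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return [frozenset(g) for g in groups.values()]


def find_substructures(model: EdgeModel, window: Dict[Edge, int],
                       threshold: float = 1e-3):
    """Stage 2: join anomalous edges into substructures and rank them by the
    sum of -log p over their edges (larger is more anomalous)."""
    anomalous = score_edges(model, window, threshold)
    result = []
    for comp in connected_components(anomalous):
        comp_edges = sorted(e for e in anomalous if e[0] in comp)
        evidence = sum(-log(max(anomalous[e], 1e-300)) for e in comp_edges)
        result.append((comp, comp_edges, evidence))
    result.sort(key=lambda r: r[2], reverse=True)
    return result


if __name__ == "__main__":
    model = EdgeModel(BASELINE_WINDOWS)
    for hosts, edges, evidence in find_substructures(model, TEST_WINDOW):
        print(f"hosts={sorted(hosts)} edges={edges} evidence={evidence:.1f}")
```

On the constructed data the chain h2, h3, h4, h7 is reported first and the isolated spike h8 to h9 second; the steady edges h1 to h2 and h5 to h6 are never flagged because their test counts sit within their own baselines. The pseudocount matters in practice: without it a brand-new edge would always get p = 0 and every first-seen connection would be an alert.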