Detecting Localised Anomalous Behaviour in a Computer Network

  • Melissa Turcotte
  • Nicholas Heard
  • Joshua Neil
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8819)


Temporal monitoring of computer network data for statistical anomalies provides a means for detecting malicious intruders. The high volumes of traffic typically flowing through these networks can make detecting important changes in structure extremely challenging. In this article, agile algorithms which readily scale to large networks are provided, assuming conditionally independent node and edge-based statistical models. As a first stage, changes in the data streams arising from edges (pairs of hosts) in the network are detected. A second stage analysis combines any anomalous edges to identify more general anomalous substructures in the network. The method is demonstrated on the entire internal computer network of Los Alamos National Laboratory, comprising approximately 50,000 hosts, using a data set which contains a real, sophisticated cyber attack. This attack is quickly identified from amongst the huge volume of data being processed.
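The two-stage scheme sketched in the abstract, as an added example that is not the paper's own code or model: each edge's count stream is scored against a smoothed Poisson baseline (an assumption standing in for the paper's conditionally independent edge models), and the flagged edges are then joined into connected components as candidate anomalous substructures. Host names and counts are constructed.

```python
import math
from collections import defaultdict

# Constructed sample: per-edge event counts (e.g. connections per hour) between
# hosts, a short baseline history followed by one monitored window.
HISTORY = {
    ("h1", "h2"): [5, 6, 4, 5, 7, 5, 6],
    ("h2", "h3"): [1, 0, 1, 2, 1, 0, 1],
    ("h3", "h4"): [0, 1, 0, 0, 1, 0, 0],
    ("h5", "h6"): [3, 4, 3, 2, 3, 4, 3],
    ("h7", "h8"): [0, 0, 1, 0, 0, 0, 0],
}
OBSERVED = {("h1", "h2"): 6, ("h2", "h3"): 9, ("h3", "h4"): 7,
            ("h5", "h6"): 3, ("h7", "h8"): 6}

def poisson_sf(count, rate):
    """P(X >= count) for X ~ Poisson(rate): upper-tail probability of the observed count."""
    cdf = sum(math.exp(-rate) * rate ** k / math.factorial(k) for k in range(count))
    return max(0.0, 1.0 - cdf)

def edge_pvalues(history, observed, prior_rate=0.5):
    """Stage one: an upper-tail p-value per edge under a smoothed Poisson baseline (assumed model)."""
    out = {}
    for edge, counts in history.items():
        # pseudo-count smoothing so a rarely seen edge does not get a zero rate
        rate = (sum(counts) + prior_rate) / (len(counts) + 1)
        out[edge] = poisson_sf(observed.get(edge, 0), rate)
    return out

def anomalous_substructures(pvalues, alpha=0.01):
    """Stage two: union flagged edges into connected components, returned as sorted host lists."""
    flagged = [e for e, p in pvalues.items() if p < alpha]
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in flagged:
        parent[find(a)] = find(b)
    comps = defaultdict(set)
    for a, b in flagged:
        comps[find(a)].update((a, b))
    return sorted(sorted(c) for c in comps.values())

if __name__ == "__main__":
    print(anomalous_substructures(edge_pvalues(HISTORY, OBSERVED)))
```

The h2-h3 and h3-h4 edges are each anomalous on their own, but stage two reports them as one three-host substructure, which is the kind of localised anomaly the abstract refers to.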





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Melissa Turcotte (1, 2)
  • Nicholas Heard (3)
  • Joshua Neil (1)

  1. Los Alamos National Laboratory, ACS-PO, Los Alamos, USA
  2. Los Alamos National Laboratory, CNLS, Los Alamos, USA
  3. Imperial College London and Heilbronn Institute, University of Bristol, UK
