Towards Useful Anomaly Detection for Back Office Networks

  • Ömer YükselEmail author
  • Jerry den Hartog
  • Sandro Etalle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10063)


In this paper we present a protocol-aware anomaly detection framework specifically designed for back office networks together with a new automatic method for feature selection that allows to dramatically reduce the false positive rate (FPR) without compromising the detection rate (DR). The system monitors SMB and MS-RPC (the main protocols in back office networks) and takes into consideration specific features of SMB such as the presence of file paths, which are noisy, yet contain information necessary to detect some attacks. As a part of the framework we introduce a new method to cut the FPR by carefully building and selecting the right set of features to be monitored. In back office networks this is a challenging task where manual selection requires carefully exploring the network traffic to choose from numerous potential features. Also features need to be resilient to irregularities in the traffic caused by human involvement. Our framework automates selection utilizing two new metrics to determine the ‘quality’ of a feature: stability, i.e. its robustness to false alarms and granularity, i.e. the relative amount of information contained. Our experiments show a significant improvement in FPR-DR trade-off when our framework is used to select features in detection of network-based exploits and malicious file accesses.


  1. 1.
    Hadžiosmanović, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: N-gram against the machine: on the feasibility of the N-gram network analysis for binary protocols. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 354–373. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-33338-5_18 CrossRefGoogle Scholar
  2. 2.
    Costante, E., Hartog, J., Petković, M., Etalle, S., Pechenizkiy, M.: Hunting the unknown. In: Atluri, V., Pernul, G. (eds.) DBSec 2014. LNCS, vol. 8566, pp. 243–259. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43936-4_16 Google Scholar
  3. 3.
    Costante, E., Etalle, S., Fauri, D., den Hartog, J.I., Zannone, N.: A hybrid framework for data loss prevention and detection. In: Workshop on Research for Insider Threats (2016)Google Scholar
  4. 4.
    Yüksel, O., den Hartog, J., Etalle, S.: Reading between the fields: practical, effective intrusion detection for industrial control systems. In: Proceedings of the 31st Annual ACM Symposium on Applied Computing (SAC 2016), pp. 2063–2070. ACM (2016)Google Scholar
  5. 5.
    Kloft, M., Brefeld, U., Düessel, P., Gehl, C., Laskov, P.: Automatic feature selection for anomaly detection. In: Proceedings of the 1st ACM Workshop on Workshop on AISec (AISec 2008), pp. 71–76, NY, USA. ACM, New York (2008)Google Scholar
  6. 6.
    Gates, C., Li, N., Xu, Z., Chari, S.N., Molloy, I., Park, Y.: Detecting insider information theft using features from file access logs. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 383–400. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-11212-1_22 Google Scholar
  7. 7.
    Bronk, C., Tikk-Ringas, E.: The cyber attack on saudi aramco. Survival 55(2), 81–96 (2013)CrossRefGoogle Scholar
  8. 8.
    Windows Protocols (2016). Accessed 29 Sep 2016
  9. 9.
    Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: Network anomaly detection: methods, systems and tools. IEEE Commun. Surv. Tutor. 16(1), 303–336 (2014)CrossRefGoogle Scholar
  10. 10.
    Kunen, K.: Set Theory An Introduction to Independence Proofs, vol. 102. Elsevier, Amsterdam (2014)zbMATHGoogle Scholar
  11. 11.
    Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection. In: Barbará, D., Jajodia, D. (eds.) Applications of Data Mining in Computer Security. Advances in Information Security, vol. 6, pp. 77–101. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Combs, G., et al.: Wireshark (2015).
  13. 13.
    Guyon, I., Elisseeff, A.: An introduction to variable and feature selection. J. Mach. Learn. Res. 3, 1157–1182 (2003)zbMATHGoogle Scholar
  14. 14.
    Rapid7 LLC: The metasploit framework (2007)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Ömer Yüksel
    • 1
    Email author
  • Jerry den Hartog
    • 1
  • Sandro Etalle
    • 1
    • 2
  1. 1.Eindhoven University of TechnologyEindhovenThe Netherlands
  2. 2.University of TwenteEnschedeThe Netherlands

Personalised recommendations