
Poisson-Based Anomaly Detection for Identifying Malicious User Behaviour

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 9395)

Abstract

Malicious user behaviour that triggers neither an access violation nor a data-leak alert is difficult to detect. An intruder conducting espionage with stolen login credentials will first try to stay undetected: silently collect data from the company network and use only the resources the stolen account is authorised to access. To deal with such cases, this paper proposes a Poisson-based anomaly detection algorithm. Two additional measures make it possible to achieve high detection rates while reducing the number of false positive alerts: (1) checking the probability first for the group and then for single users, and (2) selecting the threshold automatically. To validate the proposed approach, we developed a dedicated simulation testbed that emulates user behaviour in a virtual network environment. The proof-of-concept implementation has been integrated into our SIEM prototype, the Real-time Event Analysis and Monitoring System, where emulated Active Directory logs from a Microsoft Windows domain are extracted and normalised into the Object Log Format for further processing and anomaly detection. In the experiments, the algorithm detected all events related to malicious activity and produced zero false positives. Designed as a module for our self-developed SIEM system based on the SAP HANA in-memory database, the solution is capable of processing high volumes of data and shows high efficiency on the experimental dataset.


Notes

  1. An insider could also intentionally avoid moving large portions of data or copying it to untrusted storage, so as to stay undetected by a Data Leak Prevention system.

  2. Comma-separated values.

  3. Before the analysis is executed, the captured Windows Events need to be parsed and filtered. In this step, we extracted 1958 filtered events available for the analysis.

  4. E.g., for a small enterprise with up to 10 users and only a few logon events per day on the company's sole internal server, it hardly makes sense to set the time interval to less than 1 day, while for a big company with thousands of employees it could be reasonable to count logon events per minute.

  5. The number of anomalies for different values of \(threshold_{user}\) can be calculated in a similar way.

  6. Similarly, we use Algorithm 2 to find the optimal value of \(threshold_{user}\). However, this value must be precomputed before Algorithm 2 is executed, so there are no suspicious user groups yet to check on line 5 of Algorithm 2. We therefore disable this criterion when determining the optimal threshold value and calculate the Poisson probability on lines 6–7 of Algorithm 2 for all {user, workstation} pairs.

  7. The curvature of a function interpolated from discrete data points, e.g. the number of suspicious groups or anomalies for different threshold values.
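The abstract's two measures (group check before per-user check, automatic threshold selection) and notes 5–7 are illustrated by the following added example; it is not code from the paper or from the REAMS system. The logon counts, the user grouping, the one-interval-back baseline and the discrete-curvature knee rule are all my assumptions, since the page gives neither the dataset nor Algorithm 2 itself.

```python
from math import exp, factorial

# Constructed sample (not the paper's dataset): logon counts per {user, workstation} pair
# over 7 daily intervals; the first 6 form the baseline, the 7th is the interval checked.
HISTORY = {
    ("alice", "ws-01"): [3, 4, 2, 3, 4, 3, 3],
    ("alice", "ws-07"): [0, 0, 0, 0, 0, 0, 5],   # first ever logons to this workstation
    ("bob",   "ws-02"): [5, 6, 4, 5, 6, 5, 5],
    ("carol", "ws-03"): [1, 2, 1, 1, 2, 1, 9],   # sharp jump in logon count
    ("dave",  "ws-04"): [2, 2, 3, 2, 2, 3, 2],
}
# Assumed grouping of users; the page does not say how the paper forms user groups.
GROUPS = {"sales": ["alice", "bob"], "research": ["carol", "dave"]}

def poisson_pmf(k, lam):
    """P(X = k) for a Poisson variable with mean lam; lam == 0 means 'never observed'."""
    if lam == 0:
        return 1.0 if k == 0 else 0.0
    return exp(-lam) * lam ** k / factorial(k)

def pair_probabilities(history):
    """Probability of each pair's latest count under that pair's own historical mean."""
    return {pair: poisson_pmf(c[-1], sum(c[:-1]) / len(c[:-1]))
            for pair, c in history.items()}

def group_probabilities(history, groups):
    """Same check on the summed logon counts of all pairs whose user is in the group."""
    probs = {}
    for name, users in groups.items():
        series = [c for (u, _), c in history.items() if u in users]
        totals = [sum(col) for col in zip(*series)]
        probs[name] = poisson_pmf(totals[-1], sum(totals[:-1]) / len(totals[:-1]))
    return probs

def detect(history, groups, threshold_group, threshold_user):
    """Group check first; single pairs are examined only inside suspicious groups."""
    suspicious = {g for g, p in group_probabilities(history, groups).items() if p < threshold_group}
    members = {u for g in suspicious for u in groups[g]}
    return sorted(pair for pair, p in pair_probabilities(history).items()
                  if pair[0] in members and p < threshold_user)

def knee_threshold(history, candidates):
    """Assumed reading of note 7: candidate at the knee (max discrete curvature) of anomalies vs. threshold."""
    probs = list(pair_probabilities(history).values())
    y = [sum(p < t for p in probs) for t in candidates]        # anomalies per threshold
    curv = []
    for i in range(1, len(y) - 1):
        d1, d2 = (y[i + 1] - y[i - 1]) / 2, y[i + 1] - 2 * y[i] + y[i - 1]
        curv.append(abs(d2) / (1 + d1 ** 2) ** 1.5)            # curvature of y at index i
    return candidates[1 + curv.index(max(curv))]
```

With threshold_group = 0.05 both groups are suspicious and both the new-workstation pair and carol's jump are reported; with threshold_group = 0.02 the sales group passes the group check and alice's pair is never examined, which is exactly the filtering effect of checking the group first.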


Corresponding author: Andrey Sapegin.


© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Sapegin, A., Amirkhanyan, A., Gawron, M., Cheng, F., Meinel, C. (2015). Poisson-Based Anomaly Detection for Identifying Malicious User Behaviour. In: Boumerdassi, S., Bouzefrane, S., Renault, É. (eds) Mobile, Secure, and Programmable Networking. MSPN 2015. Lecture Notes in Computer Science, vol 9395. Springer, Cham. https://doi.org/10.1007/978-3-319-25744-0_12

  • DOI: https://doi.org/10.1007/978-3-319-25744-0_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25743-3

  • Online ISBN: 978-3-319-25744-0
