Poisson-Based Anomaly Detection for Identifying Malicious User Behaviour

  • Andrey Sapegin (corresponding author)
  • Aragats Amirkhanyan
  • Marian Gawron
  • Feng Cheng
  • Christoph Meinel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9395)


Malicious user behaviour that triggers neither an access violation nor a data-leak alert is difficult to detect. An intruder who uses stolen login credentials for espionage will first try to stay undetected: silently collect data from the company network and use only the resources the stolen account is authorised to access. To deal with such cases, this paper proposes a Poisson-based anomaly detection algorithm. Two extra measures make it possible to achieve high detection rates while reducing the number of false positive alerts: (1) checking the probability first for the group and then for single users, and (2) selecting the threshold automatically. To validate the proposed approach, we developed a special simulation testbed that emulates user behaviour in a virtual network environment. The proof-of-concept implementation has been integrated into our prototype SIEM system, the Real-time Event Analysis and Monitoring System, where the emulated Active Directory logs from a Microsoft Windows domain are extracted and normalised into Object Log Format for further processing and anomaly detection. The experimental results show that our algorithm detected all events related to malicious activity and produced zero false positives. Designed as a module for our self-developed SIEM system based on the SAP HANA in-memory database, our solution is capable of processing high volumes of data and shows high efficiency on the experimental dataset.
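The abstract names two measures, a group-then-user probability check and automatic threshold selection, without giving the algorithm itself. The following is an added illustration written for this page, not code from the paper or from the REAMS prototype. It assumes that the monitored quantity is the number of distinct network resources each user touched per day (aggregated from normalised logon events), that a user's Poisson rate is the mean of a baseline period, that the group rate is the sum of its members' rates, and that the threshold is set to the smallest tail probability observed anywhere in the baseline so that no normal window would have fired; that last rule is one simple automatic choice and is not claimed to be the paper's. All counts are constructed sample data.

```python
import math
from statistics import mean

# Constructed baseline (not from the paper): for each user of one department
# group, the number of distinct network resources accessed per day over ten
# normal days, as would be aggregated from normalised Active Directory logon
# events in the SIEM.
BASELINE = {
    "alice": [3, 4, 2, 3, 5, 3, 4, 2, 3, 4],
    "bob":   [2, 3, 3, 2, 4, 3, 2, 3, 3, 2],
    "carol": [5, 4, 6, 5, 4, 5, 6, 5, 4, 5],
    "dave":  [1, 2, 1, 2, 1, 2, 1, 1, 2, 1],
}


def poisson_tail(k: int, lam: float) -> float:
    """P(X >= k) for X ~ Poisson(lam): how surprising a count of at least k is."""
    if k <= 0:
        return 1.0
    cdf, term = 0.0, math.exp(-lam)   # term holds P(X = i), starting at i = 0
    for i in range(k):                # accumulate P(X <= k - 1)
        cdf += term
        term *= lam / (i + 1)
    return max(0.0, 1.0 - cdf)        # clamp tiny negative rounding residue


def fit(baseline: dict) -> dict:
    """Estimate per-user and group rates and pick the alert threshold automatically.

    Assumed rule: the threshold is the smallest tail probability seen in the
    baseline, so every normal window is at least as likely as the threshold
    and the detector is silent on its own training period.
    """
    lam_user = {user: mean(counts) for user, counts in baseline.items()}
    lam_group = sum(lam_user.values())  # sum of independent Poissons is Poisson
    n_days = len(next(iter(baseline.values())))
    observed = []
    for day in range(n_days):
        total = sum(counts[day] for counts in baseline.values())
        observed.append(poisson_tail(total, lam_group))
        for user, counts in baseline.items():
            observed.append(poisson_tail(counts[day], lam_user[user]))
    return {"lam_user": lam_user, "lam_group": lam_group, "threshold": min(observed)}


def detect(model: dict, day_counts: dict) -> list:
    """Group first, then single users.

    If the group's total for the day is not improbable, nothing is reported even
    when one member looks mildly unusual on their own; only when the group as a
    whole deviates are individual users examined against the same threshold.
    Returns (user, count, tail_probability) for each flagged user.
    """
    total = sum(day_counts.values())
    if poisson_tail(total, model["lam_group"]) >= model["threshold"]:
        return []
    flagged = []
    for user, k in day_counts.items():
        p = poisson_tail(k, model["lam_user"][user])
        if p < model["threshold"]:
            flagged.append((user, k, p))
    return flagged


if __name__ == "__main__":
    model = fit(BASELINE)
    print("group rate %.1f, auto threshold %.4f" % (model["lam_group"], model["threshold"]))
    # Constructed day on which alice's account is used to sweep many resources.
    print(detect(model, {"alice": 12, "bob": 3, "carol": 5, "dave": 1}))
    # Constructed day on which alice is a little above her norm but the group is not.
    print(detect(model, {"alice": 6, "bob": 2, "carol": 4, "dave": 1}))
```

With the sample baseline the group rate is 12.3 resources per day and the automatically chosen threshold is about 0.237. A day on which alice touches twelve resources makes the group total improbable, and she alone is then flagged; a day on which she touches six would be flagged by a per-user check alone, but the group total of thirteen is unremarkable, so the group-first rule suppresses that alert.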


Keywords: Anomaly detection, Intrusion detection, User behaviour, Authentication



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Andrey Sapegin (1, corresponding author)
  • Aragats Amirkhanyan (1)
  • Marian Gawron (1)
  • Feng Cheng (1)
  • Christoph Meinel (1)

  1. Hasso Plattner Institute (HPI), University of Potsdam, Potsdam, Germany
