Detecting Localised Anomalous Behaviour in a Computer Network

  • Conference paper
Advances in Intelligent Data Analysis XIII (IDA 2014)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 8819)

Abstract

Temporal monitoring of computer network data for statistical anomalies provides a means for detecting malicious intruders. The high volumes of traffic typically flowing through these networks can make detecting important changes in structure extremely challenging. In this article, agile algorithms which readily scale to large networks are provided, assuming conditionally independent node and edge-based statistical models. As a first stage, changes in the data streams arising from edges (pairs of hosts) in the network are detected. A second stage analysis combines any anomalous edges to identify more general anomalous substructures in the network. The method is demonstrated on the entire internal computer network of Los Alamos National Laboratory, comprising approximately 50,000 hosts, using a data set which contains a real, sophisticated cyber attack. This attack is quickly identified from amongst the huge volume of data being processed.
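The two-stage scheme the abstract describes can be made concrete with a small, self-contained illustration. The code below is an added example, not code from the paper or its authors: stage one tests each edge's current event count independently against a baseline estimated from that edge's own history (a plain Poisson upper-tail test is assumed here, standing in for whatever conditionally independent edge model the paper uses), and stage two joins the flagged edges that share a host into connected substructures and ranks them, so that a chain or fan of anomalous edges stands out from an isolated spike. The host names, counts, the `RATE_FLOOR` pseudo-rate for never-before-seen edges, and the per-edge threshold `alpha` are all constructed for the illustration.

```python
import math
from collections import defaultdict

RATE_FLOOR = 0.5   # assumed pseudo-rate for edges with no history (a new edge is itself notable)

# Constructed sample data (not from the paper): per-edge event counts over four
# historical windows, then the count observed in the current window.
HISTORY = {
    ("h1", "h2"): [10, 12, 9, 11],
    ("h2", "h3"): [5, 4, 6, 5],
    ("h4", "h5"): [20, 18, 22, 21],
    ("h7", "h8"): [3, 2, 4, 3],
}
CURRENT = {
    ("h1", "h2"): 11,     # within its usual range
    ("h2", "h3"): 5,      # within its usual range
    ("h4", "h5"): 19,     # within its usual range
    ("h7", "h8"): 30,     # isolated spike with no anomalous neighbour
    ("h1", "h9"): 6,      # previously unseen edge ...
    ("h9", "h10"): 4,     # ... continuing from h9 ...
    ("h10", "h11"): 5,    # ... forming a connected anomalous path
}


def poisson_upper_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam), via the complement of the lower tail."""
    if k <= 0:
        return 1.0
    term = math.exp(-lam)   # P(X = 0)
    cdf = 0.0
    for i in range(k):
        cdf += term
        term *= lam / (i + 1)
    return max(0.0, 1.0 - cdf)


def score_edges(history, current, rate_floor=RATE_FLOOR):
    """Stage 1: one independent test per edge against that edge's own baseline rate."""
    scores = {}
    for edge, count in current.items():
        past = history.get(edge, [])
        lam = sum(past) / len(past) if past else 0.0
        scores[edge] = poisson_upper_tail(count, max(lam, rate_floor))
    return scores


def anomalous_edges(scores, alpha):
    """Edges whose upper-tail p-value falls below the per-edge threshold."""
    return {e for e, p in scores.items() if p < alpha}


def connected_substructures(edges):
    """Stage 2: group anomalous edges that share a host (union-find on hosts)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for src, dst in edges:
        parent[find(src)] = find(dst)
    groups = defaultdict(list)
    for e in edges:
        groups[find(e[0])].append(e)
    return [sorted(g) for g in groups.values()]


def detect(history, current, alpha=0.01, min_edges=2):
    """Run both stages; return substructures with at least min_edges anomalous edges,
    ranked by the sum of -log10(p) over their edges (a simple combined score)."""
    scores = score_edges(history, current)
    flagged = anomalous_edges(scores, alpha)
    result = []
    for comp in connected_substructures(flagged):
        if len(comp) < min_edges:
            continue
        hosts = sorted({h for e in comp for h in e})
        score = sum(-math.log10(max(scores[e], 1e-300)) for e in comp)
        result.append({"hosts": hosts, "edges": comp, "score": round(score, 2)})
    result.sort(key=lambda r: r["score"], reverse=True)
    return result


if __name__ == "__main__":
    for sub in detect(HISTORY, CURRENT):
        print(sub)
```

With the constructed input, stage one flags four edges (the h7-h8 spike and the three new edges from h1), and stage two reports only the connected h1-h9-h10-h11 path as a substructure, since `min_edges=2` leaves the lone h7-h8 spike as a single-edge alert for separate triage. The `rate_floor` matters: with a baseline of zero, any activity on a new edge would get a p-value of exactly zero, so a small pseudo-rate keeps new edges comparable to bursts on known ones.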

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Turcotte, M., Heard, N., Neil, J. (2014). Detecting Localised Anomalous Behaviour in a Computer Network. In: Blockeel, H., van Leeuwen, M., Vinciotti, V. (eds) Advances in Intelligent Data Analysis XIII. IDA 2014. Lecture Notes in Computer Science, vol 8819. Springer, Cham. https://doi.org/10.1007/978-3-319-12571-8_28

  • DOI: https://doi.org/10.1007/978-3-319-12571-8_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12570-1

  • Online ISBN: 978-3-319-12571-8

  • eBook Packages: Computer Science (R0)