Abstract
Malicious user behaviour that triggers neither an access violation nor a data-leak alert is difficult to detect. An intruder conducting espionage with stolen login credentials will first try to stay undetected: silently collect data from the company network and use only the resources the compromised account is authorised to access. To deal with such cases, this paper proposes a Poisson-based anomaly detection algorithm. Two additional measures make it possible to achieve high detection rates while reducing the number of false positive alerts: (1) checking the probability first for the user's group and only then for single users, and (2) selecting the threshold automatically. To evaluate the approach, we developed a dedicated simulation testbed that emulates user behaviour in a virtual network environment. The proof-of-concept implementation has been integrated into our SIEM prototype, the Real-time Event Analysis and Monitoring System (REAMS), where the emulated Active Directory logs from a Microsoft Windows domain are extracted and normalised into the Object Log Format for further processing and anomaly detection. In our experiments the algorithm detected all events related to the malicious activity and produced zero false positives. Designed as a module for our self-developed SIEM system on top of the SAP HANA in-memory database, the solution can process high volumes of data and performs efficiently on the experimental dataset.
Notes
- 1.
An insider could also intentionally avoid moving large portions of data or copying them to untrusted storage, in order to stay undetected by a Data Leak Prevention (DLP) system.
- 2.
Comma-separated values.
- 3.
Before the analysis is executed, the captured Windows Events need to be parsed and filtered. In this step we extracted 1958 filtered events available for the analysis.
- 4.
E.g., for a small enterprise with up to 10 users and few logon events per day on the company's single internal server, it hardly makes sense to set the time interval to less than one day, whereas for a big company with thousands of employees it can be reasonable to count logon events per minute.
- 5.
The number of anomalies for different values of \(threshold_{user}\) can be calculated in a similar way.
- 6.
Similarly, we use Algorithm 2 to find the optimal value of \(threshold_{user}\). However, this value must be precomputed before Algorithm 2 is executed, so at that point there are no suspicious user groups yet (they are checked on line 5 of Algorithm 2). Therefore, we disable this criterion when determining the optimal threshold value and calculate the Poisson probability on lines 6–7 of Algorithm 2 for all {user, workstation} pairs.
- 7.
The curvature of a function interpolated through discrete data points, e.g. the number of suspicious groups or anomalies for different threshold values.
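The scheme described in the abstract and in notes 4–7 (counting logons per {user, workstation} pair per time interval, scoring the count with a Poisson probability, checking the group before the single user, and choosing the thresholds automatically) can be reconstructed in a few dozen lines. The following is an added worked example on constructed logon records; it is not code from the paper or from REAMS, and it makes several assumptions the page does not pin down: one interval is one day; suspicion is judged per {group, workstation} pair and then per {user, workstation} pair on the same workstation; the "Poisson probability" is taken as the upper tail P(X ≥ k) under the baseline mean rate; pairs never seen in the baseline get an assumed rate floor of 0.05; and the threshold is placed in the middle of the widest flat stretch of the anomaly-count curve (the largest gap between consecutive sorted log-probabilities), a simpler stand-in for the curvature criterion of note 7. All user names, groups, hostnames and the (interval, user, workstation) record layout are invented.

```python
"""Poisson-based detection of anomalous logons: group check first, then user,
with both thresholds picked automatically. Added example, not the paper's code."""
import math
from collections import Counter

# Constructed directory data (assumption: every user belongs to one group).
GROUPS = {"alice": "finance", "bob": "finance", "dave": "finance",
          "carol": "it", "erin": "it", "frank": "hr"}

# Assumed rate floor for pairs never seen in the baseline: with lambda = 0 every
# first-time logon would get p = 0 and all of them would look equally bad.
RATE_FLOOR = 0.05


def build_sample_events():
    """Constructed logon records as (interval, user, workstation).

    Intervals 1..10 are the baseline (one interval = one day, cf. note 4);
    interval 11 is analysed. Habits are exact so the example is deterministic.
    Day-11 extras: a stolen 'alice' credential used on several hosts, and one
    benign case (bob on alice's workstation) the group check should suppress.
    """
    habits = {("alice", "FIN-WS01"): 3, ("bob", "FIN-WS02"): 2,
              ("dave", "FIN-WS03"): 2, ("carol", "IT-SRV01"): 5,
              ("carol", "IT-WS01"): 2, ("erin", "IT-WS02"): 3,
              ("frank", "HR-WS01"): 2, ("frank", "HR-SRV01"): 1}
    events = []
    for day in range(1, 12):
        for (user, ws), n in habits.items():
            events += [(day, user, ws)] * n
        if day % 2 == 0:                  # alice uses FIN-SRV01 every other day
            events.append((day, "alice", "FIN-SRV01"))
    events += [(11, "alice", "FIN-SRV01"), (11, "alice", "FIN-SRV01"),
               (11, "alice", "HR-SRV01"), (11, "alice", "IT-SRV01"),
               (11, "bob", "FIN-WS01")]
    return events


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam); small values mean 'far more than usual'."""
    if k <= 0:
        return 1.0
    # pmf(0..k-1) summed in log space so large counts do not overflow
    cdf = sum(math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
              for i in range(k))
    return max(0.0, 1.0 - cdf)


def probabilities(events, baseline, window, key):
    """Tail probability of each key's logon count in `window`, given the mean
    count per baseline interval for that key (floored by RATE_FLOOR)."""
    totals = Counter(key(u, w) for d, u, w in events if d in baseline)
    observed = Counter(key(u, w) for d, u, w in events if d == window)
    return {k: poisson_tail(n, max(totals[k] / len(baseline), RATE_FLOOR))
            for k, n in observed.items()}


def auto_threshold(probs):
    """Threshold in the middle of the widest flat stretch of the anomaly-count
    curve, i.e. the largest gap between consecutive sorted log-probabilities.
    A simpler stand-in for the curvature criterion the paper uses (note 7)."""
    logs = sorted({math.log10(p) for p in probs if p > 0})
    if len(logs) < 2:
        return 1.0
    _, lo, hi = max((hi - lo, lo, hi) for lo, hi in zip(logs, logs[1:]))
    return 10 ** ((lo + hi) / 2)


def detect(events, baseline, window, groups):
    """Group-then-user Poisson check over one analysis window."""
    p_group = probabilities(events, baseline, window, lambda u, w: (groups[u], w))
    p_user = probabilities(events, baseline, window, lambda u, w: (u, w))
    t_group = auto_threshold(p_group.values())
    t_user = auto_threshold(p_user.values())   # note 6: over all pairs, ungated
    suspicious = {gw for gw, p in p_group.items() if p < t_group}
    # A user's pair is only examined when its {group, workstation} pair is suspicious
    gated = {uw: p for uw, p in p_user.items()
             if (groups[uw[0]], uw[1]) in suspicious and p < t_user}
    ungated = {uw: p for uw, p in p_user.items() if p < t_user}
    return {"threshold_group": t_group, "threshold_user": t_user,
            "suspicious_groups": suspicious, "anomalies": gated,
            "anomalies_without_group_check": ungated}


if __name__ == "__main__":
    res = detect(build_sample_events(), range(1, 11), 11, GROUPS)
    print(f"thresholds: group={res['threshold_group']:.3f} user={res['threshold_user']:.3f}")
    for (user, ws), p in sorted(res["anomalies"].items()):
        print(f"ANOMALY {user}@{ws} p={p:.4f}")
    print("suppressed by group check:",
          sorted(set(res["anomalies_without_group_check"]) - set(res["anomalies"])))
```

On this sample the three logons made with alice's credential (a spike on FIN-SRV01, which she is authorised to use, plus first-ever logons to HR-SRV01 and IT-SRV01) are flagged, while bob's first logon to alice's workstation is improbable for bob alone but ordinary for the finance group as a whole and is therefore dropped by the group check. Two caveats follow directly from the construction: an insider who abuses only resources the group already uses heavily is invisible to the group gate, so the ungated user-level result is still worth keeping as a lower-priority signal; and for pairs never seen in the baseline the score is decided entirely by the assumed rate floor, so the baseline must be long enough for the chosen interval (note 4) and the floor reviewed rather than taken from this example.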
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Sapegin, A., Amirkhanyan, A., Gawron, M., Cheng, F., Meinel, C. (2015). Poisson-Based Anomaly Detection for Identifying Malicious User Behaviour. In: Boumerdassi, S., Bouzefrane, S., Renault, É. (eds) Mobile, Secure, and Programmable Networking. MSPN 2015. Lecture Notes in Computer Science, vol 9395. Springer, Cham. https://doi.org/10.1007/978-3-319-25744-0_12
DOI: https://doi.org/10.1007/978-3-319-25744-0_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25743-3
Online ISBN: 978-3-319-25744-0