A Likelihood Ratio Detector for Identifying Within-Perimeter Computer Network Attacks

The rapid detection of attackers within firewalls of enterprise computer networks is of paramount importance. Anomaly detectors address this problem by quantifying deviations from baseline statistical models of normal network behavior and signaling an intrusion when the observed data deviates significantly from the baseline model. However, many anomaly detectors do not take into account plausible attacker behavior. As a result, anomaly detectors are prone to a large number of false positives due to unusual but benign activity. This paper first introduces a stochastic model of attacker behavior which is motivated by real world attacker traversal. Then, we develop a likelihood ratio detector that compares the probability of observed network behavior under normal conditions against the case when an attacker has possibly compromised a subset of hosts within the network. Since the likelihood ratio detector requires integrating over the time each host becomes compromised, we illustrate how to use Monte Carlo methods to compute the requisite integral. We then present Receiver Operating Characteristic (ROC) curves for various network parameterizations that show for any rate of true positives, the rate of false positives for the likelihood ratio detector is no higher than that of a simple anomaly detector and is often lower. We conclude by demonstrating the superiority of the proposed likelihood ratio detector when the network topologies and parameterizations are extracted from real-world networks.
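As an added toy illustration of the idea in the abstract (this is not the paper's code or its model), the following compares a likelihood ratio detector that integrates over an unknown compromise time by Monte Carlo against a simple max z-score anomaly detector. It assumes a single host emitting Poisson per-slot event counts, a uniform prior on the compromise time, a jump from rate `lam0` to `lam1` after compromise, and constructed count sequences; all of these choices are my assumptions.

```python
import math
import random

def _log_poisson(k, lam):
    # log P(X = k) for X ~ Poisson(lam)
    return k * math.log(lam) - lam - math.lgamma(k + 1)

def _log_mean_exp(values):
    # log of the mean of exp(values), computed stably
    m = max(values)
    return m + math.log(sum(math.exp(v - m) for v in values) / len(values))

def log_likelihood_ratio(counts, lam0, lam1, n_samples=2000, seed=0):
    """Log LR of 'compromised at some unknown time tau' vs 'always benign'.

    counts[k] is the event count (e.g. new hosts contacted) in slot [k, k+1).
    Assumed model: tau ~ Uniform(0, T); rate lam0 before tau, lam1 after it,
    mixed proportionally within the slot that contains tau. The marginal
    likelihood under the attack hypothesis is a Monte Carlo average of
    P(counts | tau_i) over sampled compromise times.
    """
    rng = random.Random(seed)
    T = len(counts)
    log_null = sum(_log_poisson(c, lam0) for c in counts)
    log_alt_samples = []
    for _ in range(n_samples):
        tau = rng.uniform(0, T)
        ll = 0.0
        for k, c in enumerate(counts):
            frac = min(max(k + 1 - tau, 0.0), 1.0)  # fraction of slot k after tau
            ll += _log_poisson(c, lam0 * (1 - frac) + lam1 * frac)
        log_alt_samples.append(ll)
    return _log_mean_exp(log_alt_samples) - log_null

def max_zscore(counts, lam0):
    """Simple anomaly detector: largest per-slot deviation from the baseline."""
    return max((c - lam0) / math.sqrt(lam0) for c in counts)

# Constructed sample data: a benign one-off burst (e.g. a backup job) versus a
# sustained, moderate elevation of the kind an attacker traversing the network
# would produce after compromising the host around slot 3.
LAM0, LAM1 = 2.5, 7.0
BENIGN_SPIKE = [2, 3, 1, 12, 2, 3, 2, 1]
SUSTAINED = [2, 3, 1, 6, 7, 6, 8, 7]

if __name__ == "__main__":
    for name, seq in (("benign spike", BENIGN_SPIKE), ("sustained", SUSTAINED)):
        print(f"{name:13s} max z = {max_zscore(seq, LAM0):5.2f}  "
              f"log LR = {log_likelihood_ratio(seq, LAM0, LAM1):6.2f}")
```

The z-score detector ranks the benign burst as the more suspicious sequence, while the likelihood ratio, which weighs the whole post-compromise pattern against a plausible attacker model, ranks the sustained elevation far higher and assigns the burst a negative log ratio.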
