A likelihood ratio anomaly detector for identifying within-perimeter computer network attacks

The rapid detection of attackers within firewalls of enterprise computer networks is of paramount importance. Anomaly detectors address this problem by quantifying deviations from baseline statistical models of normal network behavior and signaling an intrusion when the observed data deviates significantly from the baseline model. However, many anomaly detectors do not take into account plausible attacker behavior. As a result, anomaly detectors are prone to a large number of false positives due to unusual but benign activity. This paper first introduces a stochastic model of attacker behavior which is motivated by real world attacker traversal. Then, we develop a likelihood ratio detector that compares the probability of observed network behavior under normal conditions against the case when an attacker has possibly compromised a subset of hosts within the network. Since the likelihood ratio detector requires integrating over the time each host becomes compromised, we illustrate how to use Monte Carlo methods to compute the requisite integral. We then present Receiver Operating Characteristic (ROC) curves for various network parameterizations that show for any rate of true positives, the rate of false positives for the likelihood ratio detector is no higher than that of a simple anomaly detector and is often lower. We conclude by demonstrating the superiority of the proposed likelihood ratio detector when the network topologies and parameterizations are extracted from real-world networks.
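As an added illustration (not code from the paper), the following toy Python detector follows the structure described above: a baseline model of per-host event counts, a stochastic attacker-traversal model, and a Monte Carlo average over sampled compromise times in place of the integral, compared against a baseline-only anomaly score. The Poisson count model, the four-host chain network, the spread probability and the sample observations are all constructed assumptions for this example.

```python
import math
import random

# Constructed toy setting (assumptions for this example, not the paper's model):
# four hosts on a chain, each emitting an event count per time step. Normal counts
# are Poisson(LAM0); a compromised host's counts are Poisson(LAM1) from its
# compromise step onwards.
LAM0, LAM1 = 2.0, 6.0
ADJ = {0: [1], 1: [0, 2], 2: [1, 3], 3: [2]}
T = 10

def log_poisson(k, lam):
    return k * math.log(lam) - lam - math.lgamma(k + 1)

def sample_compromise_times(rng, p_spread=0.3):
    """Draw one attacker traversal: a random entry host is compromised at a uniform
    random step; at every later step each uncompromised neighbour of a compromised
    host is reached with probability p_spread. Returns {host: compromise step}."""
    entry = rng.randrange(len(ADJ))
    times = {entry: rng.randrange(T)}
    for t in range(times[entry] + 1, T):
        for h in list(times):
            for nb in ADJ[h]:
                if nb not in times and rng.random() < p_spread:
                    times[nb] = t
    return times

def log_lik(counts, times):
    """Log-likelihood of counts[host][step] given compromise times
    (an empty dict is the normal, no-attacker model)."""
    return sum(log_poisson(k, LAM1 if h in times and t >= times[h] else LAM0)
               for h, row in enumerate(counts) for t, k in enumerate(row))

def log_likelihood_ratio(counts, n_samples=2000, seed=0):
    """Monte Carlo estimate of log(E_attack[P(counts | compromise times)] / P(counts | normal)):
    the integral over compromise times becomes an average over sampled traversals."""
    rng = random.Random(seed)
    lls = [log_lik(counts, sample_compromise_times(rng)) for _ in range(n_samples)]
    m = max(lls)  # log-sum-exp keeps the average numerically stable
    log_attack = m + math.log(sum(math.exp(x - m) for x in lls) / n_samples)
    return log_attack - log_lik(counts, {})

def simple_anomaly_score(counts):
    """Baseline-only detector: surprise (negative log-likelihood) under the normal model."""
    return -log_lik(counts, {})

# Constructed observations: all-normal traffic, a sustained rise on host 1 from step 5
# (attacker-like), and a single-step benign burst on host 3 (unusual but not sustained).
BENIGN = [[2] * T for _ in range(4)]
ATTACK = [r[:] for r in BENIGN]; ATTACK[1][5:] = [10, 12, 9, 11, 10]
BURST = [r[:] for r in BENIGN]; BURST[3][2] = 12
```

With a threshold at a log ratio of 0, the likelihood ratio detector fires on the sustained rise but not on the one-step burst, whereas the baseline-only score rises on the burst as well, which is the false-positive behaviour the abstract attributes to simple anomaly detectors.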
