from that machine. But in many minutes, even though the user may be present, she may not be making nonzero counts on this edge, since she may be communicating with some other machine, or not using the network at all. We only know that when she is not there, we will observe 0s on this edge. This presence/absence induces a switching process between a purely 0 count emission and one that admits positive counts. While, intuitively, there will be higher counts in the middle of the day than at night, in this chapter we use homogeneous models for the sake of simplicity. In this section, two models for capturing the switching behavior of the time series on each edge are discussed. In addition, a model for establishing the probability that a connection is observed between two computers that have not communicated in the past is given. We denote this behavior as a new edge. While new edges are observed under non-attack conditions, it is a hallmark of many attacks, and

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
82 J. Neil, C. Storlie, C. Hash and A. Brugh

therefore an important behavior to model. Intuitively, many attackers are not aware of the normal communications patterns in a computer network, and tend to create many new edges as a result. This lack of awareness of normal behavior is a key difference between attackers and defenders, and one defenders must exploit to the fullest.

3.4.1. Observed Markov model

The first and simplest model is a two-state observed Markov model (OMM), which we denote $B_t$. If there was a nonzero count in time bin $t$, then $B_t = 1$, otherwise $B_t = 0$. This model has two parameters, $p_{01} = P(B_t = 1 \mid B_{t-1} = 0)$ and $p_{10} = P(B_t = 0 \mid B_{t-1} = 1)$. Its likelihood is given by

$$L(p_{01}, p_{10} \mid b_1, \ldots, b_N) = (1 - p_{01})^{n_{00}} \, p_{01}^{n_{01}} \, p_{10}^{n_{10}} \, (1 - p_{10})^{n_{11}} \qquad (3.3)$$

where $n_{ij}$ is the number of times that the consecutive pair of states $(i, j)$ was observed in the data. We assume that the initial state is fixed and known. Maximum likelihood estimates are given by

$$\hat{p}_{01} = \frac{n_{01}}{n_{00} + n_{01}} \quad \text{and} \quad \hat{p}_{10} = \frac{n_{10}}{n_{10} + n_{11}}.$$

While this model captures the burstiness, it ignores the distribution of the counts, and also does not reflect the underlying hidden process in many edges, which is that of a user being absent altogether (low state) versus the user being present (high state).

3.4.2. Hidden Markov model

To address the issues not covered by the OMM, we employ a two-state HMM (Rabiner, 1989) with a degenerate distribution at zero for the low state, and a negative binomial emission density in the high state. Negative binomial emission densities do not suffer from the equidispersion property of the Poisson (Pohlmeier and Ulrich, 1995), and a good justification for using them to monitor for anomalies in network counts is given in Lambert and Liu (2006). This model is similar to the hurdle mod-
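The OMM fit in Section 3.4.1 can be carried out end to end in a few lines. The following is an added example, not code from the chapter or its authors: it binarizes a per-bin count series for one edge, tallies the transition counts $n_{ij}$ with the initial state treated as fixed, computes the closed-form estimates $\hat{p}_{01}$ and $\hat{p}_{10}$, and evaluates the log of the likelihood in (3.3). The count series EDGE_COUNTS is constructed for illustration, and the function names are my own. The final comparison in the main block demonstrates the limitation the text points out: because the OMM only sees zero versus nonzero, scaling every count by 10 leaves the fitted model and its likelihood unchanged.

```python
from math import log, isclose
from typing import Dict, List, Tuple

State = int
Pair = Tuple[State, State]

# Constructed sample data (not from the chapter): per-bin counts on one edge.
# Runs of zeros stand for the user being absent; positive bursts for presence.
EDGE_COUNTS: List[int] = [0, 0, 0, 3, 7, 0, 5, 12, 0, 0, 0, 0,
                          0, 2, 9, 4, 0, 0, 0, 0, 0, 1, 0, 0]


def binarize(counts: List[int]) -> List[State]:
    """B_t = 1 if bin t had a nonzero count, otherwise 0."""
    return [1 if c > 0 else 0 for c in counts]


def transition_counts(b: List[State]) -> Dict[Pair, int]:
    """n_ij: how often the consecutive state pair (i, j) occurs in b.
    The first state is treated as fixed and known, so it contributes no pair."""
    n: Dict[Pair, int] = {(0, 0): 0, (0, 1): 0, (1, 0): 0, (1, 1): 0}
    for prev, cur in zip(b, b[1:]):
        n[(prev, cur)] += 1
    return n


def mle(n: Dict[Pair, int]) -> Tuple[float, float]:
    """Closed-form MLEs: p01 = n01/(n00+n01), p10 = n10/(n10+n11).
    If a row of the transition table was never visited the estimate is
    undefined; return NaN rather than silently picking a value."""
    row0 = n[(0, 0)] + n[(0, 1)]
    row1 = n[(1, 0)] + n[(1, 1)]
    p01 = n[(0, 1)] / row0 if row0 else float("nan")
    p10 = n[(1, 0)] / row1 if row1 else float("nan")
    return p01, p10


def log_likelihood(p01: float, p10: float, b: List[State]) -> float:
    """Log of eq. (3.3): sum over observed transitions of the log transition
    probability. A transition whose fitted probability is 0 makes the series
    impossible under the model, so return -inf instead of raising on log(0)."""
    probs: Dict[Pair, float] = {(0, 0): 1 - p01, (0, 1): p01,
                                (1, 0): p10, (1, 1): 1 - p10}
    total = 0.0
    for pair, count in transition_counts(b).items():
        if count == 0:
            continue
        if probs[pair] <= 0.0:
            return float("-inf")
        total += count * log(probs[pair])
    return total


def fit_omm(counts: List[int]) -> Dict[str, float]:
    """Fit the two-state OMM to a count series and return the estimates
    plus the maximised log-likelihood."""
    b = binarize(counts)
    p01, p10 = mle(transition_counts(b))
    return {"p01": p01, "p10": p10, "loglik": log_likelihood(p01, p10, b)}


if __name__ == "__main__":
    fitted = fit_omm(EDGE_COUNTS)
    print(fitted)
    # The OMM looks only at zero vs nonzero: multiplying every count by 10
    # leaves the binary series, the MLEs and the likelihood unchanged.
    scaled = fit_omm([10 * c for c in EDGE_COUNTS])
    print("identical fit after scaling counts:", fitted == scaled)
```

On the constructed series the transition table is $n_{00}=11$, $n_{01}=4$, $n_{10}=4$, $n_{11}=4$, giving $\hat{p}_{01} = 4/15$ and $\hat{p}_{10} = 1/2$. The NaN and -inf handling matters in practice: an edge that was never in the high state during training yields $\hat{p}_{01}=0$, under which the first nonzero bin later is scored as impossible rather than merely unlikely, which is one reason the chapter moves on to a richer model.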