Anomalous parameter settings to insert an anomaly on

Source: Nicholas Heard and Niall M. Adams (eds.), Data Analysis for Network Cyber-security, Imperial College Press, 2014 (EBSCO eBook Collection, AN 779681); chapter "Statistical Detection of Intruders Within Computer Networks", pages 92–94. Copyright © 2014 Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.

topology and the attack path taken over that topology.

Anomalous Parameter Settings. To insert an anomaly on a star, path, or caterpillar, we modify the historic parameters in each edge of the anomalous shape before simulating, but use the historic parameters for all other edges in the network. In the OMM simulation, the parameters on the anomaly shape were adjusted by letting $p_{01}^{\mathrm{anom}} = \hat{p}_{01} + 0.2$ on each of the anomalous path edges (see Table 3.1). This increase was arrived at after consulting with cyber-security experts, whose intuition was that likely attacker behavior could be to transition to the active state once every two minutes. We choose to be more conservative, by inserting a one-in-five-minute anomaly.

Table 3.1. Anomalous parameter change for simulations. P is an anomalous $p_{01}$ change, M is an anomalous $\mu$ change, and B is a change to both $p_{01}$ and $\mu$.

  Type   Anomalous parameter change
  P      $p_{01}^{\mathrm{anom}} = \hat{p}_{01} + 0.2$
  M      $\mu^{\mathrm{anom}} = \hat{\mu} + 1$
  B      $p_{01}^{\mathrm{anom}} = \hat{p}_{01} + 0.2$, $\mu^{\mathrm{anom}} = \hat{\mu} + 1$

In the HMM simulations, we introduce three types of anomalies, summarized in Table 3.1. The high-state mean was raised in the M and B anomaly types, reflecting the fact that an attacker may act in a way that increases the historic mean by one count per minute. All parameters not mentioned in each type are left at their historic settings.

Scanning Procedure. Once the data has been generated for a specific anomaly shape and model choice, for each of the 100 days of scanning:

(1) Slide a window of length 30 minutes over the day, offsetting each consecutive window by ten minutes. These choices were made after consulting with experts and examining real attacks. Thirty minutes is sufficient to capture many attack behaviors, but not so long that the true attack is buried in non-attack data. The ten-minute offset was chosen to balance processing time with quick response time, since shorter offsets require more processing, but longer offsets mean longer delays between alarms.

(2) Within each window, select the edges of the entire data set for which there was at least one nonzero count in the window. This creates a subgraph of the overall graph.

(3) For this subgraph, enumerate all 3-paths, and calculate their p-values.

(4) If any path in this window has a p-value below the threshold, record all such paths, and examine no further windows for this day.

The idea behind Step 4 is that once an anomaly is detected, the system would pass the results to an analyst. This analyst would possibly shut down the machines involved, and determine what, if any, true malicious activity was present, before allowing the machines back on the network. Therefore,
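The following is an added example, not code from the chapter or its authors. It implements the Table 3.1 anomaly insertion (P, M and B types) on the edges of a 3-path, a minimal two-state Markov chain per edge that stands in for the OMM simulation, and the four-step scan: 30-minute windows offset by 10 minutes, the subgraph of edges with a nonzero count in the window, enumeration of 3-paths, and stopping the day at the first window with a path below threshold. The per-edge p-value (a binomial upper tail on the chain's stationary activity rate), Fisher's method for combining the three edge p-values, the 3-path definition (three edges, four distinct nodes), the threshold of $10^{-3}$, the historic parameter values and the per-minute counts are all assumptions constructed for the demonstration; the chapter's own OMM/HMM statistics are not reproduced here.

```python
"""Added example (not the chapter's own code): Table 3.1 anomaly insertion,
a two-state-chain simulator standing in for the OMM, and the four-step
sliding-window scan. Every statistic here is a labelled stand-in."""
import random
from collections import defaultdict
from math import comb, exp, factorial, log

WINDOW, OFFSET, MINUTES = 30, 10, 1440   # step 1 choices; one day of minutes
THRESHOLD = 1e-3                         # assumed alarm threshold (not from the chapter)

# Constructed historic estimates per directed edge: p01 = P(inactive->active),
# p10 = P(active->inactive), mu = high-state mean count.
HISTORIC = {e: {"p01": 0.05, "p10": 0.5, "mu": 2.0} for e in
            [("A", "B"), ("B", "C"), ("C", "D"), ("B", "E"), ("E", "F"), ("D", "A")]}
ANOMALY_PATH = [("A", "B"), ("B", "C"), ("C", "D")]   # the 3-path carrying the anomaly

def inject_anomaly(historic, shape_edges, kind):
    """Table 3.1: P adds 0.2 to p01, M adds 1 to mu, B does both; other edges keep history."""
    params = {e: dict(v) for e, v in historic.items()}
    for e in shape_edges:
        if kind in ("P", "B"):
            params[e]["p01"] = historic[e]["p01"] + 0.2
        if kind in ("M", "B"):
            params[e]["mu"] = historic[e]["mu"] + 1
    return params

def simulate_day(params, rng):
    """Assumed OMM stand-in: each edge is a two-state Markov chain, 1 = active minute."""
    counts = {}
    for e, p in params.items():
        state, seq = 0, []
        for _ in range(MINUTES):
            flip = p["p01"] if state == 0 else p["p10"]
            state = 1 - state if rng.random() < flip else state
            seq.append(state)
        counts[e] = seq
    return counts

def edge_pvalue(active_minutes, p):
    """Assumed per-edge statistic: P(Bin(WINDOW, q) >= k) with q = p01/(p01+p10),
    the chain's stationary activity rate. Treats minutes as independent (a simplification)."""
    q = p["p01"] / (p["p01"] + p["p10"])
    return sum(comb(WINDOW, j) * q**j * (1 - q) ** (WINDOW - j)
               for j in range(active_minutes, WINDOW + 1))

def chi2_sf_6df(x):
    """Chi-square survival function with 6 d.f. (closed form for even d.f.)."""
    return exp(-x / 2) * sum((x / 2) ** j / factorial(j) for j in range(3))

def path_pvalue(pvals):
    """Fisher's method over the three edge p-values: -2*sum(ln p) ~ chi-square(6)."""
    return chi2_sf_6df(-2 * sum(log(max(p, 1e-300)) for p in pvals))

def three_paths(edges):
    """Step 3: all simple directed 3-edge paths a->b->c->d in the active subgraph."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
    return sorted((a, b, c, d) for a, b in edges
                  for c in adj[b] if c not in (a, b)
                  for d in adj[c] if d not in (a, b, c))

def scan_day(counts, historic, threshold=THRESHOLD):
    """Steps 1-4 for one day; returns the first flagged window or None."""
    for start in range(0, MINUTES - WINDOW + 1, OFFSET):          # step 1
        window = {e: c[start:start + WINDOW] for e, c in counts.items()}
        active = [e for e, c in window.items() if any(c)]        # step 2
        flagged = []
        for path in three_paths(active):                          # step 3
            edges = list(zip(path, path[1:]))
            pv = path_pvalue(edge_pvalue(sum(1 for v in window[e] if v), historic[e])
                             for e in edges)
            if pv < threshold:                                    # step 4
                flagged.append((path, pv))
        if flagged:                                               # stop for this day
            return {"window_start": start, "paths": flagged}
    return None

def constructed_day():
    """Constructed counts: path edges active 05:00-05:29, sparse background elsewhere."""
    counts = {e: [0] * MINUTES for e in HISTORIC}
    for e in ANOMALY_PATH:
        counts[e][300:330] = [1] * 30
    counts[("D", "A")][5] = counts[("D", "A")][100] = 1
    counts[("B", "E")][302] = counts[("B", "E")][303] = 1
    return counts

if __name__ == "__main__":
    print("constructed day:", scan_day(constructed_day(), HISTORIC))
    simulated = simulate_day(inject_anomaly(HISTORIC, ANOMALY_PATH, "P"), random.Random(7))
    print("simulated day:", scan_day(simulated, HISTORIC))
```

On the constructed day the scan raises its first alarm at the window starting at minute 280, the first window that overlaps the burst on A→B→C→D, and reports that path alone: the background edge D→A is active in earlier windows but a single edge forms no 3-path. The scan is always scored against the historic parameters; the injected parameters are used only to generate the data, which mirrors the chapter's setup of perturbing the shape's edges before simulating while the detector keeps its historic estimates.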