These models capture the bursty often human caused

Info icon This preview shows pages 71–73. Sign up to view the full content.

These models capture the bursty, often human-caused, behavior that dominates a large subset of the edges. Individual edge anomalies are common, but the network intrusions we seek to identify always involve coincident anomalies on multiple adjacent edges. We show empirically that adjacent edges are primarily independent and that the likelihood of a subgraph of multiple coincident edges can be evaluated using only models of individual edges. We define a new scan statistic in which subgraphs of specific sizes and shapes (out-stars and 3-paths) are tested. We show that identifying these building-block shapes is sufficient to correctly identify anomalies of various shapes with acceptable false discovery rates in both simulated and real-world examples. 3.1. Introduction In this chapter, we consider the problem of detecting locally anomalous activity in a set of time-dependent data having an underlying graph struc- ture. While the method proposed can be applied to a general setting in which data is extracted from a graph over time, and in which anomalies occur in connected subgraphs, we will focus exclusively on the detection of attacks within a large computer network. Specifically, we are interested in detecting those attacks that create connected subgraphs within which the communications have deviated from historic behavior in some window of time. 71 Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
Image of page 71

Info icon This preview has intentionally blurred sections. Sign up to view the full version.

72 J. Neil, C. Storlie, C. Hash and A. Brugh We start with a discussion of computer network data, and the under- lying graph induced by this network. 3.1.1. Basic graph concepts and computer network data A graph consists of nodes and edges (Kolaczyk, 2009). In the example of a computer network, nodes are computers and edges are a time series of directed communications between computers. In general, data can be collected over time from both nodes and edges. For this chapter, how- ever, we will only consider data extracted from network communications, with node data a subject of future work. The data we will focus on was obtained from NetFlow records (Bensley et al. , 1997; Brownlee et al. , 1997; Phaal et al. , 2001) gathered from one of Los Alamos National Laboratory’s (LANL’s) internal networks, over 30 days in 2010. Internet protocol (IP) addresses define nodes, and counts of connections per minute between IPs define a time series on the directed edge between those nodes, resulting in a total of 558,785 edges. Each edge is directed, in the sense that com- munications are marked with a source and destination, and an edge with reversed source and destination nodes is considered a separate edge from the forward direction. The data is observed every minute, and in a 30-minute period the network graph has in the order of 20,000 active nodes and 90,000 active edges.
Image of page 72
Image of page 73
This is the end of the preview. Sign up to access the rest of the document.
  • Spring '12
  • Kushal Kanwar
  • Graph Theory, Statistical hypothesis testing, Imperial College Press, applicable copyright law

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern