Intuitively, independence among the edges in a 2-path (and in a 3-path) makes sense in the following way. In this chapter, the network is measured at the connection layer, layer 4 of the OSI model (Stallings, 1987), not at layer 3, which is the layer at which packets are routed. That is, end-to-end communications are measured. There is very little reason for a computer to generate connections to further computers as a result of being communicated with by some originating computer. There are exceptions, as will be apparent below, but these exceptions tend to be interesting in their own right. Detecting such flows is not a bad thing but a good thing, since attackers tend to produce correlated flows where there should be none. After the authors pointed out these highly correlated edges connected in a 2-path, network security personnel examined the behavior in detail.

This study utilized LANL NetFlow records over a 30-day period. For each edge, the data consist of a per-minute recording of the indicator variable that is 1 if there is activity on that edge in that minute and 0 otherwise. This results in a sequence of 40,320 binary values for each edge. The sample correlation between pairs of edges connected in a 2-path was calculated. In this data set there were a total of 311,411 2-paths. Correlation was chosen as the measure used to gauge independence since, for binary random variables, a correlation equal to zero implies independence. Admittedly, the independence assumption is being violated here, and the task then is to evaluate how severely the assumption is violated in the data. It is clear from the results that this assumption is not far from reality, and it is likely that this model will suffice for this application. In Figure 3.4 we plot the empirical cumulative distribution function (CDF) of the absolute values of these correlation statistics.
Half of all correlations were less than 0.003 in absolute value, and only 1 in 1000 had an R² value larger than 6% (an R² of 6% corresponds to |r| ≈ 0.24). Note that under the independence assumption, the path GLRT is expressed as

$$\lambda_\gamma = \sum_{e \in \gamma} \lambda_e \qquad (3.2)$$

where $\lambda_e$ are the GLRT scores on each edge in window $\gamma$.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing: eBook Collection (EBSCOhost). Heard, Nicholas and Adams, Niall M. (eds), Data Analysis for Network Cyber-security.
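The independence check described above, as an added example on constructed data (this is not code from the chapter or from LANL): it builds a per-minute 0/1 indicator series for each of a handful of edges, enumerates the 2-paths, computes the sample correlation of every connected pair, and reports the median |r| and the share of 2-paths with R² above 6%, the two summary figures quoted in the text. It also checks directly, on the 2×2 table, the fact the text relies on, that for binary variables the largest deviation from independence equals |cov|, so zero correlation means independence. One 2-path (A→B→C) is deliberately built as a relay so that the correlated case shows up. The per-edge score used to demonstrate the additive path GLRT of equation (3.2) is a simplified Bernoulli rate-change likelihood ratio, a stand-in and not the chapter's edge model; the edge names, rates, the 4032-minute length and the seed are all constructed.

```python
"""Edge-independence check for 2-paths via per-minute indicator correlations,
plus the additive path GLRT of equation (3.2). Added example on constructed data."""
from math import log, sqrt
from random import Random

MINUTES = 4032  # constructed: 2.8 days of minutes (the chapter's study used 40,320)

def two_paths(edges):
    """Ordered pairs (x,y),(y,z) of edges sharing the middle node y.
    Out-and-back pairs (z == x) are excluded; that choice is an assumption here."""
    by_src = {}
    for s, d in edges:
        by_src.setdefault(s, []).append((s, d))
    return [((x, y), (y2, z)) for (x, y) in edges
            for (y2, z) in by_src.get(y, []) if z != x]

def pearson(x, y):
    """Sample correlation of two equal-length series; 0.0 if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def independence_gap(x, y):
    """Largest |P(x=a, y=b) - P(x=a)P(y=b)| over the 2x2 table of two 0/1 series.
    For binary variables every cell differs from the product of marginals by
    exactly +/-cov(x, y), so this gap is |cov|: zero correlation means independence."""
    n = len(x)
    px, py = sum(x) / n, sum(y) / n
    gap = 0.0
    for a in (0, 1):
        for b in (0, 1):
            joint = sum(1 for u, v in zip(x, y) if u == a and v == b) / n
            marginal = (px if a else 1 - px) * (py if b else 1 - py)
            gap = max(gap, abs(joint - marginal))
    return gap

def path_correlations(series, paths):
    """|r| for each 2-path, keyed by the path's (edge, edge) tuple."""
    return {(e1, e2): abs(pearson(series[e1], series[e2])) for e1, e2 in paths}

def summarize(abs_r):
    """Median |r| and the share of 2-paths with R^2 above 6%, the figures quoted in the text."""
    vals = sorted(abs_r.values())
    median = vals[len(vals) // 2]
    share_r2_over_6pct = sum(1 for r in vals if r * r > 0.06) / len(vals)
    return median, share_r2_over_6pct

def bernoulli_glrt(window, p0):
    """Simplified stand-in for a per-edge GLRT score lambda_e: twice the log-likelihood
    ratio of the window's observed rate against a baseline rate p0. This is NOT the
    chapter's edge model (Section 3.4); it only gives (3.2) something to add up."""
    k, w = sum(window), len(window)

    def loglik(p):
        p = min(max(p, 1e-9), 1 - 1e-9)  # keep log() finite at rates of 0 or 1
        return k * log(p) + (w - k) * log(1 - p)

    return 2.0 * (loglik(k / w) - loglik(p0))

def path_glrt(edge_scores):
    """Equation (3.2): under independence the path score is the sum of its edge scores."""
    return sum(edge_scores)

def build_series(seed=7):
    """Constructed data: five edges with independent per-minute Bernoulli activity, plus
    edge B->C that relays A->B (fires in the same minute with probability 0.9), so that
    the 2-path A->B->C is the one deliberately correlated pair."""
    rng = Random(seed)
    rates = {("A", "B"): 0.20, ("B", "D"): 0.10, ("C", "E"): 0.05,
             ("D", "E"): 0.15, ("A", "D"): 0.08}
    series = {e: [1 if rng.random() < p else 0 for _ in range(MINUTES)]
              for e, p in rates.items()}
    ab = series[("A", "B")]
    series[("B", "C")] = [1 if (ab[m] and rng.random() < 0.9) or rng.random() < 0.02 else 0
                          for m in range(MINUTES)]
    return series

def run(seed=7, window_minutes=60):
    """Correlation summary over all 2-paths, and the (3.2) path score of A->B->C in the
    first window, using each edge's overall activity rate as its baseline."""
    series = build_series(seed)
    paths = two_paths(list(series))
    abs_r = path_correlations(series, paths)
    median, share = summarize(abs_r)
    relay = (("A", "B"), ("B", "C"))
    scores = [bernoulli_glrt(series[e][:window_minutes], sum(series[e]) / MINUTES)
              for e in relay]
    return abs_r, median, share, path_glrt(scores)

if __name__ == "__main__":
    abs_r, median, share, score = run()
    for path, r in sorted(abs_r.items(), key=lambda kv: -kv[1]):
        print(f"{path[0][0]}->{path[0][1]}->{path[1][1]}: |r| = {r:.3f}")
    print(f"median |r| = {median:.3f}, share with R^2 > 6% = {share:.2f}")
    print(f"path GLRT (3.2) for A->B->C in first window = {score:.3f}")
```

On the constructed data the four genuinely independent 2-paths come out with |r| on the order of 0.02, the relay path near 0.9, which is the shape of Figure 3.4 in miniature: a mass of near-zero correlations and a thin tail. In practice the tail is where to look, since, as the text notes, correlated flows where there should be none are exactly what an attacker pivoting through a host produces.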
Statistical Detection of Intruders Within Computer Networks 81

Fig. 3.4. Empirical CDF of the absolute value of correlations between pairs of edges connected in a 2-path.

3.4. Modeling, Estimation, and Hypothesis Testing

As can be seen in Figure 3.1, it is common in communications between a pair of computers to observe a switching process. Intuitively, for many edges, this switching is caused by the human presence on the network. If a user is present at a machine, she may make nonzero counts on edges emanating from that machine. But in many minutes, even though the user may be