DocumentCode
175399
Title
Adaptive Change Detection for Relay-Like Behaviour
Author
Bodenham, Dean Adam ; Adams, Niall M.
Author_Institution
Dept. of Math., Imperial Coll. London, London, UK
fYear
2014
fDate
24-26 Sept. 2014
Firstpage
252
Lastpage
255
Abstract
Detecting anomalous behaviour in network flow data is challenging for a number of reasons, including both the computational demand associated with a large corporate network and the peculiar temporal characteristics of flow data. Relay-like behaviour refers to the rapid commencement of an out-going flow from a network device following the completion of an in-coming flow. This paper develops a computationally efficient and temporally adaptive methodology for detecting relay-like behaviour. The methodology is demonstrated on a real example of NETFLOW data. In addition to providing a detector, further uses of the methodology for combining anomalous events are discussed.
Keywords
security of data; NETFLOW data; adaptive change detection; anomalous behaviour detection; in-coming flow; network device; network flow data; out-going flow; relay-like behaviour; Adaptive estimation; Context; Detectors; Educational institutions; Monitoring; Relays; Servers;
fLanguage
English
Publisher
ieee
Conference_Titel
Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint
Conference_Location
The Hague
Print_ISBN
978-1-4799-6363-8
Type
conf
DOI
10.1109/JISIC.2014.48
Filename
6975585