Title :
Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents
Author :
Neil, Joshua ; Uphoff, Benjamin ; Hash, Curtis ; Storlie, Curtis
Author_Institution :
Los Alamos Nat. Lab., Los Alamos, NM, USA
Abstract :
This paper focuses on several important topics related to subgraph anomaly detection for computer networks. First, we briefly discuss a graph-based view of a computer network consisting of nodes (computers) and edges (time series of communications between computers), and how stochastic models of groups of edges can be used to identify local anomalous areas of the network that indicate the traversal of attackers. Next, the concept of a new edge, an edge between two computers that have never communicated before, is introduced, and a model for establishing the probability of such an event is provided. We follow this with a discussion of exponentially weighted moving averages for updating models of edges. Next, because measuring network data for the purposes of anomaly detection is difficult, we discuss a host agent designed specifically to gather this type of data. Finally, the performance of anomaly detection using data collected by this host agent is compared with that achieved using DNS data.
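The abstract describes two mechanisms, new-edge scoring and EWMA updating of per-edge models, without giving formulas. The following Python block is an added, illustrative example written for this record; it is not code from the paper or from Los Alamos National Laboratory. It assumes a concrete model of its own: a Laplace-smoothed per-source rate of creating new edges (the paper's new-edge model is not reproduced here), a standard incremental EWMA mean/variance recurrence for per-window edge counts, a z-score rule with a threshold of 3, a standard-deviation floor of 1 for edges that have been constant, and an alpha of 0.5. The baseline and test windows are constructed sample data; the host names A, B, C, D are placeholders.

```python
"""New-edge detection with EWMA-updated edge models.

Added illustrative example; not code from the ISRCS 2013 paper by
Neil et al.  The smoothed per-source new-edge probability, the EWMA
mean/variance recurrence, the z-score rule and the thresholds are
assumptions chosen to show the mechanics, not the paper's model.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class EdgeState:
    """EWMA estimate of a directed edge's per-window communication count."""
    mean: float
    var: float


@dataclass
class Alert:
    kind: str      # "new_edge" or "volume"
    src: str
    dst: str
    score: float   # -log(probability) for a new edge, |z| for a volume change


class EdgeAnomalyDetector:
    def __init__(self, alpha=0.5, z_threshold=3.0, min_sd=1.0):
        self.alpha = alpha                  # EWMA weight on the newest window (assumed)
        self.z_threshold = z_threshold      # assumed alerting threshold
        self.min_sd = min_sd                # floor so constant edges never divide by zero
        self.edges = {}                     # (src, dst) -> EdgeState
        self.windows = defaultdict(int)     # src -> windows in which src sent anything
        self.new_edge_windows = defaultdict(int)  # src -> windows in which src made a new edge

    def new_edge_probability(self, src):
        """Laplace-smoothed rate at which src has created new edges in past windows.

        Assumed model: a host that rarely talks to new peers makes a new edge
        surprising; a host with no history gets the uninformative value 0.5.
        """
        return (self.new_edge_windows[src] + 1) / (self.windows[src] + 2)

    def observe(self, flows):
        """Ingest one time window of (src, dst, count) records and return alerts."""
        counts = defaultdict(int)
        for src, dst, n in flows:
            counts[(src, dst)] += n
        alerts = []
        sources_with_new_edge = set()

        # 1. New edges: score against the source's history before updating it.
        for (src, dst), n in counts.items():
            if (src, dst) not in self.edges:
                p = self.new_edge_probability(src)
                alerts.append(Alert("new_edge", src, dst, -math.log(p)))
                sources_with_new_edge.add(src)

        # 2. Existing edges: z-score against the EWMA model, then update the model.
        #    An edge that is silent this window is updated with a count of 0.
        for (src, dst), st in self.edges.items():
            n = counts.get((src, dst), 0)
            sd = max(math.sqrt(st.var), self.min_sd)
            z = (n - st.mean) / sd
            if abs(z) > self.z_threshold:
                alerts.append(Alert("volume", src, dst, abs(z)))
            diff = n - st.mean
            st.mean += self.alpha * diff
            st.var = (1 - self.alpha) * (st.var + self.alpha * diff * diff)

        # 3. Seed models for the new edges and record per-source history.
        for (src, dst), n in counts.items():
            if (src, dst) not in self.edges:
                self.edges[(src, dst)] = EdgeState(mean=float(n), var=0.0)
        for src in {s for s, _ in counts}:
            self.windows[src] += 1
            if src in sources_with_new_edge:
                self.new_edge_windows[src] += 1
        return alerts


def local_scores(alerts):
    """Sum alert scores per source host: a crude score for the group of edges around it."""
    out = defaultdict(float)
    for a in alerts:
        out[a.src] += a.score
    return dict(out)


def run_demo():
    det = EdgeAnomalyDetector()
    # Constructed baseline: host A talks to B (10 or 12 per window) and C (5) every window.
    for i in range(8):
        det.observe([("A", "B", 10 + 2 * (i % 2)), ("A", "C", 5)])
    # Constructed test window: A->B jumps in volume and A opens a new edge to D.
    return det.observe([("A", "B", 40), ("A", "C", 5), ("A", "D", 3)])


if __name__ == "__main__":
    for a in run_demo():
        print(a)
    print(local_scores(run_demo()))
```

After eight baseline windows in which A created a new edge only once, the new edge A->D gets probability (1+1)/(8+2) = 0.2, so its score is -ln(0.2); the A->B count of 40 sits far above the EWMA mean of about 11.3 and is reported as a volume alert, while the constant A->C edge stays quiet. Summing per source is the simplest stand-in for the group-of-edges (subgraph) scoring the abstract mentions; the paper's own path and star models are not reproduced here.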
Keywords :
computer network security; graph theory; moving average processes; software agents; computer network attacker detection; computer network graph-based view; edge groups; edge model updating; exponentially weighted moving averages; host agent; local anomalous area identification; new edge concept; subgraph anomaly detection; Computational modeling; Computers; IP networks; Image edge detection; Servers; Testing; Dynamic Graph; Host Agent; Network Attack Detection
Conference_Titel :
Resilient Control Systems (ISRCS), 2013 6th International Symposium on
Conference_Location :
San Francisco, CA
DOI :
10.1109/ISRCS.2013.6623779