A likelihood ratio anomaly detector for identifying within-perimeter computer network attacks
详细信息 查看全文
- 作者:Justin Granaa ; jg3705a@student.american.edu" class="auth_mail" title="E-mail the corresponding author ; David Wolpertc ; david.h.wolpert@gmail.com" class="auth_mail" title="E-mail the corresponding author ; Joshua Neild ; joshua.neil@ey.com" class="auth_mail" title="E-mail the corresponding author ; Dongping Xiea ; xdp668@gmail.com" class="auth_mail" title="E-mail the corresponding author ; Tanmoy Bhattacharyab ; tanmoy@santafe.edu" class="auth_mail" title="E-mail the corresponding author ; Russell Bentb ; rbent@lanl.gov" class="auth_mail" title="E-mail the corresponding author
- 关键词:Anomaly detection ; Computer network defense ; Cyber security ; Likelihood ratio detection ; ROC analysis ; Model misspecification
- 刊名:Journal of Network and Computer Applications
- 出版年:2016
- 出版时间:May 2016
- 年:2016
- 卷:66
- 期:Complete
- 页码:166-179
- 全文大小:2251 K
文摘
The rapid detection of attackers within firewalls of enterprise computer networks is of paramount importance. Anomaly detectors address this problem by quantifying deviations from baseline statistical models of normal network behavior and signaling an intrusion when the observed data deviates significantly from the baseline model. However, many anomaly detectors do not take into account plausible attacker behavior. As a result, anomaly detectors are prone to a large number of false positives due to unusual but benign activity. This paper first introduces a stochastic model of attacker behavior which is motivated by real world attacker traversal. Then, we develop a likelihood ratio detector that compares the probability of observed network behavior under normal conditions against the case when an attacker has possibly compromised a subset of hosts within the network. Since the likelihood ratio detector requires integrating over the time each host becomes compromised, we illustrate how to use Monte Carlo methods to compute the requisite integral. We then present Receiver Operating Characteristic (ROC) curves for various network parameterizations that show for any rate of true positives, the rate of false positives for the likelihood ratio detector is no higher than that of a simple anomaly detector and is often lower. We conclude by demonstrating the superiority of the proposed likelihood ratio detector when the network topologies and parameterizations are extracted from real-world networks.