skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness

Abstract

A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent ("UHCA") may also be used to detect anomalous behavior.

Inventors:
; ; ; ; ; ;
Publication Date:
Research Org.:
Los Alamos National Lab. (LANL), Los Alamos, NM (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1409817
Patent Number(s):
9,825,979
Application Number:
15/419,673
Assignee:
Los Alamos National Security, LLC (Los Alamos, NM) LANL
DOE Contract Number:  
AC52-06NA25396
Resource Type:
Patent
Resource Relation:
Patent File Date: 2017 Jan 30
Country of Publication:
United States
Language:
English
Subject:
97 MATHEMATICS AND COMPUTING

Citation Formats

Neil, Joshua Charles, Fisk, Michael Edward, Brugh, Alexander William, Hash, Curtis Lee, Storlie, Curtis Byron, Uphoff, Benjamin, and Kent, Alexander. Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness. United States: N. p., 2017. Web.
Neil, Joshua Charles, Fisk, Michael Edward, Brugh, Alexander William, Hash, Curtis Lee, Storlie, Curtis Byron, Uphoff, Benjamin, & Kent, Alexander. Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness. United States.
Neil, Joshua Charles, Fisk, Michael Edward, Brugh, Alexander William, Hash, Curtis Lee, Storlie, Curtis Byron, Uphoff, Benjamin, and Kent, Alexander. Tue . "Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness". United States. doi:. https://www.osti.gov/servlets/purl/1409817.
@article{osti_1409817,
title = {Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness},
author = {Neil, Joshua Charles and Fisk, Michael Edward and Brugh, Alexander William and Hash, Curtis Lee and Storlie, Curtis Byron and Uphoff, Benjamin and Kent, Alexander},
abstractNote = {A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent ("UHCA") may also be used to detect anomalous behavior.},
doi = {},
journal = {},
number = ,
volume = ,
place = {United States},
year = {Tue Nov 21 00:00:00 EST 2017},
month = {Tue Nov 21 00:00:00 EST 2017}
}

Patent:

Save / Share:

Works referenced in this record:

Systems And Methods For A Simulated Network Attack Generator
patent-application, December 2009


A survey of coordinated attacks and collaborative intrusion detection
journal, February 2010

  • Zhou, Chenfeng Vincent; Leckie, Christopher; Karunasekera, Shanika
  • Computers & Security, Vol. 29, Issue 1, p. 124-140
  • DOI: 10.1016/j.cose.2009.06.008

Botnets: A survey
journal, February 2013

  • Silva, S√©rgio S. C.; Silva, Rodrigo M. P.; Pinto, Raquel C. G.
  • Computer Networks, Vol. 57, Issue 2, p. 378-403
  • DOI: 10.1016/j.comnet.2012.07.021

Identifying botnets by capturing group activities in DNS traffic
journal, January 2012


The link-prediction problem for social networks
journal, January 2007

  • Liben-Nowell, David; Kleinberg, Jon
  • Journal of the American Society for Information Science and Technology, Vol. 58, Issue 7, p. 1019-1031
  • DOI: 10.1002/asi.20591

Adaptive ROC-based ensembles of HMMs applied to anomaly detection
journal, January 2012