U.S. Department of Energy
Office of Scientific and Technical Information

Compression Analytics for Classification and Anomaly Detection within Network Communication

Journal Article · IEEE Transactions on Information Forensics and Security
Author affiliation: Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)

The flexibility of network communication within Internet protocols is fundamental to network function, yet this same flexibility permits the possibility of malicious use. In particular, malicious behavior can masquerade as benign traffic, thus evading systems designed to catch misuse of network resources. However, perfect imitation of benign traffic is difficult, meaning that small unintentional deviations from normal can occur. Identifying these deviations requires that the defenders know what features reveal malicious behavior. Herein we present an application of compression-based analytics to network communication that can reduce the need for defenders to know a priori what features they need to examine. Motivating the approach is the idea that compression relies on the ability to discover and make use of predictable elements in information, thereby highlighting any deviations between expected and received content. We introduce a so-called “slice compression” score to identify malicious or anomalous communication in two ways. First, we apply normalized compression distances (NCDs) to classification problems and discuss methods for reducing the noise by excising application content (as opposed to protocol features) using slice compression. Second, we present a new technique for anomaly detection, referred to as slice compression for anomaly detection (SCADe). A diverse collection of datasets is analyzed to illustrate the efficacy of the proposed approaches. While our focus is network communication, other types of data are also considered to illustrate the generality of the method.
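The core mechanism the abstract relies on, as an added illustration that is not code from the paper: a normalized compression distance (NCD, in the Cilibrasi and Vitányi form) computed with zlib scores each incoming message against a body of benign reference traffic, and the message that compression cannot predict from the reference scores highest. The HTTP request lines and the opaque blob are constructed sample input; the paper's slice compression step, which excises application content first, is not reproduced here.

```python
"""NCD-based anomaly scoring for protocol messages (added example, not the paper's code)."""
import zlib


def csize(data: bytes) -> int:
    """Compressed length in bytes, the usual practical stand-in for Kolmogorov complexity."""
    return len(zlib.compress(data, 9))


def ncd(x: bytes, y: bytes) -> float:
    """NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y)).
    Near 0: y is almost fully predictable from x. Near 1: the two share little."""
    cx, cy = csize(x), csize(y)
    return (csize(x + y) - min(cx, cy)) / max(cx, cy)


def http_request(path: str) -> bytes:
    # Constructed benign HTTP/1.1 request; only the path varies between samples.
    return (f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n"
            "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n").encode()


# Constructed benign reference traffic the detector learns the protocol shape from.
BENIGN_REFERENCE = b"".join(http_request(p) for p in (
    "/", "/index.html", "/about.html", "/img/logo.png",
    "/css/site.css", "/js/app.js", "/contact.html", "/news/2018"))

# Constructed test messages: two follow the learned protocol shape, one is an
# opaque blob of about the same length that no part of the reference predicts.
MESSAGES = {
    "benign_a": http_request("/products.html"),
    "benign_b": http_request("/img/banner.jpg"),
    "anomalous": b"x9Q!vT3#kL0@mZ8&pW5^nR2*jH7%bF4$cG1~dS6+eA0=fY|u8Jt4Ei6Oq2Vp7Wc5Xn3Zb9Mr1Kh0Ld8Sg",
}


def anomaly_scores(reference: bytes, messages: dict) -> dict:
    """NCD of each message against the benign reference; higher means more anomalous."""
    return {name: ncd(reference, msg) for name, msg in messages.items()}


def most_anomalous(reference: bytes = BENIGN_REFERENCE, messages: dict = MESSAGES) -> str:
    scores = anomaly_scores(reference, messages)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    ranked = sorted(anomaly_scores(BENIGN_REFERENCE, MESSAGES).items(), key=lambda kv: kv[1])
    for name, score in ranked:
        print(f"{name:10s} NCD={score:.3f}")
```

A fixed threshold on the score is the simplest decision rule; in practice the threshold is calibrated on held-out benign traffic so that normal path and header variation stays below it.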

Research Organization:
Sandia National Laboratories (SNL-NM), Albuquerque, NM (United States)
Sponsoring Organization:
USDOE National Nuclear Security Administration (NNSA)
Grant/Contract Number:
AC04-94AL85000
OSTI ID:
1485466
Report Number(s):
SAND--2018-12123J; 669036
Journal Information:
IEEE Transactions on Information Forensics and Security, Vol. 14, Issue 5; ISSN 1556-6013
Publisher:
IEEE
Country of Publication:
United States
Language:
English

Cited By (1)

A Survey on Using Kolmogorov Complexity in Cybersecurity · Journal Article · December 2019

Figures / Tables (13)