Using new edges for anomaly detection in computer networks
Abstract
Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.
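The abstract describes the method only at a high level. The following is an added example, not code from the patent or from LANL, showing one way the pieces fit together in Python: per-node baselines of how often each host creates and receives new edges, a probability for each edge (new or existing), a path score that combines those probabilities as a sum of -log p, and a threshold taken from the empirical distribution of path scores on held-out historical days. The host names, logon events, the Poisson model with an independence assumption for new edges, the pseudo-count smoothing, the warm-up day, and the two-hop path enumeration are all constructed assumptions for illustration, not details taken from the patent.

```python
"""Toy implementation of new-edge baselining and path scoring.

Added example, not code from the patent or from LANL.  All hosts, logon
events, smoothing constants and the independence assumption below are
constructed/assumed for illustration."""
from collections import defaultdict
from math import exp, log


def daily_events(day):
    """Constructed server-to-server and workstation traffic that recurs every day."""
    return [(day, "web1", "db1"), (day, "web2", "db1"), (day, "db1", "backup1"),
            (day, "ws3", "mail1"), (day, "ws7", "jump1"), (day, "jump1", "srv1")]


# Constructed history: days 1-10 of (day, source, destination) logon events.
HISTORY = []
for _day in range(1, 11):
    HISTORY += daily_events(_day)
    if _day % 2 == 0:                   # jump host reaches a fresh server every other day
        HISTORY.append((_day, "jump1", f"srv{_day}"))
HISTORY.append((4, "ops1", "jump1"))    # occasional, legitimate new logons into the jump host
HISTORY.append((9, "admin1", "jump1"))
TRAIN_DAYS = 7                          # days 1-7 build the baseline, days 8-10 set the threshold


def build_baseline(events, n_days):
    """Count, per node, how many new edges it created/received and, per edge,
    on how many days it was active.  Day 1 is a warm-up: every edge is
    trivially new then, so it is not counted as new activity (an assumption)."""
    seen, edge_days = set(), defaultdict(int)
    new_out, new_in = defaultdict(int), defaultdict(int)
    for day, src, dst in sorted(set(events)):
        edge_days[(src, dst)] += 1
        if (src, dst) not in seen:
            seen.add((src, dst))
            if day > 1:
                new_out[src] += 1
                new_in[dst] += 1
    return {"n_days": n_days, "edges": seen, "edge_days": edge_days,
            "new_out": new_out, "new_in": new_in}


def edge_prob(base, src, dst, window_days=1):
    """Probability of observing edge src->dst at least once in a time window."""
    if (src, dst) in base["edges"]:
        # Existing edge: Laplace-smoothed fraction of historical days it was active.
        return (base["edge_days"][(src, dst)] + 1) / (base["n_days"] + 2)
    # New edge: treat new-edge creation by src and new-edge receipt by dst as
    # Poisson processes with rates estimated from history (pseudo-count 0.5 keeps
    # never-seen nodes from getting rate 0) and assume the two are independent.
    obs_days = base["n_days"] - 1
    lam_out = (base["new_out"].get(src, 0) + 0.5) / obs_days
    lam_in = (base["new_in"].get(dst, 0) + 0.5) / obs_days
    return (1 - exp(-lam_out * window_days)) * (1 - exp(-lam_in * window_days))


def path_score(base, path):
    """Combine edge probabilities along a path as a sum of -log p (higher = rarer)."""
    return sum(-log(edge_prob(base, u, v)) for u, v in zip(path, path[1:]))


def two_hop_paths(events, day):
    """All u->v->w paths present in one day's events (u != w)."""
    out = defaultdict(set)
    for d, src, dst in events:
        if d == day:
            out[src].add(dst)
    return sorted((u, v, w) for u in out for v in out[u] for w in out.get(v, ()) if w != u)


def empirical_threshold(base, events, days, quantile=0.95):
    """Score every path on known-benign held-out days and take a high quantile."""
    scores = sorted(path_score(base, p) for d in days for p in two_hop_paths(events, d))
    return scores[min(len(scores) - 1, int(quantile * len(scores)))]


def flag_paths(base, events, day, threshold):
    """Return (path, score) for paths whose score exceeds the threshold, rarest first."""
    hits = [(p, round(path_score(base, p), 3)) for p in two_hop_paths(events, day)]
    return sorted([h for h in hits if h[1] > threshold], key=lambda h: -h[1])


BASELINE = build_baseline([e for e in HISTORY if e[0] <= TRAIN_DAYS], TRAIN_DAYS)
THRESHOLD = empirical_threshold(BASELINE, HISTORY, range(TRAIN_DAYS + 1, 11))

# Constructed detection-day traffic: the usual activity, one routine new edge
# from the jump host, and a quiet workstation reaching the database through a
# never-seen host (two new edges in a row).
DAY11 = daily_events(11) + [(11, "jump1", "srv11"), (11, "ws3", "ws9"), (11, "ws9", "db1")]

if __name__ == "__main__":
    print(f"threshold = {THRESHOLD:.3f}")
    for path, score in flag_paths(BASELINE, DAY11, 11, THRESHOLD):
        print(" -> ".join(path), score)
```

Running the script prints the calibrated threshold and the flagged paths. The quiet workstation's route to the database (ws3 -> ws9 -> db1, two new edges whose endpoints have no history of creating or receiving new edges) scores far above the threshold, and the continuation ws9 -> db1 -> backup1 is flagged too because it shares the new edge; the jump host's routine new server connection stays below the threshold because its historical rate of opening new edges is high. With only a few held-out days the 95th percentile collapses to the maximum historical score, which is why a real deployment calibrates over a much longer history.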
- Inventors: Neil, Joshua Charles
- Issue Date: July 2018
- Research Org.: Los Alamos National Lab. (LANL), Los Alamos, NM (United States)
- Sponsoring Org.: USDOE
- OSTI Identifier: 1459412
- Patent Number(s): 10015183
- Application Number: 15/637,475
- Assignee: Los Alamos National Security, LLC (Los Alamos, NM)
- Patent Classifications (CPCs):
  - G - PHYSICS; G06 - COMPUTING; G06F - ELECTRIC DIGITAL DATA PROCESSING
  - H - ELECTRICITY; H04 - ELECTRIC COMMUNICATION TECHNIQUE; H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- DOE Contract Number: AC52-06NA25396
- Resource Type: Patent
- Resource Relation: Patent File Date: 2017 Jun 29
- Country of Publication: United States
- Language: English
- Subject: 97 MATHEMATICS AND COMPUTING
Citation Formats
- Neil, Joshua Charles. Using new edges for anomaly detection in computer networks. United States: N. p., 2018. Web.
- Neil, Joshua Charles. Using new edges for anomaly detection in computer networks. United States.
- Neil, Joshua Charles. 2018. "Using new edges for anomaly detection in computer networks". United States. https://www.osti.gov/servlets/purl/1459412.
@article{osti_1459412,
  title = {Using new edges for anomaly detection in computer networks},
  author = {Neil, Joshua Charles},
  abstractNote = {Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.},
  place = {United States},
  year = {2018},
  month = {7}
}