Using new edges for anomaly detection in computer networks
Abstract
Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.
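The abstract describes a pipeline: per-node baselines of how often nodes create and receive new edges, per-edge probabilities for both new and existing edges, a combined score for a path, and a threshold taken from the empirical distribution of historical scores. The Python block below is an added illustration written for this page; it is not code from the patent or from Los Alamos National Laboratory. It assumes a deliberately simple form for each step, none of which the record specifies: a node's new-edge rate is the fraction of past time windows in which it created (or received) a previously unseen edge; the probability of a new edge (u, v) is the product of u's creation rate and v's receipt rate; the probability of an existing edge is the fraction of past windows in which it was active; a path score is the sum of -log(p) over its edges; and the threshold is a nearest-rank quantile of path scores obtained by replaying the history window by window. The hosts, windows and edges are constructed sample data.

```python
"""Toy new-edge and path-score anomaly detector (added example, not the patent's code).

Assumptions (mine, not from the record): traffic arrives as (window, src, dst)
observations; window 0 is a warm-up that only seeds the set of known edges;
a node's new-edge rate is the fraction of later windows in which it created or
received a never-before-seen edge; P(new edge u->v) = p_out(u) * p_in(v);
P(existing edge) = fraction of windows in which it was active; path score =
sum of -log(p); threshold = nearest-rank quantile of replayed historical scores.
"""
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]
Path = Tuple[str, ...]
Obs = Tuple[int, str, str]
FLOOR = 1e-3  # probability floor so never-seen behaviour does not give log(0)


def build_baseline(history: List[Obs]) -> dict:
    """Replay history window by window; count per node the windows in which it
    created/received a new edge, and per edge the windows in which it was active."""
    n = max(w for w, _, _ in history) + 1
    by_window: Dict[int, Set[Edge]] = defaultdict(set)
    for w, s, d in history:
        by_window[w].add((s, d))
    known: Set[Edge] = set()
    new_out: Dict[str, int] = defaultdict(int)
    new_in: Dict[str, int] = defaultdict(int)
    active: Dict[Edge, int] = defaultdict(int)
    for w in range(n):
        creators, receivers = set(), set()
        for e in by_window[w]:
            active[e] += 1
            if w > 0 and e not in known:  # window 0 only seeds 'known'
                creators.add(e[0])
                receivers.add(e[1])
        for u in creators:
            new_out[u] += 1
        for v in receivers:
            new_in[v] += 1
        known |= by_window[w]
    return {"n": n, "known": known, "new_out": new_out, "new_in": new_in, "active": active}


def edge_probability(b: dict, e: Edge) -> float:
    """Baseline probability of observing edge e in one window."""
    if e in b["known"]:
        return max(b["active"][e] / b["n"], FLOOR)
    scoring_windows = max(b["n"] - 1, 1)  # windows after the warm-up
    p_out = max(b["new_out"][e[0]] / scoring_windows, FLOOR)
    p_in = max(b["new_in"][e[1]] / scoring_windows, FLOOR)
    return p_out * p_in


def path_score(b: dict, path: Path) -> float:
    """Combine edge probabilities along a path: sum of -log(p); higher means rarer."""
    return sum(-math.log(edge_probability(b, (path[i], path[i + 1])))
               for i in range(len(path) - 1))


def enumerate_paths(edges: Set[Edge]) -> List[Path]:
    """Every single edge plus every simple 2-hop path u->v->w within one window."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for s, d in edges:
        out[s].add(d)
    paths: List[Path] = [(s, d) for s, d in sorted(edges)]
    for s, d in sorted(edges):
        paths.extend((s, d, w) for w in sorted(out[d]) if w != s)
    return paths


def empirical_threshold(history: List[Obs], q: float = 0.95) -> float:
    """Score each past window's paths against a baseline built only from earlier
    windows, then return the q-quantile (nearest rank) of those scores."""
    n = max(w for w, _, _ in history) + 1
    scores: List[float] = []
    for w in range(1, n):
        b = build_baseline([o for o in history if o[0] < w])
        edges = {(s, d) for ww, s, d in history if ww == w}
        scores.extend(path_score(b, p) for p in enumerate_paths(edges))
    scores.sort()
    rank = max(1, math.ceil(q * len(scores)))
    return scores[rank - 1]


def detect(history: List[Obs], window_edges: Set[Edge], q: float = 0.95) -> List[Tuple[Path, float, bool]]:
    """Score every path of the current window and flag those above the threshold."""
    b = build_baseline(history)
    thr = empirical_threshold(history, q)
    results = []
    for p in enumerate_paths(window_edges):
        s = path_score(b, p)
        results.append((p, s, s > thr))
    return results


# Constructed history: ten windows in which hosts A, B and C each talk to server S,
# plus one unusual A->B edge that first appears in window 3 and recurs in window 7.
HISTORY: List[Obs] = [(w, h, "S") for w in range(10) for h in "ABC"] + [(3, "A", "B"), (7, "A", "B")]

# Constructed current window: the usual A->S plus a chain A->B->C->D of mostly new edges.
CURRENT_WINDOW: Set[Edge] = {("A", "S"), ("A", "B"), ("B", "C"), ("C", "D")}

if __name__ == "__main__":
    for path, score, flagged in detect(HISTORY, CURRENT_WINDOW):
        print("->".join(path), f"{score:.2f}", "ANOMALOUS" if flagged else "")
```

Running the block prints one line per path in the current window. With the constructed data the single new edges B->C and C->D score exactly at the historical threshold (the history contains one comparable new edge) and are not flagged on their own, whereas the chains A->B->C and B->C->D exceed it: this is what combining edge probabilities along a path adds over judging each new edge in isolation. In practice the baseline would be rebuilt periodically, the quantile chosen from the tolerable alert volume, and the probability floor tuned, since it sets how heavily never-before-seen behaviour is penalised.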
- Inventors:
- Neil, Joshua Charles
- Issue Date:
- 2015 May 19
- Research Org.:
- Los Alamos National Laboratory (LANL), Los Alamos, NM (United States)
- Sponsoring Org.:
- USDOE
- OSTI Identifier:
- 1179789
- Patent Number(s):
- 9038180
- Application Number:
- 13/826,995
- Assignee:
- Los Alamos National Security, LLC (Los Alamos, NM)
- Patent Classifications (CPCs):
- G - PHYSICS; G06 - COMPUTING; G06F - ELECTRIC DIGITAL DATA PROCESSING
- G - PHYSICS; G06 - COMPUTING; G06N - COMPUTER SYSTEMS BASED ON SPECIFIC COMPUTATIONAL MODELS
- DOE Contract Number:
- AC52-06NA25396
- Resource Type:
- Patent
- Resource Relation:
- Patent File Date: 2013 Mar 14
- Country of Publication:
- United States
- Language:
- English
- Subject:
- 97 MATHEMATICS AND COMPUTING
Citation Formats
Neil, Joshua Charles. Using new edges for anomaly detection in computer networks. United States: N. p., 2015. Web.
Neil, Joshua Charles. Using new edges for anomaly detection in computer networks. United States.
Neil, Joshua Charles. 2015. "Using new edges for anomaly detection in computer networks". United States. https://www.osti.gov/servlets/purl/1179789.
@article{osti_1179789,
title = {Using new edges for anomaly detection in computer networks},
author = {Neil, Joshua Charles},
abstractNote = {Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions.},
place = {United States},
year = {2015},
month = {5}
}
Works referenced in this record:
Bayesian anomaly detection methods for social networks
journal, August 2010
- Heard, Nicholas A.; Weston, David J.; Platanioti, Kiriaki
- The Annals of Applied Statistics, Vol. 4, Issue 2, p. 645-662
Scan Statistics on Enron Graphs
journal, October 2005
- Priebe, Carey E.; Conroy, John M.; Marchette, David J.
- Computational and Mathematical Organization Theory, Vol. 11, Issue 3, p. 229-247
The link-prediction problem for social networks
journal, January 2007
- Liben-Nowell, David; Kleinberg, Jon
- Journal of the American Society for Information Science and Technology, Vol. 58, Issue 7, p. 1019-1031
A survey of coordinated attacks and collaborative intrusion detection
journal, February 2010
- Zhou, Chenfeng Vincent; Leckie, Christopher; Karunasekera, Shanika
- Computers & Security, Vol. 29, Issue 1, p. 124-140
Alert correlation in a cooperative intrusion detection framework
conference, January 2002
- Cuppens, F.; Miege, A.
- Proceedings 2002 IEEE Symposium on Security and Privacy
Botnets: A survey
journal, February 2013
- Silva, Sérgio S. C.; Silva, Rodrigo M. P.; Pinto, Raquel C. G.
- Computer Networks, Vol. 57, Issue 2, p. 378-403
Identifying botnets by capturing group activities in DNS traffic
journal, January 2012
- Choi, Hyunsang; Lee, Heejo
- Computer Networks, Vol. 56, Issue 1, p. 20-33
Probabilistic Alert Correlation
book, January 2001
- Valdes, Alfonso; Skinner, Keith; Goos, Gerhard
- Recent Advances in Intrusion Detection, p. 54-68
Scan Statistics for the Online Detection of Locally Anomalous Subgraphs
journal, August 2013
- Neil, Joshua; Hash, Curtis; Brugh, Alexander
- Technometrics, Vol. 55, Issue 4, p. 403-414
Features generation for use in computer network intrusion detection
patent, December 2003
- Diep, Thanh A.; Botros, Sherif; Izenson, Martin D.
- US Patent Document 6,671,811
Anomaly detection
patent, March 2008
- Ide, Tsuyoshi; Yoda, Kunikazu; Kashima, Hisashi
- US Patent Document 7,346,803
Method and system for content distribution network security
patent, March 2013
- Macwan, Sanjay; Chawla, Deepak; de los Reyes, Gustavo
- US Patent Document 8,397,298
Adaptive behavioral intrusion detection systems and methods
patent, May 2013
- Stute, Michael Roy
- US Patent Document 8,448,247
Peer-to-peer (P2P) botnet tracking at backbone level
patent, January 2014
- Coskun, Baris; Baliga, Arati
- US Patent Document 8,627,473
System and method for exposing malicious sources using mobile IP messages
patent, February 2014
- Choyi, Vinod Kumar; Abdel-Aziz, Bassem
- US Patent Document 8,650,630
Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures
patent-application, November 2002
- Hrabik, Michael; Guilfoyle, Jeffrey; Mac Beaver, Edward
- US Patent Application 10/196472; 20020178383
Flow-based detection of network intrusions
patent-application, June 2003
- Copeland, John A. III
- US Patent Application 10/000396; 20030105976
Network security monitoring system
patent-application, July 2004
- Bhattacharya, Partha; Lawrence, Jan Christian
- US Patent Application 10/443946; 20040133672
Adaptive behavioral intrusion detection systems and methods
patent-application, February 2005
- Stute, Michael
- US Patent Application 10/504731; 20050044406
Method and system for analyzing multidimensional data
patent-application, March 2006
- Ashiri, Amir
- US Patent Application 11/199383; 20060053136
Systems and methods for testing and evaluating an intrusion detection system
patent-application, November 2006
- Rubin, Shai A.; Jha, Somesh; Miller, Barton P.
- US Patent Application 11/294585; 20060253906
Intelligent intrusion detection system utilizing enhanced graph-matching of network activity with context data
patent-application, September 2007
- Coffman, Thayne Richard
- US Patent Application 11/367943; 20070209074
Tactical And Strategic Attack Detection And Prediction
patent-application, September 2007
- Gilbert, Logan; Morgan, Robert J.; Keen, Arthur A.
- US Patent Application 11/688540; 20070226796
Method of Detecting Anomalous Behaviour in a Computer Network
patent-application, October 2007
- Belakhdar, Omar; Bados, Pedro; Flatings, Boi
- US Patent Application 11/578866; 20070240207
Methods and Systems for Determining Entropy Metrics for Networks
patent-application, January 2009
- Johnson, Joseph E.
- US Patent Application 12/158424; 20090024549
Systems And Methods For A Simulated Network Attack Generator
patent-application, December 2009
- White, Christopher Dyson; Ratcliffe, III, Chester Randolph; Espinosa, John Christian
- US Patent Application 12/487633; 20090320137
Intrusion Event Correlation System
patent-application, July 2010
- Noel, Steven E.; Robertson, Eric B.; Jajodia, Sushil
- US Patent Application 12/758135; 20100192226
Device and Method for Detecting and Diagnosing Correlated Network Anomalies
patent-application, June 2011
- Wang, Jia; Lall, Ashwin; Mahimkar, Ajay
- US Patent Application 12/646388; 20110154119
Generating A Multiple-Prerequisite Attack Graph
patent-application, September 2011
- Lippmann, Richard P.; Ingols, Kyle W.; Piwowarski, Keith J.
- US Patent Application 13/104454; 20110231937
Systems and Methods for Virtualized Malware Detection
patent-application, May 2013
- Golshan, Ali; Binder, James S.
- US Patent Application 13/288917; 20130117849
Method And Apparatus For Machine To Machine Network Security Monitoring In A Communications Network
patent-application, May 2013
- Sheleheda, Daniel; Bowen, Donald J.; Cama, Cynthia
- US Patent Application 13/301529; 20130127618
Predicting Attacks Based On Probabilistic Game-Theory
patent-application, November 2013
- Christodorescu, Mihai; Korzhyk, Dmytro; Sailer, Reiner
- US Patent Application 13/478290; 20130318615
Works referencing / citing this record:
Using new edges for anomaly detection in computer networks
patent, May 2015
- Neil, Joshua Charles
- US Patent Document 9,038,180