
Title: Graph anomalies in cyber communications

Enterprises monitor cyber traffic for viruses, intruders and stolen information. Detection methods look for known signatures of malicious traffic or search for anomalies with respect to a nominal reference model. Traditional anomaly detection focuses on aggregate traffic at central nodes or on user-level monitoring. More recently, however, traffic is being viewed more holistically as a dynamic communication graph. Attention to the graph nature of the traffic has expanded the types of anomalies that are being sought. We give an overview of several cyber data streams collected at Los Alamos National Laboratory and discuss current work in modeling the graph dynamics of traffic over the network. We consider global properties and local properties within the communication graph. A method for monitoring relative entropy on multiple correlated properties is discussed in detail.
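The abstract's relative-entropy monitor, as an added example that is not code from the LANL paper: it builds a directed host-to-host graph per time window from flow records, summarises each window by several correlated node-level properties (out-degree, in-degree, and their joint distribution), and scores the window by the Kullback-Leibler divergence of each property against a baseline pooled from earlier windows. The flow records are constructed here, the joint (out, in) degree property and the mean-plus-three-standard-deviations threshold are illustrative choices of this example rather than the paper's, and the additive smoothing in `relative_entropy` is an assumption made so that unseen degree values give a finite score.

```python
"""Relative-entropy monitoring of a dynamic communication graph (added example)."""
import math
import random
import statistics
from collections import Counter


def degree_profile(edges):
    """Map every node in a directed edge set to its (out_degree, in_degree)."""
    out_deg = Counter(src for src, _ in edges)
    in_deg = Counter(dst for _, dst in edges)
    return {n: (out_deg[n], in_deg[n]) for n in set(out_deg) | set(in_deg)}


def distribution(samples):
    """Empirical probability mass function over the given samples."""
    counts = Counter(samples)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def properties_from_profiles(profiles):
    """Three correlated graph properties derived from (out, in) node profiles.
    The joint distribution is an illustrative choice (assumption), chosen so
    that a shift in how out- and in-degree co-occur is visible."""
    return {
        "out_degree": distribution(o for o, _ in profiles),
        "in_degree": distribution(i for _, i in profiles),
        "joint_degree": distribution(profiles),
    }


def relative_entropy(p, q, alpha=1e-3):
    """D_KL(p || q) in bits. Additive smoothing (assumption) over the union
    support keeps the value finite when the window contains a degree value
    absent from the baseline; plain KL would be infinite there."""
    support = set(p) | set(q)
    n = len(support)

    def smooth(d, x):
        return (d.get(x, 0.0) + alpha) / (1.0 + alpha * n)

    return sum(smooth(p, x) * math.log2(smooth(p, x) / smooth(q, x))
               for x in support)


def pooled_properties(windows):
    """Baseline: pool node profiles across several nominal reference windows."""
    profiles = []
    for flows in windows:
        profiles.extend(degree_profile(set(flows)).values())
    return properties_from_profiles(profiles)


def score_window(flows, baseline):
    """Relative entropy of each property of one window against the baseline."""
    props = properties_from_profiles(list(degree_profile(set(flows)).values()))
    return {name: relative_entropy(props[name], baseline[name]) for name in baseline}


def synthetic_window(rng, n_clients=40, n_servers=5, flows_per_client=3):
    """Constructed nominal traffic (not real data): each client opens a few
    flows to a small server pool. (src, dst) pairs stand in for flow records."""
    return [(f"client{c}", f"server{rng.randrange(n_servers)}")
            for c in range(n_clients) for _ in range(flows_per_client)]


def scan_flows(scanner, n_targets):
    """Constructed anomaly: one client contacts many peers it never talks to."""
    return [(scanner, f"client{i}") for i in range(n_targets)
            if f"client{i}" != scanner]


def run_demo(seed=0):
    """Score held-out nominal windows and one scanning window against a baseline."""
    rng = random.Random(seed)
    baseline_windows = [synthetic_window(rng) for _ in range(10)]
    heldout_windows = [synthetic_window(rng) for _ in range(5)]
    anomalous_window = synthetic_window(rng) + scan_flows("client7", 30)

    baseline = pooled_properties(baseline_windows)
    heldout_scores = [score_window(w, baseline) for w in heldout_windows]
    # Per-property alarm threshold from the spread of nominal held-out scores.
    thresholds = {}
    for name in baseline:
        vals = [s[name] for s in heldout_scores]
        thresholds[name] = statistics.mean(vals) + 3 * statistics.pstdev(vals)
    anomalous_scores = score_window(anomalous_window, baseline)
    flagged = {name: anomalous_scores[name] > thresholds[name] for name in baseline}
    return {"heldout_scores": heldout_scores, "thresholds": thresholds,
            "anomalous_scores": anomalous_scores, "flagged": flagged}


if __name__ == "__main__":
    r = run_demo()
    for name, t in r["thresholds"].items():
        print(f"{name:13s} threshold={t:.3f} bits  "
              f"anomalous={r['anomalous_scores'][name]:.3f}  flagged={r['flagged'][name]}")
```

The scanning host moves only one node in the out-degree marginal, so that property alone may or may not cross its threshold, while the in-degree and joint distributions shift for every scanned peer and score several bits above the nominal windows; that is the practical reason for watching several correlated properties rather than one aggregate statistic.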
Authors:
 five authors, all [1]
  1. Los Alamos National Laboratory
OSTI Identifier:
1046548
Report Number(s):
LA-UR-11-00221; LA-UR-11-221
TRN: US201215%%509
DOE Contract Number:
AC52-06NA25396
Resource Type:
Conference
Resource Relation:
Conference: INFORMS Computing Society Conference ; January 9, 2011 ; Monterey, CA
Research Org:
Los Alamos National Lab. (LANL), Los Alamos, NM (United States)
Sponsoring Org:
USDOE
Country of Publication:
United States
Language:
English
Subject:
97 MATHEMATICAL METHODS AND COMPUTING; COMMUNICATIONS; DETECTION; ENTROPY; LANL; MONITORING; MONITORS; SIMULATION; VIRUSES