OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Automatic Construction of Anomaly Detectors from Graphical Models

Conference · OSTI ID: 1081686

Detection of rare or previously unseen attacks in cyber security presents a central challenge: how does one search for a sufficiently wide variety of types of anomalies and yet allow the process to scale to increasingly complex data? In particular, creating each anomaly detector manually and training each one separately presents untenable strains on both human and computer resources. In this paper we propose a systematic method for constructing a potentially very large number of complementary anomaly detectors from a single probabilistic model of the data. Only one model needs to be trained, but numerous detectors can then be implemented. This approach promises to scale better than manual methods to the complex heterogeneity of real-life data. As an example, we develop a Latent Dirichlet Allocation probability model of TCP connections entering Oak Ridge National Laboratory. We show that several detectors can be automatically constructed from the model and will provide anomaly detection at flow, sub-flow, and host (both server and client) levels. This demonstrates how the fundamental connection between anomaly detection and probabilistic modeling can be exploited to develop more robust operational solutions.

Research Organization:
Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
Sponsoring Organization:
USDOE Laboratory Directed Research and Development (LDRD) Program
DOE Contract Number:
DE-AC05-00OR22725
OSTI ID:
1081686
Resource Relation:
Conference: 2011 IEEE Symposium on Computational Intelligence in Cyber Security, Paris, France, 2011-04-11 to 2011-04-15
Country of Publication:
United States
Language:
English
