Graph anomalies in cyber communications
Abstract
Enterprises monitor cyber traffic for viruses, intruders and stolen information. Detection methods look for known signatures of malicious traffic or search for anomalies with respect to a nominal reference model. Traditional anomaly detection focuses on aggregate traffic at central nodes or on user-level monitoring. More recently, however, traffic is being viewed more holistically as a dynamic communication graph. Attention to the graph nature of the traffic has expanded the types of anomalies that are being sought. We give an overview of several cyber data streams collected at Los Alamos National Laboratory and discuss current work in modeling the graph dynamics of traffic over the network. We consider global properties and local properties within the communication graph. A method for monitoring relative entropy on multiple correlated properties is discussed in detail.
- Authors:
- Vander Wiel, Scott A; Storlie, Curtis B; Sandine, Gary; Hagberg, Aric A; Fisk, Michael (Los Alamos National Laboratory)
- Publication Date:
- January 11, 2011
- Research Org.:
- Los Alamos National Laboratory (LANL), Los Alamos, NM (United States)
- Sponsoring Org.:
- USDOE
- OSTI Identifier:
- 1046548
- Report Number(s):
- LA-UR-11-00221; LA-UR-11-221
TRN: US201215%%509
- DOE Contract Number:
- AC52-06NA25396
- Resource Type:
- Conference
- Resource Relation:
- Conference: INFORMS Computing Society Conference; January 9, 2011; Monterey, CA
- Country of Publication:
- United States
- Language:
- English
- Subject:
- 97 MATHEMATICAL METHODS AND COMPUTING; COMMUNICATIONS; DETECTION; ENTROPY; LANL; MONITORING; MONITORS; SIMULATION; VIRUSES
Citation Formats
Vander Wiel, Scott A, Storlie, Curtis B, Sandine, Gary, Hagberg, Aric A, and Fisk, Michael. Graph anomalies in cyber communications. United States: N. p., 2011. Web.
Vander Wiel, Scott A, Storlie, Curtis B, Sandine, Gary, Hagberg, Aric A, & Fisk, Michael. Graph anomalies in cyber communications. United States.
Vander Wiel, Scott A, Storlie, Curtis B, Sandine, Gary, Hagberg, Aric A, and Fisk, Michael. 2011. "Graph anomalies in cyber communications". United States. https://www.osti.gov/servlets/purl/1046548.
@article{osti_1046548,
  title        = {Graph anomalies in cyber communications},
  author       = {Vander Wiel, Scott A and Storlie, Curtis B and Sandine, Gary and Hagberg, Aric A and Fisk, Michael},
  abstractNote = {Enterprises monitor cyber traffic for viruses, intruders and stolen information. Detection methods look for known signatures of malicious traffic or search for anomalies with respect to a nominal reference model. Traditional anomaly detection focuses on aggregate traffic at central nodes or on user-level monitoring. More recently, however, traffic is being viewed more holistically as a dynamic communication graph. Attention to the graph nature of the traffic has expanded the types of anomalies that are being sought. We give an overview of several cyber data streams collected at Los Alamos National Laboratory and discuss current work in modeling the graph dynamics of traffic over the network. We consider global properties and local properties within the communication graph. A method for monitoring relative entropy on multiple correlated properties is discussed in detail.},
  doi          = {},
  url          = {https://www.osti.gov/biblio/1046548},
  journal      = {},
  number       = {},
  volume       = {},
  place        = {United States},
  year         = {2011},
  month        = {jan}
}