A likelihood ratio anomaly detector for identifying within-perimeter computer network attacks

Grana, Justin; Wolpert, David; Neil, Joshua; Xie, Dongping; Bhattacharya, Tanmoy; Bent, Russell

doi:10.1016/j.jnca.2016.03.008

Title: A likelihood ratio anomaly detector for identifying within-perimeter computer network attacks

Journal Article · Fri Mar 11 00:00:00 EST 2016 · Journal of Network and Computer Applications

DOI:https://doi.org/10.1016/j.jnca.2016.03.008· OSTI ID:1340924

Grana, Justin ^[1]; Wolpert, David ^[2]; Neil, Joshua ^[3]; Xie, Dongping ^[1]; Bhattacharya, Tanmoy ^[4]; Bent, Russell ^[4]

American Univ., Washington, DC (United States). Economics Dept.
Santa Fe Inst. (SFI), Santa Fe, NM (United States)
Ernst and Young, Denver, CO (United States)
Los Alamos National Lab. (LANL), Los Alamos, NM (United States)

The rapid detection of attackers within firewalls of enterprise computer networks is of paramount importance. Anomaly detectors address this problem by quantifying deviations from baseline statistical models of normal network behavior and signaling an intrusion when the observed data deviates significantly from the baseline model. But, many anomaly detectors do not take into account plausible attacker behavior. As a result, anomaly detectors are prone to a large number of false positives due to unusual but benign activity. Our paper first introduces a stochastic model of attacker behavior which is motivated by real world attacker traversal. Then, we develop a likelihood ratio detector that compares the probability of observed network behavior under normal conditions against the case when an attacker has possibly compromised a subset of hosts within the network. Since the likelihood ratio detector requires integrating over the time each host becomes compromised, we illustrate how to use Monte Carlo methods to compute the requisite integral. We then present Receiver Operating Characteristic (ROC) curves for various network parameterizations that show for any rate of true positives, the rate of false positives for the likelihood ratio detector is no higher than that of a simple anomaly detector and is often lower. Finally, we demonstrate the superiority of the proposed likelihood ratio detector when the network topologies and parameterizations are extracted from real-world networks.

View Accepted Manuscript (DOE)

Cite

Export

Save

Research Organization:: Los Alamos National Lab. (LANL), Los Alamos, NM (United States)

Sponsoring Organization:: USDOE

Grant/Contract Number:: AC52-06NA25396

OSTI ID:: 1340924

Report Number(s):: LA-UR-16-22440

Journal Information:: Journal of Network and Computer Applications, Vol. 66, Issue C; ISSN 1084-8045

Publisher:: ElsevierCopyright Statement

Country of Publication:: United States

Language:: English

Citation Metrics:

Cited by: 8 works

Citation information provided by
Web of Science

Similar Records

Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

Journal Article · Thu Oct 01 00:00:00 EDT 2020 · Energies · OSTI ID:1340924

Elbez, Ghada; Keller, Hubert B.; Bohara, Atul; +2 more

Denial of Service Attack Detection via Differential Analysis of Generalized Entropy Progressions

Conference · Mon Aug 28 00:00:00 EDT 2023 · OSTI ID:1340924

Subasi, Omer; Manzano Franco, Joseph B.; Barker, Kevin J.

Data Mining for Security Information: A Survey

Conference · Thu Apr 19 00:00:00 EDT 2001 · OSTI ID:1340924

Brugger, S T; Kelley, M; Sumikawa, K; +1 more

Related Subjects

97 MATHEMATICS AND COMPUTING
Anomaly detection
Computer network defense
Cyber security
Likelihood ratio detection
ROC analysis
Model misspecification

Title: A likelihood ratio anomaly detector for identifying within-perimeter computer network attacks

Citation Formats

Similar Records

Related Subjects