A likelihood ratio anomaly detector for identifying within-perimeter computer network attacks
- American Univ., Washington, DC (United States). Economics Dept.
- Santa Fe Inst. (SFI), Santa Fe, NM (United States)
- Ernst and Young, Denver, CO (United States)
- Los Alamos National Lab. (LANL), Los Alamos, NM (United States)
The rapid detection of attackers within firewalls of enterprise computer networks is of paramount importance. Anomaly detectors address this problem by quantifying deviations from baseline statistical models of normal network behavior and signaling an intrusion when the observed data deviates significantly from the baseline model. But, many anomaly detectors do not take into account plausible attacker behavior. As a result, anomaly detectors are prone to a large number of false positives due to unusual but benign activity. Our paper first introduces a stochastic model of attacker behavior which is motivated by real world attacker traversal. Then, we develop a likelihood ratio detector that compares the probability of observed network behavior under normal conditions against the case when an attacker has possibly compromised a subset of hosts within the network. Since the likelihood ratio detector requires integrating over the time each host becomes compromised, we illustrate how to use Monte Carlo methods to compute the requisite integral. We then present Receiver Operating Characteristic (ROC) curves for various network parameterizations that show for any rate of true positives, the rate of false positives for the likelihood ratio detector is no higher than that of a simple anomaly detector and is often lower. Finally, we demonstrate the superiority of the proposed likelihood ratio detector when the network topologies and parameterizations are extracted from real-world networks.
- Research Organization:
- Los Alamos National Lab. (LANL), Los Alamos, NM (United States)
- Sponsoring Organization:
- USDOE
- Grant/Contract Number:
- AC52-06NA25396
- OSTI ID:
- 1340924
- Report Number(s):
- LA-UR-16-22440
- Journal Information:
- Journal of Network and Computer Applications, Vol. 66, Issue C; ISSN 1084-8045
- Publisher:
- ElsevierCopyright Statement
- Country of Publication:
- United States
- Language:
- English
Web of Science
Similar Records
Denial of Service Attack Detection via Differential Analysis of Generalized Entropy Progressions
Data Mining for Security Information: A Survey