OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness

Abstract

A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to establish normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent ("UHCA") may also be used to detect anomalous behavior.

Inventors:
Neil, Joshua Charles; Fisk, Michael Edward; Brugh, Alexander William; Hash, Curtis Lee; Storlie, Curtis Byron; Uphoff, Benjamin; Kent, Alexander
Publication Date:
2017 Nov 21
Research Org.:
Los Alamos National Laboratory (LANL), Los Alamos, NM (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1409817
Patent Number(s):
9,825,979
Application Number:
15/419,673
Assignee:
Los Alamos National Security, LLC (Los Alamos, NM)
DOE Contract Number:
AC52-06NA25396
Resource Type:
Patent
Resource Relation:
Patent File Date: 2017 Jan 30
Country of Publication:
United States
Language:
English
Subject:
97 MATHEMATICS AND COMPUTING

Citation Formats

Neil, Joshua Charles, Fisk, Michael Edward, Brugh, Alexander William, Hash, Curtis Lee, Storlie, Curtis Byron, Uphoff, Benjamin, and Kent, Alexander. Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness. United States: N. p., 2017. Web.
Neil, Joshua Charles, Fisk, Michael Edward, Brugh, Alexander William, Hash, Curtis Lee, Storlie, Curtis Byron, Uphoff, Benjamin, & Kent, Alexander. Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness. United States.
Neil, Joshua Charles, Fisk, Michael Edward, Brugh, Alexander William, Hash, Curtis Lee, Storlie, Curtis Byron, Uphoff, Benjamin, and Kent, Alexander. 2017. "Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness". United States. https://www.osti.gov/servlets/purl/1409817.
@article{osti_1409817,
title = {Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness},
author = {Neil, Joshua Charles and Fisk, Michael Edward and Brugh, Alexander William and Hash, Curtis Lee and Storlie, Curtis Byron and Uphoff, Benjamin and Kent, Alexander},
abstractNote = {A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent ("UHCA") may also be used to detect anomalous behavior.},
url = {https://www.osti.gov/biblio/1409817},
place = {United States},
year = {2017},
month = {nov}
}

Works referenced in this record:

  • Features generation for use in computer network intrusion detection (patent, December 2003)
  • Anomaly detection (patent, March 2008)
  • Attack graph aggregation (patent, December 2009)
  • Distributed network management (patent, December 2011)
  • Method and system for content distribution network security (patent, March 2013)
  • Using social graphs to combat malicious attacks (patent, April 2013)
  • Wireless network edge guardian (patent, November 2013)
  • Proactive on-line diagnostics in a manageable network (patent application, February 2002)
  • Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures (patent application, November 2002)
  • Flow-based detection of network intrusions (patent application, June 2003)
  • Network security monitoring system (patent application, July 2004)
  • Database user behavior monitor system and method (patent application, September 2005)
  • Systems and methods for testing and evaluating an intrusion detection system (patent application, November 2006)
  • Tactical and strategic attack detection and prediction (patent application, September 2007)
  • Method of detecting anomalous behaviour in a computer network (patent application, October 2007)
  • Traffic control system and management server (patent application, April 2008)
  • Systems and methods for a simulated network attack generator (patent application, December 2009)
  • Method and apparatus for network anomaly detection (patent application, November 2010)
  • Apparatuses and methods for detecting anomalous event in network (patent application, June 2011)
  • Device and method for detecting and diagnosing correlated network anomalies (patent application, June 2011)
  • Generating a multiple-prerequisite attack graph (September 2011)
  • Applying antimalware logic without revealing the antimalware logic to adversaries (patent application, December 2012)
  • Systems and methods for virtualized malware detection (patent application, May 2013)
  • Method and apparatus for machine to machine network security monitoring in a communications network (patent application, May 2013)
  • Predicting attacks based on probabilistic game-theory (patent application, November 2013)
  • System and method for assessing whether a communication contains an attack (patent application, February 2014)
  • Method for detecting anomaly action within a computer network (patent application, June 2014)
  • A survey of coordinated attacks and collaborative intrusion detection (journal, February 2010)
  • Bayesian anomaly detection methods for social networks (journal, August 2010)
  • Botnets: A survey (journal, February 2013)
  • Identifying botnets by capturing group activities in DNS traffic (journal, January 2012)
  • The link-prediction problem for social networks (journal, January 2007). Liben-Nowell, David; Kleinberg, Jon. Journal of the American Society for Information Science and Technology, Vol. 58, Issue 7, p. 1019-1031. https://doi.org/10.1002/asi.20591
  • Scan statistics for the online detection of locally anomalous subgraphs (journal, August 2013)
  • Adaptive ROC-based ensembles of HMMs applied to anomaly detection (journal, January 2012)
  • Two-tier data-driven intrusion detection for automatic generation control in smart grid (conference, December 2014)