Intruder detection based on graph structured hypothesis testing

Joseph Sexton, Curtis Storlie, Joshua Neil, Alexander Kent

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

2 Scopus citations

Abstract

Anomaly based network intruder detection is considered. In particular, we view anomaly detection as a statistical hypothesis testing problem. The null hypothesis associated with each host is that it is acting normally, while the alternative is that the host is acting abnormally. When considered in relation to the network traffic, these host-level hypotheses form a graphically structured hypothesis testing problem. Some network intrusions will form linked regions in this graph where the null hypotheses are false. This will be the case when an intruder traverses the network, or when a coordinated attack is performed targeting the same set of machines. Other network intrusions can lead to multiple unrelated hosts acting abnormally, such as when multiple attackers are acting more or less independently. We consider model based approaches for detecting these different types of disruptions to the network activity. For instance, network traversal is modeled as a random walk through the network stringing together multiple abnormally acting machines. A coordinated attack targeting a single machine is modeled as multiple anomalous hosts connecting to a randomly selected target. The advantage of modeling the attacker patterns is that, under ideal conditions, this defines an optimal detector of the intruders. This optimal detector depends on unknown parameters, and is therefore less attractive for practical use. We describe pragmatic approaches that, in simulations, achieve close to optimal detection rates. The methodology is applied to a real-world network intrusion, clearly identifying the attack.
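The two attacker models named in the abstract (an intruder's walk stringing together abnormal hosts, and several abnormal hosts connecting to one target), as an added illustration that is not the paper's code: host-level p-values are combined along each candidate path or in-star, the best candidate is reported, and it is adjusted for the number of candidates searched. Fisher's method is an assumed stand-in for the paper's own statistics, and the host names, p-values and edges are constructed.

```python
import math
# Constructed illustration (not the paper's data): per-host p-values from a
# host-level anomaly test (small p = host looks abnormal) and observed edges.
HOST_PVALUES = {"A": 0.40, "B": 0.02, "C": 0.01, "D": 0.03,
                "E": 0.50, "F": 0.03, "G": 0.02, "T": 0.60}
EDGES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "A"),
         ("F", "T"), ("G", "T"), ("B", "T"), ("A", "E")]

def combined_pvalue(pvals):
    """Fisher's method (an assumed combination rule, not the paper's statistic): -2*sum(log p)
    is chi-square(2k) under H0; for even df the survival function has a closed form."""
    half = -sum(math.log(p) for p in pvals)  # x/2 where x = -2*sum(log p)
    return math.exp(-half) * sum(half ** i / math.factorial(i) for i in range(len(pvals)))

def simple_paths(edges, length):
    """Directed walks over `length` distinct hosts: candidate traversal routes."""
    out = {}
    for s, d in edges:
        out.setdefault(s, []).append(d)
    paths = []
    def extend(path):
        if len(path) == length:
            paths.append(tuple(path))
            return
        for nxt in out.get(path[-1], []):
            if nxt not in path:
                extend(path + [nxt])
    for host in out:
        extend([host])
    return paths

def _most_anomalous(candidates, pvalues):
    """Test each (label, hosts) candidate jointly; Bonferroni-adjust the best one for
    the number of candidates searched, so one lucky chain is not flagged as an intruder."""
    scored = sorted((combined_pvalue([pvalues[h] for h in hosts]), label, hosts)
                    for label, hosts in candidates)
    p, label, hosts = scored[0]
    return {"label": label, "hosts": hosts, "p": p, "adjusted_p": min(1.0, p * len(scored))}

def traversal_test(pvalues, edges, length=3):
    """Traversal model: a walk stringing together several abnormal hosts."""
    return _most_anomalous([("->".join(p), p) for p in simple_paths(edges, length)], pvalues)

def coordinated_test(pvalues, edges, min_sources=2):
    """Coordinated-attack model: several abnormal hosts all connecting to one target."""
    sources = {}
    for s, d in edges:
        sources.setdefault(d, set()).add(s)
    stars = [(t, tuple(sorted(src))) for t, src in sources.items() if len(src) >= min_sources]
    return _most_anomalous(stars, pvalues)
```

On the constructed data the chain B->C->D and the star into T stand out even after adjustment, while the single-host p-values alone would not separate them from the rest of the network.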

Original language: English (US)
Title of host publication: Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013
Publisher: IEEE Computer Society
Pages: 86-91
Number of pages: 6
ISBN (Print): 9781479905034
State: Published - 2013
Event: 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013 - San Francisco, CA, United States
Duration: Aug 13 2013 to Aug 15 2013

Publication series

Name: Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013

Other

Other: 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013
Country/Territory: United States
City: San Francisco, CA
Period: 8/13/13 to 8/15/13

ASJC Scopus subject areas

  • Control and Systems Engineering
