Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents

Joshua Neil; Benjamin Uphoff; Curtis Hash; Curtis Storlie

doi:10.1109/ISRCS.2013.6623779

Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents

Joshua Neil, Benjamin Uphoff, Curtis Hash, Curtis Storlie

Quantitative Health Sciences

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Scopus citations

Abstract

This paper focuses on several important topics related to subgraph anomaly detection for computer networks. First, we briefly discuss a graph based view of a computer network consisting of nodes (computers) and edges (time-series of communications between computers), and how stochastic models of groups of edges can be used to identify local anomalous areas of the network indicating the traversal of attackers. Next, the concept of a new edge, an edge between two computers that have never communicated before, is introduced, and a model for establishing the probability of such an event is provided. We follow this with a discussion of exponentially weighted moving averages for updating models of edges. Next, as measuring network data for the purposes of anomaly detection is difficult we discuss a host agent designed specifically to gather this type of data. Finally, the performance of anomaly detection using this host agent to collect data is compared with that of DNS data.

Original language	English (US)
Title of host publication	Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013
Publisher	IEEE Computer Society
Pages	218-224
Number of pages	7
ISBN (Print)	9781479905034
DOIs	https://doi.org/10.1109/ISRCS.2013.6623779
State	Published - 2013
Event	2013 6th International Symposium on Resilient Control Systems, ISRCS 2013 - San Francisco, CA, United States Duration: Aug 13 2013 → Aug 15 2013

Publication series

Name	Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013

Other

Other	2013 6th International Symposium on Resilient Control Systems, ISRCS 2013
Country/Territory	United States
City	San Francisco, CA
Period	8/13/13 → 8/15/13

Keywords

Dynamic Graph
Host Agent
Network Attack Detection

ASJC Scopus subject areas

Control and Systems Engineering

Access to Document

10.1109/ISRCS.2013.6623779

Cite this

Neil, J., Uphoff, B., Hash, C., & Storlie, C. (2013). Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents. In Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013 (pp. 218-224). Article 6623779 (Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013). IEEE Computer Society. https://doi.org/10.1109/ISRCS.2013.6623779

Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents. / Neil, Joshua; Uphoff, Benjamin; Hash, Curtis et al.
Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013. IEEE Computer Society, 2013. p. 218-224 6623779 (Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Neil, J, Uphoff, B, Hash, C & Storlie, C 2013, Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents. in Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013., 6623779, Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013, IEEE Computer Society, pp. 218-224, 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013, San Francisco, CA, United States, 8/13/13. https://doi.org/10.1109/ISRCS.2013.6623779

Neil J, Uphoff B, Hash C, Storlie C. Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents. In Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013. IEEE Computer Society. 2013. p. 218-224. 6623779. (Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013). doi: 10.1109/ISRCS.2013.6623779

Neil, Joshua ; Uphoff, Benjamin ; Hash, Curtis et al. / Towards improved detection of attackers in computer networks : New edges, fast updating, and host agents. Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013. IEEE Computer Society, 2013. pp. 218-224 (Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013).

@inproceedings{447f88f8e41f44f6ab666983dbecf6a5,

title = "Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents",

abstract = "This paper focuses on several important topics related to subgraph anomaly detection for computer networks. First, we briefly discuss a graph based view of a computer network consisting of nodes (computers) and edges (time-series of communications between computers), and how stochastic models of groups of edges can be used to identify local anomalous areas of the network indicating the traversal of attackers. Next, the concept of a new edge, an edge between two computers that have never communicated before, is introduced, and a model for establishing the probability of such an event is provided. We follow this with a discussion of exponentially weighted moving averages for updating models of edges. Next, as measuring network data for the purposes of anomaly detection is difficult we discuss a host agent designed specifically to gather this type of data. Finally, the performance of anomaly detection using this host agent to collect data is compared with that of DNS data.",

keywords = "Dynamic Graph, Host Agent, Network Attack Detection",

author = "Joshua Neil and Benjamin Uphoff and Curtis Hash and Curtis Storlie",

year = "2013",

doi = "10.1109/ISRCS.2013.6623779",

language = "English (US)",

isbn = "9781479905034",

series = "Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013",

publisher = "IEEE Computer Society",

pages = "218--224",

booktitle = "Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013",

note = "2013 6th International Symposium on Resilient Control Systems, ISRCS 2013 ; Conference date: 13-08-2013 Through 15-08-2013",

}

TY - GEN

T1 - Towards improved detection of attackers in computer networks

T2 - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013

AU - Neil, Joshua

AU - Uphoff, Benjamin

AU - Hash, Curtis

AU - Storlie, Curtis

PY - 2013

Y1 - 2013

N2 - This paper focuses on several important topics related to subgraph anomaly detection for computer networks. First, we briefly discuss a graph based view of a computer network consisting of nodes (computers) and edges (time-series of communications between computers), and how stochastic models of groups of edges can be used to identify local anomalous areas of the network indicating the traversal of attackers. Next, the concept of a new edge, an edge between two computers that have never communicated before, is introduced, and a model for establishing the probability of such an event is provided. We follow this with a discussion of exponentially weighted moving averages for updating models of edges. Next, as measuring network data for the purposes of anomaly detection is difficult we discuss a host agent designed specifically to gather this type of data. Finally, the performance of anomaly detection using this host agent to collect data is compared with that of DNS data.

AB - This paper focuses on several important topics related to subgraph anomaly detection for computer networks. First, we briefly discuss a graph based view of a computer network consisting of nodes (computers) and edges (time-series of communications between computers), and how stochastic models of groups of edges can be used to identify local anomalous areas of the network indicating the traversal of attackers. Next, the concept of a new edge, an edge between two computers that have never communicated before, is introduced, and a model for establishing the probability of such an event is provided. We follow this with a discussion of exponentially weighted moving averages for updating models of edges. Next, as measuring network data for the purposes of anomaly detection is difficult we discuss a host agent designed specifically to gather this type of data. Finally, the performance of anomaly detection using this host agent to collect data is compared with that of DNS data.

KW - Dynamic Graph

KW - Host Agent

KW - Network Attack Detection

UR - http://www.scopus.com/inward/record.url?scp=84890096053&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84890096053&partnerID=8YFLogxK

U2 - 10.1109/ISRCS.2013.6623779

DO - 10.1109/ISRCS.2013.6623779

M3 - Conference contribution

AN - SCOPUS:84890096053

SN - 9781479905034

T3 - Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013

SP - 218

EP - 224

BT - Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013

PB - IEEE Computer Society

Y2 - 13 August 2013 through 15 August 2013

ER -

Towards improved detection of attackers in computer networks: New edges, fast updating, and host agents

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this