TY - GEN
T1 - Towards improved detection of attackers in computer networks
T2 - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013
AU - Neil, Joshua
AU - Uphoff, Benjamin
AU - Hash, Curtis
AU - Storlie, Curtis
PY - 2013
Y1 - 2013
N2 - This paper focuses on several important topics related to subgraph anomaly detection for computer networks. First, we briefly discuss a graph-based view of a computer network consisting of nodes (computers) and edges (time-series of communications between computers), and how stochastic models of groups of edges can be used to identify local anomalous areas of the network indicating the traversal of attackers. Next, the concept of a new edge, an edge between two computers that have never communicated before, is introduced, and a model for establishing the probability of such an event is provided. We follow this with a discussion of exponentially weighted moving averages for updating models of edges. Next, as measuring network data for the purposes of anomaly detection is difficult, we discuss a host agent designed specifically to gather this type of data. Finally, the performance of anomaly detection using this host agent to collect data is compared with that of DNS data.
AB - This paper focuses on several important topics related to subgraph anomaly detection for computer networks. First, we briefly discuss a graph-based view of a computer network consisting of nodes (computers) and edges (time-series of communications between computers), and how stochastic models of groups of edges can be used to identify local anomalous areas of the network indicating the traversal of attackers. Next, the concept of a new edge, an edge between two computers that have never communicated before, is introduced, and a model for establishing the probability of such an event is provided. We follow this with a discussion of exponentially weighted moving averages for updating models of edges. Next, as measuring network data for the purposes of anomaly detection is difficult, we discuss a host agent designed specifically to gather this type of data. Finally, the performance of anomaly detection using this host agent to collect data is compared with that of DNS data.
KW - Dynamic Graph
KW - Host Agent
KW - Network Attack Detection
UR - http://www.scopus.com/inward/record.url?scp=84890096053&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84890096053&partnerID=8YFLogxK
U2 - 10.1109/ISRCS.2013.6623779
DO - 10.1109/ISRCS.2013.6623779
M3 - Conference contribution
AN - SCOPUS:84890096053
SN - 9781479905034
T3 - Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013
SP - 218
EP - 224
BT - Proceedings - 2013 6th International Symposium on Resilient Control Systems, ISRCS 2013
PB - IEEE Computer Society
Y2 - 13 August 2013 through 15 August 2013
ER -