A Likelihood Ratio Detector for Identifying Within-Perimeter Computer Network Attacks
Guardat en:
| Publicat a: | arXiv.org (Sep 1, 2016), p. n/a |
|---|---|
| Autor principal: | |
| Altres autors: | , , , , |
| Publicat: |
Cornell University Library, arXiv.org
|
| Matèries: | |
| Accés en línia: | Citation/Abstract Full text outside of ProQuest |
| Etiquetes: |
Sense etiquetes, Sigues el primer a etiquetar aquest registre!
|
MARC
| LEADER | 00000nab a2200000uu 4500 | ||
|---|---|---|---|
| 001 | 2079558273 | ||
| 003 | UK-CbPIL | ||
| 022 | |a 2331-8422 | ||
| 035 | |a 2079558273 | ||
| 045 | 0 | |b d20160901 | |
| 100 | 1 | |a Grana, Justin | |
| 245 | 1 | |a A Likelihood Ratio Detector for Identifying Within-Perimeter Computer Network Attacks | |
| 260 | |b Cornell University Library, arXiv.org |c Sep 1, 2016 | ||
| 513 | |a Working Paper | ||
| 520 | 3 | |a The rapid detection of attackers within firewalls of enterprise computer net- works is of paramount importance. Anomaly detectors address this problem by quantifying deviations from baseline statistical models of normal network behav- ior and signaling an intrusion when the observed data deviates significantly from the baseline model. However, many anomaly detectors do not take into account plausible attacker behavior. As a result, anomaly detectors are prone to a large number of false positives due to unusual but benign activity. This paper first in- troduces a stochastic model of attacker behavior which is motivated by real world attacker traversal. Then, we develop a likelihood ratio detector that compares the probability of observed network behavior under normal conditions against the case when an attacker has possibly compromised a subset of hosts within the network. Since the likelihood ratio detector requires integrating over the time each host be- comes compromised, we illustrate how to use Monte Carlo methods to compute the requisite integral. We then present Receiver Operating Characteristic (ROC) curves for various network parameterizations that show for any rate of true posi- tives, the rate of false positives for the likelihood ratio detector is no higher than that of a simple anomaly detector and is often lower. We conclude by demon- strating the superiority of the proposed likelihood ratio detector when the network topologies and parameterizations are extracted from real-world networks. | |
| 653 | |a Sensors | ||
| 653 | |a Detectors | ||
| 653 | |a Intrusion | ||
| 653 | |a Firewalls | ||
| 653 | |a Statistical analysis | ||
| 653 | |a Statistical models | ||
| 653 | |a Computer networks | ||
| 653 | |a Computer simulation | ||
| 653 | |a Likelihood ratio | ||
| 653 | |a Network topologies | ||
| 653 | |a Monte Carlo simulation | ||
| 653 | |a Cybersecurity | ||
| 700 | 1 | |a Wolpert, David | |
| 700 | 1 | |a Neil, Joshua | |
| 700 | 1 | |a Xie, Dongping | |
| 700 | 1 | |a Bhattacharya, Tanmoy | |
| 700 | 1 | |a Bent, Russel | |
| 773 | 0 | |t arXiv.org |g (Sep 1, 2016), p. n/a | |
| 786 | 0 | |d ProQuest |t Engineering Database | |
| 856 | 4 | 1 | |3 Citation/Abstract |u https://www.proquest.com/docview/2079558273/abstract/embedded/L8HZQI7Z43R0LA5T?source=fedsrch |
| 856 | 4 | 0 | |3 Full text outside of ProQuest |u http://arxiv.org/abs/1609.00104 |