Cyber Anomaly Detection Using Graph-node Role-dynamics

12/06/2018
by Anthony Palladino, et al.

Intrusion detection systems (IDSs) generate valuable knowledge about network security, but an abundance of false alarms and a lack of methods to capture the interdependence among alerts hampers their utility for network defense. Here, we explore a graph-based approach for fusing alerts generated by multiple IDSs (e.g., Snort, OSSEC, and Bro). Our approach generates a weighted graph of alert fields (not network topology) that makes explicit the connections between multiple alerts, IDS systems, and other cyber artifacts. We use this multi-modal graph to identify anomalous changes in the alert patterns of a network. To detect the anomalies, we apply the role-dynamics approach, which has successfully identified anomalies in social media, email, and IP communication graphs. In the cyber domain, each node (alert field) in the fused IDS alert graph is assigned a probability distribution across a small set of roles based on that node's features. A cyber attack should trigger IDS alerts and cause changes in the node features, but rather than track every feature for every alert-field node individually, roles provide a succinct, integrated summary of those feature changes. We measure changes in each node's probabilistic role assignment over time, and identify anomalies as deviations from expected roles. We test our approach using simulations including three weeks of normal background traffic, as well as cyber attacks that occur near the end of the simulations. This paper presents a novel approach to multi-modal data fusion and a novel application of role dynamics within the cyber-security domain. Our results show a drastic decrease in the false-positive rate when considering our anomaly indicator instead of the IDS alerts themselves, thereby reducing alarm fatigue and providing a promising avenue for threat intelligence in network defense.
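The pipeline the abstract describes, as an added illustration that is not the paper's code: constructed alerts from three sensors are fused into a weighted alert-field graph, every node receives a soft role distribution, and each time window is scored by the largest shift of any node's roles away from its baseline average. The role assignment used here is a distance-to-prototype softmax, an assumed stand-in for the paper's feature-based role discovery; the sensors, hosts, signatures, role prototypes and thresholds are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed alerts: (sensor, host, signature). Windows 1-3 are the quiet
# baseline; window 4 adds a burst of alerts about one host.
BASE = [("snort", "10.0.0.5", "ET SCAN")] * 2 + [("ossec", "10.0.0.5", "ssh failed login"),
        ("bro", "10.0.0.7", "weird dns"), ("snort", "10.0.0.9", "ET SCAN")]
ATTACK = ([("snort", "10.0.0.9", "shellcode")] * 5 + [("ossec", "10.0.0.9", "rootkit")] * 3
          + [("bro", "10.0.0.9", "exfil")] * 4)
WINDOWS = {1: BASE, 2: BASE + [("snort", "10.0.0.5", "ET SCAN")], 3: BASE, 4: BASE + ATTACK}
# Assumed role prototypes in normalised (degree, distinct neighbours, max edge weight) space.
ROLES = {"hub": (1.0, 1.0, 0.5), "leaf": (0.1, 0.2, 0.1), "repeater": (0.5, 0.2, 1.0)}

def alert_graph(alerts):
    """Nodes are alert-field values; two values that co-occur in one alert share
    an edge whose weight is the co-occurrence count (no network topology)."""
    w = defaultdict(float)
    for sensor, host, sig in alerts:
        n = (f"sensor:{sensor}", f"host:{host}", f"sig:{sig}")
        for i in range(3):
            for j in range(i + 1, 3):
                w[frozenset((n[i], n[j]))] += 1.0
    return w

def node_roles(graph, tau=0.2):
    """Soft role assignment: normalise node features by the window maximum, then
    softmax of negative squared distance to each prototype (assumed stand-in)."""
    deg, nbrs, mx = defaultdict(float), defaultdict(set), defaultdict(float)
    for edge, wt in graph.items():
        a, b = tuple(edge)
        for u, v in ((a, b), (b, a)):
            deg[u] += wt; nbrs[u].add(v); mx[u] = max(mx[u], wt)
    top = (max(deg.values()), max(len(s) for s in nbrs.values()), max(mx.values()))
    roles = {}
    for n in deg:
        f = (deg[n] / top[0], len(nbrs[n]) / top[1], mx[n] / top[2])
        s = {r: math.exp(-sum((x - y) ** 2 for x, y in zip(f, p)) / tau) for r, p in ROLES.items()}
        roles[n] = {r: v / sum(s.values()) for r, v in s.items()}
    return roles

def anomaly_scores(windows, baseline):
    """Per window: largest L1 shift of any node's role distribution from its
    baseline-average roles (a node unseen in the baseline is compared to uniform)."""
    per_win = {w: node_roles(alert_graph(a)) for w, a in windows.items()}
    expected = defaultdict(lambda: defaultdict(float))
    for w in baseline:
        for n, dist in per_win[w].items():
            for r, p in dist.items():
                expected[n][r] += p / len(baseline)
    uniform = {r: 1.0 / len(ROLES) for r in ROLES}
    return {w: max(sum(abs(p - expected.get(n, uniform)[r]) for r, p in d.items())
                   for n, d in roles.items()) for w, roles in per_win.items()}
```

With the constructed data, `anomaly_scores(WINDOWS, (1, 2, 3))` stays well below 0.5 for the three baseline windows and jumps above 1.0 for window 4, where host 10.0.0.9 turns from a leaf into a hub and the previously central nodes are pushed toward the leaf role.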
