Scan statistics for the online detection of locally anomalous subgraphs

Identifying anomalies in computer networks is a challenging and complex problem. Often, anomalies occur in extremely local areas of the network. Locality is complex in this setting, since we have an underlying graph structure. To identify local anomalies, we introduce a scan statistic for data extracted from the edges of a graph over time. In the computer network setting, the data on these edges are multivariate measures of the communications between two distinct machines, over time. We describe two shapes for capturing locality in the graph: the star and the k-path. While the star shape is not new to the literature, the path shape, when used as a scan window, appears to be novel. Both of these shapes are motivated by hacker behaviors observed in real attacks. A hacker who is using a single central machine to examine other machines creates a star-shaped anomaly on the edges emanating from the central node. Paths represent traversal of a hacker through a network, using a set of machines in sequence. To identify local anomalies, these shapes are enumerated over the entire graph, over a set of sliding time windows. Local statistics in each window are compared with their historic behavior to capture anomalies within the window. These local statistics are model-based. To capture the communications between computers, we have applied two different models, observed and hidden Markov models, to each edge in the network. These models have been effective in handling various aspects of this type of data, but do not completely describe the data. Therefore, we also present ongoing work in the modeling of host-to-host communications in a computer network. Data speeds on larger networks require online detection to be nimble. We describe a full anomaly detection system, which has been applied to a corporate sized network and achieves better than real-time analysis speed. We present results on simulated data whose parameters were estimated from real network data. In addition, we present a result from our analysis of a real, corporate-sized network data set. These results are very encouraging, since the detection corresponded to exactly the type of behavior we hope to detect

ARF : an Automated Real-Time Fuzzy Logic Threat Evaluation System.

Intrusion Detection has emerged as a powerful component of network security systems. A wide range of hardware and software components exist to meet most basic security needs on all platforms. These systems log system usage that could be considered as a breach of security in many networks. However, signature based intrusion detection systems have one catastrophic downfall, in that the number of alerts being logged can quickly outgrow the amount of resources necessary to investigate this anomalous behavior. This thesis explores the use of a fuzzy logic based analysis engine that gives an overall threat level of an intrusion detection sensor, prioritizing alerts that are the most threatening. This application gives security personnel a launching point to determine where security holes exist and a snapshot of the threats that exist in a system. The fuzzy logic system is based on a set of membership functions that define certain metrics from an alert dataset and a set of rules that determine a threat level based on the defined metrics. This application functions as a proof of concept prototype for an administrative tool that can analyze multiple sensors across multiple networks and give a reasonable output of the threat level across a series of intrusion detection sensors on a network. Initial testing indicates promising performance results for testing the threat level of a remote sensor using this methodology

Scalable Honeypot Monitoring and Analytics

Honeypot systems with a large number of instances pose new challenges in terms of monitoring and analytics. They produce a significant amount of data and require the analyst to monitor every new honeypot instance in the system. Specifically, current approaches require each honeypot instance to be monitored and analysed individually. Therefore, these cannot scale to support scenarios in which a large number of honeypots are used. Furthermore, amalgamating data from a large number of honeypots presents new opportunities to analyse trends. This thesis proposes a scalable monitoring and analytics system that is designed to address this challenge. It consists of three components: monitoring, analysis and visualisation. The system automatically monitors each new honeypot, reduces the amount of collected data and stores it centrally. All gathered data is analysed in order to identify patterns of attacker behaviour. Visualisation conveniently displays the analysed data to an analyst. A user study was performed to evaluate the system. It shows that the solution has met the requirements posed to a scalable monitoring and analytics system. In particular, the monitoring and analytics can be implemented using only open-source software and does not noticeably impact the performance of individual honeypots or the scalability of the overall honeypot system. The thesis also discusses several variations and extensions, including detection of new patterns, and the possibility of providing feedback when used in an educational setting, monitoring attacks by information-security students