    An Improved Composite Hypothesis Test for Markov Models with Applications in Network Anomaly Detection

    Recent work has proposed the use of a composite hypothesis Hoeffding test for statistical anomaly detection. Setting an appropriate threshold for the test given a desired false alarm probability involves approximating the false alarm probability. To that end, a large deviations asymptotic is typically used which, however, often results in an inaccurate setting of the threshold, especially for relatively small sample sizes. This, in turn, results in an anomaly detection test that does not control well for false alarms. In this paper, we develop a tighter approximation using the Central Limit Theorem (CLT) under Markovian assumptions. We apply our result to a network anomaly detection application and demonstrate its advantages over earlier work. Comment: 6 pages, 6 figures; final version for CDC 201

    Robust Anomaly Detection in Dynamic Networks

    We propose two robust methods for anomaly detection in dynamic networks in which the properties of normal traffic are time-varying. We formulate the robust anomaly detection problem as a binary composite hypothesis testing problem and propose two methods: a model-free and a model-based one, leveraging techniques from the theory of large deviations. Both methods require a family of Probability Laws (PLs) that represent normal properties of traffic. We devise a two-step procedure to estimate this family of PLs. We compare the performance of our robust methods and their vanilla counterparts, which assume that normal traffic is stationary, on a network with a diurnal normal pattern and a common anomaly related to data exfiltration. Simulation results show that our robust methods perform better than their vanilla counterparts in dynamic networks. Comment: 6 pages. MED conferenc

    Network anomaly detection: a survey and comparative analysis of stochastic and deterministic methods

    We present five methods for the problem of network anomaly detection. These methods cover most of the common techniques in the anomaly detection field, including Statistical Hypothesis Tests (SHT), Support Vector Machines (SVM) and clustering analysis. We evaluate all methods in a simulated network that consists of nominal data, three flow-level anomalies and one packet-level attack. Through analyzing the results, we point out the advantages and disadvantages of each method and conclude that combining the results of the individual methods can yield improved anomaly detection results. Comment: 7 pages; 1 more figure than the final CDC 2013 version

    Anomaly detection using adaptive resonance theory

    Thesis (M.S.)--Boston University. This thesis focuses on the problem of anomaly detection in computer networks. Anomalies are often malicious intrusion attempts that represent a serious threat to network security. Adaptive Resonance Theory (ART) is used as a classification scheme for identifying malicious network traffic. ART was originally developed as a theory to explain how the human eye categorizes visual patterns. For network intrusion detection, the core ART algorithm is implemented as a clustering algorithm that groups network traffic into clusters. A machine learning process allows the number of clusters to change over time to best conform to the data. Network traffic is characterized by network flows, which represent a packet, or series of packets, between two distinct nodes on a network. These flows can contain a number of attributes, including IP addresses, ports, size, and duration. These attributes form a multi-dimensional vector that is used in the clustering process. Once data is clustered along the defined dimensions, anomalies are identified as data points that do not match known good or nominal network traffic. The ART clustering algorithm is tested on a realistic network environment that was generated using the network flow simulation tool FS. The clustering results for this simulation show very promising detection rates for the ART clustering algorithm

    Utilizing Machine Learning Classifiers to Identify SSH Brute Force Attacks

    SSH brute force attacks are a type of network attack in which an attacker tries to guess the username and password of a user on the Secure Shell protocol. This kind of attack is simple to perform, and the results from a successfully compromised system can lead to a number of destructive outcomes. Because of its simplicity and potential payout, large networks experience many instances of these attacks in their traffic, and current prevention methods rely heavily on per-machine logs that, in aggregate, take up a large amount of space. This paper explores the use of machine learning algorithms in detecting and preventing these kinds of attacks as an alternative to the firewall techniques used today. We use three different classifiers - naïve Bayes, K-nearest neighbors, and decision trees - on a publicly available dataset of labeled network flows to classify unknown network flows into benign and SSH brute force categories. Our results show that machine learning is very well suited for this task, with all of our classifiers having accuracy scores of over 85% in the classification of our test data

    Controller-agnostic SDN Debugging


    Detection and optimization problems with applications in smart cities

    This dissertation proposes solutions to a selected set of detection and optimization problems, whose applications are focused on transportation systems. The goal is to help build smarter and more efficient transportation systems, hence smarter cities. Problems with dynamics evolving in two different time-scales are considered: (1) In a fast time-scale, the dissertation considers the problem of detection, especially statistical anomaly detection in real-time. From a theoretical perspective and under Markovian assumptions, novel threshold estimators are derived for the widely used Hoeffding test. This results in a test with a much better ability to control false alarms while maintaining a high detection rate. From a practical perspective, the improved test is applied to detecting non-typical traffic jams in the Boston road network using real traffic data reported by the Waze smartphone navigation application. The detection results can alert the drivers to reroute so as to avoid the corresponding areas and provide the most urgent "targets" to the Transportation department and/or emergency services to intervene and remedy the underlying cause resulting in these jams, thus, improving transportation systems and contributing to the smart city agenda. (2) In a slower time-scale, the dissertation investigates a host of optimization problems, including estimation and adjustment of Origin-Destination (OD) demand, traffic assignment, recovery of travel cost functions, and joint recovery of travel cost functions and OD demand (joint problem). Integrating these problems leads to a data-driven predictive model which serves to diagnose/control/optimize the transportation network. To ensure good accuracy of the predictive model and increase its robustness and consistency, several novel formulations for the travel cost function recovery problem and the joint problem are proposed. 
    A data-driven framework is proposed to evaluate the Price-of-Anarchy (PoA; a metric assessing the degree of congestion under selfish user-centric routing vs. socially-optimal system-centric routing). For the case where the PoA is larger than expected, three viable strategies are proposed to reduce it. To demonstrate the effectiveness and efficiency of the proposed approaches, case studies are conducted on three benchmark transportation networks using synthetic data and an actual road network (from Eastern Massachusetts (EMA)) using real traffic data. Moreover, to facilitate research in the transportation community, the largest highway subnetwork of EMA has been released as a new benchmark network

    Anomaly detection and dynamic decision making for stochastic systems

    Thesis (Ph.D.)--Boston University. This dissertation focuses on two types of problems, both of which are related to systems with uncertainties. The first problem concerns network system anomaly detection. We present several stochastic and deterministic methods for anomaly detection of networks whose normal behavior is not time-varying. Our methods cover most of the common techniques in the anomaly detection field. We evaluate all methods in a simulated network that consists of nominal data, three flow-level anomalies and one packet-level attack. Through analyzing the results, we summarize the advantages and the disadvantages of each method. As a next step, we propose two robust stochastic anomaly detection methods for networks whose normal behavior is time-varying. We develop a procedure for learning the underlying family of patterns that characterize a time-varying network. This procedure first estimates a large class of patterns from network data and then refines it to select a representative subset. The latter part formulates the refinement problem using ideas from set covering via integer programming. Then we propose two robust methods, one model-free and one model-based, to evaluate whether a sequence of observations is drawn from the learned patterns. Simulation results show that the robust methods have significant advantages over the alternative stationary methods in time-varying networks. The final anomaly detection setting we consider targets the detection of botnets before they launch an attack. Our method analyzes the social graph of the nodes in a network and consists of two stages: (i) network anomaly detection based on large deviations theory and (ii) community detection based on a refined modularity measure. We apply our method on real-world botnet traffic and compare its performance with other methods.
    The second problem considered by this dissertation concerns sequential decision making under uncertainty, which can be modeled by Markov Decision Processes (MDPs). We focus on methods with an actor-critic structure, where the critic part estimates the gradient of the overall objective with respect to tunable policy parameters and the actor part optimizes a policy with respect to these parameters. Most existing actor-critic methods use Temporal Difference (TD) learning to estimate the gradient and steepest gradient ascent to update the policies. Our first contribution is to propose an actor-critic method that uses a Least Squares Temporal Difference (LSTD) method, which is known to converge faster than the TD methods. Our second contribution is to develop a new Newton-like actor-critic method that performs better especially for ill-conditioned problems. We evaluate our methods in problems motivated from robot motion control