Time correlated anomaly detection based on inferences
Conference contribution. Posted on 2013-01-01, 00:00. Authored by A Olabelurin, G Kallos, Yang Xiang, R Bloomfield, S Veluru, M Rajarajan.
Anomaly detection techniques find anomalous activity in a network by comparing observed traffic against a "normal" baseline. Although the approach has several advantages, including detection of "zero-day" attacks, how precisely a system's deviation from its "normal" behaviour is defined matters for reducing the number of false positives. This study proposes a novel multi-agent, network-based framework, the Statistical model for Correlation and Detection (SCoDe), an anomaly detection framework that looks for time-correlated anomalies by leveraging the statistical properties of a large network and monitoring the rate of event occurrence based on event intensity. SCoDe is an instantaneous learning-based anomaly detector and so departs from the conventional technique of running a training phase before detection; it acquires its baseline through the improved extension of the Exponential Weighted Moving Average (EWMA) proposed in this study. SCoDe requires no prior knowledge of the network traffic and no administrator-chosen reference window designated as normal; instead it builds on the statistical properties of different attributes of the network traffic to correlate undesirable deviations and identify abnormal patterns. The approach is generic, since it can easily be modified to fit particular types of problems given a predefined attribute, and it is highly robust because of the proposed statistical approach. The framework targets attacks that increase the number of activities on a network server, examples of which include Distributed Denial of Service (DDoS), flood and flash-crowd events. This paper provides a mathematical foundation for SCoDe and describes the specific implementation and testing of the approach on a network log file generated from the cyber range simulation experiment of the project's industrial partner.
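The abstract describes detection of rate-increasing attacks by tracking event-occurrence rates with an EWMA-style baseline that needs no separate training phase. The following is an added example written for this page, not the paper's SCoDe code or its EWMA extension: it uses the standard EWMA mean and variance recursions over constructed per-second event counts. The smoothing factor, the k-sigma threshold, the Poisson-style floor on sigma, the warm-up length and the clipped baseline update are this example's own assumptions.

```python
"""EWMA-based event-rate anomaly detector (added example, not the paper's SCoDe)."""
import math


class EwmaRateDetector:
    """Tracks the per-interval event count with an exponentially weighted mean
    and variance, and flags intervals whose count rises more than k standard
    deviations above the running baseline.

    Assumptions (this example's choices, not taken from the paper): alpha, k,
    warmup, the sqrt(mean) floor on sigma and the clipped baseline update.
    """

    def __init__(self, alpha=0.2, k=3.0, warmup=5):
        self.alpha = alpha      # smoothing factor: weight given to the newest sample
        self.k = k              # alert threshold in standard deviations
        self.warmup = warmup    # samples to absorb before any alert is raised
        self.mean = None        # EWMA of the count (None until the first sample)
        self.var = 0.0          # EWMA of the squared deviation
        self.n = 0              # samples seen so far

    def _sigma(self):
        # Event counts are roughly Poisson, so sqrt(mean) is a natural lower bound
        # on the spread; it stops a perfectly flat baseline from driving sigma to 0.
        return max(math.sqrt(self.var), math.sqrt(max(self.mean, 1.0)))

    def update(self, count):
        """Feed one interval's event count. Returns (is_anomaly, z_score)."""
        if self.mean is None:
            # Instantaneous start: the first observation *is* the initial baseline,
            # so no prior training window is needed.
            self.mean = float(count)
            self.n = 1
            return False, 0.0

        dev = count - self.mean
        sigma = self._sigma()
        z = dev / sigma
        bound = self.k * sigma
        # Floods and flash crowds only push the rate upward, so only upward
        # deviations are treated as anomalies here.
        anomaly = self.n >= self.warmup and dev > bound

        # Robust update: clip the deviation before it enters the baseline so a
        # burst cannot drag the mean up fast enough to hide its own later seconds.
        clipped = max(-bound, min(bound, dev))
        self.mean += self.alpha * clipped
        self.var = (1.0 - self.alpha) * (self.var + self.alpha * clipped * clipped)
        self.n += 1
        return anomaly, z


def events_per_second(timestamps):
    """Bucket event timestamps (seconds, floats) into per-second counts."""
    if not timestamps:
        return []
    counts = [0] * (int(max(timestamps)) + 1)
    for t in timestamps:
        counts[int(t)] += 1
    return counts


def detect_bursts(counts, alpha=0.2, k=3.0, warmup=5):
    """Return the indices of intervals the detector flags as anomalous."""
    det = EwmaRateDetector(alpha=alpha, k=k, warmup=warmup)
    flagged = []
    for idx, c in enumerate(counts):
        hit, _z = det.update(c)
        if hit:
            flagged.append(idx)
    return flagged


# Constructed sample: 40 s of a quiet baseline (4-6 requests/s), a 4 s flood
# (60-70 requests/s) at t = 40..43, then 6 s back at the baseline rate.
SAMPLE_COUNTS = [5, 4, 6, 5, 5, 4, 6, 5] * 5 + [60, 70, 65, 60] + [5, 5, 4, 6, 5, 5]

if __name__ == "__main__":
    print("flagged seconds:", detect_bursts(SAMPLE_COUNTS))  # expected: [40, 41, 42, 43]
```

Because the baseline is updated from the first observation onward, the detector has no separate training phase; the warm-up only suppresses alerts for the first few samples while the variance estimate settles. Clipping the deviation before it enters the EWMA is a deliberate design choice: without it, the first flood second would inflate the mean and variance enough that the following seconds of the same flood fall under the threshold and go unreported.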
History
Event: Information Warfare and Security. European Conference (12th : 2013 : Jyvaskyla, Finland)
Pagination: 351 - 360
Publisher: Academic Conference and Publishing International Limited
Location: Jyvaskyla, Finland
Place of publication: [Jyvaskyla, Finland]
Start date: 2013-07-11
End date: 2013-07-12
ISSN: 2048-8610
eISSN: 2048-8602
ISBN-13: 9781909507340
ISBN-10: 1909507342
Language: eng
Publication classification: E1 Full written paper - refereed
Copyright notice: 2013, ECIWS
Editor/Contributor(s): R Kuusisto, E Kurkinen
Title of proceedings: ECIWS 2013 : Proceedings of the European Conference on Information Warfare and Security