Guardado en:
Detalles Bibliográficos
Autores principales: Kandanaarachchi, Sevvandi, Abolghasemi, Mahdi, Ochiai, Hideya, Rao, Asha, Sanderson, Conrad
Formato: Preprint
Publicado: 2023
Materias:
Acceso en línea:https://arxiv.org/abs/2304.13941
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866911714656649216
author Kandanaarachchi, Sevvandi
Abolghasemi, Mahdi
Ochiai, Hideya
Rao, Asha
Sanderson, Conrad
author_facet Kandanaarachchi, Sevvandi
Abolghasemi, Mahdi
Ochiai, Hideya
Rao, Asha
Sanderson, Conrad
contents Continuously evolving cyber-attacks against industrial networks reduce the effectiveness of signature-based detection methods. Once malware has infiltrated a network (for example, entering via an unsecured device), it can infect further network nodes and carry out malicious activity. Infected nodes can exhibit unusual behaviour in their use of Address Resolution Protocol (ARP) calls within the network. In order to detect such anomalous nodes, we propose a two-stage method: (i) modelling of ARP call behaviour via hierarchical time series prediction methods, and (ii) exploiting Extreme Value Theory (EVT) to robustly detect whether deviations from expected behaviour are anomalous. EVT is able to handle heavy-tailed distributions which are exhibited by internet traffic. Empirical evaluations on a real-life dataset containing over 10M ARP calls from 362 nodes show that the proposed method results in considerably reduced number of false positives, addressing the problem of alert fatigue commonly reported by security professionals.
format Preprint
id arxiv_https___arxiv_org_abs_2304_13941
institution arXiv
publishDate 2023
record_format arxiv
spellingShingle Detection of Anomalous Network Nodes via Hierarchical Prediction and Extreme Value Theory
Kandanaarachchi, Sevvandi
Abolghasemi, Mahdi
Ochiai, Hideya
Rao, Asha
Sanderson, Conrad
Cryptography and Security
Continuously evolving cyber-attacks against industrial networks reduce the effectiveness of signature-based detection methods. Once malware has infiltrated a network (for example, entering via an unsecured device), it can infect further network nodes and carry out malicious activity. Infected nodes can exhibit unusual behaviour in their use of Address Resolution Protocol (ARP) calls within the network. In order to detect such anomalous nodes, we propose a two-stage method: (i) modelling of ARP call behaviour via hierarchical time series prediction methods, and (ii) exploiting Extreme Value Theory (EVT) to robustly detect whether deviations from expected behaviour are anomalous. EVT is able to handle heavy-tailed distributions which are exhibited by internet traffic. Empirical evaluations on a real-life dataset containing over 10M ARP calls from 362 nodes show that the proposed method results in considerably reduced number of false positives, addressing the problem of alert fatigue commonly reported by security professionals.
title Detection of Anomalous Network Nodes via Hierarchical Prediction and Extreme Value Theory
topic Cryptography and Security
url https://arxiv.org/abs/2304.13941