This work addresses new approaches to behavioral analysis of networks and hosts for the purposes of security
monitoring and anomaly detection. The most commonly used approaches simply implement anomaly detectors for
one, or a few, simple metrics, and those metrics can exhibit unacceptable false alarm rates. For instance, the
anomaly score of a network communication is often defined as the reciprocal of the likelihood that a given host uses a
particular protocol (or destination); this definition may force an unrealistically high alerting threshold in order to
avoid being flooded by false positives.
We demonstrate that selecting and adapting the metrics and thresholds on a host-by-host or protocol-by-protocol
basis can be done with established multivariate analyses such as PCA. We show how to determine, for each network host,
one or more metrics that record the highest available amount of information regarding
the baseline behavior and reveal relevant deviations reliably. We describe the methodology used to pick from a
large selection of available metrics, and illustrate a method for comparing the resulting classifiers.
Using our approach we are able to reduce the resources required to properly identify misbehaving hosts,
protocols, or networks, by dedicating system resources only to those metrics that actually matter in detecting
network deviations.
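The two ideas in the abstract, the reciprocal-likelihood anomaly score and PCA-based selection of the metrics that carry the most baseline information for a host, as an added, self-contained illustration (not code from the paper). It assumes a constructed per-window count matrix for one host and uses power iteration for the first principal component so it runs without numpy.

```python
import math

# Constructed baseline for one host: connection counts per protocol in each
# observation window. Columns follow METRICS. Constructed data, not from the paper.
METRICS = ["dns", "http", "https", "smb", "ssh"]
BASELINE = [
    [100, 40, 80, 3, 1],
    [140, 35, 110, 2, 2],
    [90, 45, 70, 4, 1],
    [160, 38, 130, 3, 1],
    [110, 42, 85, 2, 2],
    [130, 36, 100, 5, 1],
]


def correlation_matrix(rows):
    """Standardize each column, then return the correlation matrix used as PCA input."""
    n, p = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(p)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) for j in range(p)]
    z = [[(r[j] - means[j]) / stds[j] for j in range(p)] for r in rows]
    return [[sum(zr[i] * zr[j] for zr in z) / n for j in range(p)] for i in range(p)]


def first_component(matrix, iters=500):
    """Dominant eigenvalue/eigenvector by power iteration: the first principal component."""
    p = len(matrix)
    v = [1.0 / math.sqrt(p)] * p
    for _ in range(iters):
        w = [sum(matrix[i][j] * v[j] for j in range(p)) for i in range(p)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    eigenvalue = sum(v[i] * sum(matrix[i][j] * v[j] for j in range(p)) for i in range(p))
    return eigenvalue, v


def rank_metrics(rows, names):
    """Order metrics by |loading| on PC1: the ones carrying most baseline variance come first,
    so a per-host detector can be restricted to the top few."""
    eigenvalue, loadings = first_component(correlation_matrix(rows))
    order = sorted(range(len(names)), key=lambda j: -abs(loadings[j]))
    return eigenvalue, [names[j] for j in order]


def reciprocal_likelihood_score(counts, protocol, vocab):
    """Anomaly score = 1 / P(host uses protocol), with add-one smoothing so an unseen
    protocol gets a finite but very large score: the single-metric detector whose
    threshold the abstract says must be set unrealistically high."""
    total = sum(counts.values()) + len(vocab)
    return total / (counts.get(protocol, 0) + 1)
```

In the constructed data dns and https move together while http moves against them, so PCA ranks those three first and the noisy smb/ssh counters last; a single unseen protocol, by contrast, scores over a hundred times higher than the host's dominant one.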