Training effective cyber operatives requires realistic network environments that incorporate the structural and social complexities representative of the real world. Network traffic generators facilitate repeatable experiments for the development, training, and testing of cyber operations. However, current network traffic generators, ranging from simple load testers to complex frameworks, fail to capture the realism inherent in actual environments. In order to improve the realism of network traffic generated by these systems, it is necessary to quantitatively measure the level of realism in generated traffic with respect to the environment being mimicked. We categorize realism measures into statistical, content, and behavioral measurements, and propose various metrics that can be applied at each level to indicate how effectively the generated traffic mimics the real world.
This work presents a collection of methods used to effectively identify users of computer systems based on their particular usage of software and the network. Not only are we able to identify individual computer users by their behavioral patterns, we are also able to detect significant deviations in their typical computer usage over time, or compared to a group of their peers. For instance, most people have a small and relatively unique selection of regularly visited websites, certain email services, daily work hours, and typical preferred applications for mandated tasks. We argue that these habitual patterns are sufficiently specific to identify fully anonymized network users.
We demonstrate that with only a modest data collection capability, profiles of individual computer users can be constructed
so as to uniquely identify a profiled user from among their peers. As time progresses and habits or circumstances
change, the methods presented update each profile so that changes in user behavior can be reliably detected over both
abrupt and gradual time frames, without losing the ability to identify the profiled user.
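The abstract does not publish the profiling algorithm itself; a minimal sketch of the general idea, assuming a profile is a decayed frequency vector over observed features (e.g. visited domains) matched by cosine similarity, might look like this (all class and feature names are hypothetical):

```python
import math
from collections import Counter

class UserProfile:
    # Hypothetical profile: a weighted frequency vector over features such
    # as visited domains. Exponential decay lets gradual habit changes be
    # absorbed while the profile remains identifiable.
    def __init__(self, decay=0.9):
        self.decay = decay
        self.weights = Counter()

    def update(self, features):
        # Decay old evidence, then add the new observation window.
        for f in list(self.weights):
            self.weights[f] *= self.decay
        self.weights.update(features)

    def similarity(self, features):
        # Cosine similarity between the stored profile and a new window.
        obs = Counter(features)
        dot = sum(self.weights[f] * obs[f] for f in obs)
        na = math.sqrt(sum(v * v for v in self.weights.values()))
        nb = math.sqrt(sum(v * v for v in obs.values()))
        return dot / (na * nb) if na and nb else 0.0

def identify(profiles, features):
    # Attribute an anonymized observation window to the best-matching
    # known profile.
    return max(profiles, key=lambda u: profiles[u].similarity(features))

alice = UserProfile()
alice.update(["news.example", "mail.example", "news.example"])
bob = UserProfile()
bob.update(["code.example", "docs.example"])
who = identify({"alice": alice, "bob": bob},
               ["news.example", "mail.example"])
```

A sudden drop in a user's self-similarity score, or a window that matches a different profile better than its owner's, is the kind of signal the abstract describes as a detectable deviation.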
The primary benefit of our methodology is the efficient detection of deviant behaviors, such as subverted user accounts or organizational policy violations. Thanks to their relative robustness, these techniques can be used in scenarios with very diverse data collection capabilities and data privacy requirements. In addition to behavioral change detection, the generated profiles can also be compared against pre-defined examples of known adversarial patterns.
This work addresses new approaches to behavioral analysis of networks and hosts for the purposes of security
monitoring and anomaly detection. Most commonly used approaches simply implement anomaly detectors for one, or a few, simple metrics, and those metrics can exhibit unacceptable false alarm rates. For instance, when the anomaly score of network communication is defined as the reciprocal of the likelihood that a given host uses a particular protocol (or destination), this definition may result in an unrealistically high alerting threshold to avoid being flooded by false positives.
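The reciprocal-of-likelihood score mentioned above can be made concrete with empirical frequencies (the flow data below is invented for illustration):

```python
from collections import Counter

def anomaly_scores(observations):
    # Score each (host, protocol) pair as 1 / empirical likelihood.
    # Rare pairs score high, so a single fixed alert threshold must be
    # set very high to avoid flooding -- the false-positive problem
    # described above.
    counts = Counter(observations)
    total = sum(counts.values())
    return {pair: total / c for pair, c in counts.items()}

# Toy flow log: one host mostly speaks HTTPS, with two telnet flows.
flows = [("10.0.0.5", "https")] * 98 + [("10.0.0.5", "telnet")] * 2
scores = anomaly_scores(flows)
```

Here the telnet flows score 50 while routine HTTPS scores near 1; on a busy network even benign rare events reach such scores, which is why the paper argues for per-host, per-protocol metric and threshold selection instead of one global cutoff.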
We demonstrate that selecting and adapting the metrics and thresholds on a host-by-host or protocol-by-protocol basis can be done with established multivariate analyses such as principal component analysis (PCA). We show how to determine, for each network host, one or more metrics that capture the most information about its baseline behavior and reliably reveal relevant deviations. We describe the methodology used to pick from a large selection of available metrics, and illustrate a method for comparing the resulting classifiers.
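The abstract names PCA but not the selection procedure; one hedged sketch of how PCA loadings can rank candidate metrics is to standardize the per-host metric columns and power-iterate for the leading principal component, keeping the metrics with the largest absolute loadings (the toy data and function name are assumptions, not the paper's algorithm):

```python
import math

def first_pc_loadings(rows):
    # rows: one list of metric values per observation window.
    # Standardize each metric column, build the covariance (here,
    # correlation) matrix, and power-iterate for its leading eigenvector.
    # |loading| ranks how much each metric contributes to the dominant
    # mode of baseline variation.
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0
            for j in range(d)]
    z = [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]
    cov = [[sum(z[i][a] * z[i][b] for i in range(n)) / n
            for b in range(d)] for a in range(d)]
    v = [1.0] * d
    for _ in range(200):
        w = [sum(cov[a][b] * v[b] for b in range(d)) for a in range(d)]
        norm = math.sqrt(sum(x * x for x in w)) or 1.0
        v = [x / norm for x in w]
    return v

# Toy host baseline: metrics 0 and 1 co-vary (e.g. packets and bytes out),
# metric 2 is uncorrelated noise and should get a near-zero loading.
rows = [[t, 2 * t, (-1) ** t] for t in range(50)]
v = first_pc_loadings(rows)
```

Dedicating detectors only to the high-loading metrics is one way to realize the resource reduction claimed in the final paragraph of the abstract.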
Using our approach we are able to reduce the resources required to properly identify misbehaving hosts,
protocols, or networks, by dedicating system resources to only those metrics that actually matter in detecting
network deviations.
One significant drawback of currently available security products is their inability to correlate diverse sensor input. For instance, using only network intrusion detection data, a rootkit installed through a weak username-password combination may go unnoticed. Similarly, an administrator may never make the link between deteriorating response times from the database server and an attacker exfiltrating trusted data if these facts aren't presented together.
Current Security Information Management Systems (SIMS) can collect and represent diverse data but lack sufficient correlation algorithms. By using a Process Query System (PQS), we were able to quickly bring together data flowing from many sources, including NIDS, HIDS, server logs, CPU load, and memory usage. We constructed PQS models that describe the dynamic behavior of complicated attacks and failures, allowing us to detect and differentiate simultaneous sophisticated attacks on a target network.
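PQS itself is not described in the abstract; a minimal illustration of the underlying idea of model-based correlation, assuming an attack is modeled as an ordered sequence of stages and events from different sensors advance a per-host hypothesis through them (sensor names, labels, and events below are invented):

```python
# Hypothetical multistage attack model: each stage is a (sensor, label)
# pair that must be observed, in order, on the same host.
ATTACK_MODEL = [
    ("nids", "brute_force_login"),   # stage 1: password guessing on the wire
    ("hids", "rootkit_installed"),   # stage 2: host sensor flags a rootkit
    ("netflow", "bulk_outbound"),    # stage 3: unusual outbound volume
]

def correlate(events, model=ATTACK_MODEL):
    # Walk the merged, time-ordered event stream from all sensors and
    # report hosts on which the full attack chain was observed.
    progress = {}
    alerts = []
    for t, host, sensor, label in sorted(events):
        stage = progress.get(host, 0)
        if stage < len(model) and (sensor, label) == model[stage]:
            stage += 1
            progress[host] = stage
            if stage == len(model):
                alerts.append((t, host))  # full chain matched
    return alerts

# Interleaved events from three different sensor types; no single sensor
# sees the whole attack on db01.
events = [
    (1, "db01", "nids", "brute_force_login"),
    (2, "web01", "nids", "port_scan"),
    (3, "db01", "hids", "rootkit_installed"),
    (4, "db01", "netflow", "bulk_outbound"),
]
```

Each sensor's events are individually unremarkable; only the ordered combination across sources triggers an alert, which is the correlation gap in conventional tools that the abstract highlights.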
In this paper, we discuss the benefits of implementing such a multistage cyber attack detection system using PQS. We
focus on how data from multiple sources can be combined and used to detect and track comprehensive network security
events that go unnoticed using conventional tools.