Slow-Paced Persistent Network Attacks Analysis and Detection Using Spectrum Analysis

Chen, Li Ming; Hsiao, Shun-Wen; Chen, Meng Chang; Liao, Wanjiun

doi:10.1109/jsyst.2014.2348567

Cited by 7 publications

(3 citation statements)

References 20 publications

(24 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nearly all studies conducting spectral analysis of network logs for the purpose of intrusion detection use datasets where known "attack" time series are artificially overlaid on top of (either real or synthetic) benign network traffic [2,5,9,12], allowing for algorithmic design to be tailored to the characteristics of the known malicious signal. By contrast, we apply our algorithm to network logs obtained from a large partner organization, where presence of attacks, as well as instances of benign periodic activity, are unknown and unlabeled, and which exhibit larger volumes of automated traffic than can be parsed through manually to separate malicious from benign.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Visualizing Automatically Detected Periodic Network Activity

Gove¹,

Deason²

2018

Preprint

View full text Add to dashboard Cite

Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multiple distinct period lengths in a given timeseries. We pair the output of this algorithm with aggregation summary tables that give users information scent about which detections are worth investigating based on the metadata of the log events rather than the periodic signal. A visualization of selected detections enables users to see all detected period lengths per entity, and compare detections between entities to check for coordinated activity. We evaluate our approach on real-world netflow and DNS data from a large organization, demonstrating how to successfully find malicious periodic activity in a large pool of noise and non-malicious periodic activity.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Chen et al [9] propose an adaptive method to iteratively test for progressively longer periods. This iterative procedure stops when a significant period is detected, and therefore, unlike the method we propose, cannot identify multiple periods present in the same signal.…”

Section: Related Workmentioning

confidence: 99%

Visualizing Automatically Detected Periodic Network Activity

Gove¹,

Deason²

2018

Preprint

View full text Add to dashboard Cite

show abstract

“…The problem of periodicity detection in computer network traffic has been extensively studied in the computer science literature. Common approaches include spectral analysis (Barbosa et al 2012;AsSadhan and Moura 2014;Price-Williams et al 2017), which are often combined with thresholding methods (Bartlett et al 2011;Huynh et al 2016;Chen et al 2016). Alternatives include modelling of inter-arrival times (Bilge et al 2012;Qiao et al 2012;Hubballi and Goyal 2013), where distributional assumptions are imposed and the behaviour is tested under the null of no periodicities (He et al 2009;McPherson and Ortega 2011).…”

Section: Introductionmentioning

confidence: 99%

Classification of periodic arrivals in event time data for filtering computer network traffic

Passino

Heard

2020

Stat Comput

View full text Add to dashboard Cite

Periodic patterns can often be observed in real-world event time data, possibly mixed with non-periodic arrival times. For modelling purposes, it is necessary to correctly distinguish the two types of events. This task has particularly important implications in computer network security; there, separating automated polling traffic and human-generated activity in a computer network is important for building realistic statistical models for normal activity, which in turn can be used for anomaly detection. Since automated events commonly occur at a fixed periodicity, statistical tests using Fourier analysis can efficiently detect whether the arrival times present an automated component. In this article, sequences of arrival times which contain automated events are further examined, to separate polling and non-periodic activity. This is first achieved using a simple mixture model on the unit circle based on the angular positions of each event time on the p-clock, where p represents the main periodicity associated with the automated activity; this model is then extended by combining a second source of information, the time of day of each event. Efficient implementations exploiting conjugate Bayesian models are discussed, and performance is assessed on real network flow data collected at Imperial College London.

show abstract