Statistical frameworks for detecting tunnelling in cyber defence using big data

Daniel John Lawson; Patrick T G Rubin-Delanchy; Nicholas A Heard; Niall M Adams

doi:10.1109/JISIC.2014.47

Statistical frameworks for detecting tunnelling in cyber defence using big data

Daniel John Lawson, Patrick T G Rubin-Delanchy, Nicholas A Heard, Niall M Adams

Research output: Contribution to conference › Conference Paper › peer-review

2 Citations (Scopus)

455 Downloads (Pure)

Abstract

How can we effectively use costly statistical models in the defence of large computer networks? Statistical modelling and machine learning are potentially powerful ways to detect threats as they do not require a human level understanding of the attack. However, they are rarely applied in practice as the computational cost of deploying all but the most simple algorithms can become implausibly large. Here we describe a multilevel approach to statistical modelling in which descriptions of the normal running of the network are built up from the lower netflow level to higher-level sessions and graph-level descriptions. Statistical models at low levels are most capable of detecting the unusual activity that might be a result of malicious software or hackers, but are too costly to run over the whole network. We develop a fast algorithm to identify tunnelling behaviour at the session level using 'telescoping' of sessions containing other sessions, and demonstrate that this allows a statistical model to be run at scale on netflow timings. The method is applied to a toy dataset using an artificial 'attack'.

Original language	English
Pages	248-251
Number of pages	4
DOIs	https://doi.org/10.1109/JISIC.2014.47
Publication status	Published - 26 Sept 2014
Event	Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint - The Hague, Netherlands Duration: 24 Sept 2014 → 26 Sept 2014

Conference

Conference	Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint
Country/Territory	Netherlands
City	The Hague
Period	24/09/14 → 26/09/14

Bibliographical note

Print ISBN: 978-1-4799-6363-8

Keywords

statistics
Cyber Security
Big Data

Access to Document

10.1109/JISIC.2014.47

LawsonEtAl2014-StatisticalCyberDefenseBigData
Copyright © 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Accepted author manuscript, 237 KB

Handle.net

Persistent link

Cite this

@conference{5fe54bc30594435eb75cf231b4c58c9b,

title = "Statistical frameworks for detecting tunnelling in cyber defence using big data",

abstract = "How can we effectively use costly statistical models in the defence of large computer networks? Statistical modelling and machine learning are potentially powerful ways to detect threats as they do not require a human level understanding of the attack. However, they are rarely applied in practice as the computational cost of deploying all but the most simple algorithms can become implausibly large. Here we describe a multilevel approach to statistical modelling in which descriptions of the normal running of the network are built up from the lower netflow level to higher-level sessions and graph-level descriptions. Statistical models at low levels are most capable of detecting the unusual activity that might be a result of malicious software or hackers, but are too costly to run over the whole network. We develop a fast algorithm to identify tunnelling behaviour at the session level using 'telescoping' of sessions containing other sessions, and demonstrate that this allows a statistical model to be run at scale on netflow timings. The method is applied to a toy dataset using an artificial 'attack'.",

keywords = "statistics, Cyber Security, Big Data",

author = "Lawson, {Daniel John} and Rubin-Delanchy, {Patrick T G} and Heard, {Nicholas A} and Adams, {Niall M}",

note = "Print ISBN: 978-1-4799-6363-8; Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint ; Conference date: 24-09-2014 Through 26-09-2014",

year = "2014",

month = sep,

day = "26",

doi = "10.1109/JISIC.2014.47",

language = "English",

pages = "248--251",

}

TY - CONF

T1 - Statistical frameworks for detecting tunnelling in cyber defence using big data

AU - Lawson, Daniel John

AU - Rubin-Delanchy, Patrick T G

AU - Heard, Nicholas A

AU - Adams, Niall M

N1 - Print ISBN: 978-1-4799-6363-8

PY - 2014/9/26

Y1 - 2014/9/26

N2 - How can we effectively use costly statistical models in the defence of large computer networks? Statistical modelling and machine learning are potentially powerful ways to detect threats as they do not require a human level understanding of the attack. However, they are rarely applied in practice as the computational cost of deploying all but the most simple algorithms can become implausibly large. Here we describe a multilevel approach to statistical modelling in which descriptions of the normal running of the network are built up from the lower netflow level to higher-level sessions and graph-level descriptions. Statistical models at low levels are most capable of detecting the unusual activity that might be a result of malicious software or hackers, but are too costly to run over the whole network. We develop a fast algorithm to identify tunnelling behaviour at the session level using 'telescoping' of sessions containing other sessions, and demonstrate that this allows a statistical model to be run at scale on netflow timings. The method is applied to a toy dataset using an artificial 'attack'.

AB - How can we effectively use costly statistical models in the defence of large computer networks? Statistical modelling and machine learning are potentially powerful ways to detect threats as they do not require a human level understanding of the attack. However, they are rarely applied in practice as the computational cost of deploying all but the most simple algorithms can become implausibly large. Here we describe a multilevel approach to statistical modelling in which descriptions of the normal running of the network are built up from the lower netflow level to higher-level sessions and graph-level descriptions. Statistical models at low levels are most capable of detecting the unusual activity that might be a result of malicious software or hackers, but are too costly to run over the whole network. We develop a fast algorithm to identify tunnelling behaviour at the session level using 'telescoping' of sessions containing other sessions, and demonstrate that this allows a statistical model to be run at scale on netflow timings. The method is applied to a toy dataset using an artificial 'attack'.

KW - statistics

KW - Cyber Security

KW - Big Data

U2 - 10.1109/JISIC.2014.47

DO - 10.1109/JISIC.2014.47

M3 - Conference Paper

SP - 248

EP - 251

T2 - Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint

Y2 - 24 September 2014 through 26 September 2014

ER -

Statistical frameworks for detecting tunnelling in cyber defence using big data

Abstract

Conference

Bibliographical note

Keywords

Access to Document

Handle.net

Fingerprint

Cite this