Statistical frameworks for detecting tunnelling in cyber defence using big data

Daniel John Lawson, Patrick T G Rubin-Delanchy, Nicholas A Heard, Niall M Adams

Research output: Contribution to conferenceConference Paperpeer-review

2 Citations (Scopus)
434 Downloads (Pure)


How can we effectively use costly statistical models in the defence of large computer networks? Statistical modelling and machine learning are potentially powerful ways to detect threats as they do not require a human level understanding of the attack. However, they are rarely applied in practice as the computational cost of deploying all but the most simple algorithms can become implausibly large. Here we describe a multilevel approach to statistical modelling in which descriptions of the normal running of the network are built up from the lower netflow level to higher-level sessions and graph-level descriptions. Statistical models at low levels are most capable of detecting the unusual activity that might be a result of malicious software or hackers, but are too costly to run over the whole network. We develop a fast algorithm to identify tunnelling behaviour at the session level using 'telescoping' of sessions containing other sessions, and demonstrate that this allows a statistical model to be run at scale on netflow timings. The method is applied to a toy dataset using an artificial 'attack'.
Original languageEnglish
Number of pages4
Publication statusPublished - 26 Sept 2014
EventIntelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint - The Hague, Netherlands
Duration: 24 Sept 201426 Sept 2014


ConferenceIntelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint
CityThe Hague

Bibliographical note

Print ISBN: 978-1-4799-6363-8


  • statistics
  • Cyber Security
  • Big Data


Dive into the research topics of 'Statistical frameworks for detecting tunnelling in cyber defence using big data'. Together they form a unique fingerprint.

Cite this