Statistical frameworks for detecting tunnelling in cyber defence using big data

Daniel John Lawson, Patrick T G Rubin-Delanchy, Nicholas A Heard, Niall M Adams

Research output: Contribution to conferenceConference Paperpeer-review

2 Citations (Scopus)
368 Downloads (Pure)

Abstract

How can we effectively use costly statistical models in the defence of large computer networks? Statistical modelling and machine learning are potentially powerful ways to detect threats as they do not require a human level understanding of the attack. However, they are rarely applied in practice as the computational cost of deploying all but the most simple algorithms can become implausibly large. Here we describe a multilevel approach to statistical modelling in which descriptions of the normal running of the network are built up from the lower netflow level to higher-level sessions and graph-level descriptions. Statistical models at low levels are most capable of detecting the unusual activity that might be a result of malicious software or hackers, but are too costly to run over the whole network. We develop a fast algorithm to identify tunnelling behaviour at the session level using 'telescoping' of sessions containing other sessions, and demonstrate that this allows a statistical model to be run at scale on netflow timings. The method is applied to a toy dataset using an artificial 'attack'.
Original languageEnglish
Pages248-251
Number of pages4
DOIs
Publication statusPublished - 26 Sep 2014
EventIntelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint - The Hague, Netherlands
Duration: 24 Sep 201426 Sep 2014

Conference

ConferenceIntelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint
CountryNetherlands
CityThe Hague
Period24/09/1426/09/14

Bibliographical note

Print ISBN: 978-1-4799-6363-8

Keywords

  • statistics
  • Cyber Security
  • Big Data

Fingerprint Dive into the research topics of 'Statistical frameworks for detecting tunnelling in cyber defence using big data'. Together they form a unique fingerprint.

Cite this