Community-based anomaly detection

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F18%3A00324718" target="_blank" >RIV/68407700:21230/18:00324718 - isvavai.cz</a>

Nalezeny alternativní kódy

RIV/68407700:21240/18:00324718

Výsledek na webu

<a href="http://dx.doi.org/10.1109/WIFS.2018.8630772" target="_blank" >http://dx.doi.org/10.1109/WIFS.2018.8630772</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1109/WIFS.2018.8630772" target="_blank" >10.1109/WIFS.2018.8630772</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Community-based anomaly detection

Popis výsledku v původním jazyce

Network behaviour anomaly detection systems can detect zero-day attacks and work even with encrypted traffic. They maintain a model of normal behaviour and report any deviation as anomaly. Typically, a separated model for each host is generated or there is one model for the whole network. The model of normal can be built for the whole network or for each network host separately. The per host models suffer from a small amount of noisy data as the behaviour of a single user is typically not very stable. The single model for the whole network is more robust to fluctuations, but it is trying to find a normal behaviour of a group of hosts with possibly diverse behaviour. We propose a method for clustering network hosts based on their network behaviour to create groups of hosts that behave similarly. The anomaly detection models trained on such groups of network hosts are more robust to fluctuations of the behaviour of individual hosts when compared to the per host models. It is able to detect finer anomalies (e.g. stealthy data ex-filtration) that would be otherwise hidden by modelling diversely behaving network hosts together.

Název v anglickém jazyce

Community-based anomaly detection

Popis výsledku anglicky

Network behaviour anomaly detection systems can detect zero-day attacks and work even with encrypted traffic. They maintain a model of normal behaviour and report any deviation as anomaly. Typically, a separated model for each host is generated or there is one model for the whole network. The model of normal can be built for the whole network or for each network host separately. The per host models suffer from a small amount of noisy data as the behaviour of a single user is typically not very stable. The single model for the whole network is more robust to fluctuations, but it is trying to find a normal behaviour of a group of hosts with possibly diverse behaviour. We propose a method for clustering network hosts based on their network behaviour to create groups of hosts that behave similarly. The anomaly detection models trained on such groups of network hosts are more robust to fluctuations of the behaviour of individual hosts when compared to the per host models. It is able to detect finer anomalies (e.g. stealthy data ex-filtration) that would be otherwise hidden by modelling diversely behaving network hosts together.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

—

Návaznosti

S - Specificky vyzkum na vysokych skolach

Rok uplatnění

2018

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

Proceedings of IEEE International Workshop on Information Forensics and Security 2018

ISBN

—

ISSN

2157-4766

e-ISSN

2157-4766

Počet stran výsledku

6

Strana od-do

—

Název nakladatele

IEEE Signal Processing Society

Místo vydání

New Jersey

Místo konání akce

Hong Kong

Datum konání akce

11. 12. 2018

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000461290400014