Abstract
In this paper we present a protocol-aware anomaly detection framework specifically designed for back office networks together with a new automatic method for feature selection that allows to dramatically reduce the false positive rate (FPR) without compromising the detection rate (DR). The system monitors SMB and MS-RPC (the main protocols in back office networks) and takes into consideration specific features of SMB such as the presence of file paths, which are noisy, yet contain information necessary to detect some attacks. As a part of the framework we introduce a new method to cut the FPR by carefully building and selecting the right set of features to be monitored. In back office networks this is a challenging task where manual selection requires carefully exploring the network traffic to choose from numerous potential features. Also features need to be resilient to irregularities in the traffic caused by human involvement. Our framework automates selection utilizing two new metrics to determine the ‘quality’ of a feature: stability, i.e. its robustness to false alarms and granularity, i.e. the relative amount of information contained. Our experiments show a significant improvement in FPR-DR trade-off when our framework is used to select features in detection of network-based exploits and malicious file accesses.
This work has been supported by the NWO through the SpySpot project (no. 628.001.004).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Hadžiosmanović, D., Simionato, L., Bolzoni, D., Zambon, E., Etalle, S.: N-gram against the machine: on the feasibility of the N-gram network analysis for binary protocols. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 354–373. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33338-5_18
Costante, E., Hartog, J., Petković, M., Etalle, S., Pechenizkiy, M.: Hunting the unknown. In: Atluri, V., Pernul, G. (eds.) DBSec 2014. LNCS, vol. 8566, pp. 243–259. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43936-4_16
Costante, E., Etalle, S., Fauri, D., den Hartog, J.I., Zannone, N.: A hybrid framework for data loss prevention and detection. In: Workshop on Research for Insider Threats (2016)
Yüksel, O., den Hartog, J., Etalle, S.: Reading between the fields: practical, effective intrusion detection for industrial control systems. In: Proceedings of the 31st Annual ACM Symposium on Applied Computing (SAC 2016), pp. 2063–2070. ACM (2016)
Kloft, M., Brefeld, U., Düessel, P., Gehl, C., Laskov, P.: Automatic feature selection for anomaly detection. In: Proceedings of the 1st ACM Workshop on Workshop on AISec (AISec 2008), pp. 71–76, NY, USA. ACM, New York (2008)
Gates, C., Li, N., Xu, Z., Chari, S.N., Molloy, I., Park, Y.: Detecting insider information theft using features from file access logs. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 383–400. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11212-1_22
Bronk, C., Tikk-Ringas, E.: The cyber attack on saudi aramco. Survival 55(2), 81–96 (2013)
Windows Protocols (2016). https://msdn.microsoft.com/en-us/library/jj712081.aspx. Accessed 29 Sep 2016
Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: Network anomaly detection: methods, systems and tools. IEEE Commun. Surv. Tutor. 16(1), 303–336 (2014)
Kunen, K.: Set Theory An Introduction to Independence Proofs, vol. 102. Elsevier, Amsterdam (2014)
Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection. In: Barbará, D., Jajodia, D. (eds.) Applications of Data Mining in Computer Security. Advances in Information Security, vol. 6, pp. 77–101. Springer, Heidelberg (2002)
Combs, G., et al.: Wireshark (2015). http://www.wireshark.org/
Guyon, I., Elisseeff, A.: An introduction to variable and feature selection. J. Mach. Learn. Res. 3, 1157–1182 (2003)
Rapid7 LLC: The metasploit framework (2007)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Yüksel, Ö., den Hartog, J., Etalle, S. (2016). Towards Useful Anomaly Detection for Back Office Networks. In: Ray, I., Gaur, M., Conti, M., Sanghi, D., Kamakoti, V. (eds) Information Systems Security. ICISS 2016. Lecture Notes in Computer Science(), vol 10063. Springer, Cham. https://doi.org/10.1007/978-3-319-49806-5_30
Download citation
DOI: https://doi.org/10.1007/978-3-319-49806-5_30
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49805-8
Online ISBN: 978-3-319-49806-5
eBook Packages: Computer ScienceComputer Science (R0)