It may take weeks or months before a stealthy attack is detected. As networks grow in size and speed, monitoring for such attempts becomes increasingly challenging: collecting and inspecting individual packets is difficult as the volume and rate of traffic rise. This paper presents an efficient method to overcome this challenge. Data reduction has become an integral part of passive network monitoring, and it is justified as long as it preserves the required level of precision. This paper examines the feasibility of employing traffic sampling together with a simple but systematic data fusion technique for monitoring, and whether the design of the network affects non-sampling error. The proposed approach is capable of monitoring for stealthy suspicious activities at sampling rates of 10%-20% without degrading the quality of detections.
Insider attacks are often subtle and slow, or preceded by behavioral indicators such as organizational rule-breaking, which provide the potential for early warning of malicious intent; both cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioral indicators, document access logs and financial records, in addition to events identified by network monitoring.
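As an added illustration (not code from the paper), the incremental estimate described above can be kept as a single log-odds score per node, updated by the log likelihood ratio of each observed indicator so that an event touches only the node it concerns. The likelihood ratios, prior, trigger threshold, indicator names and event stream below are constructed assumptions for the example, not values from the paper.

```python
import math
from collections import defaultdict

# Assumed likelihood ratios P(indicator | attacker) / P(indicator | benign).
# These numbers are illustrative only; a real deployment would estimate them.
LIKELIHOOD_RATIOS = {
    "policy_violation": 4.0,      # behavioral indicator (rule-breaking)
    "off_hours_doc_access": 2.5,  # document access log
    "beacon_like_flow": 6.0,      # event from network monitoring
    "normal_login": 0.9,          # slightly more typical of benign nodes
}


class IncrementalAttackerEstimator:
    """One log-odds score per node; each event updates only that node."""

    def __init__(self, prior=0.01, threshold=0.5):
        self.prior_log_odds = math.log(prior / (1 - prior))
        self.threshold_log_odds = math.log(threshold / (1 - threshold))
        # Untouched nodes sit at the prior; no global pass is ever needed.
        self.log_odds = defaultdict(lambda: self.prior_log_odds)

    def observe(self, node, indicator):
        # Bayes' rule in log-odds form: posterior = prior + log(LR).
        self.log_odds[node] += math.log(LIKELIHOOD_RATIOS[indicator])
        return self.probability(node)

    def probability(self, node):
        return 1.0 / (1.0 + math.exp(-self.log_odds[node]))

    def triggered(self):
        # Nodes whose estimate crossed the threshold: candidates for investigation.
        return sorted(n for n, lo in self.log_odds.items()
                      if lo >= self.threshold_log_odds)


# Constructed event stream (node, indicator) from several hypothetical sources.
SAMPLE_EVENTS = [
    ("host-a", "normal_login"),
    ("host-b", "policy_violation"),
    ("host-a", "normal_login"),
    ("host-b", "off_hours_doc_access"),
    ("host-c", "beacon_like_flow"),
    ("host-b", "beacon_like_flow"),
    ("host-b", "beacon_like_flow"),
]


def run(events=SAMPLE_EVENTS, prior=0.01, threshold=0.5):
    est = IncrementalAttackerEstimator(prior, threshold)
    for node, indicator in events:
        est.observe(node, indicator)
    return est
```

With these assumed ratios only host-b, which accumulates evidence from three different sources, crosses the 0.5 threshold; a single beacon-like flow on host-c is not enough on its own.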