Social Network Approach to Anomaly Detection in Network Systems

Kołaczek, Grzegorz; Prusiewicz, Agnieszka

doi:10.5772/15365

Cited by 2 publications

(2 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By using comparative metrics of network's structure during normal and abnormal operation, we can discover security policy breaches in a network. One can assume that network communication between nodes, constitutes a social network of users and their applications, so the appropriate methods of social network formal analysis can be applied [12]. In on-line social systems perpetrators of malicious behavior often display patterns of interaction that are quite different from regular users, which can be identified through the application of anomaly detection techniques.…”

Section: Motivationmentioning

confidence: 99%

Combining ensemble methods and social network metrics for improving accuracy of OCSVM on intrusion detection in SCADA systems

Μαγλαράς

Jiang

Cruz

2016

Journal of Information Security and Applications

View full text Add to dashboard Cite

Modern Supervisory Control and Data Acquisition SCADA systems used by the electric utility industry to monitor and control electric power generation, transmission and distribution are recognized today as critical components of the electric power delivery infrastructure. SCADA systems are large, complex and incorporate increasing numbers of widely distributed components. The presence of a real time intrusion detection mechanism, which can cope with different types of attacks, is of great importance, in order to defend a system against cyber attacks This defense mechanism must be distributed, cheap and above all accurate, since false positive alarms, or mistakes regarding the origin of the intrusion mean severe costs for the system. Recently an integrated detection mechanism, namely IT-OCSVM was proposed, which is distributed in a SCADA network as a part of a distributed intrusion detection system (IDS), providing accurate data about the origin and the time of an intrusion. In this paper we also analyze the architecture of the integrated detection mechanism and we perform extensive simulations based on real cyber attacks in a small SCADA testbed in order to evaluate the performance of the proposed mechanism. using comparative metrics of network's structure during normal and abnormal operation, we can discover security policy breaches in a network. One can assume that network communication between nodes, constitutes a social network of users and their applications, so the appropriate methods of social network formal analysis can be applied [12]. In on-line social systems perpetrators of malicious behavior often display patterns of interaction that are quite different from regular users, which can be identified through the application of anomaly detection techniques. Thus, in accordance [8,7], network anomalies can be defined as patterns of interaction that significantly differ from the norm and in order to capture the appropriate patterns of interaction, specific aspects of entities' behavior are used (e.g. email analysis). Similar to this, in a SCADA system, individual entities demonstrate a quite different communication behavior when infected, in terms of mean packet generation frequency (traffic burst), protocol distribution or interaction pattern.Discovering anomalies in the context of a network system is a challenging issue due to the complexity of the environment and the different nature of the induced attacks. Regarding node behavior related decisions it makes sense to ask more than one decision mechanism, since this practice assures a more trusted final decision. Ensemble systems of classifiers are widely used for intrusion detection in networks [5,21]. These aim to include mutually complementary individual classifiers, which are characterized by high diversity in terms of classifier structure [24], internal parameters [11] or classifier inputs [13].In real time systems, in addition to fast response and accuracy limited communication between detection modules is also desirable. By sending an explicit message...

show abstract

Section: Motivationmentioning

confidence: 99%

Combining ensemble methods and social network metrics for improving accuracy of OCSVM on intrusion detection in SCADA systems

Μαγλαράς

Jiang

Cruz

2016

Journal of Information Security and Applications

View full text Add to dashboard Cite

show abstract

“…By using comparative metrics of network's structure during normal and abnormal operation, we can discover security policy breaches in a network. One can assume that network communication between nodes constitutes a social network of users and their applications, so the appropriate methods of social network formal analysis can be applied (Kołaczek and Prusiewicz, 2011). In on-line social systems perpetrators of malicious behavior often display patterns of interaction that are quite different from regular users, which can be identified through the application of anomaly detection techniques.…”

Section: Motivationmentioning

confidence: 99%

Intrusion detection in SCADA systems using machine learning techniques

Μαγλαράς

Jiang

2014

2014 Science and Information Conference

139

View full text Add to dashboard Cite

© 2014 The Science and Information (SAI) Organization.In this paper we present a intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system. Malicious data in a SCADA system disrupt its correct functioning and tamper with its normal operation. OCSVM (One-Class Support Vector Machine) is an intrusion detection mechanism that does not need any labeled data for training or any information about the kind of anomaly is expecting for the detection process. This feature makes it ideal for processing SCADA environment data and automate SCADA performance monitoring. The OCSVM module developed is trained by network traces off line and detect anomalies in the system real time. The module is part of an IDS (Intrusion Detection System) system developed under CockpitCI project and communicates with the other parts of the system by the exchange of IDMEF (Intrusion Detection Message Exchange Format) messages that carry information about the source of the incident, the time and a classification of the alarm

show abstract

Social Network Approach to Anomaly Detection in Network Systems

Cited by 2 publications

References 21 publications

Combining ensemble methods and social network metrics for improving accuracy of OCSVM on intrusion detection in SCADA systems

Combining ensemble methods and social network metrics for improving accuracy of OCSVM on intrusion detection in SCADA systems

Intrusion detection in SCADA systems using machine learning techniques

Contact Info

Product

Resources

About