A model for reasoning about persistence and causation
Computational Intelligence
Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection
IEEE Transactions on Computers
Bayesian Event Classification for Intrusion Detection
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Flow classification by histograms: or how to go on safari in the internet
Proceedings of the joint international conference on Measurement and modeling of computer systems
Attack Plan Recognition and Prediction Using Causal Networks
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Internet traffic classification using bayesian analysis techniques
SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Profiling internet backbone traffic: behavior models and applications
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
BLINC: multilevel traffic classification in the dark
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
ICW '05 Proceedings of the 2005 Systems Communications
Host-based detection of worms through peer-to-peer cooperation
Proceedings of the 2005 ACM workshop on Rapid malcode
Combining filtering and statistical methods for anomaly detection
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Proceedings of the 2007 workshop on Large scale attack defense
An adaptive anomaly detector for worm detection
SYSML'07 Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques
Extending continuous time Bayesian networks
AAAI'05 Proceedings of the 20th national conference on Artificial intelligence - Volume 2
Continuous time particle filtering
IJCAI'05 Proceedings of the 19th international joint conference on Artificial intelligence
Continuous time bayesian networks
UAI'02 Proceedings of the Eighteenth conference on Uncertainty in artificial intelligence
Importance Sampling for Continuous Time Bayesian Networks
The Journal of Machine Learning Research
Intrusion detection using continuous time Bayesian networks
Journal of Artificial Intelligence Research
Continuous time Bayesian network classifiers
Journal of Biomedical Informatics
Hi-index | 0.00 |
We consider the problem of detecting host-level attacks in network traffic using unsupervised learning. We model the normal behavior of a host's traffic from its signature logs, and flag suspicious traces differing from this norm. In particular, we use continuous time Bayesian networks learned from historic non-attack data and flag future event sequences whose likelihood under this normal model is below a threshold. Our method differs from previous approaches in explicitly modeling temporal dependencies in the network traffic. Our model is therefore more sensitive to subtle variations in the sequences of network events. We present two simple extensions that allow for instantaneous events that do not result in state changes, and simultaneous transitions of two variables. Our approach does not require expensive labeling or prior exposure to the attack type. We illustrate the power of our method in detecting attacks with comparisons to other methods on real network traces.