Intrusion as (anti)social communication: characterization and detection

Authors:
Qi Ding;Natallia Katenka;Paul Barford;Eric Kolaczyk;Mark Crovella
Affiliations:
Boston University, Boston, MA, USA;Boston University, Boston, MA, USA;University of Wisconsin - Madison, Madison, WI, USA;Boston University, Boston, MA, USA;Boston University, Boston, MA, USA
Venue:
Proceedings of the 18th ACM SIGKDD international conference on Knowledge discovery and data mining
Year:
2012

Citing 11
Cited 1

Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Internet intrusions: global characteristics and prevalence

SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Graph-based anomaly detection

Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining
Exploratory Social Network Analysis with Pajek

Exploratory Social Network Analysis with Pajek
Automatic Generation and Analysis of NIDS Attacks

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Relevance search and anomaly detection in bipartite graphs

ACM SIGKDD Explorations Newsletter
Sensitivity of PCA for traffic anomaly detection

Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
On Signatures for Communication Graphs

ICDE '08 Proceedings of the 2008 IEEE 24th International Conference on Data Engineering
Unveiling core network-wide communication patterns through application traffic activity graph decomposition

Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Statistical Analysis of Network Data: Methods and Models

Statistical Analysis of Network Data: Methods and Models

Estimating the number of hosts corresponding to an intrusion alert while preserving privacy

Journal of Computer and System Sciences

Quantified Score

Hi-index	0.00

Visualization

Abstract

A reasonable definition of intrusion is: entering a community to which one does not belong. This suggests that in a network, intrusion attempts may be detected by looking for communication that does not respect community boundaries. In this paper, we examine the utility of this concept for identifying malicious network sources. In particular, our goal is to explore whether this concept allows a core-network operator using flow data to augment signature-based systems located at network edges. We show that simple measures of communities can be defined for flow data that allow a remarkably effective level of intrusion detection simply by looking for flows that do not respect those communities. We validate our approach using labeled intrusion attempt data collected at a large number of edge networks. Our results suggest that community-based methods can offer an important additional dimension for intrusion detection systems.