short-paper

GraphPrints: Towards a Graph Analytic Method for Network Anomaly Detection

Authors:

Christopher R. Harshaw,

Robert A. Bridges,

Michael D. Iannacone,

Joel W. Reed,

John R. GoodallAuthors Info & Claims

CISRC '16: Proceedings of the 11th Annual Cyber and Information Security Research Conference

Article No.: 15, Pages 1 - 4

https://doi.org/10.1145/2897795.2897806

Published: 05 April 2016 Publication History

Get Access

Abstract

This paper introduces a novel graph-analytic approach for detecting anomalies in network flow data called GraphPrints. Building on foundational network-mining techniques, our method represents time slices of traffic as a graph, then counts graphlets---small induced subgraphs that describe local topology. By performing outlier detection on the sequence of graphlet counts, anomalous intervals of traffic are identified, and furthermore, individual IPs experiencing abnormal behavior are singled-out. Initial testing of GraphPrints is performed on real network data with an implanted anomaly. Evaluation shows false positive rates bounded by 2.84% at the time-interval level, and 0.05% at the IP-level with 100% true positive rates at both.

References

[1]

R. A. Bridges, J. P. Collins, E. M. Ferragut, J. A. Laska, and B. D. Sullivan. Multi-level anomaly detection on time-varying graph data. In Proceedings of the 2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining 2015, pages 579--583. ACM, 2015.

Digital Library

Google Scholar

[2]

M. Halappanavar, S. Choudhury, E. Hogan, P. Hui, J. Johnson, I. Ray, and L. Holder. Towards a network-of-networks framework for cyber security. In Intelligence and Security Informatics (ISI), 2013 IEEE International Conference on, pages 106--108. IEEE, 2013.

Crossref

Google Scholar

[3]

R. Milo, S. Shen-Orr, S. Itzkovitz, N. Kashtan, D. Chklovskii, and U. Alon. Network motifs: simple building blocks of complex networks. Science, 298(5594):824--827, 2002.

Crossref

Google Scholar

[4]

F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duchesnay. Scikit-learn: Machine learning in Python. Journal of Machine Learning Research, 12:2825--2830, 2011.

Digital Library

Google Scholar

[5]

N. Pržulj, D. G. Corneil, and I. Jurisica. Modeling interactome: scale-free or geometric? Bioinformatics, 20(18):3508--3515, 2004.

Digital Library

Google Scholar

[6]

P. J. Rousseeuw and K. V. Driessen. A fast algorithm for the minimum covariance determinant estimator. Technometrics, 41(3):212--223, 1999.

Crossref

Google Scholar

[7]

R. Tibshirani, G. Walther, and T. Hastie. Estimating the number of clusters in a data set via the gap statistic. Journal of the Royal Statistical Society: Series B (Statistical Methodology), 63(2):411--423, 2001.

Google Scholar

[8]

S. Wernicke and F. Rasche. Fanmod: a tool for fast network motif detection. Bioinformatics, 22(9):1152--1153, 2006.

Digital Library

Google Scholar

Cited By

View all

Komadina AKovačević IŠtengl BGroš S(2024)Comparative Analysis of Anomaly Detection Approaches in Firewall Logs: Integrating Light-Weight Synthesis of Security Logs and Artificially Generated Attack DetectionSensors10.3390/s2408263624:8(2636)Online publication date: 20-Apr-2024
https://doi.org/10.3390/s24082636
Komadina AMartinić MGroš SMihajlović Ž(2024)Comparing Threshold Selection Methods for Network Anomaly DetectionIEEE Access10.1109/ACCESS.2024.345216812(124943-124973)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3452168
Kim HKo JBu FShin K(2023)Characterization of Simplicial Complexes by Counting Simplets Beyond Four NodesProceedings of the ACM Web Conference 202310.1145/3543507.3583332(317-327)Online publication date: 30-Apr-2023
https://dl.acm.org/doi/10.1145/3543507.3583332
Show More Cited By

Recommendations

Using artificial anomalies to detect unknown and known network intrusions

Intrusion detection systems (IDSs) must be capable of detecting new and unknown attacks, or anomalies. We study the problem of building detection models for both pure anomaly detection and combined misuse and anomaly detection (i.e., detection of both ...
A two-level hybrid approach for intrusion detection

To exploit the strengths of misuse detection and anomaly detection, an intensive focus on intrusion detection combines the two. From a novel perspective, in this paper, we proposed a hybrid approach toward achieving a high detection rate with a low ...
A Novel Outlier Detection Scheme for Network Intrusion Detection Systems
ISA '08: Proceedings of the 2008 International Conference on Information Security and Assurance (isa 2008)

Network intrusion detection system serves as a second line of defense to intrusion prevention. Anomaly detection approach is important in order to detect new attacks. This paper adopted connectivity-based outlier detection scheme from statistical field ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

CISRC '16: Proceedings of the 11th Annual Cyber and Information Security Research Conference

April 2016

150 pages

ISBN:9781450337526

DOI:10.1145/2897795

General Chairs:
Joseph P. Trien
Oak Ridge National Laboratory
,
Stacy J. Prowell
Oak Ridge National Laboratory
,
John R. Goodall
Oak Ridge National Laboratory
,
Program Chair:
Robert A. Bridges
Oak Ridge National Laboratory

© 2016 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

In-Cooperation

Oak Ridge National Laboratory

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 April 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper
Research
Refereed limited

Funding Sources

U.S. Department of Homeland Security

Conference

CISRC '16

CISRC '16: 11th Annual Cyber and Information Security Research

April 5 - 7, 2016

TN, Oak Ridge, USA

Acceptance Rates

CISRC '16 Paper Acceptance Rate 11 of 28 submissions, 39%;

Overall Acceptance Rate 69 of 136 submissions, 51%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
450
Total Downloads

Downloads (Last 12 months)18
Downloads (Last 6 weeks)0

Reflects downloads up to 27 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Komadina AKovačević IŠtengl BGroš S(2024)Comparative Analysis of Anomaly Detection Approaches in Firewall Logs: Integrating Light-Weight Synthesis of Security Logs and Artificially Generated Attack DetectionSensors10.3390/s2408263624:8(2636)Online publication date: 20-Apr-2024
https://doi.org/10.3390/s24082636
Komadina AMartinić MGroš SMihajlović Ž(2024)Comparing Threshold Selection Methods for Network Anomaly DetectionIEEE Access10.1109/ACCESS.2024.345216812(124943-124973)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3452168
Kim HKo JBu FShin K(2023)Characterization of Simplicial Complexes by Counting Simplets Beyond Four NodesProceedings of the ACM Web Conference 202310.1145/3543507.3583332(317-327)Online publication date: 30-Apr-2023
https://dl.acm.org/doi/10.1145/3543507.3583332
Wang XJiang JWang YLv QWang L(2023)UAG: User Action Graph Based on System Logs for Insider Threat Detection2023 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC58397.2023.10218139(1027-1032)Online publication date: 9-Jul-2023
https://doi.org/10.1109/ISCC58397.2023.10218139
Komadina AKovačević IŠtengl BGroš S(2023)Detecting Anomalies in Firewall Logs Using Artificially Generated Attacks2023 17th International Conference on Telecommunications (ConTEL)10.1109/ConTEL58387.2023.10198912(1-8)Online publication date: 11-Jul-2023
https://doi.org/10.1109/ConTEL58387.2023.10198912
Zhao LAkoglu L(2023)On Using Classification Datasets to Evaluate Graph Outlier Detection: Peculiar Observations and New InsightsBig Data10.1089/big.2021.006911:3(151-180)Online publication date: 1-Jun-2023
https://doi.org/10.1089/big.2021.0069
Lesfari HGiroire F(2022)Nadege: When Graph Kernels meet Network Anomaly DetectionIEEE INFOCOM 2022 - IEEE Conference on Computer Communications10.1109/INFOCOM48880.2022.9796978(2008-2017)Online publication date: 2-May-2022
https://doi.org/10.1109/INFOCOM48880.2022.9796978
Ficke EBateman RXu S(2022)Reducing Intrusion Alert Trees to Aid VisualizationNetwork and System Security10.1007/978-3-031-23020-2_8(140-154)Online publication date: 7-Dec-2022
https://doi.org/10.1007/978-3-031-23020-2_8
Gasparovic EGommel MPurvine ESazdanovic RWang BWang YZiegelmeier L(2022)Local Versus Global Distances for Zigzag and Multi-Parameter Persistence ModulesResearch in Computational Topology 210.1007/978-3-030-95519-9_3(63-76)Online publication date: 27-Jan-2022
https://doi.org/10.1007/978-3-030-95519-9_3
Jiang JWang XWang YLv QLiu MWang TWang L(2021)GSketch: A Comprehensive Graph Analytic Approach for Masquerader Detection Based on File Access Graph2021 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC53001.2021.9631465(1-6)Online publication date: 5-Sep-2021
https://doi.org/10.1109/ISCC53001.2021.9631465
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Recommendations

Using artificial anomalies to detect unknown and known network intrusions

A two-level hybrid approach for intrusion detection

A Novel Outlier Detection Scheme for Network Intrusion Detection Systems