A Likelihood Ratio Detector for Identifying Within-Perimeter Computer Network Attacks
Justin Grana, David Wolpert, Joshua Neil, Dongping Xie, Tanmoy Bhattacharya, Russel Bent

TL;DR
This paper introduces a likelihood ratio detector that models attacker behavior and compares it to normal network activity, improving detection accuracy and reducing false positives in identifying intrusions within enterprise networks.
Contribution
The paper develops a stochastic attacker model and a likelihood ratio detection method, demonstrating its effectiveness over traditional anomaly detectors using real-world network data.
Findings
The likelihood ratio detector produces fewer false positives than a simple anomaly detector.
The detector performs well across a range of network configurations.
Its advantage over the anomaly detector is also demonstrated on real-world network topologies.
Abstract
The rapid detection of attackers within firewalls of enterprise computer networks is of paramount importance. Anomaly detectors address this problem by quantifying deviations from baseline statistical models of normal network behavior and signaling an intrusion when the observed data deviates significantly from the baseline model. However, many anomaly detectors do not take into account plausible attacker behavior. As a result, anomaly detectors are prone to a large number of false positives due to unusual but benign activity. This paper first introduces a stochastic model of attacker behavior which is motivated by real world attacker traversal. Then, we develop a likelihood ratio detector that compares the probability of observed network behavior under normal conditions against the case when an attacker has possibly compromised a subset of hosts within the network. Since the…
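The abstract's central point is that a likelihood ratio detector asks a different question from an anomaly detector: not "is this activity unlikely under the baseline?" but "is it better explained by a compromised host than by a normal one?". The following Python script is an added illustration of that distinction and is not code from the paper; the paper's attacker traversal model is richer than what is assumed here. The assumptions are: each host's hourly count of distinct internal destinations is Poisson with a per-host baseline rate, hosts are independent, and a compromised host adds on average `DELTA` lateral-movement connections per hour. The host names, baselines and counts are constructed.

```python
import math

# Constructed observation window: for each host, the baseline expected number
# of distinct internal destinations contacted per hour (in a real deployment
# fitted from history) and the count observed this hour. Values are made up.
OBSERVED = {
    "backup-01": {"baseline": 50.0, "count": 65},    # busy server, benign burst
    "dns-02":    {"baseline": 200.0, "count": 230},  # very busy, benign burst
    "ws-017":    {"baseline": 1.0, "count": 4},      # quiet workstation, sudden fan-out
    "ws-042":    {"baseline": 1.0, "count": 1},      # quiet workstation, unchanged
}

# Assumed attacker model (an assumption of this example, not the paper's):
# a compromised host makes on average DELTA extra internal connections per
# hour, so its count is Poisson(baseline + DELTA) instead of Poisson(baseline).
DELTA = 3.0


def poisson_log_pmf(k: int, lam: float) -> float:
    """log P(X = k) for X ~ Poisson(lam)."""
    return k * math.log(lam) - lam - math.lgamma(k + 1)


def poisson_tail(k: int, lam: float) -> float:
    """P(X >= k) for X ~ Poisson(lam): the p-value a plain anomaly detector scores."""
    return 1.0 - sum(math.exp(poisson_log_pmf(i, lam)) for i in range(k))


def host_llr(k: int, lam: float, delta: float = DELTA) -> float:
    """log P(k | host compromised) - log P(k | host normal).

    For Poisson models this reduces to k*log((lam+delta)/lam) - delta, so a
    large count on an already busy host earns little evidence: the attacker
    model does not explain it much better than the baseline does.
    """
    return poisson_log_pmf(k, lam + delta) - poisson_log_pmf(k, lam)


def anomaly_detector(observed=OBSERVED, alpha: float = 0.05) -> set:
    """Flag every host whose count is unlikely under its own baseline."""
    return {h for h, o in observed.items()
            if poisson_tail(o["count"], o["baseline"]) < alpha}


def likelihood_ratio_detector(observed=OBSERVED, delta: float = DELTA,
                              threshold: float = 2.0) -> dict:
    """Compare H1 (some subset of hosts compromised) against H0 (all normal).

    With independent hosts, the best-fitting compromised subset is the set of
    hosts whose individual LLR is positive; the network-level log-likelihood
    ratio is the sum of those positive terms. Hosts whose own LLR clears the
    threshold are reported.
    """
    per_host = {h: host_llr(o["count"], o["baseline"], delta)
                for h, o in observed.items()}
    suspected = {h for h, v in per_host.items() if v > 0}
    network_llr = sum(per_host[h] for h in suspected)
    flagged = {h for h in suspected if per_host[h] >= threshold}
    return {"per_host": per_host, "network_llr": network_llr, "flagged": flagged}


if __name__ == "__main__":
    print("anomaly detector flags:", sorted(anomaly_detector()))
    result = likelihood_ratio_detector()
    for host, v in sorted(result["per_host"].items(), key=lambda kv: -kv[1]):
        print(f"{host:10s} LLR={v:+.3f}")
    print("LR detector flags:", sorted(result["flagged"]))
```

On the constructed data the two busy servers and the quiet workstation all have tail probabilities near 0.02, so the anomaly detector at alpha 0.05 raises three alerts, two of them benign bursts. The likelihood ratio detector ranks the quiet workstation far above the servers (an LLR of about 2.5 versus under 1), because four new destinations from a host that normally contacts one is exactly what the attacker model predicts, while fifteen extra connections from a host that already makes fifty is barely better explained by an attacker adding three. That ordering, rather than the specific numbers, is the mechanism by which modelling the attacker reduces false positives.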
Taxonomy
Topics: Network Security and Intrusion Detection · Complex Network Analysis Techniques · Internet Traffic Analysis and Secure E-voting
