Bayesian models applied to cyber security anomaly detection problems. (English) Zbl 07777979

Summary: Cyber security is an important concern for all individuals, organisations and governments globally. Cyber attacks have become more sophisticated, frequent and dangerous than ever, and traditional anomaly detection methods have proved to be less effective when dealing with these new classes of cyber threats. To address this, both classical and Bayesian models offer a valid and innovative alternative to traditional signature-based methods, motivating the increasing interest in statistical research that has been observed in recent years. In this review, we describe some typical cyber security challenges, typical types of data and statistical methods, paying special attention to Bayesian approaches to these problems.
© 2021 International Statistical Institute.

MSC:

62Gxx Nonparametric inference
62Pxx Applications of statistics
68Mxx Computer system organization

Software:

BayesDA
