Internal Network Monitoring and Anomaly Detection through Host Clustering

W. J. B. Beukema; T. Attema; H. A. Schotanus

doi:10.5220/0006288606940703

Internal Network Monitoring and Anomaly Detection through Host Clustering

W. J. B. Beukema, T. Attema, H. A. Schotanus

2017

Abstract

Internal network traffic is an undervalued source of information for detecting targeted attacks. Whereas most systems focus on the external border of the network, we observe that targeted attacks campaigns often involve internal network activity. To this end, we have developed techniques capable of detecting anomalous internal network behaviour. As a second contribution we propose an additional step in the model-based anomaly detection involving host clustering. Through host clustering, individual hosts are grouped together on the basis of their internal network behaviour. We argue that a behavioural model for each cluster, compared to a model for each host or a single model for all hosts, performs better in terms of detecting potentially malicious behaviour. We show that by applying this concept to internal network traffic, the detection performance for identifying malicious flows and hosts increases.

Download

Paper Citation

in Harvard Style

Beukema W., Attema T. and Schotanus H. (2017). Internal Network Monitoring and Anomaly Detection through Host Clustering . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017) ISBN 978-989-758-209-7, pages 694-703. DOI: 10.5220/0006288606940703

in Bibtex Style

@conference{forse17,
author={W. J. B. Beukema and T. Attema and H. A. Schotanus},
title={Internal Network Monitoring and Anomaly Detection through Host Clustering},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)},
year={2017},
pages={694-703},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006288606940703},
isbn={978-989-758-209-7},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)
TI - Internal Network Monitoring and Anomaly Detection through Host Clustering
SN - 978-989-758-209-7
AU - Beukema W.
AU - Attema T.
AU - Schotanus H.
PY - 2017
SP - 694
EP - 703
DO - 10.5220/0006288606940703