Abstract

Network anomaly detection solutions are being used as defense against several attacks, especially those related to data exfiltration. Several methods exist in the literature, such as clustering or neural networks. However, these methods often focus on local and global network indicators instead of network structural properties, such as understanding which devices typically communicate with other devices. To address this literature gap, we propose a method that uses exponential random graph modeling to integrate network topology structure statistics in anomaly detection. We demonstrate the effectiveness of our method using real-world examples as a baseline for experiments on domain name system (DNS) data exfiltration scenarios. We highlight how our method provides better insight into how network traffic may alter network graph structure and how this can assist cybersecurity analysts in making better decisions in conjunction with existing intrusion detection systems. Finally, we compare and contrast the accuracy, false positive rate and computational overhead of our method with other methods.

Highlights

  • Data exfiltration is a common type of cyberattack that an attacker uses to extract data from a network once unauthorized access to private and possibly sensitive data has been gained

  • We introduce a graph-based statistical inference anomaly detection approach that focuses on detecting data exfiltration on a network

  • We subsequently describe the experimental setup for our ARMA model, which uses the coefficients produced by our exponential random graph model (ERGM) for anomaly detection


Summary

INTRODUCTION

Data exfiltration is a common type of cyberattack that an attacker uses to extract data from a network once unauthorized access to private and possibly sensitive data has been gained. Simple techniques exist for detecting data exfiltration. One such technique measures the total data transfer of a network and detects unusual spikes in volume. A recent survey paper on anomaly detection techniques includes several approaches, such as clustering, statistical methods, correlation analysis and neural networks [2]. Proprietary systems such as Darktrace and McAfee Network Threat Behavior Analysis are likely to be using a combination of these approaches. A graph-based view of the network can better describe the state of the overall network and how changes in traffic may alter the structure of the network graph.
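To make the contrast between a volume indicator and graph structural statistics concrete (the point of the introduction and of the ERGM/ARMA highlight above), here is an added example that is not code from the paper. It builds a client-to-domain graph per time window from a constructed DNS log and compares a total-bytes spike rule with the same rule applied to graph statistics; the summary statistics stand in for fitted ERGM coefficients and the max-of-history rule stands in for the paper's ARMA residual test, both of which are simplifications assumed here.

```python
"""Per-window DNS graph structure statistics beside a volume-only spike rule.

Added example, not the paper's code. Graph summary statistics stand in for
fitted ERGM coefficients, and a max-of-history spike rule stands in for the
ARMA residual test; the DNS log below is constructed.
"""
from collections import defaultdict

def constructed_log():
    """Constructed (window, client, queried name, bytes) DNS query records."""
    names = ["www.example.com", "mail.example.com", "cdn.example.net"]
    repeats = [4, 5, 3, 6, 4, 4]          # normal query rate varies by window
    log = []
    for w, r in enumerate(repeats):
        for client in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            for name in names:
                log.extend((w, client, name, 60) for _ in range(r))
    # Window 5: one client resolves many unique labels under a single domain,
    # the shape that DNS-based exfiltration leaves in the graph (constructed).
    log.extend((5, "10.0.0.2", f"chunk{i:02d}.data.example.org", 60) for i in range(12))
    return log

def registered_domain(name):
    """Collapse a query name to its last two labels (assumed good enough here)."""
    return ".".join(name.split(".")[-2:])

def window_stats(log):
    """Per window: total bytes (volume indicator) plus two statistics of the
    client -> registered-domain graph: edge count and max unique names per edge."""
    by_window = defaultdict(list)
    for w, client, name, nbytes in log:
        by_window[w].append((client, name, nbytes))
    stats = []
    for w in sorted(by_window):
        edge_names, total = defaultdict(set), 0
        for client, name, nbytes in by_window[w]:
            edge_names[(client, registered_domain(name))].add(name)
            total += nbytes
        stats.append({"bytes": total, "edges": len(edge_names),
                      "max_names_per_edge": max(len(s) for s in edge_names.values())})
    return stats

def spike_windows(series, factor=1.5):
    """Flag window i when its value exceeds factor x the largest earlier value."""
    return [i for i in range(1, len(series)) if series[i] > factor * max(series[:i])]

if __name__ == "__main__":
    stats = window_stats(constructed_log())
    for key in ("bytes", "edges", "max_names_per_edge"):
        series = [s[key] for s in stats]
        print(key, series, "flagged windows:", spike_windows(series))
```

On this data the volume series stays inside its normal range while the per-edge name count jumps from 2 to 12 in the last window, which is the kind of structural change the graph view is meant to expose.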

MOTIVATION AND CONTRIBUTIONS
OUTLINE
RELATED WORKS
NETWORK ATTACKS AND DATA EXFILTRATION
DATA EXFILTRATION
DATA EXFILTRATION THROUGH DNS
NETWORK ANOMALY DETECTION USING GRAPH
ERGM: STATISTICAL ANALYSIS OF NETWORK
ARMA: TIME SERIES ANALYSIS OF COEFFICIENTS
PROPOSED METHOD
EXPERIMENTAL DESIGN
DATA COLLECTION
GENERATING DNS EXFILTRATION
ERGM CONFIGURATION
EXPERIMENTAL PROCEDURE
PERFORMANCE
COMPUTATIONAL REQUIREMENTS
COMPARISONS WITH SIMILAR APPROACHES
Method
FUTURE WORK
CONCLUSION