How do we effectively monitor for slow suspicious activities?

Harsha K. Kalutarage, Siraj A. Shaikh, Qin Zhou, Anne E. James

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

As computer networks scale up in size and traffic volume, detecting slow suspicious activity, deliberately designed to stay beneath the threshold, becomes ever more difficult. Simply storing all packet captures for analysis is not feasible due to computational constraints. Detecting such activity depends on maintaining traffic history over extended periods of time, and using it to distinguish between suspicious and innocent nodes. The doctoral work presented here aims to adopt a Bayesian approach to address this problem, and to examine the effectiveness of such an approach under different network conditions: multiple attackers, traffic volume, subnet configuration and traffic sampling. We provide a theoretical account of our approach and very early experimental results.
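
As an added illustration of the idea the abstract describes (keeping a compact per-node history and scoring it with Bayes' rule, rather than retaining packet captures), the following Python compares a sequential Bayesian per-node scorer with a conventional sliding-window rate threshold. It is example code written for this page, not the paper's code or model: the two-hypothesis model, the per-event likelihoods, the prior, the alert level, the addresses and the traffic pattern are all assumptions, and the event stream is constructed, not captured.

```python
"""Sequential Bayesian scoring of per-node connection history versus a rate threshold.

Added example, not code or a model from the paper. Assumptions (hypothetical):
a two-hypothesis model per source node, H1 = "the node is probing" and
H0 = "the node is benign", with hand-picked per-event likelihoods, and
constructed traffic from three nodes. The only state kept per node is one
running log-odds value, so memory grows with the number of nodes, not with
the number of packets or with how long the history is.
"""
import math
from collections import defaultdict, deque

# Assumed likelihoods P(outcome | H1), P(outcome | H0) of one connection attempt.
# "ok" = handshake completed, "refused" = RST from a closed port, "timeout" = no reply.
LIKELIHOOD = {"ok": (0.60, 0.92), "refused": (0.25, 0.05), "timeout": (0.20, 0.02)}


def log_odds(p):
    return math.log(p / (1.0 - p))


def sigmoid(x):
    # Numerically stable form: avoids exp() overflow for very negative log-odds.
    return 1.0 / (1.0 + math.exp(-x)) if x >= 0 else math.exp(x) / (1.0 + math.exp(x))


class BayesianNodeScorer:
    """Keeps P(H1 | history) for every source node, updated one event at a time."""

    def __init__(self, prior=0.001, alert_posterior=0.99):
        self.prior = log_odds(prior)                  # assumed: 1 node in 1000 is probing
        self.alert = log_odds(alert_posterior)
        self.state = defaultdict(lambda: self.prior)  # src -> log-odds of H1
        self.first_alert = {}                         # src -> time the posterior first exceeded the alert level

    def observe(self, t, src, outcome):
        p1, p0 = LIKELIHOOD[outcome]
        self.state[src] += math.log(p1 / p0)          # Bayes' rule: add the log-likelihood ratio
        if self.state[src] > self.alert and src not in self.first_alert:
            self.first_alert[src] = t

    def posterior(self, src):
        return sigmoid(self.state[src])


class RateThresholdDetector:
    """Conventional detector: alert on more than `threshold` failures within `window` seconds."""

    def __init__(self, window=60.0, threshold=20):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)              # src -> timestamps of recent failures
        self.first_alert = {}

    def observe(self, t, src, outcome):
        if outcome == "ok":
            return
        q = self.recent[src]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and src not in self.first_alert:
            self.first_alert[src] = t


def constructed_events():
    """Constructed 24 h of connection attempts as (t_seconds, src, outcome); not real traffic."""
    events = []
    for i in range(2000):                             # busy benign host: ~3% refused, 1% timeouts
        r = i % 100
        events.append((i * 43.2, "10.0.0.10", "refused" if r < 3 else "timeout" if r == 3 else "ok"))
    for i in range(144):                              # slow scanner: one probe every 10 min, 3 in 4 fail
        events.append((i * 600.0, "10.0.0.66", ("refused", "timeout", "refused", "ok")[i % 4]))
    for i in range(200):                              # fast scanner: 200 probes in 30 s
        events.append((3600.0 + i * 0.15, "10.0.0.99", "ok" if i % 10 == 9 else "refused"))
    events.sort()
    return events


def run(events, sample_every=1):
    """Feed the time-ordered stream to both detectors, keeping 1 in `sample_every` events."""
    bayes, rate = BayesianNodeScorer(), RateThresholdDetector()
    for idx, (t, src, outcome) in enumerate(events):
        if idx % sample_every:                        # deterministic 1-in-N sampling, as a flow exporter might do
            continue
        bayes.observe(t, src, outcome)
        rate.observe(t, src, outcome)
    return bayes, rate


if __name__ == "__main__":
    for n in (1, 3):
        bayes, rate = run(constructed_events(), sample_every=n)
        print(f"sampling 1 in {n}:")
        for src in ("10.0.0.10", "10.0.0.66", "10.0.0.99"):
            print(f"  {src}: P(probing)={bayes.posterior(src):.4f} "
                  f"bayes_alert_at={bayes.first_alert.get(src)} rate_alert_at={rate.first_alert.get(src)}")
```

On this constructed stream the rate threshold catches only the fast scanner; the slow scanner never has more than one failure per minute and stays below it for the whole day, while the Bayesian scorer flags it after nine probes because evidence accumulates regardless of spacing. Two caveats a practitioner would want: the per-event update is unchanged under sampling only because sampling here is independent of the outcome, whereas the rate threshold would need rescaling; and the whole scheme stands or falls on the likelihoods, which must be estimated from labelled history rather than hand-picked as they are above, since a misestimated P(outcome | H0) for a busy server shifts every score on the network.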

Original language: English
Title of host publication: Proceedings of the Doctoral Symposium at the International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013
Publisher: CEUR-WS
Pages: 36-40
Number of pages: 5
Volume: 965
Publication status: Published - 2013
Externally published: Yes
Event: International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013 - Rocquencourt, Paris, France
Duration: 27 Feb 2013 to 01 Mar 2013

Conference

Conference: International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013
Country: France
City: Paris
Period: 27/02/2013 to 01/03/2013

Fingerprint

Computer networks
Sampling

Cite this

Kalutarage, H. K., Shaikh, S. A., Zhou, Q., & James, A. E. (2013). How do we effectively monitor for slow suspicious activities? In Proceedings of the Doctoral Symposium at the International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013 (Vol. 965, pp. 36-40). CEUR-WS.

TY - GEN

T1 - How do we effectively monitor for slow suspicious activities?

AU - Kalutarage, Harsha K.

AU - Shaikh, Siraj A.

AU - Zhou, Qin

AU - James, Anne E.

PY - 2013

Y1 - 2013

AB - As computer networks scale up in size and traffic volume, detecting slow suspicious activity, deliberately designed to stay beneath the threshold, becomes ever more difficult. Simply storing all packet captures for analysis is not feasible due to computational constraints. Detecting such activity depends on maintaining traffic history over extended periods of time, and using it to distinguish between suspicious and innocent nodes. The doctoral work presented here aims to adopt a Bayesian approach to address this problem, and to examine the effectiveness of such an approach under different network conditions: multiple attackers, traffic volume, subnet configuration and traffic sampling. We provide a theoretical account of our approach and very early experimental results.

UR - http://www.scopus.com/inward/record.url?scp=84883358081&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84883358081

VL - 965

SP - 36

EP - 40

BT - Proceedings of the Doctoral Symposium at the International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013

PB - CEUR-WS

ER -
