How do we effectively monitor for slow suspicious activities?

Harsha K. Kalutarage; Siraj A. Shaikh; Qin Zhou; Anne E. James

How do we effectively monitor for slow suspicious activities?

Harsha K. Kalutarage, Siraj A. Shaikh, Qin Zhou, Anne E. James

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

As computer networks scale up in size and traffic volume, detecting slow suspicious activity, deliberately designed to stay beneath the threshold, becomes ever more difficult. Simply storing all packet captures for analysis is not feasible due to computational constraints. Detecting such activity depends on maintaining traffic history over extended periods of time, and using it to distinguish between suspicious and innocent nodes. The doctoral work presented here aims to adopt a Bayesian approach to address this problem, and to examine the effectiveness of such an approach under different network conditions: multiple attackers, traffic volume, subnet configuration and traffic sampling. We provide a theoretical account of our approach and very early experimental results.

Original language	English
Title of host publication	Proceedings of the Doctoral Symposium at the International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013
Publisher	CEUR-WS
Pages	36-40
Number of pages	5
Volume	965
Publication status	Published - 2013
Externally published	Yes
Event	International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013 - Rocquencort, Paris, France Duration: 27 Feb 2013 → 01 Mar 2013

Conference

Conference	International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013
Country/Territory	France
City	Paris
Period	27/02/2013 → 01/03/2013

ASJC Scopus subject areas

General Computer Science

Cite this

@inproceedings{46aa80f5a7c14610a678ee764ee46bba,

title = "How do we effectively monitor for slow suspicious activities?",

abstract = "As computer networks scale up in size and traffic volume, detecting slow suspicious activity, deliberately designed to stay beneath the threshold, becomes ever more difficult. Simply storing all packet captures for analysis is not feasible due to computational constraints. Detecting such activity depends on maintaining traffic history over extended periods of time, and using it to distinguish between suspicious and innocent nodes. The doctoral work presented here aims to adopt a Bayesian approach to address this problem, and to examine the effectiveness of such an approach under different network conditions: multiple attackers, traffic volume, subnet configuration and traffic sampling. We provide a theoretical account of our approach and very early experimental results.",

author = "Kalutarage, {Harsha K.} and Shaikh, {Siraj A.} and Qin Zhou and James, {Anne E.}",

year = "2013",

language = "English",

volume = "965",

pages = "36--40",

booktitle = "Proceedings of the Doctoral Symposium at the International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013",

publisher = "CEUR-WS",

note = "International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013 ; Conference date: 27-02-2013 Through 01-03-2013",

}

Kalutarage, HK, Shaikh, SA, Zhou, Q & James, AE 2013, How do we effectively monitor for slow suspicious activities? in Proceedings of the Doctoral Symposium at the International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013. vol. 965, CEUR-WS, pp. 36-40, International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013, Paris, France, 27/02/2013.

How do we effectively monitor for slow suspicious activities? / Kalutarage, Harsha K.; Shaikh, Siraj A.; Zhou, Qin et al.
Proceedings of the Doctoral Symposium at the International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013. Vol. 965 CEUR-WS, 2013. p. 36-40.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution