Internal network monitoring and anomaly detection through host clustering

conference paper
Internal network traffic is an undervalued source of information for detecting targeted attacks. Whereas most systems focus on the external border of the network, we observe that targeted attack campaigns often involve internal network activity. To this end, we have developed techniques capable of detecting anomalous internal network behaviour. As a second contribution, we propose an additional step in model-based anomaly detection involving host clustering. Through host clustering, individual hosts are grouped together on the basis of their internal network behaviour. We argue that a behavioural model for each cluster, compared to a model for each host or a single model for all hosts, performs better in terms of detecting potentially malicious behaviour. We show that by applying this concept to internal network traffic, the detection performance for identifying malicious flows and hosts increases.
Copyright © 2017 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved. Institute for Systems and Technologies of Information, Control and Communication (INSTICC)
TNO Identifier
820499
ISBN
9789897582097
Source
3rd International Conference on Information Systems Security and Privacy, ICISSP 2017. 19 February 2017 through 21 February 2017, pp. 694-703.
Publisher
SciTePress
Source title
ICISSP 2017 - Proceedings of the 3rd International Conference on Information Systems Security and Privacy
Editor(s)
Mori, P.
Furnell, S.
Camp, O.
Pages
694-703
Files
To receive the publication files, please send an e-mail request to TNO Repository.