Anomaly Detection Frameworkfor Cyber-Security Data
Marina Evangelou
Joint work with Niall AdamsImperial College London
26 September 2017
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Anomaly Detection Systems
As the number of cyber attacks, especially zero-day attacks and theemergence of advanced persistent threats (APT) is increasing, newapproaches are required to complement the existing defencesystems, for example signature based methods
Such approaches include anomaly detection systems that seek todetect abnormal deviations from the “normal" behaviour of thenetwork
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Anomaly Detection Framework for Individual Devices
The aim of the proposed work is to model “normal" devicebehaviour and construct an anomaly detection framework based onthe behaviour of each individual device
The interest is on individual devices as a commonly observedpattern of a cyber-attack starts with the infection of an individualdevice
Neil et al. (2013). Scan Statistics for the Online Detection of Locally Anomalous Subgraphs.
Technometrics
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Anomaly Detection Framework for Individual Devices
Device behaviour is defined as the network traffic involving thedevice of interest observed within a pre-specified time period.
Network traffic data are obtained form NetFlow, a protocoloperating at the router level which collects flow event logs and iswidely used for auditing and monitoring a network
time, duration, IP → IP, protocol, ports, packets, bytes
The data analysed and presented here are part of the anonymised“comprehensive, multi-source cyber-security events" datasetpublished by Los Alamos National Laboratory in 2015
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Device Behaviour
5minutes*mebin
300seconds
600seconds
900seconds
1200seconds
2eventsthatstart*mewithinthe*mebin
NetFlow event start - end
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
NetFlow Device Behaviour for 2 devices of the network
●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●●●●
●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●●
●●
●
●
●●
●
●●
●
●●
●●
●
●
●
●●●
●
●
●
●
●
●●●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●●●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●●●
●
●
●●●
●
●
●
●
●
●●
●
●
●●●
●
●
●
●
●●●
●
●
●●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●●
●
●
●
●
●●●●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●●
●●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●●●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●
●
●●
●
●
●
●
●
●
●●
●
●●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●●
●
●
●●●
●●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●●●
●●
●
●
●
●●
●
●
●●●
●
●
●
●
●
●●
●
●●
●
●
●●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●●●●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●●
●●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●●
●
●
●
●
●
●
●●●●
●
●
●
●●
●
●
●●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●
●
●●
●
●
●
●
●
●
●
●
●●
●
●●
●●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●●●
●
●
●
●
●●●
●
●
●●●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●●●
●
●
●
●
●●●
●●
●●●
●
●
●
●
●●●
●
●
●●●
●
●
●
●●●
●
●
●
●
●●
●
●
●
●●
●●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●
●●●●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●●●●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●●●
●
●
●
●
●●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●●
●●●
●
●
●
●●
●
●
●●
●●
●
●
●
●●●●●
●●●
●●
●
●
●
●●●●●●
●
●
●●
●
●
●●
●
●
●●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●●
●
●
●●
●
●
●
●
●●
●●
●
●
●
●●●●●
●●
●
●
●●
●
●●●
●
●
●
●
●
●
●
●
●
●
●●●●
●
●●
●
●
●
●
●
●
●
●
●
●●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●●
●
●
●
●●
●●
●
●
●
●
●
●
●●●●●
●
●
●
●●
●
●
●●●●●
●
●
●●
●
●
●●●
●●●
●
●
●●●
●
●
●
●
●●
●
●
●
●●●
●
●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●●
●
●
●
●
●
●
●●
●
●
●
●●●
●
●
●
●
●●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●●●●
●
●
●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●●
●
●
●●
●●
●
●
●●●
●
●
●●
●
●
●●●
●
●
●
●
●
●
●
●●
●●●
●
●
●
●●
●
●
●
●
●●●
●
●
●
●
●●●
●●
●●●
●
●
●
●
●●●
●
●●●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●●●
●
●
●
●●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●●
●●●
●
●●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●●
●
●
●●
●●●
●
●
●
●
●●
●●
●
●
●
●
●●●
●
●
●●
●
●
●●●
●
●
●
●●
●
●
●
●
●●●
●
●●●●●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●0
20
40
60
0 500 1000 1500 2000
Time bin sequence
Nu
mb
er
of eve
nts
in
a tim
e b
in
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●0
2
4
6
0 500 1000 1500 2000
Time bin sequence
Nu
mb
er
of eve
nts
in
a tim
e b
in
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Predicting Device Behaviour
Regression models were built to model the relationship of theresponse variable Y with a set of constructed features X where:
∗ Y is the number of events assigned to time bin t + 1
∗ X represents the features constructed from the observed dataof time bin t
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Feature construction
Time Dura*on SourceDevice
SourcePort
Dest.Device
Dest.Port Protocol Packets Bytes
44369 13 C66 N23785 C585 445 6 14 3390
44370 0 C66 N978 C5721 445 6 8 3062
Event related features:Number of events, Number of events with duration more than 5minutes
Nature related features:Number of events with specific protocol numbers
Summary statistics of Duration, Bytes, Packets
Time related featuresWorking hours indicator, Working days indicator
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Quantile Regression
Quantile Regression aims to estimate the conditional quantilesfrom the data
The τ th conditional quantile minimizes the expected loss suchthat:
minβ∑i
ρτ (yi − Xβ)
where:∗ ρτ (·) is the quantile regression function
In quantile regression, we proceed in exactly the same way. To obtain anestimate of the conditional median function, we simply replace the scalar ! in thefirst equation by the parametric function !( xi , ") and set # to 1
2 . Variants of thisidea were proposed in the mid-eighteenth century by Boscovich and subsequentlyinvestigated by Laplace and Edgeworth, among others. To obtain estimates of theother conditional quantile functions, we replace absolute values by $#! and solve
min"!ℜp
! $# !yi % !!xi , """.
The resulting minimization problem, when !( x, ") is formulated as a linearfunction of parameters, can be solved very efficiently by linear programmingmethods.
Quantile Engel Curves
To illustrate the basic ideas, we briefly reconsider a classical empirical appli-cation in economics, Engel’s (1857) analysis of the relationship between householdfood expenditure and household income. In Figure 3, we plot Engel’s data takenfrom 235 European working-class households. Superimposed on the plot are sevenestimated quantile regression lines corresponding to the quantiles {0.05, 0.1, 0.25,0.5, 0.75, 0.9, 0.95}. The median # # 0.5 fit is indicated by the darker solid line; theleast squares estimate of the conditional mean function is plotted as the dashedline.
The plot clearly reveals the tendency of the dispersion of food expenditure toincrease along with its level as household income increases. The spacing of thequantile regression lines also reveals that the conditional distribution of foodexpenditure is skewed to the left: the narrower spacing of the upper quantilesindicating high density and a short upper tail and the wider spacing of the lowerquantiles indicating a lower density and longer lower tail.
Figure 2Quantile Regression " Function
146 Journal of Economic Perspectives
Koenker, R. and Hallock, K.F. (2001). Quantile Regression. Journal of Economic Perspectives
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Quantile Regression Forests
Quantile Regression Forests (QRF) proposed by Meinshausen(2006) combine the ideas of Quantile Regression with RandomForests (a collection of regression trees)
QRF in contrast to Random Forests keep the values of allobservations in each node, not just their mean and assess theconditional distribution based on this information
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Prediction Intervals
Let Qα(x) be the α-quantile such thatQα(x) = inf{y : F (y |X = x) ≥ α} whereF (y) = P(Y ≤ y |X = x)
A η% prediction interval for the value of Y is given by:
I (x) = {Q(1−η)/2(x),Q(1+η)/2(x)}
such that a 95% prediction interval is {Q0.025(x),Q0.975(x)}
There is a high probability that a new observation of Y givenX = x will lie in the prediction interval
The width of the prediction interval depends on the observedfeature vector
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Predictions Intervals: 2.5% and 97.5% Conditional Quantiles
●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●●
●
●
●●
●●
●
●
●●●
●
●
●●
●
●
●●●
●
●
●
●
●
●
●
●●
●●●
●
●
●
●●
●
●
●
●
●●●
●
●
●
●
●●●
●●
●●●
●
●
●
●
●●●
●
●●●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●●●
●
●
●
●●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●●
●●●
●
●●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●●
●
●
●●
●●●
●
●
●
●
●
●
●●
●
●
●
●
●●●
●
●
●●
●
●
●●●
●
●
●
●●
●
●
●
●
●●●
●
●●
●
●●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●●●●●
●●
●
●
●
●
●●
●●●●
●●
●
●
●●
●●
●
●
●●●
●
●●●●
●
●●●●●
●
●●●●
●
●
●●●
●
●
●
●●●
●
●
●
●●●●
●
●
●●●
●
●
●●●●
●
●●●●●
●
●●●●●●●
●
●●●
●
●
●●●
●
●●●
●
●
●●
●●
●
●
●
●●●
●
●
●
●●●
●
●
●
●●●●●
●●
●
●●
●
●●
●
●
●
●
●●
●
●
●
●
●
●●●
●
●
●
●●
●●
●
●
●●●●●
●●
●●
●
●
●
●●●
●
●
●●
●●
●
●
●
●●●
●
●
●
●
●●
●
●
●●●●
●
●
●●
●●
●
●
●
●
●●●
●
●
●●●
●
●
●●●●●
●
●
●●●●
●
●
●
●
●
●●●
●
●
●●●●
●
●
●●●●●●●●●●
●
●
●
●
●●
●
●
●●●●
●
●
●
●●●●●●●●●
●
●●
●
●●●●●
●
●
●
●●●
●
●●●●●●●●
●
●
●
●●●●●●●●●
●
●
●
●●●●
●
●●●
●●
●
●
●●●
●
●
●
●●●
●
●●●●
●●
●●●●●
●
●●●●
●●
●
●●●●
●
●
●
●●●
●
●
●●●●
●
●
●
●●●
●
●
●●●●●
●●
●
●
●
●
●●●●●
●●●
●
●
●
●
●●●●●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●●●
●
●
●
●
●
●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0
20
40
60
0 100 200 300 400 500
Time bin sequence
Num
ber
of e
vent
s in
a ti
me
bin
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Proposed Anomaly Detector
Observed device behaviour can be characterised as anomalous if itlies outside of the constructed prediction intervals of the QRFmodels, such that
{yobserved > Q(1+η)/2(x)
yobserved < Q(1−η)/2(x)
where yobserved is the recorded device behaviour
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Validation of the Proposed Anomaly Detection Framework
The proposed anomaly detection framework was validatedthrough a series of experiments
The anomaly detector is compared to:
Benchmark Anomaly Detector: any observed values outside ofthe 95% (unconditional) quantiles of device behaviour areclassified as abnormal
Pruned Exact Linear Time (PELT): Change-point detectionapproach proposed by Killick et al. (2012)
The Benchmark anomaly detector intervals are the sameacross all time binsBoth the Benchmark anomaly detector and PELT do not relyon the feature vector
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Validation of the Proposed Anomaly Detection Framework
The proposed anomaly detection framework was validatedthrough a series of experiments
The anomaly detector is compared to:
Benchmark Anomaly Detector: any observed values outside ofthe 95% (unconditional) quantiles of device behaviour areclassified as abnormal
Pruned Exact Linear Time (PELT): Change-point detectionapproach proposed by Killick et al. (2012)
The Benchmark anomaly detector intervals are the sameacross all time binsBoth the Benchmark anomaly detector and PELT do not relyon the feature vector
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Validation of the Proposed Anomaly Detection Framework
The proposed anomaly detection framework was validatedthrough a series of experiments
The anomaly detector is compared to:
Benchmark Anomaly Detector: any observed values outside ofthe 95% (unconditional) quantiles of device behaviour areclassified as abnormal
Pruned Exact Linear Time (PELT): Change-point detectionapproach proposed by Killick et al. (2012)
The Benchmark anomaly detector intervals are the sameacross all time binsBoth the Benchmark anomaly detector and PELT do not relyon the feature vector
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Validation Experiment
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 500 1000 1500 2000
01
23
45
6
1:2000
D1[
, "re
spon
se"]
Normal Behaviour
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Validation Experiment
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 500 1000 1500 2000
01
23
45
6
1:2000
D1[
, "re
spon
se"]
Normal Behaviour
●
●●●
●●●●●●
●●●●●
●
●●
●●
●
●●●●●●●
●●●●
●●
●
●
●●●●●
●
●●●●
●●●●●●●
●
●●
●
●
●
●
●●●
●
●
●
●●●●●●●●●●●
●
●●●●
●
●●●●●●●●●●●
●
●
●●●●●●●
●
●●
●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●
●
●●●
●
●●●
●
●
●●
●
●●●●●●●
●●●●
●
●●●●●●
●
●●●●●●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●●●●●●●●●
●
●
●
●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●●●●●●●●
●
●
●
●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●●●●●●●●●●●●
●
●●●
●
●
●●●●●●●
●
●●●●
●●●●
●
●
●
●
●
●●●
●●●●●●●
●
●●●●●●●
●
●●
●
●●●●●●●●●●●●
●
●●●●●
●
●●●
●
●●●●●●●●
●●●●●●●●●●
●
●
●●●●●●●
●
●
●
●●
●●●●●●
●
●●
●
●●●●
●
●●●
●
●●●●●●●●●●●●
●
●
●●●●●
●
●●●●
●●●●
●
●●●●
●
●
●
●
●●●
●
●●●●●●●
●
●●●
●●●●
●
●
●
●●●●●
●●●●●●●●●
●
●●●●
●
●
●●●●●
●
●●●
●
●
●
●●
●
●
●●
●●●●●●●●●●●
●
●●●●●
●
●●
●
●
●
●●●●●●●●●●●●
●●●●●
●
●●
●
●●●●●●●●●
●●
●●●●
●
●●●
●
●
●
●●●●●●
●
●●●
●
●
●
●●●●●●
●
●
●●
●●
●
●
●●●
●
●
●●
●
●●●
●
●
●
●●
●
●
●●●
●
●●●
●
●●
●●●●●●●●
●
●●●
●●●●●●
●
●●●●●
●●●●●●●
●
●●●●
●●●●●●
●
●●●●●
●●
●
●●●●●●●●
●
●●●●
●●
●●
●●●
●
●●
●
●●●●●
●●●●●
●
●●●●●
●
●
●●
●
●●
●
●
●
●
●●
●
●●●●●●●●●
●
●
●
●●●
●●●●●
●
●●●●●●●●●●●
●
●●●●●
●
●
●
●●●●●●
●●●●●●●●
●
●●●
●
●
●
●
●●●●●●●●●
●
●
●●●●●●●
●
●●
●●●●●●●●
●
●
●●
●●
●
●
●
●
●●
●
●●●●
●●
●●●●
●
●●●●●●●●
●
●●●●●●●●●●●
●
●
●●●●●●●
●
●
●●●●
●
●●●●
●●
●
●
●
●●●●●●●●●
●
●●●●●●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 200 400 600 800 1000
010
2030
4050
60
1:1000
D2[
1001
:200
0, "r
espo
nse"
]
Contamination
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Validation Experiment
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 500 1000 1500 20000
12
34
56
1:2000
D1[
, "re
spon
se"]
Normal Behaviour
●
●●●
●●●●●●
●●●●●
●
●●
●●
●
●●●●●●●
●●●●
●●
●
●
●●●●●
●
●●●●
●●●●●●●
●
●●
●
●
●
●
●●●
●
●
●
●●●●●●●●●●●
●
●●●●
●
●●●●●●●●●●●
●
●
●●●●●●●
●
●●
●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●
●
●●●
●
●●●
●
●
●●
●
●●●●●●●
●●●●
●
●●●●●●
●
●●●●●●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●●●●●●●●●
●
●
●
●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●●●●●●●●
●
●
●
●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●●●●●●●●●●●●
●
●●●
●
●
●●●●●●●
●
●●●●
●●●●
●
●
●
●
●
●●●
●●●●●●●
●
●●●●●●●
●
●●
●
●●●●●●●●●●●●
●
●●●●●
●
●●●
●
●●●●●●●●
●●●●●●●●●●
●
●
●●●●●●●
●
●
●
●●
●●●●●●
●
●●
●
●●●●
●
●●●
●
●●●●●●●●●●●●
●
●
●●●●●
●
●●●●
●●●●
●
●●●●
●
●
●
●
●●●
●
●●●●●●●
●
●●●
●●●●
●
●
●
●●●●●
●●●●●●●●●
●
●●●●
●
●
●●●●●
●
●●●
●
●
●
●●
●
●
●●
●●●●●●●●●●●
●
●●●●●
●
●●
●
●
●
●●●●●●●●●●●●
●●●●●
●
●●
●
●●●●●●●●●
●●
●●●●
●
●●●
●
●
●
●●●●●●
●
●●●
●
●
●
●●●●●●
●
●
●●
●●
●
●
●●●
●
●
●●
●
●●●
●
●
●
●●
●
●
●●●
●
●●●
●
●●
●●●●●●●●
●
●●●
●●●●●●
●
●●●●●
●●●●●●●
●
●●●●
●●●●●●
●
●●●●●
●●
●
●●●●●●●●
●
●●●●
●●
●●
●●●
●
●●
●
●●●●●
●●●●●
●
●●●●●
●
●
●●
●
●●
●
●
●
●
●●
●
●●●●●●●●●
●
●
●
●●●
●●●●●
●
●●●●●●●●●●●
●
●●●●●
●
●
●
●●●●●●
●●●●●●●●
●
●●●
●
●
●
●
●●●●●●●●●
●
●
●●●●●●●
●
●●
●●●●●●●●
●
●
●●
●●
●
●
●
●
●●
●
●●●●
●●
●●●●
●
●●●●●●●●
●
●●●●●●●●●●●
●
●
●●●●●●●
●
●
●●●●
●
●●●●
●●
●
●
●
●●●●●●●●●
●
●●●●●●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 200 400 600 800 1000
010
2030
4050
60
1:1000
D2[
1001
:200
0, "r
espo
nse"
]
Contamination
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●
●●
●
●
●
●
●
●
●●●
●
●●
●●
●
●
●●●●
●
●
●●
●
●
●
●
●
●
●●●●
●
●
●●●
●
●
●
●●●●●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●●
●
●●●●●
●
●●
●
●
●
●●●●●
●●
●●
●
●
●
●
●●
●
●
●●
●●●
●
●
●●●
●
●
●●●
●
●
●
●
●●●
●
●
●●
●●●●
●
●
●●
●
●
●
●
●
●
●
●●
●
●●
●●
●●
●
●
●
●●
●
●●
●
●
●●
●
●●●
●
●
●●
●●
●
●
●●
●
●
●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●●●
●
●
●
●●●
●●●
●
●
●●
●
●●
●
●●●
●
●
●
●
●
●
●
●
●●
●
●●
●●
●●●●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●
●
●●●
●●
●●●●●●
●
●●●●
●
●
●
●
●
●
●
●
●●●
●
●●●●●
●
●
●
●●
●
●
●
●
●
●●●
●●
●
●
●
●
●
●
●
●●
●●
●
●
●
●●
●
●
●●
●
●
●●
●
●
●
●●●●
●
●
●
●
●
●
●●
●●●●
●
●
●●
●
●
●
●
●
●●
●
●●●●●●
●●●●●
●
●●
●
●●
●●●●
●
●
●
●●●●●
●
●
●●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●
●●●
●
●
●
●●
●●
●
●
●●●●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●●
●
●●●
●●●
●
●
●
●
●
●
●
●●●●●
●
●
●
●
●
●●
●●
●
●
●●●●●●●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●●
●
●●
●
●
●
●●●
●
●●●●
●
●
●●
●
●
●
●●
●
●●●
●●●
●●
●
●●
●
●●
●●
●
●
●●
●●
●
●
●
●
●
●●
●●●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●●●
●●
●
●
●
●●
●
●●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●●●●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●●●●
●●●
●●
●
●
●
●●●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●●●
●
●
●
●●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●●●●
●
●
●
●●●●●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●
●●●
●
●●
●●
●●●●
●
●●
●
●
●
●
●
●●●●
●
●●●●
●
●
●
●
●
●
●
●
●●
●
●
●
●●●●●●
●
●●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●●●●
●
●●●●●
●●
●●●●
●
●●●●
●
●
●●●
●
●
●
●●●●●
●
●●●●●
●
●●
●●
●●
●
●
●
●●●●●●●●●
●
●●●●●●●
●
●●●
●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 500 1000 1500 2000
010
2030
4050
60
1:2000
DF[
, "re
spon
se"]
Abnormal Deviations
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Validation Experiment
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 500 1000 1500 2000
01
23
45
6
1:2000
D1[
, "re
spon
se"]
Normal Behaviour
●
●●●
●●●●●●
●●●●●
●
●●
●●
●
●●●●●●●
●●●●
●●
●
●
●●●●●
●
●●●●
●●●●●●●
●
●●
●
●
●
●
●●●
●
●
●
●●●●●●●●●●●
●
●●●●
●
●●●●●●●●●●●
●
●
●●●●●●●
●
●●
●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●
●
●●●
●
●●●
●
●
●●
●
●●●●●●●
●●●●
●
●●●●●●
●
●●●●●●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●●●●●●●●●
●
●
●
●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●
●
●
●●●●
●
●●●●●●●●●●●●●●●
●
●
●
●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●●●●●●●●●●●●
●
●●●
●
●
●●●●●●●
●
●●●●
●●●●
●
●
●
●
●
●●●
●●●●●●●
●
●●●●●●●
●
●●
●
●●●●●●●●●●●●
●
●●●●●
●
●●●
●
●●●●●●●●
●●●●●●●●●●
●
●
●●●●●●●
●
●
●
●●
●●●●●●
●
●●
●
●●●●
●
●●●
●
●●●●●●●●●●●●
●
●
●●●●●
●
●●●●
●●●●
●
●●●●
●
●
●
●
●●●
●
●●●●●●●
●
●●●
●●●●
●
●
●
●●●●●
●●●●●●●●●
●
●●●●
●
●
●●●●●
●
●●●
●
●
●
●●
●
●
●●
●●●●●●●●●●●
●
●●●●●
●
●●
●
●
●
●●●●●●●●●●●●
●●●●●
●
●●
●
●●●●●●●●●
●●
●●●●
●
●●●
●
●
●
●●●●●●
●
●●●
●
●
●
●●●●●●
●
●
●●
●●
●
●
●●●
●
●
●●
●
●●●
●
●
●
●●
●
●
●●●
●
●●●
●
●●
●●●●●●●●
●
●●●
●●●●●●
●
●●●●●
●●●●●●●
●
●●●●
●●●●●●
●
●●●●●
●●
●
●●●●●●●●
●
●●●●
●●
●●
●●●
●
●●
●
●●●●●
●●●●●
●
●●●●●
●
●
●●
●
●●
●
●
●
●
●●
●
●●●●●●●●●
●
●
●
●●●
●●●●●
●
●●●●●●●●●●●
●
●●●●●
●
●
●
●●●●●●
●●●●●●●●
●
●●●
●
●
●
●
●●●●●●●●●
●
●
●●●●●●●
●
●●
●●●●●●●●
●
●
●●
●●
●
●
●
●
●●
●
●●●●
●●
●●●●
●
●●●●●●●●
●
●●●●●●●●●●●
●
●
●●●●●●●
●
●
●●●●
●
●●●●
●●
●
●
●
●●●●●●●●●
●
●●●●●●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 200 400 600 800 1000
010
2030
4050
60
1:1000
D2[
1001
:200
0, "r
espo
nse"
]
Contamination
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●
●●
●
●
●
●
●
●
●●●
●
●●
●●
●
●
●●●●
●
●
●●
●
●
●
●
●
●
●●●●
●
●
●●●
●
●
●
●●●●●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●●
●
●●●●●
●
●●
●
●
●
●●●●●
●●
●●
●
●
●
●
●●
●
●
●●
●●●
●
●
●●●
●
●
●●●
●
●
●
●
●●●
●
●
●●
●●●●
●
●
●●
●
●
●
●
●
●
●
●●
●
●●
●●
●●
●
●
●
●●
●
●●
●
●
●●
●
●●●
●
●
●●
●●
●
●
●●
●
●
●
●
●
●●
●
●
●●
●
●
●●
●
●
●●
●
●
●●●●
●
●
●
●●●
●●●
●
●
●●
●
●●
●
●●●
●
●
●
●
●
●
●
●
●●
●
●●
●●
●●●●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●
●
●●●
●●
●●●●●●
●
●●●●
●
●
●
●
●
●
●
●
●●●
●
●●●●●
●
●
●
●●
●
●
●
●
●
●●●
●●
●
●
●
●
●
●
●
●●
●●
●
●
●
●●
●
●
●●
●
●
●●
●
●
●
●●●●
●
●
●
●
●
●
●●
●●●●
●
●
●●
●
●
●
●
●
●●
●
●●●●●●
●●●●●
●
●●
●
●●
●●●●
●
●
●
●●●●●
●
●
●●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●
●●●
●
●
●
●●
●●
●
●
●●●●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●●
●
●●●
●●●
●
●
●
●
●
●
●
●●●●●
●
●
●
●
●
●●
●●
●
●
●●●●●●●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●●
●
●●
●
●
●
●●●
●
●●●●
●
●
●●
●
●
●
●●
●
●●●
●●●
●●
●
●●
●
●●
●●
●
●
●●
●●
●
●
●
●
●
●●
●●●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●●●
●●
●
●
●
●●
●
●●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●●●●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●●
●
●
●
●●●●
●●●
●●
●
●
●
●●●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●●●
●
●
●
●●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●●●●
●
●
●
●●●●●
●
●
●
●●
●
●
●
●
●●
●
●
●
●
●
●●●
●
●●
●●
●●●●
●
●●
●
●
●
●
●
●●●●
●
●●●●
●
●
●
●
●
●
●
●
●●
●
●
●
●●●●●●
●
●●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●●●●
●
●●●●●
●●
●●●●
●
●●●●
●
●
●●●
●
●
●
●●●●●
●
●●●●●
●
●●
●●
●●
●
●
●
●●●●●●●●●
●
●●●●●●●
●
●●●
●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
0 500 1000 1500 2000
010
2030
4050
60
1:2000
DF[
, "re
spon
se"]
Abnormal Deviations
Detector Accuracy SensitivityQRF 0.959 (0.019) 0.934 (0.012)PELT 0.544 (0.227) 0.349 (0.062)
Benchmark 0.930 (0.006) 0.935 (0.012)
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
NetFlow and Process device behaviour
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●0
2
4
6
0 500 1000 1500 2000Time bin sequence
Num
ber o
f eve
nts
in a
tim
e bi
n
●
●
●●●●
●
●●●
●
●
●
●
●
●
●●
●
●●●
●
●
●
●
●●●●
●
●●●
●
●●
●
●●●●●●●●
●
●●
●
●
●
●●●●●●
●
●●
●
●●●●●●●●
●
●●
●
●
●●●●●
●
●
●
●
●
●
●●●●●●●●
●
●●
●
●
●●●●●●●
●
●●
●
●●●●●●●●
●
●
●
●
●
●●●
●
●●●
●
●
●
●
●●●●●●●●
●
●
●
●
●●●●●
●
●
●
●
●●●●●
●
●●
●
●●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●●
●
●●●●●
●
●
●
●
●●●●●
●
●●
●
●●
●
●
●●●●●
●
●
●
●●
●
●
●
●●●●
●
●
●
●●
●
●●●●●
●
●●
●●
●
●
●●●
●
●●●●
●
●●
●
●
●●●●●
●
●
●
●●
●
●●●●●●●●
●
●
●
●
●●●●
●
●
●●
●●
●
●
●
●●●
●
●●●
●
●●
●●
●●●
●
●
●
●
●
●●
●
●
●●●
●
●●●
●
●●
●●
●●●●
●
●●
●
●●
●
●●●●●●●●●
●
●
●
●
●●●●●
●
●●
●
●●
●●●●●●
●
●●
●
●
●
●
●
●
●
●●●●
●
●
●
●
●
●
●
●●
●●
●
●
●
●
●
●
●
●
●
●
●●●●
●
●●
●
●●
●
●
●●●●
●
●
●
●●
●
●●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●
●●
●
●●●●
●
●●
●
●
●
●●●●●
●
●
●●
●
●
●
●
●●●●
●
●●●
●
●
●
●
●
●
●
●●●●●
●
●
●
●
●●
●
●●●●●
●
●
●
●●
●●●●●●●
●
●
●
●●
●
●●●
●
●●
●
●
●
●
●●●●●●●●
●
●
●
●●●●
●
●●
●
●
●
●
●
●
●
●
●●●
●
●●
●
●
●
●●●●
●
●●●●
●
●
●
●
●
●●●●●●●
●
●
●
●●●●●●●●●
●
●
●
●●●●●●●●●
●
●
●
●
●●●
●
●
●
●●
●
●●
●●●●●●●●●
●
●
●
●
●●●
●
●●●●
●
●
●
●●●●●●
●
●●
●
●
●
●
●
●●
●●
●●
●
●
●
●
●
●●●●●●●●
●
●
●
●
●
●
●
●●●
●
●
●●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●●
●
●
●●●
●
●
●
●●
●
●●●●●●
●
●
●
●●
●
●●●
●
●●
●
●
●
●●●●●●●●●
●
●●
●●
●
●
●●●●●
●
●
●
●
●●●●●●●
●●
●
●
●
●●●●●●●●
●
●
●
●●●●●●
●
●●
●
●
●
●
●
●●●●●●●
●●
●
●●●●
●
●●●●
●
●
●
●
●●●
●
●●●●
●
●
●
●
●●●
●
●●●●
●
●
●
●
●●●●●●●●
●
●
●
●
●●●●●●●
●
●
●
●
●●●●●●●●●
●
●
●
●●●●●●
●
●●
●
●
●
●●●●●●
●
●●
●
●
●
●
●●●●●●●●
●
●
●
●●●
●
●●●
●
●
●
●
●
●
●●
●
●●
●
●●
●
●
●
●
●
●
●●●●●●
●
●
●
●
●●●●●●●●
●●
●
●●●●●●●●●
●
●
●
●
●●●●
●
●
●●
●
●
●
●●●●
●
●●●●
●
●
●
●●●●
●
●●●●
●
●
●
●
●●●●●●●●
●
●●
●
●
●
●●●●●●
●
●
●
●●●
●●
●●●●
●
●
●
●
●
●●●●●●●
●
●
●
●
●●●●
●
●●●
●
●
●
●
●●●●●
●
●●
●
●
●
●
●●●●●
●
●●
●
●
●
●●●●
●
●●●●
●
●
●
●
●●●●●
●
●●
●
●
●
●●●●
●
●●●●
●
●
●
●
●●●●
●
●●●
●
●
●
●●●●●●●●●
●
●
●
●●●
●
●●●●●
●
●
●
●●●●●●
●
●●
●
●
●
●
●●●●●●●●
●
●
●
●●●●●●
●
●●
●●
●
●●
●
●●●●●●
●
●
●
●
●●●●●●●
●
●
●
●
●●●●●●●●●
●
●
●
●
●●●●
●
●
●●
●
●●
●
●●●●●●●●
●
●
●
●●
●
●
●●
●
●●
●
●
●
●●●●●●●●●
●
●
●
●
●
●
●●●●●●
●
●
●
●
●●●●●●
●
●
●
●
●
●●●●●●●●●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●
●●●●●●●●
●
●
●
●●●●●●●●●
●
●
●
●
●●●●●
●
●
●
●
●
●
●
●●●●●●●●
●
●
●
●●●●
●
●
●
●●
●
●
●
●●●●
●
●●●●
●
●
●
●
●●●
●
●●●●
●
●
●
●
●●●●●●
●
●
●
●
●
●
●
●
●●●●●●
●
●
●
●
●
●●●●●●●
●
●
●
●●●●●●
●
●
●●
●
●
●●●●●●●●●
●
●●
●
●
●
●●●●●●
●
●
●
●●●●●●
●
●●●
●
●
●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●●
●
●●
●●
●
●
●
●●
●
●
●●●
●
●
●
●●
●
●●
●
●
●●
●●
●
●●●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●●
●
●
●
●
●●
●
●
●
●
●
●
●
●●
●●●●●●●●●
●
●
●
●
●●
●
●●●●●
●
●
●
●
●
●●
●●●●●
●
●
●
●●
●●●●●●●
●
●
●
●
●
●
●●●●●●
●
●
●
●
●●●●●
●
●●
●
●
●
●●●●●●●
●
●
●
●
●
●●●●
●
●●●●
●
●
●
●●●●
●
●●●●
●
●
●
●
●●●
●
●●●●
●
●●
●
●●●●●●
●
●
●●
●
●
●●●●●●
●
●
●
●
●
●●
●
●
●●●●●
●
●
●●
●●●●●
●
●●
●●
●
●
●●●
●●●●●
●
●
●
●
●
●●●●●
●
●
●
●
●●
●
●
●●●
●
●
●
●
●
●
●
●
●
●
●
●
●●
●
●
●
●
●
●●
●
●
●
●
●
●●●
●
●
●
●●
●
●
●
●
●
●
●
●
●●●
●
●
●●
●
●
●●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●●●
●●
●
●
●
●●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●●●●●●●
●
●
●
●
●●●●●●●
●●
●
●
●●●
●●
●●●●
●
●
●
●●●●
●
●●●●
●
●
●
●●●●●●●●●
●
●●
●●●
●
●●
0
5
10
15
20
25
0 500 1000 1500 2000Time bin sequence
Num
ber o
f eve
nts
in a
tim
e bi
n
NetFlow Process
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Process data: Feature construction
Time User Device Process Start/End
2 C66@DOM1 C66 N23785 Start
2
C66@DOM1
C66 N978 Start
Event related features:Number of events, Number of events that only started in the timebin
Nature related features:Entropy of processes
Time related featuresWorking hours indicator, Working days indicator
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Process data: Predictions Intervals
●●
●●●●
●
●
●
●●
●
●●●●●
●
●●
●
●●●●●●●●●
●
●
●
●●●
●
●
●
●●●
●
●
●●●●●●●●●●
●
●
●
●●
●
●
●●●●●
●
●
●
●
●
●●●●●●
●
●
●
●
●●●
●
●●●●●
●●
●●●●
●
●
●●●●
●●
●●●●●
●
●●●●
●
●
●
●●●●●●●●●
●
●
●
●●●●●
●
●●●
●
●
●
●●●
●
●●●●●
●
●
●●
●
●●●●●
●
●
●●
●●●●●●
●
●●●
●
●
●●●●
●
●
●
●●●
●
●●
●●●●●
●
●●●
●
●
●
●●●●
●
●●
●
●
●
●●
●
●
●●●●●
●●
●●
●●
●
●●●
●
●
●●
●
●
●●
●●●
●
●
●
●
●
●
●
●
●
●●
●
●
●●
●●
●
●
●
●●●
●●
●●●●
●
●
●
●●●●●
●
●●●
●
●
●
●●
●
●
●
●
●●●
●●
●●●●●●●●●●
●
●
●
●
●●●●●●●●
●●
●●●●●●
●
●
●●
●
●
●
●●●●●●●●●
●●
●
●
●●
●
●●●●●
●
●
●●●●
●
●●●●●
●
●
●●●●
●
●●●●●
●
●
●●●●●●●●●
●●
●
●●●●●●●●●●
●
●
●●●●●●
●
●
●●
●
●
●●●●●●
●
●●●
●
●
●
●
●
●●
●
●●●●
●●
●●●●●●●●●●
●
●
●
●
●●●●●●●●
●●
●
●●●●●●
●
●
●
●
●
●
●
●
●
●●●●●●
●
●
●
●●●●●●
●
●
●●
●
●
●●●●●●●●●
●
●
●
●●●
●
●
●
●●●
●
●
●●●●●●●●●●
●
●
●
●
●
●
●●
●
●●
●
●
●
●
●●●●●●●●●
●
●
●●●●●●●●●●
●
●
●
●●●●●
●
●
●
●
●
●
●●●●●●●●●●
●
●
●
●
●
●●●●
●
●●
●
●
●
●●●
●
●
●
●●●
●●
●●●●●
●
●●●●
●
●
●●●●
●
●●●●●
●
●
●
●●●
●
●●●●●
●
●
●●●●
●
●●●●●
●
●
●
●●●●●●●●●
●
●
●●●●●
●
●●●●
●
●
●
●●●●●●●●●
●
●
●
●●●
●
●
●
●●●
●
●
●●●●●●●●●●
●●
●
●●●●●●●●●
●●
●●●●●●
●
●●●●●●●●●●●●
●
●●●●●●●●●●●
●
●●●●●●●●●●●
●
●●●●●●●●●
●
●●●●●●●●●●
●
●
●
●●●●●●●●●●●
●
●
●
●●●●●●●●●
●
●●●●●●●●●●
●
●●●●●●●●●●●
●
●●●●●●●●●●●●
●
●●●●●●●●●●●
●
●●●●●●●●●●
●
●●●●●●●●●●●●●●●●●●●●●●●
●
●
●●●●●●
●
●●●
●●
●●●●
●
●
●
●●●
●
●●
●●●●●
●
●●●
●●
●●●●●
●
●●●●
●
●●
●
●
●●●●●
●
●●●
●●
●
●●●
●
●
●●
●
●
●●
●
●●●
●
●
●
●●
●
●
●
●
●
●
●●
●
●●
●
●
●●●●
●●
●●
●●
●
●●●●●●●●●●●●●
●
●●●●●
●
●●●●●●●●●●●●●●●●●●
●
●●●●●●●●●●●●●●●●●●●●
●
●●●●●●●●●
●
●
●
●●●●●●●●●●●
●●
●●●●●●●●●●●
●
●●●●●●●●●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●
●●●●●●●●●●
●
●
●
●
●●●●●●●●
●●
●●●●●●●
●
●●
●
●
●
●
●●●●●●●●
●
●
●●●●●●●●●
●●●
●●●●●●●●●●
●●
●●●●
●
●
●
●●●
●
●
●●●●●●●●●●
●
●
●
●●●
●●
●
●●●
●●
●●●●●●●●
●●
●
●●●●●●●●●●●●●
●
●●●●●
●
●
●●●●●●●●●●●●●●
●
●
●
●
●
●●●●
●
●●
●
●
●
●●●●●●●●●
●
●●●●●●
●
●●
●●
●
●
●●●●●●●●●●●
●
●●●●●●●●●●
●●
●●●●●●●●●●●
●
●●●●●●●●●●●
●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●
●●●●●●●●●●
●●
●●●●●●●●●
0
5
10
15
0 200 400 600
Time bin sequence
Num
ber
of e
vent
s in
a ti
me
bin
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Conclusions
Diverse device behaviours are observed across the network
The QRF approach was found to have the best performanceacross a number of other tested regression models
A data-driven anomaly detection framework is proposed that isbased on prediction intervals of QRF models
Through a number of validation experiments the proposedframework was found to outperform other detectors
The anomaly detection framework can be extended for otherdata sources, e.g. process data
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data
Thank you for listening ! Any Questions?
Data: https://csr.lanl.gov/data/cyber1/
Adams, N., and Heard, N. (2016). Dynamic networks andcyber-security. World Scientific
Evangelou, M. and Adams, N. (2016). On the predictability ofNetFlow data. IEEE Information and Security Informatics
Neil, J. et al. (2013). Scan Statistics for the Online Detectionof Locally Anomalous Subgraphs. Technometrics
Meinshausen, N. (2006). Quantile Regression Forests. Journalof Machine Learning Research
Koenker, R. and Hallock, K.F. (2001). Quantile Regression.Journal of Economic Perspectives
Killick, R., et al. (2012). Optimal detection of changepointswith a linear computational cost. arXiv:1101.1438v3
Marina Evangelou Anomaly Detection Framework for Cyber-Security Data