|
Abstract:
|
Cyber attacks have emerged as a modern era 'epidemic'. Large enterprises must protect their network infrastructures and masses of private customer data while being attacked multiple times on a daily basis. Considering the risks of cyber attacks, enterprises are investing enormous amounts of money to apply tools, typically using signature-based methods, in order to defend their networks. However this is not enough. Cyber-security must strengthen its relationship with Statistics in order to exploit the vast amounts of data sources generated by the field. Statistical analysis of these data sources can lead to the development of statistical anomaly detection frameworks that can complement existing enterprise network defence systems.
NetFlow is one of the available data sources widely used for monitoring an enterprise network. We present an anomaly detection framework based on predicting individual device behaviour. Device behaviour, defined as the number of NetFlow events, is modeled to depend on the observed historic NetFlow events. Through a comprehensive analysis, the best predictive model is chosen and based on its findings an anomaly detection framework is built.
|
