Security of Czech army information and communication systems - On-line monitoring, Visualization and Packet Filtration. Computer Incident Response Capability Development in the Cyber Defence EnvironmentAnomaly Detection Based on Profiles

Behaviour profiles represent a comprehensive information regarding communications of computers and other devices connected to the computer network. Those profiles are created by the way of NetFlow data aggregation at periodical intervals and thus they have the character of the time series. By applying appropriate statistical methods to these time series anomalies or distinctions from the expected behaviour of individual computers and other devices communicating on the network can be detected.

Network traffic anomalies
Figure 1: Anomalies in data networks traffic. The sudden drop in the volume of communication firstly appeared about 16:00; then an extreme increasing of the communication can be seen in the evening. It is marked by thick brown line under time axis in the graph.

In this research, we consider as an anomaly each behaviour profile value (for given IP address), which differs from expected level more than preset deviation anticipates. Of course, there can be a number of legitimate reasons for that anomaly like data backups or replications, computer configuration changes etc. It can also indicate a targeted attack or malware occurrence on the device, the second situation is the main subject of our interest.

Profiles of egress flows of five selected machines in the network
Figure 2: Profiles of the egress flows number of five selected machines in the network. Profiles granularity is one hour; the total length of the displayed period is one week. Stations are marked with the letters 'a' to 'e'.

As part of our research time series with different granularity (one day, one hour, five minutes) were analyzed. The software was written, it uses link to a new windownfdump tool to create a specified behaviour profile and in the form of time series it hands over for subsequent analysis (download below).

The analysis itself is carried out in the link to a new windowR system, where arithmetic averaging and Holt-Winters methods were implemented. In the event of an anomaly software records this fact in the form of events to a file.

The results achieved at this phase we consider as interim. In the further research we will focus on time series processing with a granularity of one hour, and finding a suitable mathematical model.

Tool for anomalies detection in the behaviour of the device profiles on the network