User Populations
• Legitimate users
 – Forgotten usernames/passwords
 – Have a past history of successful logins
• Singleton bruteforcers
 – Have a high rate of logins compared to distributed bruteforcers
• Low-rate distributed bruteforcers
 – Distributed across networks; the network being monitored sees only a few hits
• Characteristics overlap between legitimate users and bruteforcers
Aggregate Site Analyzer
• Site-wide parameter – Global Failure Indicator (GFI)
 – Site-wide number of failed logins per batch of n logins
• GFI well-modeled as Beta–binomial
 – Binomial with a Beta prior on the probability of success
[Figure: empirical PDF of the number of failed logins per 100 logins, test data for 2005–2009, overlaid with a Beta–binomial fit and a Binomial fit]
Aggregate Site Analyzer: Monitoring for Change (CUSUM Algorithm)
• $X_n$ – random variable (GFI)
• $\mu$ – mean under normal behavior
• $k$ – parameter based on the magnitude of change to be detected
• $C_0 = 0$
• $C_n = \max(0,\, C_{n-1} + X_n - \mu - k)$
• Alarm when the test statistic $C_n$ exceeds the threshold $h$ ($C_n > h$)
• Modeled the CUSUM process as a Markov chain
• Provides principled time-to-detection / false-positive rate in terms of the in-control / out-of-control Average Run Length (ARL)
[Figure: test statistic $C_n$ against sample number $n$ (120–150) with threshold $h$; the region where $C_n > h$ marks the scope of the attack]
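As an added example (not code from these slides), the per-batch GFI computation and the one-sided CUSUM above applied to a constructed login stream; the batch size of 100, the values of $\mu$, $k$ and $h$, and the per-batch failure counts are assumptions chosen to show the statistic tripping on a modest, sustained rise in failures:

```python
# Added example (not from the slides): the per-batch GFI and the one-sided
# CUSUM C_n = max(0, C_{n-1} + X_n - mu - k), alarming once C_n > h.
# Batch size, mu, k, h and the login stream are constructed assumptions.
from typing import Iterable, Iterator, Optional

BATCH = 100  # the slides' GFI counts failed logins per 100 logins

def gfi_series(outcomes: Iterable[bool], batch: int = BATCH) -> list[int]:
    """Global Failure Indicator: failures per full batch of `batch` logins
    (True = successful login, False = failed login); partial tail ignored."""
    series: list[int] = []
    failed = count = 0
    for ok in outcomes:
        failed += 0 if ok else 1
        count += 1
        if count == batch:
            series.append(failed)
            failed = count = 0
    return series

def cusum(xs: Iterable[float], mu: float, k: float, h: float):
    """One-sided CUSUM. mu: mean GFI under normal behaviour; k: allowance,
    usually half the mean shift to be detected; h: decision threshold.
    Returns (all C_n, index of the first batch with C_n > h, or None)."""
    c, stats, alarm = 0.0, [], None
    for n, x in enumerate(xs):
        c = max(0.0, c + x - mu - k)   # negative drift is clipped at zero
        stats.append(c)
        if alarm is None and c > h:
            alarm = n
    return stats, alarm

# Constructed failure counts per batch: ten batches of normal operation,
# then a low-rate distributed campaign that lifts failures only modestly.
FAILS_PER_BATCH = [6, 5, 7, 4, 6, 5, 8, 6, 5, 6,
                   9, 10, 11, 10, 10, 12, 11]

def synthetic_login_stream(fails: list[int], batch: int = BATCH) -> Iterator[bool]:
    """Expand per-batch failure counts into a raw stream of login outcomes."""
    for f in fails:
        yield from [False] * f + [True] * (batch - f)

def first_alarm(mu: float = 6.0, k: float = 2.0, h: float = 8.0) -> Optional[int]:
    """Batch index at which the site-wide GFI trips the CUSUM (14 here)."""
    gfi = gfi_series(synthetic_login_stream(FAILS_PER_BATCH))
    return cusum(gfi, mu, k, h)[1]
```

No single campaign batch exceeds the threshold on its own; the alarm comes from the accumulated excess over $\mu + k$, which is what lets CUSUM catch a low-rate change that per-batch thresholding would miss.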
Evaluation: Aggregate Site Analyzer
• Total number of attacks: 99
• Number of false attacks: 9 (determined by the Attack Participants Classifier)
• Number of attack hosts: 9,306
• Number of false attack hosts: 37 (determined by future successful activity / site incident database)