HMMs for Optimal Detection of Cybernet Attacks

The rapid detection of attackers within firewalls of computer networks is of paramount importance. Anomaly detectors address this problem by quantifying deviations from baseline statistical models of normal network behavior. However anomaly detectors have many false positives, severely limiting their practical utility. To circumvent this problem we need to evaluate both the likelihood of observed network behavior given that no attacker is present (as in anomaly detectors) and the likelihood given that an attacker is present. Any realistic stochastic model for behavior of a compromised network must work in continuous time, with many latent variables. Here we develop such a stochastic model of a compromised network's behavior, and show how to use Monte Carlo methods to integrate over its latent variables. This allows us to evaluate the likelihood of observed behavior in a compromised network. We then present computer experiments showing that a likelihood ratio detector that combines our attacker model with a model of normal network behavior has far better ROC curves than an anomaly detector that only uses the model of normal network behavior.