Invited speakers

Keynote address:
  • Chris Ensor, GCHQ, "Managing the cyber risk"

Abstracts

Patrick Wolfe, "Modelling network data"

Networks are fast becoming a primary object of interest in statistical data analysis, with important applications spanning the social, biological, and information sciences. A common aim across these fields is to test for and explain the presence of structure in network data. In this talk we show how characterizing the structural features of a network corresponds to estimating the parameters of various random network models, allowing us to obtain new results for likelihood-based inference and uncertainty quantification in this context. We discuss asymptotics for stochastic blockmodels with growing numbers of classes, the determination of confidence sets for network structure, and a more general point process modeling for network data taking the form of repeated interactions between senders and receivers, where we show consistency and asymptotic normality of partial-likelihood-based estimators related to the Cox proportional hazards model (arXiv:1201.5871, 1105.6245, 1011.4644, 1011.1703).


Joshua Neil, "Dynamic Graphs for Computer Network and Host-Based Anomaly Detection"

Many modern attacks on computer networks begin with an initial penetration of the perimeter defenses, commonly through a phishing email. Often, the hacker does not stop at this initial penetration, however, but proceeds to traverse the network, moving from one machine to the next. This behavior is motivated by several goals, including the escalation of access privileges, the identification of valuable data to exfiltrate, and the establishment of a broad presence in the network. We introduce a method based on scan statistics for detecting this traversal. Through parallel enumeration of subgraphs of the network graph, we search for sets of communications which have deviated from a stochastic baseline, and which indicate the presence of an attacker. The approach has proven successful in detecting advanced persistent threat attacks on Los Alamos National Laboratory networks, as well as other US government and industry partners. In the talk, I will give a more detailed description of typical network traversal attacks, describe the models and methods used to detect such traversal, and present results from synthetic and real events.


Sofia Olhede, "Network Structure and Scaling"

Properties such as spreading on a network are fundamentally governed by its intrinsic properties. It is therefore important to understand what structure a given observed network possesses. A key set of summary statistics of network characteristics is the collection of observed degrees. These reflect the propensity of nodes within a network to form connections with other nodes in the same network. To determine if any one node is unusual or extreme in its number of connections, we need to understand the distributional properties of degrees, and how variability in degrees reflects real anomalies or extremes, or potentially, just sampling variability. We discuss how such understanding scales with the size of a network and the potential for degree distributions to become network-size independent.


Alexander Tartakovsky, "Rapid detection of attacks in computer networks by sequential changepoint methods"

Changepoint problems deal with detecting changes in a process that occur at unknown points in time. The gist of the sequential changepoint problem is to design a detection procedure that minimizes the detection delay of a real change subject to a bound on the false alarm rate. In this talk, we argue that network anomaly detection can be efficiently performed using changepoint detection methods. More specifically, we propose score-based versions of CUSUM and Shiryaev-Roberts detection algorithms that are self-learning, robust, computationally simple, and efficient for the detection of a wide variety of network intrusions that lead to relatively abrupt changes in network traffic. The results are illustrated for several real datasets with UDP and TCP SYN flooding attacks on backbone links as well as for detecting spam campaigns.
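The abstract above describes score-based CUSUM and Shiryaev-Roberts detectors without giving the recursions. The following added example (not code from the speaker or the talk) implements both in their standard form: a score s_t is computed for each new observation, CUSUM keeps W_t = max(0, W_{t-1} + s_t), and Shiryaev-Roberts keeps R_t = (1 + R_{t-1}) * exp(s_t), each raising an alarm when its statistic crosses a threshold. It assumes a Gaussian log-likelihood-ratio score for a mean shift of a chosen size, a baseline mean and standard deviation learned from an initial training window (the "self-learning" part), and a constructed series of per-second TCP SYN counts in which a flood begins at sample 60.

```python
from math import exp, log, log1p, sqrt

# Constructed per-second TCP SYN counts: 60 samples of stable baseline
# traffic followed by 10 samples of a SYN flood (change-point at t = 60).
BASELINE = [48, 52, 50, 49, 51, 53, 47, 50, 52, 49] * 6
FLOOD = [180, 195, 210, 205, 190, 215, 200, 198, 205, 210]
SYN_COUNTS = BASELINE + FLOOD
CHANGE_POINT = len(BASELINE)


def fit_baseline(xs):
    """Learn the pre-change mean and standard deviation from a training window."""
    n = len(xs)
    mu = sum(xs) / n
    var = sum((x - mu) ** 2 for x in xs) / (n - 1)
    return mu, sqrt(var)


def gaussian_score(x, mu0, sigma, delta):
    """Log-likelihood ratio of N(mu0 + delta, sigma^2) against N(mu0, sigma^2).

    Positive when x looks more like post-change traffic, negative otherwise.
    """
    return (delta / sigma ** 2) * (x - mu0 - delta / 2.0)


def cusum_detect(xs, mu0, sigma, delta, threshold):
    """Page's CUSUM: W_t = max(0, W_{t-1} + s_t); alarm when W_t >= threshold.

    Returns the index of the first alarm, or None if no alarm is raised.
    """
    w = 0.0
    for t, x in enumerate(xs):
        w = max(0.0, w + gaussian_score(x, mu0, sigma, delta))
        if w >= threshold:
            return t
    return None


def _log1pexp(a):
    """Numerically stable log(1 + exp(a))."""
    if a > 0:
        return a + log1p(exp(-a))
    return log1p(exp(a))


def shiryaev_roberts_detect(xs, mu0, sigma, delta, threshold):
    """Shiryaev-Roberts: R_t = (1 + R_{t-1}) * exp(s_t); alarm when R_t >= threshold.

    Kept in the log domain so a long run of large scores cannot overflow.
    Returns the index of the first alarm, or None.
    """
    log_r = float("-inf")  # R_0 = 0
    log_threshold = log(threshold)
    for t, x in enumerate(xs):
        log_r = _log1pexp(log_r) + gaussian_score(x, mu0, sigma, delta)
        if log_r >= log_threshold:
            return t
    return None


def detect_syn_flood(xs=SYN_COUNTS, train=30, shift_sigmas=3.0,
                     cusum_threshold=5.0, sr_threshold=150.0):
    """Learn the baseline from the first `train` samples, then run both detectors.

    `shift_sigmas` is the smallest mean shift (in baseline standard deviations)
    the detectors are tuned for; the thresholds trade detection delay against
    the false alarm rate.
    """
    mu0, sigma = fit_baseline(xs[:train])
    delta = shift_sigmas * sigma
    return {
        "mu0": mu0,
        "sigma": sigma,
        "cusum": cusum_detect(xs, mu0, sigma, delta, cusum_threshold),
        "shiryaev_roberts": shiryaev_roberts_detect(xs, mu0, sigma, delta, sr_threshold),
    }


if __name__ == "__main__":
    result = detect_syn_flood()
    print(f"baseline mean {result['mu0']:.1f}, sd {result['sigma']:.2f}")
    print(f"CUSUM alarm at t={result['cusum']}, "
          f"Shiryaev-Roberts alarm at t={result['shiryaev_roberts']} "
          f"(true change-point t={CHANGE_POINT})")
```

Both detectors alarm on the first flood sample here because the shift is many standard deviations; on real traffic the interesting tuning is the threshold, which sets the mean time between false alarms, against the detection delay for shifts near the chosen `delta`. Feeding the baseline-only series returns `None` from both, which is the no-false-alarm case a deployment should check first.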


Céline Lévy-Leduc, "Several approaches for detecting change-points in high-dimensional network traffic data"

In this talk, I will describe novel approaches for detecting change-points in high-dimensional data. This issue is of growing concern to the network security community since network anomalies such as Denial of Service (DoS) attacks lead to changes in Internet traffic. First, I will describe a centralized approach which consists of a data reduction stage based on record filtering, followed by a nonparametric change-point detection test based on U-statistics. Then, I will show how it applies to some real Internet traffic provided by a major French Internet service provider. Finally, I will explain how it can be extended to provide a distributed network anomaly detection method.


Nick Heard, "Bayesian anomaly detection in large dynamic graphs"

Anomalous connectivity levels in a communication graph can be indicative of prohibited or malicious behaviour. Detecting anomalies in large graphs, such as corporate computer networks, requires techniques which are computationally fast and ideally parallelisable, and this puts a limit on the level of sophistication which can be used in modelling the entire graph. Here, methods are presented for detecting locally anomalous substructures based on simple node and edge-based Bayesian models. This can be viewed as an initial screening stage for identifying candidate anomalies, and only very basic substructures are considered. Then, methods for quantifying the significance in the level of overlap for these substructures are considered, offering the potential to improve detection power at the second stage by seeking synchronised, co-ordinated anomalous activities which together form a much more sophisticated graph substructure which will better describe an attack pattern.


Sumeet Dua, "Characterizing dynamic group behavior in social networks for cybernetics"

The recent excrescence of social networking (SN) and social media (SM) as a medium of communication cannot be overlooked primarily for its far reaching applications and outreach. Both SN and SM have transcended from a means of casual communication to "virtual glue" that connects individuals and facet over the cyberspace. This constantly evolving and dynamic cyber ecosystem provides a deluge of data and information that can be exploited to enhance the situational awareness (SA) of a cyber-system. Existing techniques of SA are achieved by modeling community structure by employing standard visualization and quantitative tools to measure correlations between communities and sets of self-identified user characteristics. However, SA in SN lacks a clear definition and the challenge of realizing a SN based SA system is still far from realization. The focus of this talk rests on realizing the role of and exploitation of SN for effective SA.

This talk is specifically targeted towards describing the significant role of cybernetics and SN in SA. SA can be described as the effective recognition and realization of a system's performance. The performance of a system is defined as the relationship between the system's ability to achieve a set of deliverables that it is expected to support. Effective SA relies on the prediction of threats both internal and external to the system. The realization of SA on a cyber-system offers its set of challenges. This includes the challenge to handle the data deluge associated with a system to enable analysts to make effective decisions based on the system state. Data management in a cyber-system is vital as the confidence of predicting events is tied down to the quality of data. These predicted events are succinct to the creation of a system capable of identifying zero day attacks rather than a reactive system. Currently, SA and its associated challenges focus on networks to answer two predominant challenges: the determination of the current state of the system, and to compare the current conditions with normal conditions to identify potential inconsistencies that might indicate a threat.

The talk will highlight techniques that exploit the behavior of individuals over a SN. We will demonstrate a novel graph theoretic approach that exploits user behavior patterns for effective ad hoc community detection. Leveraging the concepts of tag sense disambiguation, this approach effectively gauges the behavior of a user in a social tagging SN. The talk will also emphasize techniques that can capture the behavior of players in a community through shared interests and interactions with other players in the community. The mining of interest patterns can be exploited as indicators of potential threats in the cyber space. In conclusion, we discuss future directions and potential applications of the proposed system.