Price-Williams M, Heard N, Nonparametric Self-exciting Models for Computer Network Traffic, Statistics and Computing, ISSN: 0960-3174
Price-Williams M, Heard N, Rubin-Delanchy P, 2019, Detecting weak dependence in computer network traffic patterns by using higher criticism, Journal of the Royal Statistical Society. Series C: Applied Statistics, Vol: 68, Pages: 641-655, ISSN: 0035-9254
© 2018 Royal Statistical Society. To perform robust statistical anomaly detection in cybersecurity, we must build realistic models of the traffic patterns within a computer network. It is therefore important to understand the dependences between the large number of routinely interacting communication pathways within such a network. Pairs of interacting nodes in any directed communication network can be modelled as point processes, where events in a process indicate information being sent between two nodes. For two processes A and B denoting the interactions between two distinct pairs of computers, called edges, we wish to assess whether events in A trigger subsequent events in B. A test is introduced to detect such dependence when only a subset of the events in A exhibit a triggering effect on process B; this test will enable us to detect even weakly correlated edges within a computer network graph. Since computer network events occur as a high-frequency data stream, we consider the asymptotics of this problem as the number of events goes to ∞ while the proportion exhibiting dependence goes to 0, and examine the performance of tests that are provably consistent in this framework. An example of how this method can be used to detect genuine causal dependences is provided using real-world event data from the enterprise computer network of Los Alamos National Laboratory.
Heard N, Rubin-Delanchy P, 2018, Choosing between methods of combining p-values, Biometrika, Vol: 105, Pages: 239-246, ISSN: 0006-3444
Combining p-values from independent statistical tests is a popular approach to meta-analysis, particularly when the data underlying the tests are either no longer available or are difficult to combine. A diverse range of p-value combination methods appear in the literature, each with different statistical properties. Yet all too often the final choice used in a meta-analysis can appear arbitrary, as if all effort has been expended building the models that gave rise to the p-values. Birnbaum (1954) showed that any reasonable p-value combiner must be optimal against some alternative hypothesis. Starting from this perspective and recasting each method of combining p-values as a likelihood ratio test, we present theoretical results for some of the standard combiners which provide guidance about how a powerful combiner might be chosen in practice.
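One of the standard combiners the paper considers is Fisher's method. As a hedged illustration (the function name and the closed-form tail evaluation are mine, not the paper's code): under the global null hypothesis, −2 Σ log pᵢ follows a chi-squared distribution with 2n degrees of freedom, whose survival function has a closed form for even degrees of freedom.

```python
from math import exp, factorial, log

def fisher_combine(pvals):
    """Fisher's method for combining n independent p-values.

    Under the global null, -2 * sum(log p_i) ~ chi-squared with 2n df.
    For even df = 2n the survival function has the closed form
    P(X > x) = exp(-x/2) * sum_{i=0}^{n-1} (x/2)**i / i!.
    """
    n = len(pvals)
    half = -sum(log(p) for p in pvals)  # half the chi-squared statistic
    return exp(-half) * sum(half ** i / factorial(i) for i in range(n))
```

For a single p-value the combiner returns it unchanged, and for n = 2 it reduces to the known identity q(1 − log q) with q = p₁p₂.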
Rubin-Delanchy P, Heard NA, Lawson DJ, 2018, Meta-Analysis of Mid-p-Values: Some New Results based on the Convex Order, Journal of the American Statistical Association, ISSN: 0162-1459
© 2018, © 2018 The Author(s). Published with license by Taylor and Francis. The mid-p-value is a proposed improvement on the ordinary p-value for the case where the test statistic is partially or completely discrete. In this case, the ordinary p-value is conservative, meaning that its null distribution is larger than a uniform distribution on the unit interval, in the usual stochastic order. The mid-p-value is not conservative. However, its null distribution is dominated by the uniform distribution in a different stochastic order, called the convex order. This property leads us to discover some new finite-sample and asymptotic bounds on functions of mid-p-values, which can be used to combine results from different hypothesis tests conservatively, yet more powerfully, using mid-p-values rather than p-values. Our methodology is demonstrated on real data from a cyber-security application.
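For a discrete test statistic X with observed value x, the ordinary upper-tail p-value is P(X ≥ x), while the mid-p-value replaces half of the point mass at x: P(X > x) + ½P(X = x). A minimal sketch for a one-sided binomial test (a hypothetical example chosen for illustration; not the paper's data or code):

```python
from math import comb

def binom_pmf(k, n, p):
    """Probability mass of Binomial(n, p) at k."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)

def upper_p_values(x, n, p):
    """Return (ordinary p-value, mid-p-value) for observing X >= x
    when X ~ Binomial(n, p) under the null."""
    tail = sum(binom_pmf(k, n, p) for k in range(x, n + 1))
    mid = tail - 0.5 * binom_pmf(x, n, p)  # subtract half the atom at x
    return tail, mid
```

The mid-p-value is always the smaller of the two, which is exactly why it is no longer conservative in the usual stochastic order.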
Bolton AD, Heard NA, 2018, Malware Family Discovery Using Reversible Jump MCMC Sampling of Regimes, JOURNAL OF THE AMERICAN STATISTICAL ASSOCIATION, Vol: 113, Pages: 1490-1502, ISSN: 0162-1459
Price-Williams M, Heard N, Turcotte M, 2017, Detecting periodic subsequences in cyber security data, Pages: 84-90
© 2017 IEEE. Anomaly detection for cyber-security defence has garnered much attention in recent years, providing an orthogonal approach to traditional signature-based detection systems. Anomaly detection relies on building probability models of normal computer network behaviour and detecting deviations from the model. Most data sets used for cyber-security have a mix of user-driven events and automated network events, which most often appear as polling behaviour. Separating these automated events from those caused by human activity is essential to building good statistical models for anomaly detection. This article presents a changepoint detection framework for identifying automated network events appearing as periodic subsequences of event times. The opening event of each subsequence is interpreted as a human action which then generates an automated, periodic process. Difficulties arising from the presence of duplicate and missing data are addressed. The methodology is demonstrated using authentication data from Los Alamos National Laboratory's enterprise computer network.
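The paper's approach is a full changepoint model; as a loose heuristic sketch of what a "periodic subsequence" looks like (the function and tolerance are illustrative assumptions, not the paper's method), one can flag a run of event times whose inter-arrival gaps are nearly constant:

```python
def looks_periodic(times, tol=0.05):
    """Heuristic: flag a sorted run of event times as automated polling
    when every inter-arrival gap lies within tol * mean_gap of the mean
    gap.  A real treatment must also handle duplicates and missing data."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps) / len(gaps)
    return all(abs(g - mean_gap) <= tol * mean_gap for g in gaps)
```

A 60-second polling process passes this check even with small jitter, while human-driven event times typically fail it.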
Heard NA, Turcotte MJM, 2017, Adaptive Sequential Monte Carlo for Multiple Changepoint Analysis, JOURNAL OF COMPUTATIONAL AND GRAPHICAL STATISTICS, Vol: 26, Pages: 414-423, ISSN: 1061-8600
Griffie J, Shannon M, Bromley CL, et al., 2016, A Bayesian cluster analysis method for single-molecule localization microscopy data, NATURE PROTOCOLS, Vol: 11, Pages: 2499-2514, ISSN: 1754-2189
Heard N, Palla K, Skoularidou M, 2016, Topic modelling of authentication events in an enterprise computer network, Pages: 190-192
© 2016 IEEE. The possibility for theft or misuse of legitimate user credentials is a potential cyber-security weakness in any enterprise computer network which is almost impossible to eradicate. However, by monitoring network traffic patterns, it can be possible to detect misuse of credentials. This article presents an initial investigation into deconvolving the mixture behaviour of several individuals within a network, to see if individual users can be identified. To that end, a technique used for document classification, the latent Dirichlet allocation model, is deployed. A pilot study is conducted on real authentication events from the enterprise network of Los Alamos National Laboratory.
Heard N, Rubin-Delanchy P, 2016, Network-wide anomaly detection via the Dirichlet process, Pages: 220-224
© 2016 IEEE. Statistical anomaly detection techniques provide the next layer of cyber-security defences below traditional signature-based approaches. This article presents a scalable, principled, probability-based technique for detecting outlying connectivity behaviour within a directed interaction network such as a computer network. Independent Bayesian statistical models are fit to each message recipient in the network using the Dirichlet process, which provides a tractable, conjugate prior distribution for an unknown discrete probability distribution. The method is shown to successfully detect a red team attack in authentication data obtained from the enterprise network of Los Alamos National Laboratory.
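The appeal of the Dirichlet process prior here is its closed-form predictive probability for the next source connecting to a monitored recipient (a sketch via the Chinese restaurant process representation; the function name and concentration value are illustrative assumptions, not the paper's implementation):

```python
from collections import Counter

def dp_predictive(history, source, alpha=1.0):
    """Predictive probability that the next event at a recipient comes
    from `source`, given the `history` of past sources, under a
    Dirichlet process with concentration parameter alpha.  Small values
    flag surprising (potentially anomalous) connections."""
    counts = Counter(history)
    n = len(history)
    if source in counts:
        return counts[source] / (n + alpha)
    return alpha / (n + alpha)  # mass reserved for a never-seen source
```

Because the update is just a count increment, one such model per recipient scales to network-wide monitoring, which is the scalability claim in the abstract.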
Turcotte M, Moore J, Heard N, et al., 2016, Poisson factorization for peer-based anomaly detection, Pages: 208-210
© 2016 IEEE. Anomaly detection systems are a promising tool to identify compromised user credentials and malicious insiders in enterprise networks. Most existing approaches for modelling user behaviour rely on either independent observations for each user or on pre-defined user peer groups. A method is proposed based on recommender system algorithms to learn overlapping user peer groups and to use this learned structure to detect anomalous activity. Results analysing the authentication and process-running activities of thousands of users show that the proposed method can detect compromised user accounts during a red team exercise.
Metelli S, Heard N, 2016, Model-based clustering and new edge modelling in large computer networks, Pages: 91-96
© 2016 IEEE. Computer networks are complex, and the analysis of their structure in search of anomalous behaviour is both a challenging and important task for cyber security. For instance, new edges, i.e. connections from a host or user to a computer that has not been connected to before, provide potentially strong statistical evidence for detecting anomalies. Unusual new edges can be indicative of either legitimate activity, such as automated update requests permitted by the client, or illegitimate activity, such as denial of service (DoS) attacks to cause service disruption or intruders escalating privileges by traversing through the host network. In either case, capturing and accumulating evidence of anomalous new edge formation represents an important security application. Computer networks tend to exhibit an underlying cluster structure, where nodes are naturally grouped together based on similar connection patterns. What constitutes anomalous behaviour may differ strongly between clusters, so inferring these peer groups constitutes an important step in modelling the types of new connections a user would make. In this article, we present a two-step Bayesian statistical method aimed at clustering similar users inside the network while simultaneously modelling new edge activity, exploiting both overall-level and cluster-level covariates.
Heard NA, Turcotte MJM, 2016, Convergence of Monte Carlo distribution estimates from rival samplers, STATISTICS AND COMPUTING, Vol: 26, Pages: 1147-1161, ISSN: 0960-3174
Rubin-Delanchy P, Adams NM, Heard NA, 2016, Disassortativity of Computer Networks, 14th IEEE International Conference on Intelligence and Security Informatics - Cybersecurity and Big Data (IEEE ISI), Publisher: IEEE, Pages: 243-247
Rubin-Delanchy P, Burn GL, Griffie J, et al., 2015, Bayesian cluster identification in single-molecule Localization microscopy data, NATURE METHODS, Vol: 12, Pages: 1072-1076, ISSN: 1548-7091
Turcotte M, Heard N, Neil J, 2014, Detecting Localised Anomalous Behaviour in a Computer Network, 13th International Symposium on Intelligent Data Analysis (IDA), Publisher: SPRINGER INT PUBLISHING AG, Pages: 321-332, ISSN: 0302-9743
Rubin-Delanchy P, Lawson DJ, Turcotte MJ, et al., 2014, Three statistical approaches to sessionizing network flow data, IEEE Joint Intelligence and Security Informatics Conference (JISIC 2014), Publisher: IEEE, Pages: 244-247
Lawson DJ, Rubin-Delanchy P, Heard N, et al., 2014, Statistical frameworks for detecting tunnelling in cyber defence using big data, IEEE Joint Intelligence and Security Informatics Conference (JISIC 2014), Publisher: IEEE, Pages: 248-251
Heard N, Rubin-Delanchy P, Lawson D, 2014, Filtering automated polling traffic in computer network flow data, IEEE Joint Intelligence and Security Informatics Conference (JISIC 2014), Publisher: IEEE, Pages: 268-271
Metelli S, Heard N, 2014, Modelling new edge formation in a computer network through bayesian variable selection, Pages: 272-275
© 2014 IEEE. Anomalous connections in a computer network graph can be a signal of malicious behaviour. For instance, a compromised computer node tends to form a large number of new client edges in the network graph, connecting to server IP (Internet Protocol) addresses which have not previously been visited. This behaviour can be caused by malware (malicious software) performing a denial of service (DoS) attack to cause disruption or to spread malware further; alternatively, the rapid formation of new edges by a compromised node can be caused by an intruder seeking to escalate privileges by traversing through the host network. However, study of computer network flow data suggests that new edges are also regularly formed by uninfected hosts, and often in bursts. Statistically detecting anomalous formation of new edges requires reliable models of the normal rate of new edges formed by each host. Network traffic data are complex, so the potential number of variables which might be included in such a statistical model can be large, and without proper treatment this would lead to overfitting of models with poor predictive performance. In this paper, Bayesian variable selection is applied to a logistic regression model of new edge formation in order to select the best subset of variables to include.
Bolton A, Heard N, 2014, Application of a linear time method for change point detection to the classification of software, Pages: 292-295
© 2014 IEEE. A computer program's dynamic instruction trace is the sequence of instructions it generates during run-time. This article presents a method for analysing dynamic instruction traces, with an application in malware detection. Instruction traces can be modelled as piecewise homogeneous Markov chains and an exact linear time method is used for detecting change points in the transition probability matrix. The change points divide the instruction trace into segments performing different functions. If segments performing malicious functions can be detected then the software can be classified as malicious. The change point detection method is applied to both a simulated dynamic instruction trace and the dynamic instruction trace generated by a piece of malware.
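The paper's exact method runs in linear time; the underlying idea can be illustrated with a naive (quadratic) scan for a single changepoint in a Markov chain's transition matrix, comparing the maximized log-likelihood of a split against that of one homogeneous chain (a hedged sketch under my own naming, not the authors' algorithm):

```python
from collections import Counter
from math import log

def seg_loglik(seq):
    """Maximized log-likelihood of a segment under a single first-order
    Markov transition matrix, using the MLE count ratios."""
    trans = Counter(zip(seq, seq[1:]))          # transition counts
    row = Counter(s for s, _ in zip(seq, seq[1:]))  # outgoing totals
    return sum(c * log(c / row[a]) for (a, b), c in trans.items())

def best_changepoint(seq):
    """Naive O(T^2) scan over candidate changepoints t, returning the
    split position with the largest log-likelihood gain over a single
    homogeneous chain (None if no split improves the fit)."""
    base = seg_loglik(seq)
    best_t, best_gain = None, 0.0
    for t in range(2, len(seq) - 1):
        gain = seg_loglik(seq[:t]) + seg_loglik(seq[t:]) - base
        if gain > best_gain:
            best_t, best_gain = t, gain
    return best_t, best_gain
```

On a trace that alternates between two instruction regimes, the scan recovers the regime boundary; the segments it produces are what would then be classified as benign or malicious functions.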
Fowler A, Menon V, Heard NA, 2013, DYNAMIC BAYESIAN CLUSTERING, JOURNAL OF BIOINFORMATICS AND COMPUTATIONAL BIOLOGY, Vol: 11, ISSN: 0219-7200
Fowler A, Heard NA, 2013, Dynamic Bayesian clustering of gene expression data, Pages: 165-170
Clusters of time series data may change location and memberships over time; in gene expression data, this occurs as groups of genes or samples respond differently to stimuli or experimental conditions at different times. In order to uncover this underlying temporal structure, we consider dynamic clusters which not only change location but also split and merge over time, enabling cluster memberships to change. Dynamic clustering is applied to both cyclic and developmental gene expression data sets and reveals interesting, time-dependent structures which could not be identified using traditional clustering methods.
Fowler A, Heard NA, 2012, On two-way Bayesian agglomerative clustering of gene expression data, Statistical Analysis and Data Mining, Vol: 5, Pages: 463-476, ISSN: 1932-1872
This article introduces an agglomerative Bayesian model-based clustering algorithm which outputs a nested sequence of two-way cluster configurations for an input matrix of data. Each two-way cluster configuration in the output hierarchy is specified by a row configuration and a column configuration whose Cartesian product partitions the data matrix. Variable selection is incorporated into the algorithm by identifying row clusters which form distinct groups defined by the column clusters, through the use of a mixture model. A primitive similarity measure between two clusters is the multiplicative change in model posterior probability implied by their merger, and the hierarchy is formed by iteratively merging the cluster pair which maximize some fixed monotonic function of this quantity. A naive implementation of the algorithm would be to choose this function to be the identity function. However, when applying this naive algorithm to gene expression data, where the number of genes being studied typically far exceeds the number of experimental samples available, this imbalanced dimensionality of the data results in an algorithmic bias toward merging samples. To counteract this bias, alternative functions of the similarity measure are considered which prevent degenerate behavior of the algorithm. The resulting improvements in the output cluster configurations are demonstrated on simulated data, and the method is then applied to real gene expression data. © 2012 Wiley Periodicals, Inc.
Heard NA, 2011, Iterative Reclassification in Agglomerative Clustering, JOURNAL OF COMPUTATIONAL AND GRAPHICAL STATISTICS, Vol: 20, Pages: 920-936, ISSN: 1061-8600
Heard NA, Weston DJ, Platanioti K, et al., 2010, BAYESIAN ANOMALY DETECTION METHODS FOR SOCIAL NETWORKS, ANNALS OF APPLIED STATISTICS, Vol: 4, Pages: 645-662, ISSN: 1932-6157
Bushel PR, Heard NA, Gutman R, et al., 2009, Dissecting the fission yeast regulatory network reveals phase-specific control elements of its cell cycle, BMC SYSTEMS BIOLOGY, Vol: 3, ISSN: 1752-0509
Heard NA, Holmes CC, Stephens DA, 2006, A quantitative study of gene regulation involved in the immune response of anopheline mosquitoes: An application of Bayesian hierarchical clustering of curves, JOURNAL OF THE AMERICAN STATISTICAL ASSOCIATION, Vol: 101, Pages: 18-29, ISSN: 0162-1459
Heard NA, Holmes CC, Stephens DA, et al., 2005, Bayesian coclustering of Anopheles gene expression time series: Study of immune defense response to multiple experimental challenges, PROCEEDINGS OF THE NATIONAL ACADEMY OF SCIENCES OF THE UNITED STATES OF AMERICA, Vol: 102, Pages: 16939-16944, ISSN: 0027-8424
Hand DJ, Heard NA, 2005, Finding groups in gene expression data, JOURNAL OF BIOMEDICINE AND BIOTECHNOLOGY, Pages: 215-225, ISSN: 1110-7243
This data is extracted from the Web of Science and reproduced under a licence from Thomson Reuters. You may not copy or re-distribute this data in whole or in part without the written consent of the Science business of Thomson Reuters.