Compression Analytics for Classification and Anomaly Detection Within Network Communication

Authors: Ting, Christina; Field, Richard; Fisher, Andrew; Bauer, Travis

Author affiliation: Sandia Natl Labs Albuquerque NM 87123 USA

Publication: IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY

Year, volume, issue: 2019, Vol. 14, No. 5

Pages: 1366-1376

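Subject classification: 0808 [Engineering - Electrical Engineering]; 08 [Engineering]; 0812 [Engineering - Computer Science and Technology (engineering or science degrees may be conferred)]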

Funding: U.S. Department of Energy's National Nuclear Security Administration [DE-NA0003525  SAND2018-12123 J]

Subjects: Anomaly detection; classification algorithms; compression algorithms; random processes

Abstract: The flexibility of network communication within Internet protocols is fundamental to network function, yet this same flexibility permits the possibility of malicious use. In particular, malicious behavior can masquerade as benign traffic, thus evading systems designed to catch misuse of network resources. However, perfect imitation of benign traffic is difficult, meaning that small unintentional deviations from normal can occur. Identifying these deviations requires that the defenders know what features reveal malicious behavior. Herein, we present an application of compression-based analytics to network communication that can reduce the need for defenders to know a priori what features they need to examine. Motivating the approach is the idea that compression relies on the ability to discover and make use of predictable elements in information, thereby highlighting any deviations between expected and received content. We introduce a so-called slice compression score to identify malicious or anomalous communication in two ways. First, we apply normalized compression distances to classification problems and discuss methods for reducing the noise by excising application content (as opposed to protocol features) using slice compression. Second, we present a new technique for anomaly detection, referred to as slice compression for anomaly detection. A diverse collection of datasets are analyzed to illustrate the efficacy of the proposed approaches. While our focus is network communication, other types of data are also considered to illustrate the generality of the method.
