Network anomaly detection using exponential random graph models and autoregressive moving average

This article is free to access.

Abstract

Network anomaly detection solutions are being used as defense against several attacks, especially those related to data exfiltration. Several methods exist in the literature, such as clustering or neural networks. However, these methods often focus on local and global network indicators instead of network structural properties, such as understanding which devices typically communicate with other devices. To address this literature gap, we propose a method that uses exponential random graph modeling to integrate network topology structure statistics in anomaly detection. We demonstrate the effectiveness of our method using real-world examples as a baseline for experiments on domain name system (DNS) data exfiltration scenarios. We highlight how our method provides better insight into how network traffic may alter network graph structure and how this can assist cybersecurity analysts in making better decisions in conjunction with existing intrusion detection systems. Finally, we compare and contrast the accuracy, false positive rate and computational overhead of our method with other methods.

Citation (APA)

Tsikerdekis, M., Waldron, S., & Emanuelson, A. (2021). Network anomaly detection using exponential random graph models and autoregressive moving average. IEEE Access, 9, 134530–134542. https://doi.org/10.1109/ACCESS.2021.3116575
