Using machine learning for behavior-based access control: Scalable anomaly detection on TCP connections and HTTP requests

Aaron Adler, Michael J. Mayhew, Jeffrey Cleveland, Michael Atighetchi, Rachel Greenstadt

    Research output: Chapter in Book/Report/Conference proceeding / Conference contribution

    Abstract

    Today's business processes are more connected than ever before, driven by the ability to share the right information with the right partners at the right time. While this interconnectedness and situational awareness is crucial to success, it also opens the possibility for misuse of the same capabilities by sophisticated adversaries to spread attacks and exfiltrate or corrupt critical sensitive information. We have been investigating means to analyze behaviors of actors and assess trustworthiness of information to support real-time cyber security decision making through a concept called Behavior-Based Access Control (BBAC). The work described in this paper focuses on the statistical machine learning techniques used in BBAC to make predictions about the intent of actors establishing TCP connections and issuing HTTP requests. We discuss pragmatic challenges and solutions we encountered in implementing and evaluating BBAC, discussing (a) the general concepts underlying BBAC, (b) challenges we have encountered in identifying suitable datasets, (c) mitigation strategies to cope with shortcomings in available data, (d) the combination of clustering and support vector machines for performing classification at scale, and (e) results from a number of scientific experiments. We also include expert commentary from Air Force stakeholders and describe current plans for transitioning BBAC capabilities into the Department of Defense together with lessons learned for the machine learning community.

    Original language: English (US)
    Title of host publication: Proceedings - 2013 IEEE Military Communications Conference, MILCOM 2013
    Pages: 1880-1887
    Number of pages: 8
    DOIs: https://doi.org/10.1109/MILCOM.2013.317
    State: Published - Dec 1 2013
    Event: 2013 IEEE Military Communications Conference, MILCOM 2013 - San Diego, CA, United States
    Duration: Nov 18 2013 to Nov 20 2013

    Publication series

    Name: Proceedings - IEEE Military Communications Conference MILCOM

    Other

    Other: 2013 IEEE Military Communications Conference, MILCOM 2013
    Country: United States
    City: San Diego, CA
    Period: 11/18/13 to 11/20/13

    Fingerprint

    HTTP
    Access control
    Learning systems
    Support vector machines
    Decision making
    Air
    Industry
    Experiments

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering

    Cite this

    Adler, A., Mayhew, M. J., Cleveland, J., Atighetchi, M., & Greenstadt, R. (2013). Using machine learning for behavior-based access control: Scalable anomaly detection on TCP connections and HTTP requests. In Proceedings - 2013 IEEE Military Communications Conference, MILCOM 2013 (pp. 1880-1887). [6735899] (Proceedings - IEEE Military Communications Conference MILCOM). https://doi.org/10.1109/MILCOM.2013.317

    Using machine learning for behavior-based access control: Scalable anomaly detection on TCP connections and HTTP requests. / Adler, Aaron; Mayhew, Michael J.; Cleveland, Jeffrey; Atighetchi, Michael; Greenstadt, Rachel.

    Proceedings - 2013 IEEE Military Communications Conference, MILCOM 2013. 2013. p. 1880-1887 6735899 (Proceedings - IEEE Military Communications Conference MILCOM).


    Adler, A, Mayhew, MJ, Cleveland, J, Atighetchi, M & Greenstadt, R 2013, Using machine learning for behavior-based access control: Scalable anomaly detection on TCP connections and HTTP requests. in Proceedings - 2013 IEEE Military Communications Conference, MILCOM 2013., 6735899, Proceedings - IEEE Military Communications Conference MILCOM, pp. 1880-1887, 2013 IEEE Military Communications Conference, MILCOM 2013, San Diego, CA, United States, 11/18/13. https://doi.org/10.1109/MILCOM.2013.317
    Adler A, Mayhew MJ, Cleveland J, Atighetchi M, Greenstadt R. Using machine learning for behavior-based access control: Scalable anomaly detection on TCP connections and HTTP requests. In Proceedings - 2013 IEEE Military Communications Conference, MILCOM 2013. 2013. p. 1880-1887. 6735899. (Proceedings - IEEE Military Communications Conference MILCOM). https://doi.org/10.1109/MILCOM.2013.317
    Adler, Aaron; Mayhew, Michael J.; Cleveland, Jeffrey; Atighetchi, Michael; Greenstadt, Rachel. / Using machine learning for behavior-based access control: Scalable anomaly detection on TCP connections and HTTP requests. Proceedings - 2013 IEEE Military Communications Conference, MILCOM 2013. 2013. pp. 1880-1887 (Proceedings - IEEE Military Communications Conference MILCOM).
    @inproceedings{054e3ac6dc734a599e607299b4d07c6b,
    title = "Using machine learning for behavior-based access control: Scalable anomaly detection on TCP connections and HTTP requests",
    abstract = "Today's business processes are more connected than ever before, driven by the ability to share the right information with the right partners at the right time. While this interconnectedness and situational awareness is crucial to success, it also opens the possibility for misuse of the same capabilities by sophisticated adversaries to spread attacks and exfiltrate or corrupt critical sensitive information. We have been investigating means to analyze behaviors of actors and assess trustworthiness of information to support real-time cyber security decision making through a concept called Behavior-Based Access Control (BBAC). The work described in this paper focuses on the statistical machine learning techniques used in BBAC to make predictions about the intent of actors establishing TCP connections and issuing HTTP requests. We discuss pragmatic challenges and solutions we encountered in implementing and evaluating BBAC, discussing (a) the general concepts underlying BBAC, (b) challenges we have encountered in identifying suitable datasets, (c) mitigation strategies to cope with shortcomings in available data, (d) the combination of clustering and support vector machines for performing classification at scale, and (e) results from a number of scientific experiments. We also include expert commentary from Air Force stakeholders and describe current plans for transitioning BBAC capabilities into the Department of Defense together with lessons learned for the machine learning community.",
    author = "Aaron Adler and Mayhew, {Michael J.} and Jeffrey Cleveland and Michael Atighetchi and Rachel Greenstadt",
    year = "2013",
    month = "12",
    day = "1",
    doi = "10.1109/MILCOM.2013.317",
    language = "English (US)",
    isbn = "9780769551241",
    series = "Proceedings - IEEE Military Communications Conference MILCOM",
    pages = "1880--1887",
    booktitle = "Proceedings - 2013 IEEE Military Communications Conference, MILCOM 2013",
    }

    TY - GEN

    T1 - Using machine learning for behavior-based access control

    T2 - Scalable anomaly detection on TCP connections and HTTP requests

    AU - Adler, Aaron

    AU - Mayhew, Michael J.

    AU - Cleveland, Jeffrey

    AU - Atighetchi, Michael

    AU - Greenstadt, Rachel

    PY - 2013/12/1

    Y1 - 2013/12/1

    N2 - Today's business processes are more connected than ever before, driven by the ability to share the right information with the right partners at the right time. While this interconnectedness and situational awareness is crucial to success, it also opens the possibility for misuse of the same capabilities by sophisticated adversaries to spread attacks and exfiltrate or corrupt critical sensitive information. We have been investigating means to analyze behaviors of actors and assess trustworthiness of information to support real-time cyber security decision making through a concept called Behavior-Based Access Control (BBAC). The work described in this paper focuses on the statistical machine learning techniques used in BBAC to make predictions about the intent of actors establishing TCP connections and issuing HTTP requests. We discuss pragmatic challenges and solutions we encountered in implementing and evaluating BBAC, discussing (a) the general concepts underlying BBAC, (b) challenges we have encountered in identifying suitable datasets, (c) mitigation strategies to cope with shortcomings in available data, (d) the combination of clustering and support vector machines for performing classification at scale, and (e) results from a number of scientific experiments. We also include expert commentary from Air Force stakeholders and describe current plans for transitioning BBAC capabilities into the Department of Defense together with lessons learned for the machine learning community.

    AB - Today's business processes are more connected than ever before, driven by the ability to share the right information with the right partners at the right time. While this interconnectedness and situational awareness is crucial to success, it also opens the possibility for misuse of the same capabilities by sophisticated adversaries to spread attacks and exfiltrate or corrupt critical sensitive information. We have been investigating means to analyze behaviors of actors and assess trustworthiness of information to support real-time cyber security decision making through a concept called Behavior-Based Access Control (BBAC). The work described in this paper focuses on the statistical machine learning techniques used in BBAC to make predictions about the intent of actors establishing TCP connections and issuing HTTP requests. We discuss pragmatic challenges and solutions we encountered in implementing and evaluating BBAC, discussing (a) the general concepts underlying BBAC, (b) challenges we have encountered in identifying suitable datasets, (c) mitigation strategies to cope with shortcomings in available data, (d) the combination of clustering and support vector machines for performing classification at scale, and (e) results from a number of scientific experiments. We also include expert commentary from Air Force stakeholders and describe current plans for transitioning BBAC capabilities into the Department of Defense together with lessons learned for the machine learning community.

    UR - http://www.scopus.com/inward/record.url?scp=84897723119&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84897723119&partnerID=8YFLogxK

    U2 - 10.1109/MILCOM.2013.317

    DO - 10.1109/MILCOM.2013.317

    M3 - Conference contribution

    AN - SCOPUS:84897723119

    SN - 9780769551241

    T3 - Proceedings - IEEE Military Communications Conference MILCOM

    SP - 1880

    EP - 1887

    BT - Proceedings - 2013 IEEE Military Communications Conference, MILCOM 2013

    ER -