Academic paper

Insider attack detection using weak indicators over network flow data
Document Type
Conference
Source
MILCOM 2015 - 2015 IEEE Military Communications Conference, pp. 1-6, Oct. 2015
Subject
Aerospace
Communication, Networking and Broadcast Technologies
Components, Circuits, Devices and Systems
Computing and Processing
Engineering Profession
Fields, Waves and Electromagnetics
Robotics and Control Systems
Signal Processing and Analysis
Feature extraction
Ports (Computers)
Databases
Servers
Data mining
Couplings
IP networks
Abstract
Insider attack detection in an enterprise network environment is a critical problem that currently has no promising solution. It represents a significant challenge because host availability and performance requirements cannot be ignored. A network-based approach allows these requirements to be met, but it is limited by the granularity of the data available and by the near impossibility of defining exact signatures for known attack types. Anomaly detection approaches suffer from the well-known problem of false positives, which makes them hard to apply in enterprise environments where even a moderate false positive rate is not acceptable. Sophisticated attacks and complex network topologies make it hard to apply simplistic approaches to anomaly detection. This paper presents an approach that applies the unsupervised learning techniques of bi-clustering and one-class SVM to so-called weak indicators of network attacks. This approach is well suited to network flow data, which is coarse-grained and not amenable to simplistic anomaly detection or signature-based techniques. Further, our approach allows a security analyst to determine the cause of the anomaly, a capability that simplistic applications of unsupervised learning typically cannot support.