Melissa J. Turcotte

Poisson factorization for peer-based anomaly detection

Anomaly detection systems are a promising tool to identify compromised user credentials and malicious insiders in enterprise networks. Most existing approaches for modelling user behaviour rely on either independent observations for each user or on pre-defined user peer groups. A method is proposed based on recommender system algorithms to learn overlapping user peer groups and to use this learned structure to detect anomalous activity. Results analysing the authentication and process-running activities of thousands of users show that the proposed method can detect compromised user accounts during a red team exercise.

Detecting Localised Anomalous Behaviour in a Computer Network

Temporal monitoring of computer network data for statistical anomalies provides a means for detecting malicious intruders. The high volumes of traffic typically flowing through these networks can make detecting important changes in structure extremely challenging. In this article, agile algorithms which readily scale to large networks are provided, assuming conditionally independent node and edge-based statistical models. As a first stage, changes in the data streams arising from edges (pairs of hosts) in the network are detected. A second stage analysis combines any anomalous edges to identify more general anomalous substructures in the network. The method is demonstrated on the entire internal computer network of Los Alamos National Laboratory, comprising approximately 50,000 hosts, using a data set which contains a real, sophisticated cyber attack. This attack is quickly identified from amongst the huge volume of data being processed.

Adaptive Sequential Monte Carlo for Multiple Changepoint Analysis

ABSTRACT Process monitoring and control requires the detection of structural changes in a data stream in real time. This article introduces an efficient sequential Monte Carlo algorithm designed for learning unknown changepoints in continuous time. The method is intuitively simple: new changepoints for the latest window of data are proposed by conditioning only on data observed since the most recent estimated changepoint, as these observations carry most of the information about the current state of the process. The proposed method shows improved performance over the current state of the art. Another advantage of the proposed algorithm is that it can be made adaptive, varying the number of particles according to the apparent local complexity of the target changepoint probability distribution. This saves valuable computing time when changes in the changepoint distribution are negligible, and enables rebalancing of the importance weights of existing particles when a significant change in the target distribution is encountered. The plain and adaptive versions of the method are illustrated using the canonical continuous time changepoint problem of inferring the intensity of an inhomogeneous Poisson process, although the method is generally applicable to any changepoint problem. Performance is demonstrated using both conjugate and nonconjugate Bayesian models for the intensity. Appendices to the article are available online, illustrating the method on other models and applications.

Convergence of Monte Carlo distribution estimates from rival samplers

It is often necessary to make sampling-based statistical inference about many probability distributions in parallel. Given a finite computational resource, this article addresses how to optimally divide sampling effort between the samplers of the different distributions. Formally approaching this decision problem requires both the specification of an error criterion to assess how well each group of samples represent their underlying distribution, and a loss function to combine the errors into an overall performance score. For the first part, a new Monte Carlo divergence error criterion based on Jensen–Shannon divergence is proposed. Using results from information theory, approximations are derived for estimating this criterion for each target based on a single run, enabling adaptive sample size choices to be made during sampling.