Abstract Data-driven anomaly detection systems unrivalled potential as complementary defence systems to existing signature-based tools as the number of cyber attacks increases. In this manuscript an anomaly detection system is presented that detects any abnormal deviations from the normal behaviour of an individual device. Device behaviour is defined as the number of network traffic events involving the device of interest observed within a pre-specified time period. The behaviour of each device at normal state is modelled to depend on its observed historic behaviour. A number of statistical and machine learning approaches are explored for modelling this relationship and through a comparative study, the Quantile Regression Forests approach is found to have the best predictive power. Based on the prediction intervals of the Quantile Regression Forests an anomaly detection system is proposed that characterises as abnormal, any observed behaviour outside of these intervals. A series of experiments for contaminating normal device behaviour are presented for examining the performance of the anomaly detection system. Through the conducted analysis the proposed anomaly detection system is found to outperform two other detection systems. The presented work has been conducted on two enterprise networks.

中文翻译：

---

网络安全数据异常检测框架

摘要 随着网络攻击数量的增加，数据驱动的异常检测系统作为现有基于签名的工具的补充防御系统具有无与伦比的潜力。在本手稿中，提出了一种异常检测系统，可检测与单个设备正常行为的任何异常偏差。设备行为被定义为在预先指定的时间段内观察到的涉及感兴趣设备的网络流量事件的数量。每个设备在正常状态下的行为被建模为取决于其观察到的历史行为。探索了许多统计和机器学习方法来对这种关系进行建模，并且通过比较研究，发现分位数回归森林方法具有最佳的预测能力。基于分位数回归森林的预测区间，提出了一种异常检测系统，该系统将这些区间之外的任何观察到的行为表征为异常。提出了一系列污染正常设备行为的实验，以检查异常检测系统的性能。通过进行的分析，发现所提出的异常检测系统优于其他两个检测系统。所介绍的工作是在两个企业网络上进行的。通过进行的分析，发现所提出的异常检测系统优于其他两个检测系统。所介绍的工作是在两个企业网络上进行的。通过进行的分析，发现所提出的异常检测系统优于其他两个检测系统。所介绍的工作是在两个企业网络上进行的。