Continuously evolving cyber-attacks against industrial networks reduce the effectiveness of signature-based detection methods. Once malware has infiltrated a network (for example, entering via an unsecured device), it can infect further network nodes and carry out malicious activity. Infected nodes can exhibit unusual behaviour in their use of Address Resolution Protocol (ARP) calls within the network. In order to detect such anomalous nodes, we propose a two-stage method: (i) modelling of ARP call behaviour via hierarchical time series prediction methods, and (ii) exploiting Extreme Value Theory (EVT) to robustly decide whether deviations from expected behaviour are anomalous. EVT is able to handle the heavy-tailed distributions that internet traffic exhibits. Empirical evaluations on a real-life dataset containing over 10M ARP calls from 362 nodes show that the proposed method results in a considerably reduced number of false positives, addressing the problem of alert fatigue commonly reported by security professionals.
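As an added worked example (not code from the paper), the two stages run on constructed per-node ARP counts: a seasonal-naive forecaster stands in for the paper's hierarchical predictor, and a peaks-over-threshold Generalised Pareto fit on the forecast residuals sets the anomaly level at a chosen per-window tail probability instead of a fixed z-score. The function names, the 5-minute aggregation interval, the Pareto noise model and the injected burst are all assumptions made for illustration.

```python
import math
import random

SLOTS_PER_DAY = 288  # 5-minute windows per day (assumed aggregation interval)

def simulate_node(days, seed, burst_at=-1, burst_size=400):
    """Constructed ARP-request counts per window for one node: daily profile plus
    heavy-tailed Pareto noise, optionally one injected burst in window burst_at."""
    rng = random.Random(seed)
    counts = []
    for t in range(days * SLOTS_PER_DAY):
        hour = 24.0 * (t % SLOTS_PER_DAY) / SLOTS_PER_DAY
        base = 20 + 15 * math.sin(2 * math.pi * (hour - 6) / 24)
        counts.append(int(base + 5 * (rng.paretovariate(3.0) - 1.0)))
    if burst_at >= 0:
        counts[burst_at] += burst_size
    return counts

def residuals(counts):
    """Stage (i) stand-in: seasonal-naive forecast (same slot one day earlier);
    the residual is the node's deviation from its expected ARP behaviour."""
    return [float(counts[t] - counts[t - SLOTS_PER_DAY])
            for t in range(SLOTS_PER_DAY, len(counts))]

def fit_gpd_mom(exc):
    """Method-of-moments fit of a Generalised Pareto (shape xi, scale sigma)
    to threshold exceedances; needs finite sample variance (xi < 1/2)."""
    n = len(exc)
    m = sum(exc) / n
    v = sum((x - m) ** 2 for x in exc) / (n - 1)
    xi = 0.5 * (1.0 - m * m / v)
    return xi, 0.5 * m * (m * m / v + 1.0)

def pot_threshold(res, u_quantile=0.9, p=1e-3):
    """Stage (ii): peaks-over-threshold. Fit the GPD to residuals above u and
    return the level a residual exceeds with probability p in one window."""
    u = sorted(res)[int(u_quantile * len(res))]
    exc = [r - u for r in res if r > u]
    xi, sigma = fit_gpd_mom(exc)
    ratio = p * len(res) / len(exc)  # p divided by the exceedance rate
    if abs(xi) < 1e-6:               # exponential limit of the GPD
        return u - sigma * math.log(ratio)
    return u + sigma / xi * (ratio ** (-xi) - 1.0)

def detect(train, test, p=1e-3):
    """Window indices of `test` whose residual exceeds the level learned on `train`."""
    level = pot_threshold(residuals(train), p=p)
    return [SLOTS_PER_DAY + i for i, r in enumerate(residuals(test)) if r > level]
```

Training on three clean days (`simulate_node(3, seed=1)`) and probing two days with a burst at window `SLOTS_PER_DAY + 100` flags that window while the heavy-tailed but benign fluctuations stay below the EVT level.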