Many works have studied the efficacy of state machines for detecting anomalies within NetFlows. These works typically learn a model from unlabeled data and compute anomaly scores for arbitrary traces based on their likelihood of occurrence or how well they fit within the model. However, these methods do not dynamically adapt their scores based on the traces seen at test time. This becomes a problem when an adversary produces seemingly common traces in their attack, causing the model to miss the detection by assigning low anomaly scores. We propose SEQUENT, a new approach that uses the state visit frequency to adapt its scoring for anomaly detection dynamically. SEQUENT subsequently uses the scores to generate root causes for anomalies. These allow the grouping of alarms and simplify the analysis of anomalies. Our evaluation of SEQUENT on three NetFlow datasets indicates that our approach outperforms existing methods, demonstrating its effectiveness in detecting anomalies.

翻译：许多研究已经探讨了状态机在NetFlow异常检测中的有效性。这些研究通常从无标签数据中学习模型，并根据任意轨迹的出现概率或与模型的拟合程度计算异常分数。然而，这些方法无法根据测试阶段观察到的轨迹动态调整其评分。当攻击者在其攻击中生成看似常见的轨迹时，模型会因分配较低的异常分数而漏检，这便成为一个严重问题。我们提出SEQUENT这一新方法，该方法利用状态访问频率动态调整异常检测的评分机制。SEQUENT进一步利用这些分数生成异常的根本原因分析，从而实现警报分组并简化异常分析流程。我们在三个NetFlow数据集上对SEQUENT进行评估，结果表明该方法优于现有技术，验证了其在异常检测中的有效性。