Increasing online activity and the growing number of devices online are leading to more numerous and more diverse cyber attacks. This continuously evolving attack activity makes signature-based detection methods ineffective. Once malware has infiltrated a LAN, by bypassing an external gateway or entering via an unsecured mobile device, it can potentially infect all nodes in the LAN and carry out nefarious activities such as stealing valuable data, leading to financial damage and loss of reputation. Such infiltration can be viewed as an insider attack, which increases the need for LAN monitoring and security. In this paper we aim to detect such inner-LAN activity by studying the variations in Address Resolution Protocol (ARP) calls within the LAN. We find anomalous nodes by modelling inner-LAN traffic using hierarchical forecasting methods. We substantially reduce the false positives ever present in anomaly detection by using a method based on extreme value theory. We use a dataset from a real inner-LAN monitoring project, containing over 10M ARP calls from 362 nodes. Furthermore, the small number of false positives generated by our methods is a potential solution to the "alert fatigue" commonly reported by security experts.