Bayesian change point models for regime detection in stochastic processes with applications in cyber security

Abstract

Some important cyber security data can be modelled using stochastic processes that undergo changes in behaviour over time. Consider a piece of malicious software (malware) that performs different functions as it runs. Data obtained from this software switch between different behaviours that correspond to different functions. Coders create new strains of similar malware by making minor changes to existing malware; these new samples cannot be detected by methods that only identify whether an exact executable file has been seen before. Comparing data from new malware and existing malware, in order to detect similar behaviours, is a cyber security challenge. Methods that can detect these similar behaviours are used to identify similar malware samples.

This thesis presents a generalised change point model for stochastic processes that includes regimes, i.e. recurring parameters. For generality the stochastic processes are assumed to be multivariate. A new reversible jump Markov chain Monte Carlo (RJMCMC) sampler is presented for inferring model parameters. The number of change points or regimes need not be specified before inference as the RJMCMC sampler allows these to be inferred. The RJMCMC sampler is applied in different contexts, including estimating malware similarity.

A new sequential Monte Carlo (SMC) sampler is also presented. Like the RJMCMC sampler, the SMC sampler infers change points and regimes, but the SMC inference is computed online. The SMC sampler is also applied to detect regimes in a variety of contexts, including connections made in a computer network.