Abstract: The proliferation of computer devices and their interconnections has changed the way people communicate. Devices that include smart phones, home appliances, televisions, home automation devices, medical devices, and automobiles are now interconnected through home networks and private networks which are also connected to the internet. Terms such as “smart homes” and “smart cities” connote an environment where devices are interconnected with online data sources to provide enhanced products and services. This widespread use of computing devices and computer networks raises concerns for computer security professionals because each device represents an access point to a computer network and thus an opportunity for a cyber adversary to gain access and pose a security threat to networked devices, computer systems, and the associated networks. Cyber defense tactics must include methods to keep intruders out of the network as well as methods to detect and defend a computer system once an adversary has gained access. This study addresses the cybersecurity concern by providing a method to continuously monitor the system behavior of network devices. Traditional health and status monitoring techniques collect data from the monitored devices and perform data analysis within the enterprise network. This study proposes using the inherent processing capabilities of the network endpoints to perform security surveillance at the network edge to minimize unauthorized access, prevent the installation of malware, and reduce the risk of using the endpoints as a mechanism to attack the enterprise systems. After a general discussion on security systems engineering, cybersecurity situational awareness and anomaly detection, the study discusses and evaluates three methods for anomaly detection. Principal component analysis (PCA) is introduced as a statistical approach for anomaly detection. Two machine learning methods, support vector machine (SVM) and neural networks (NN), are also used in this study to evaluate their effectiveness in performing anomaly detection. Although the analysis is limited to two publicly available data sets, the results indicate that SVM and NN are effective in detecting phishing websites with a detection accuracy greater than 92%. The PCA detection method exhibited a high rate of false positive detections. Consequently, SVM and NN outperformed PCA for anomaly detection in this study.
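As an added illustration of the PCA approach named in the abstract (this is example code, not the study's own implementation, and it does not use the study's data sets), the following pure-Python detector fits principal components to constructed three-feature endpoint telemetry in which a healthy device's third feature tracks the sum of the first two, scores each observation by its reconstruction error outside the retained subspace, and sets the alert threshold at a chosen quantile of the training scores. The sample data, the offset used to fabricate anomalies, and the quantile rule are all assumptions made for the example; the demo reports the false-positive and detection rates on held-out normal data and on the fabricated anomalies for two threshold settings, which is the knob that drives the kind of false-positive rate the abstract reports for PCA.

```python
"""PCA reconstruction-error anomaly detector (added example; pure Python, no numpy)."""
import math
import random


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _matvec(m, v):
    return [_dot(row, v) for row in m]


def mean_vector(X):
    n, d = len(X), len(X[0])
    return [sum(x[j] for x in X) / n for j in range(d)]


def covariance(X, mu):
    """Sample covariance of the centered rows of X."""
    n, d = len(X), len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for x in X:
        c = [x[j] - mu[j] for j in range(d)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += c[i] * c[j]
    return [[v / (n - 1) for v in row] for row in cov]


def top_components(cov, k, iters=500):
    """Top-k unit eigenvectors of a symmetric matrix via power iteration with deflation."""
    d = len(cov)
    A = [row[:] for row in cov]
    comps = []
    for _ in range(k):
        v = [1.0 / (1 + i) for i in range(d)]  # generic start vector (assumed non-orthogonal)
        for _ in range(iters):
            w = _matvec(A, v)
            nw = math.sqrt(_dot(w, w))
            if nw == 0.0:
                break
            v = [c / nw for c in w]
        lam = _dot(v, _matvec(A, v))  # Rayleigh quotient gives the eigenvalue
        comps.append(v)
        for i in range(d):  # deflate so the next pass converges to the next eigenvector
            for j in range(d):
                A[i][j] -= lam * v[i] * v[j]
    return comps


class PCADetector:
    """Flags observations whose residual outside the top-k subspace exceeds a threshold."""

    def __init__(self, k):
        self.k = k
        self.mu = None
        self.comps = None
        self.train_scores = None

    def fit(self, X):
        self.mu = mean_vector(X)
        self.comps = top_components(covariance(X, self.mu), self.k)
        self.train_scores = sorted(self.score(x) for x in X)
        return self

    def score(self, x):
        """Squared reconstruction error: ||c - P P^T c||^2 with c = x - mu."""
        c = [x[j] - self.mu[j] for j in range(len(self.mu))]
        proj = [0.0] * len(c)
        for v in self.comps:
            s = _dot(c, v)
            for j in range(len(c)):
                proj[j] += s * v[j]
        return sum((c[j] - proj[j]) ** 2 for j in range(len(c)))

    def threshold(self, q):
        """Alert threshold as the q-quantile of the training scores (assumed rule)."""
        idx = int(round(q * (len(self.train_scores) - 1)))
        return self.train_scores[idx]


def make_samples(rng, n, offset=0.0):
    """Constructed telemetry: f3 tracks f1 + f2 on a healthy device; 'offset' breaks that relation."""
    out = []
    for _ in range(n):
        f1, f2 = rng.gauss(0, 1), rng.gauss(0, 1)
        out.append([f1, f2, f1 + f2 + rng.gauss(0, 0.1) + offset])
    return out


def run_demo(seed=7):
    """Returns {quantile: (false_positive_rate, detection_rate)} for two threshold settings."""
    rng = random.Random(seed)
    train = make_samples(rng, 1000)
    holdout_normal = make_samples(rng, 400)
    anomalies = make_samples(rng, 50, offset=3.0)
    det = PCADetector(k=2).fit(train)
    results = {}
    for q in (0.90, 0.99):
        t = det.threshold(q)
        fpr = sum(det.score(x) > t for x in holdout_normal) / len(holdout_normal)
        tpr = sum(det.score(x) > t for x in anomalies) / len(anomalies)
        results[q] = (fpr, tpr)
    return results


if __name__ == "__main__":
    for q, (fpr, tpr) in run_demo().items():
        print(f"threshold quantile {q:.2f}: false positive rate {fpr:.3f}, detection rate {tpr:.2f}")
```

The point to take from the demo is that the PCA detector has no notion of an anomaly class: its threshold is set purely from normal training scores, so lowering the quantile to catch subtler deviations raises the false-positive rate on normal traffic in roughly the same proportion, whereas the supervised SVM and NN methods the abstract evaluates learn a boundary from labeled examples of both classes.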
Keywords: Anomaly detection, Neural networks, Principal component analysis, Support vector machine