Evaluation of Anomaly Detection Method based on Pattern Recognition - - PowerPoint PPT Presentation

CNRS-Wide 02-03/03/2009 1

Evaluation of Anomaly Detection Method based on Pattern Recognition

• Romain Fontugne

The Graduate University for Advanced Studies

• Yosuke Himura

The University of Tokyo

• Kensuke Fukuda

National Institute of Informatics

CNRS-Wide 02-03/03/2009 2

Outline

• Motivation
• Temporal-spatial structure of anomaly
• Pattern-recognition-based method

– Hough transform

• Parameter space
• MAWI database
• Study case
• Conclusion

CNRS-Wide 02-03/03/2009 3

Motivation (1)

• Network traffic anomaly:

– Misconfigurations, failure, network attacks

• Side effects:

– Bandwidth consuming – Weaken network performance – Harmful traffic – Alter the traffic's characteristics

CNRS-Wide 02-03/03/2009 4

Motivation (2)

• Difficulties:

– Huge amount of data – Variety of anomalous traffic – Identification of tiny flows

• Anomaly detection method:

– Usually treated as a statistical problem

• Evaluate the main characteristics of traffic
• Discriminate traffic with singularities

CNRS-Wide 02-03/03/2009 5

Temporal-spatial structure of anomaly (darknet)

• Unwanted

traffic

• Linear

structures

• Unusual

distribution

• f traffic

feature

D e s t i n a t i

• n

a d d r e s s S

• u

r c e p

• r

t Time

CNRS-Wide 02-03/03/2009 6

Temporal-spatial structure of anomaly (MAWI)

• Samplepoint-F:

– 2009/02/21

Destination address Source port D e s t i n a t i

• n

a d d r e s s ssh ssh http

CNRS-Wide 02-03/03/2009 7

Pattern-recognition-based method

• Identification of linear structures in pictures:

– Generate pictures from traffic – Hough transform – Retrieve packet information – Report anomalies

CNRS-Wide 02-03/03/2009 8

Hough transform

• Voting procedure

– Points elects lines – Polar coordinates

ρ = x · cos θ + y · sin θ

– Hough space

• Identify line means extract

max in the Hough space

– Relative threshold

Original picture Hough space

CNRS-Wide 02-03/03/2009 9

Parameter space

• Hough parameter:

– Weight for the voting procedure – Threshold to determine candidate line

• Picture resolution:

– Time bin – Size of pictures

CNRS-Wide 02-03/03/2009 10

Evaluation of parameter space

• Heuristics:

– suspected = false positive + unknown

• Prob. of suspected = suspected / total anomalies

– Lower is better

CNRS-Wide 02-03/03/2009 11

MAWI database

• Samplepoint-B:

– From 2001/01 to 2006/06

CNRS-Wide 02-03/03/2009 12

Study case: sasser infection

• Gamma modeling vs. Pattern recognition (2004/08/01)
• Gamma modeling-based method tuned to detect the same number of anomalies

(Includes many false positives)

CNRS-Wide 02-03/03/2009 13

Hough only Both Gamma only

D e s t i n a t i

• n

i p s

• u

r c e p

• r

t p

• r

t e n t r

• p

y n b . p k t D e s t i n a t i

• n

i p s

• u

r c e p

• r

t p

• r

t e n t r

• p

y n b . p k t

CNRS-Wide 02-03/03/2009 14

Discussion

• Two different backgrounds

– 50% of their results in common

• Detection of anomalies involving a tiny number
• f packets
• Identify easily network/port scans (dispersed

distribution)

• Intensive uses of source port
• Gamma modelling = deeper analysis of the

traffic's characteristics (highlight singular traffic)

CNRS-Wide 02-03/03/2009 15

Conclusion and future work

• No perfect method
• Combination of several methods
• Need of methods with different backgrounds
• Future work

– Auto-tuning of parameters – Sampled data – More graphical representations – Study good combinations

CNRS-Wide 02-03/03/2009 16

Thank you

Any questions? romain@nii.ac.jp

CNRS-Wide 02-03/03/2009 17

Comparison (2)

Gamma

• nly

Hough

• nly

Both

CNRS-Wide 02-03/03/2009 18

Original data

D e s t i n a t i

• n

i p s

• u

r c e p

• r

t p

• r

t e n t r

• p

y v

• l

u m e