learning nonstationary models of normal network traffic
play

Learning Nonstationary Models of Normal Network Traffic for - PDF document

Sep 24, 2023 •17 likes •237 views

Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Matthew V. Mahoney Philip K. Chan Intrusion Detection Systems. Is data x hostile? Signature - models known hostile behavior: P( x |attack) Good: low

  1. Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Matthew V. Mahoney Philip K. Chan

  2. Intrusion Detection Systems. Is data x hostile? � Signature - models known hostile behavior: P( x |attack) � Good: low false alarm rate � Bad: Cannot detect new attacks � Anomaly - models normal behavior: P( x |normal) � Good: can detect new attacks � Bad: high false alarm rate Combined system: Odds(attack| x ) = Odds(attack) P( x |attack) / P( x |normal)

  3. IDS Examples � Host Signature: Virus detectors � Host Anomaly: � File System: COPS, Tripwire � System Calls: Forrest et. al. � Network Signature: BRO, SNORT � Network Anomaly (fixed model): most firewalls � Network Anomaly (adaptive model): SPADE, ADAM, NIDES - model user behavior (IP addresses/ports) We add protocol modeling to adaptive network anomaly detection.

  4. The DARPA IDS Evaluation Data Set � 201 attacks on a simulated network (SunOS, Solaris, NT, Linux, Cisco router, Ethernet, Internet gateway) in 2 weeks. � Test data: inside/outside network traffic, BSM system call logs, audit logs, file system dumps. � Training data: 2 weeks attack free for anomaly detection, 1 week of labeled attacks (some held back) for signature detection.

  5. Example Attacks - Probes � System configuration: ipsweep, portsweep, ls, resetscan � Operating system: queso � Known vulnerabilities: satan, mscan, ntinfoscan � Data collection: illegalsniffer

  6. Denial of Service Attacks � Floods: neptune, mailbomb, processtable, smurf, udpstorm � Malformed IP packets: land, teardrop, pod (ping of death) � Malformed client requests: apache2, back, crashiis, dosnuke, syslogd � Network disruption: arppoison, tcpreset � Unauthorized use: warezmaster, warezclient � Malformed user command: selfping

  7. Remote to Local (R2L) attacks � Password guessing: dict (FTP, telnet, POP3), guest, snmpget � Password stealing: sshtrojan, xlock, xsnoop � Trojans: framespoofer, ppmacro � Buffer overflows: imap, named, ncftp, sendmail � Misconfiguration/bugs: ftpwrite, phf � Backdoors: httptunnel, netbus, netcat

  8. User to Root (U2R) and Data Attacks � NT bugs: anypw, casesen, sechole, yaga � UNIX bugs � Buffer overflow: eject, fdformat, ffbconfig, xterm � Other: loadmodule, perl, ps � Restricted shell escape: sqlattack � Data (security policy violation): secret, ntfsdos

  9. Example Attack: apache2 Normal HTTP request GET /welcome.htm HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.51[en] (WinNT; I) Host: www.eyrie.af.mil Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 Malicious request x User-Agent: sioux User-Agent: sioux User-Agent: sioux ... (repeated thousands of times)

  10. 1999 DARPA Evaluation Method � Must identify source or destination IP address � Must identify time within 60 seconds � Duplicate detections (but not false alarms) are discarded � Alarm scores: threshold at 100 false alarms (10/day) � May restrict domain of detectable attacks by category, operating system, or data examined � Attacks detected outside of domain do not count

  11. 1999 DARPA Evaluation Results � 8 Participating organizations � 18 systems evaluated Top Systems Detections Expert 1 85/169 (50%) Expert 2 81/173 (47%) Dmine 41/102 (40%) Forensics 15/27 (55%)

  12. Nonstationary Modeling of Network Traffic � Events tend to occur in bursts � Counts (average frequency of events) are irrelevant � Time since last event determines probability Example 00000000000000000000000011111110000000000000 P(next bit is 1) does not depend on average rate.

  13. Two Models � Packet Header Anomaly Detection (PHAD) � Examines network packets in isolation � Models Ethernet, IP, TCP, UDP, ICMP � Application Layer Anomaly Detection (ALAD) � Reassembles incoming server TCP streams � Models application text, source and destination addresses and ports, and TCP open/close flags

  14. PHAD Model after Training Attribute r/n Allowed Values Ethernet Size 508/12814738 42 60-1181 1182... Ether Dest Hi 9/12814738 x0000C0 x00105A... Ether Dest Lo 12/12814738 x000009 x09B949... Ether Src Hi 6/12814738 x0000C0 x00105A... Ether Src Lo 9/12814738 x09B949 x13E981... Ether Protocol 4/12814738 x0136 x0800 x0806... IP Header Len 1/12715589 x45 IP TOS 4/12715589 x00 x08 x10 xC0 IP Length 527/12715589 38-1500 IP Frag ID 4117/12715589 0-65461 65462... IP Frag Ptr 2/12715589 x0000 x4000 IP TTL 10/12715589 2 32 60 62-64... IP Protocol 3/12715589 1 6 17 IP Checksum 1/12715589 xFFFF IP Source Addr 293/12715589 12.2.169.104... IP Dest Addr 287/12715589 0.67.97.110... TCP Source Port 3546/10617293 20-135 139 515... TCP Dest Port 3545/10617293 20-135 139 515... TCP Seq Num 5455/10617293 0-395954185... TCP Ack Num 4235/10617293 0-395954185... TCP Header Len 2/10617293 x50 x60 TCP Flags 9/10617293 x02 x04 x10... TCP Window Size 1016/10617293 0-5374 5406-10028... TCP Checksum 1/10617293 xFFFF TCP URG Ptr 2/10617293 0 1 TCP Options 2/611126 x02040218 x020405B4 UCP Source Port 6052/2091127 53 123 137-138... UDP Dest Port 6050/2091127 53 123 137-138... UDP Length 128/2091127 25 27 29... UDP Checksum 2/2091127 x0000 xFFFF ICMP Type 3/7169 0 3 8 ICMP Code 3/7169 0 1 3 ICMP Checksum 1/7169 xFFFF

  15. ALAD � P(source IP | dest IP) (dest = local server) � P(source IP | dest IP, dest port) � P(dest IP, dest port) � P(TCP open/close flags | dest port) � P(keyword | dest port) Attribute r/n Allowed Values 80 (HTTP) 13/83650 Accept-Charset: Accept-Encoding: Accept-Language: Accept: Cache-Control: Connection: GET Host: If-Modified-Since: Negotiate: Pragma: Referer: User-Agent: 25 (SMTP) 34/142610 ( 34 values... ) 21 (FTP) 11/16822 ( 11 values... )

  16. PHAD/ALAD Score Score = Sum tn/r, where t = time since last anomaly n = number of training observations r = number of different values in training set n/r = 1/P(anomaly in training)

  17. Results 70 of 180 attacks detected � PHAD detects mostly DOS and Probes � ALAD detects mostly R2L and U2R Many PHAD detections were due to simulation artifacts in the TTL (time to live) field. These were removed manually.

  18. Analysis of Detections Anomaly Det/70 Attacks Detected Learned 24 (34%) PROBE: ipsweep, mscan, 2 ntinfoscan, 3 Signature queso, 2 satan; DOS: crashiis, 4 dosnuke, 4 pod, 3 teardrop; R2L: ncftp, 2 sendmail Induced 5 (7%) DOS: apache2, 3 arppoison, tcpreset Evasion 3 (4%) PROBE: 3 portsweep Attacker 10 (14%) DOS: apache2, 3 mailbomb, 2 udpstorm; Error R2L: 2 dict, phf; U2R: yaga User 38 (54%) PROBE: mscan; DOS: 3 apache2, 5 Behavior crashiis, mailbomb, processtable, smurf, warazclient, warezmaster; R2L: dict, mailbomb, 4 ncftp, 2 netbus, 2 netcat, 2 phf, ppmacro, 2 sendmail, sshtrojan; U2R: 2 casesen, 2 fdformat, ffbconfig, sechole, xterm, yaga

  19. False Alarms � Distribution is similar to true detections � No easy way for user to distinguish Anomaly False alarms TCP source IP address 35 Keyword (7 SMTP, 4 FTP, 3 auth, 2 HTTP) 16 TTL (time to live, simulation artifact) 9 TCP checksum (simulation artifact) 8 Outgoing TCP connection on server port 7 TOS (type of service) 7 Urgent data pointer or URG flags 7 Bad TCP connection (3 no SYN, no FIN, RST) 5 Destination address/port 5 Packet size (Ethernet, IP, UDP) 3 Other (2 IP fragments, 2 TCP options) 4

  20. Attacks in Training Data (PHAD only, includes artifacts) � Attacks in training mask similar attacks in testing � Shorten training period to reduce number of attacks � Result: 50% loss of detections Training set Detections Days 1-7 (no attacks) 72 Day 1 71 Day 2 62 Day 3 60 Day 4 60 Day 5 61 Day 6 76 Day 7 42 Average of days 1-7 62 Previous day (on-line with attacks) 36

  21. Overlap with Existing IDS 1999 DARPA � Best: 85/169 (50%) using signature + anomaly, blind � PHAD/ALAD: 70/180 (39%) using anomaly only (Evaluation methods similar but not identical) Hard to Detect Attacks (< 50% by all DARPA participants) � Original: 15/77 (19%) � PHAD/ALAD: 23/65 (35%, 30% of original)

  22. Conclusions � PHAD/ALAD is the first adaptive network anomaly detector to go beyond user modeling. � Model is nonstationary. The most significant anomalies are the initial novel events (large t) in highly predictable contexts (large n/r). � Conventional user modeling detects about half of attacks. Remainder are: � Attempts to exploit software bugs in target � Symptoms of a successful attack � Attempts to elude the IDS � Bugs in the attacking software � Significant non-overlap with existing systems should allow them to be merged. � Lack of clean training data degrades performance by 1/2.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Resampling for nonstationary stochastic models Jacek Le skow Anna Dudek ukasz Lenart

Resampling for nonstationary stochastic models Jacek Le skow Anna Dudek ukasz Lenart

Resampling for nonstationary stochastic models Jacek Le skow Anna Dudek ukasz Lenart Rafa Synowiecki Plan of the presentation * Nonstationary stochastic models - PC and APC models, time domain - PC and APC frequency domain - periodic

762 views • 28 slides
Traffic generation for network simulation Tom Kelly NS Tutorial - Microsoft Research Cambridge

Traffic generation for network simulation Tom Kelly NS Tutorial - Microsoft Research Cambridge

Traffic generation for network simulation Tom Kelly NS Tutorial - Microsoft Research Cambridge 9th December 2005 Overview n Why traffic generation is important n Basics of traffic modeling n Open system models n Closed system models n Common

672 views • 19 slides
Causal Discovery and Forecasting in Nonstationary Environments with State - Space Models Biwei

Causal Discovery and Forecasting in Nonstationary Environments with State - Space Models Biwei

Causal Discovery and Forecasting in Nonstationary Environments with State - Space Models Biwei Huang 1 , Kun Zhang 1 , Mingming Gong 1,2 , Clark Glymour 1 1. Department of Philosophy, Carnegie Mellon University 2. Department of Biomedical

322 views • 8 slides
Models and Algorithms for Robust Network Design with Several Traffic Scenarios Eduardo

Models and Algorithms for Robust Network Design with Several Traffic Scenarios Eduardo

Models and Algorithms for Robust Network Design with Several Traffic Scenarios Eduardo Alvarez-Miranda 1 , Valentina Cacchiani 1 , Tim Dorneth 2 , unger 2 , Frauke Liers 3 , Andrea Lodi 1 , Michael J Tiziano Parriani 1 , and Daniel R.

899 views • 12 slides
Robust Network Design with Several Traffic Scenarios Models and Algorithms Eduardo

Robust Network Design with Several Traffic Scenarios Models and Algorithms Eduardo

Model Heuristic Polyhedral Structure B&amp;C Robust Network Design with Several Traffic Scenarios Models and Algorithms Eduardo Alvarez-Miranda 1 Valentina Cacchiani 1 Tim Dorneth 2 unger 2 Frauke Liers 2 Andrea Lodi 1 Tiziano Parriani 1

598 views • 55 slides
Cellular Network Traffic Scheduling using Deep Reinforcement Learning Sandeep Chinchali, et. al.

Cellular Network Traffic Scheduling using Deep Reinforcement Learning Sandeep Chinchali, et. al.

Cellular Network Traffic Scheduling using Deep Reinforcement Learning Sandeep Chinchali, et. al. Marco Pavone, Sachin Katti Stanford University AAAI 2018 arn to optimally manage cellular networks? Can we le lear Delay Tolerant (DT) Traffic

332 views • 22 slides
Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh Ghassemi, and Zahra Alimadadi TTCS 2020,Tehran, Iran 1 Network Traffic Classification, What &amp; Why?

655 views • 44 slides
Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1 Presentation By Henk van Doorn &amp; Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Data-driven Learning to Predict Wide Area Network Traffic Nandini Krishnaswamy Lawrence Berkeley

Data-driven Learning to Predict Wide Area Network Traffic Nandini Krishnaswamy Lawrence Berkeley

Data-driven Learning to Predict Wide Area Network Traffic Nandini Krishnaswamy Lawrence Berkeley National Lab SNTA 2020 1 62% Year- on-Year Growth Log scale 103 PB Mar 19 Network Traffic Growth This diagram illustrates the

903 views • 14 slides
Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate

Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate

Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate traffic flow characteristics using observed data Describe traffic flow models Single regime Multiple regime Develop and calibrate traffic

343 views • 30 slides
Evaluation of Deep Learning Evaluation of Deep Learning Models for Network Models for Network

Evaluation of Deep Learning Evaluation of Deep Learning Models for Network Models for Network

Evaluation of Deep Learning Evaluation of Deep Learning Models for Network Models for Network Performance Prediction for Performance Prediction for Scientific Facilities Scientific Facilities Makiya Nakashima: Texas A&amp;M

438 views • 16 slides
Machine learning theory for time series Exponential inequalities for nonstationary Markov chains

Machine learning theory for time series Exponential inequalities for nonstationary Markov chains

Short introduction to machine learning theory Machine learning and time series Machine learning theory for time series Exponential inequalities for nonstationary Markov chains Pierre Alquier CIMFAV seminar January 16, 2019 Pierre Alquier

1.03k views • 91 slides
Neural Network Meets DCN: Traffic-driven Topology Adaptation with Deep Learning Moewi Wang, Yong

Neural Network Meets DCN: Traffic-driven Topology Adaptation with Deep Learning Moewi Wang, Yong

Neural Network Meets DCN: Traffic-driven Topology Adaptation with Deep Learning Moewi Wang, Yong Cui, Shihan Xiao, Xin wang, Dan Yang, Kai Chen, Jun Zhu Introduction Conventional wired data centers generally adopt a static network topology

338 views • 14 slides
Linear Programming Models for Traffic Engineering Under Combined IS-IS and MPLS-TE Protocols D.

Linear Programming Models for Traffic Engineering Under Combined IS-IS and MPLS-TE Protocols D.

Linear Programming Models for Traffic Engineering Under Combined IS-IS and MPLS-TE Protocols D. Cherubini 1 A. Fanni 2 A. Frangioni 3 C. Murgia 4 a 3 P. Zuddas 5 A. Mereu 2 M.G. Scutell` 1 Tiscali International Network 2 DIEE - University of

696 views • 53 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC

Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC

Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC NEIGHBOURHOODS? Part of the response to the damage motor traffic causes road casualties, air quality, community, public health and active

257 views • 13 slides
MongoDB for a High Volume Logistics Application Santa Clara, California | April 23th 25th,

MongoDB for a High Volume Logistics Application Santa Clara, California | April 23th 25th,

MongoDB for a High Volume Logistics Application Santa Clara, California | April 23th 25th, 2018 about me ... Eric Potvin Software Engineer in the performance team at Shipwire , an Ingram Micro company, in Sunnyvale, California A little

492 views • 46 slides
OS X Imaging, Software and Policy Deployment with Linux Services Doug Brown Redlands College

OS X Imaging, Software and Policy Deployment with Linux Services Doug Brown Redlands College

OS X Imaging, Software and Policy Deployment with Linux Services Doug Brown Redlands College XW11 Overview This workshop will be interactive and hands-on These slides should be used as reference materials For each topic, we will

431 views • 15 slides
CLAS12 Software Demonstration Part 1 of 2 Nathan Harrison CLAS Collaboration Meeting November

CLAS12 Software Demonstration Part 1 of 2 Nathan Harrison CLAS Collaboration Meeting November

CLAS12 Software Demonstration Part 1 of 2 Nathan Harrison CLAS Collaboration Meeting November 1, 2016 Jefferson Lab, Newport News, VA Preliminary setup: Simulations will be run on the farm, everything else will be done locally on your laptop.

607 views • 9 slides
Traffic Classification based on Visualization

Traffic Classification based on Visualization

Traffic Classification based on Visualization

529 views • 17 slides
Todays topics Computer Applications Computer Security Upcoming Operating Systems ( Great

Todays topics Computer Applications Computer Security Upcoming Operating Systems ( Great

Todays topics Computer Applications Computer Security Upcoming Operating Systems ( Great Ideas, Chapter 10) Reading Great Ideas, Chapter 11 32.1 CompSci 001 Computer Security: Problem The Problem: Billions in Losses Outright theft

280 views • 11 slides
3 UkkVaT XCE best . k as rank approximation of Xc 0k Rpxk ) orthogonal prnxk

3 UkkVaT XCE best . k as rank approximation of Xc 0k Rpxk ) orthogonal prnxk

Random Projection dimensionality &amp; High Lecture 4 . . - Sep -11,2017 Recall pxn Xn ] X=[ data xi , ... , - nt11T . 1=f!]RP data Xc= H=I centered XH , 3 UkkVaT XCE best . k as rank approximation of Xc 0k Rpxk )

261 views • 5 slides
User Security Chapter 30 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

User Security Chapter 30 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

User Security Chapter 30 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 30-1 Outline Policy Access Files, devices Processes Electronic communications Computer Security: Art and Science , 2 nd Edition

945 views • 62 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides

More recommend