learning rules for anomaly detection lerad of hostile
play

Learning Rules for Anomaly Detection (LERAD) of Hostile Network - PDF document

Aug 19, 2022 •375 likes •575 views

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

  1. Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney

  2. Overview � Prior Work in Network Anomaly Detection � The 1999 DARPA Intrusion Detection Evaluation � Packet Header Anomaly Detection (PHAD) � Application Layer Anomaly Detection (ALAD) � Learning Rules for Anomaly Detection (LERAD)

  3. An anomaly detector models “normal” behavior. Deviations may be an attack. Host-Based: models sequences of system calls made by a server or operating system program. � N-grams (Forrest, 1996) � State machine, neural networks (RST, Ghosh 1999) Network Based: usually models IP addresses and ports. � User-programmed rules: firewalls, SNORT, Bro � Learned rules: ADAM, NIDES, SPADE

  4. The 1999 DARPA Evaluation Data Set SunOS Solaris Sniffer Internet Cisco Router Linux Ethernet Attacks Windows NT Attacks � Weeks 1 and 3: training: no attacks � Week 2: training: 138 labeled instances of 32 attacks � Weeks 4 and 5: test: 201 unlabeled instances (190 actual) of 53 attacks No data for 12 attacks (week 4, day 2) � One mislabeled attack (apache2) �

  5. 1999 DARPA IDS Attacks Abuse of Legitimate Bug Exploit Configuration Error Service Exploit Probe : illegalsniffer, Probe : queso Probe : mscan, ntinfoscan, ipsweep, ls, ntfsdos, satan portsweep DOS : apache2, back, dosnuke, land, pod, R2L : dict, ftpwrite, guest, DOS : arppoison, selfping, syslogd, teardrop snmpget, xsnoop mailbomb, neptune, processtable, resetscan, R2L : framespoofer, imap, smurf, tcpreset, udpstorm, named, ncftp, phf, warezclient, warezmaster sendmail R2L : httptunnel, netbus, U2R : anypw, casesen, netcat, ppmacro, sshtrojan, eject, fdformat, ffbconfig, xlock loadmodule, perl, ps, sechole, sqlattack, xterm, U2R/Data : secret yaga

  6. 1999 Evaluation Results - Best 4 of 18 Systems (Lippmann, 2000) � IDS must identify IP address of attacker or target and time within 60 seconds. � Evaluated at 100 false alarms (10 per day) threshold. System Detections Expert 1 85/169 (50%) Expert 2 81/173 (47%) Dmine 41/102 (40%) Forensics 15/27 (55%) � Blind (developers had no access to test data) � Evaluated by DARPA � May use both signature and anomaly detection � May use both host and network based methods � May restrict attacks by category, data type, or target

  7. Packet Header Anomaly Detection (PHAD) � Examines Ethernet, IP, TCP, UDP, ICMP protocols � 34 learned rules (trained on week 3) TOS = 0, 8, 16, or 192 � IP source = 12.2.169.104-12.20.180.101, ... � TCP flags = x2, x4, x10, ... � � Score = tn/r summed over packet � t = time since last anomaly (values never seen in training) � n = number of training packets � r = number of allowed values � Detects 72/189 attacks (54 without TTL)

  8. Application Layer Anomaly Detection (ALAD) � Models incoming server TCP connections � Conditional rules (5 forms, selected ad-hoc) If dest. port = 80 then keyword = GET, Host, Accept... � If TCP flags = S/AF/A then dest. port = 23, 25, 80 � If source IP = x.x.x.x then dest. IP = y.y.y.y, ... � If source IP = x.x.x.x then dest. IP/port = y.y.y.y:p, ... � Dest. IP/port = x.x.x.x:p, x.x.x.x:p, ... � � Score = tn/r � Detects 59/189 attacks (70 with PHAD w/o TTL)

  9. Learning Rules for Anomaly Detection (LERAD) � Like ALAD, but rule forms are derived from a sample of training data. � If A 1 = V 1 and A 2 = V 2 and ... then A m = V 1 , V 2, ... or V r � 23 attributes (A i ). Date, time � Source, destination IP address (4 bytes), and ports � TCP flags (first, next to last, last) � Duration in seconds � Length in bytes � First 8 words of application data � � Score = tn/r � Detects 112-118/190 attacks (average 114.8, or 60%) � No improvement when merged with PHAD or ALAD.

  10. Rule Learning Algorithm 1. Select random sample of 20-100 tuples (TCP connections) of training data. 2. Generate 1000-5000 rules satisfying randomly selected pairs of tuples. 3. Sort rules by decreasing n/r on sample. 4. Coverage test: remove rules that predict no additional values in sample (leaving 80-120 rules). 5. Train on full input (35,455 tuples in week 3). 6. Remove rules that generate anomalies in last 10% of training (leaving 55-85 rules).

  11. Rule Generation 1. Pick random pair of tuples (from sample or full input). 2. Select up to 4 matching attributes in random order. 3. First match is the consequent. 4. Subsequent matches are conditions in the antecedent. A B C D E 1 2 3 4 5 1 2 3 4 6 C = 3 If A = 1 then C = 3 If D = 4 and A = 1 then C = 3 If B = 2 and D = 4 and A = 1 then C = 3

  12. Coverage Test 1. For each rule by decreasing n/r on the sample 2. Mark each unmarked sample value predicted. 3. If no values can be marked, remove the rule. A B C 1 (R1) 2 4 (R3) 1 (R1) 2 5 (R3) 1 (R1) 3 5 R1. A = 1 (n/r = 3/1) R2. If B = 2 then A = 1 (n/r = 2/1) removed R3. If B = 2 then C = 4 or 5 (n/r = 2/2)

  13. LERAD Sample Input Date Time DA1 DA0 DP SA3 SA2 SA1 SA0 SP DUR F1 F2 F3 Len W1 W2 03/15/1999 08:00:57 112 050 25 196 037 037 158 1111 0 .S .AP .AF 857 .^@EHLO .ju 03/15/1999 08:00:57 113 050 25 196 037 037 158 1113 0 .S .AP .AF 880 .^@EHLO .ju 03/15/1999 08:01:13 114 050 80 172 016 016 100 2971 4489 .S .AP .AP 872 .^@GET . 03/15/1999 08:01:13 114 050 80 172 016 016 100 2972 5693 .S .AP .AF 595 .^@GET . 03/15/1999 08:01:13 114 050 80 172 016 016 100 2973 12 .S .AP .AF 318 .^@GET ./w 03/15/1999 08:01:13 114 050 80 172 016 016 100 2974 118 .S .AP .AP 610 .^@GET ./

  14. Sample Rules (sorted by n/r) 1 28882/2 if F2=.AP then F1 = .S .AS 2 14236/1 if DA0=100 then DA1 = 112 3 12854/1 if W3=.HTTP/1.0^M^ then W1 = .^@GET 4 12854/1 if W3=.HTTP/1.0^M^ then DP = 80 5 35455/3 if then DA1 = 113 112 114 6 34602/3 if F3=.AF then F1 = .S .AF .AS 7 10857/1 if SA3=172 then SA2 = 016 8 10857/1 if SA2=016 then SA1 = 016 9 10857/1 if SA2=016 then SA3 = 172 10 10642/1 if F1=.S F2=.AP W1=.^@EHLO then DP = 25 11 9914/1 if W3=.HELO then W7 = .RCPT 12 9914/1 if W5=.MAIL then W3 = .HELO 13 9914/1 if W3=.HELO then W1 = .^@EHLO 14 28882/3 if F2=.AP then F3 = .AP .AF .R 15 35455/4 if then F1 = .S .AF .AS .R 16 34602/4 if F3=.AF then F2 = .S .AP . .AS 17 7656/1 if W7=. then W8 = . 18 7645/1 if W5=. then W6 = . 19 7645/1 if W4=. then W7 = . 20 7596/1 if W3=. then W4 = . 21 7566/1 if DA1=114 W3=.HTTP/1.0^M^ then DA0 = 050 22 29549/4 if F1=.S then F2 = .S .AP . .A 23 35455/5 if then F2 = .S .AP . .AS .A 24 35455/5 if then F3 = .S .AP .AF .AS .R 25 12867/2 if W1=.^@GET then W3 = .HTTP/1.0^M^ .align= 26 12854/2 if W3=.HTTP/1.0^M^ then DA0 = 050 100 27 10105/2 if W7=.RCPT then W5 = .MAIL .RCPT 28 35455/8 if then SA3 = 196 172 197 194 195 135 192 152 29 12838/3 if DP=25 then W1 = .^@EHLO . .^@HELO 30 3992/1 if W3=.HTTP/1.0^M^ W7=.text/htm then W8 = .text/pla 31 7647/2 if W6=. then W5 = . .QUIT^M^ 32 7279/2 if SA0=050 then SA1 = 016 073 33 3521/1 if DA1=112 W3=.HTTP/1.0^M^ W6=.User-Age then W7 = .Mozilla/ 34 6824/2 if W6=.User-Age then W4 = .Connection: .Referer: 35 6823/2 if F2=.AP W6=.User-Age then W8 = .[en] .(X11; 36 18807/6 if DA1=112 then DA0 = 050 100 194 207 149 020 37 2998/1 if SA1=037 then SA0 = 158 38 29549/10 if F1=.S then DP = 113 25 23 80 135 21 79 22 515 139 39 35455/12 if then DA0 = 105 050 204 084 168 148 169 100 194 207 149 020 40 34602/12 if F3=.AF then DP = 113 25 23 80 21 20 79 22 1022 515 1023 139 41 35455/13 if then SA2 = 037 016 182 168 169 115 027 008 227 073 007 218 013 42 35455/13 if then DP = 113 25 23 80 135 21 20 79 22 1022 515 1023 139 43 35455/13 if then SA1 = 037 016 182 168 169 115 027 008 227 073 007 218 013 44 2695/1 if SA1=007 then SA2 = 007 45 2695/1 if SA3=194 SA2=007 then SA0 = 153 46 5223/2 if SA3=194 then SA0 = 021 153 47 7656/3 if W7=. then W3 = . .PASS .6667^M^ 48 6852/3 if W4=.Referer: then W5 = .http://w .http://m .http://h 49 2083/1 if SA1=013 then SA0 = 191 50 1888/1 if SA1=227 F1=.S then SA0 = 189 51 12885/7 if DP=80 then W4 = .HTTP/1.0^M^ .Connection: .Referer: . .Host: 52 53 35455/24 if then SA0 = 105 158 050 204 084 182 233 168 148 169 100 194 108 54 12854/10 if W3=.HTTP/1.0^M^ then W8 = .User-Age .[en] .text/pla .(X11; .I; 55 7109/6 if DA1=112 SA2=016 F3=.AF then DA0 = 050 100 194 207 149 020 56 12867/13 if W1=.^@GET then W6 = .User-Age .[en] .Connecti .Accept: .(X11; 57 10857/12 if SA2=016 then DA0 = 105 050 204 084 168 148 169 100 194 207 149 58 1805/2 if F1=.S W6=." then W2 = .^C .^@^@^@ 59 1798/2 if DP=23 F3=.AF then W4 = .^_ .# 60 5827/9 if DP=20 W5=. then DUR = 0 1 4 6 7 2 3 5 36 61 7656/13 if W8=. then W2 = . ., .anonhmous^M^ .anonymMus^M^ .anonyxous^M^ 62 7647/32 if W6=. then DUR = 0 23 1 12 108 4 30 6 9 21 24 7 14 22 2 3 11 15 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: NLP Anomaly detection Application: Understand annual report readability Examine the

1.12k views • 85 slides
Challenges in Vessel Behavior and Anomaly Detection: From Classical Machine Learning to Deep

Challenges in Vessel Behavior and Anomaly Detection: From Classical Machine Learning to Deep

Challenges in Vessel Behavior and Anomaly Detection: From Classical Machine Learning to Deep Learning Lucas May Petry 1 , Amilcar Soares 2 , Vania Bogorny 1 , Bruno Brandoli 2 , Stan Matwin 2 1 Programa de Ps-Graduao em Cincias da

1.26k views • 16 slides
ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: NLP Anomaly detection Application: Understand the distribution of readability Examine

1.31k views • 82 slides
Deep Representation and Reinforcement Learning Soumalya Sarkar, PhD for Anomaly Detection and

Deep Representation and Reinforcement Learning Soumalya Sarkar, PhD for Anomaly Detection and

Deep Representation and Reinforcement Learning Soumalya Sarkar, PhD for Anomaly Detection and Control Senior Research scientist, UTRC in Multi-modal Aerospace Applications May 9 @ GTC 2017 This document contains no technical data subject to the

1.09k views • 43 slides
<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series <Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning Dapeng Liu

Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning Dapeng Liu

Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning Dapeng Liu , Youjian Zhao, Haowen Xu, Yongqian Sun, Dan Pei, Jiao Luo, Xiaowei Jing, Mei Feng 2015/12/3 Dapeng Liu (liudp10@mails.tsinghua.edu.cn) KPIs and

545 views • 42 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Anomaly Detection and Categorization Using Unsupervised Deep Learning S6340 Thursday 7 th April

Anomaly Detection and Categorization Using Unsupervised Deep Learning S6340 Thursday 7 th April

Anomaly Detection and Categorization Using Unsupervised Deep Learning S6340 Thursday 7 th April 2016 GPU Technology Conference A. Stephen McGough , Noura Al Moubayed, Jonathan Cumming, Eduardo Cabrera, Peter Matthews, Toby P . Breckon, Ed

599 views • 29 slides
Using Machine Learning for Intelligent Storage Performance Anomaly Detection Ramakrishna Vadla,

Using Machine Learning for Intelligent Storage Performance Anomaly Detection Ramakrishna Vadla,

Using Machine Learning for Intelligent Storage Performance Anomaly Detection Ramakrishna Vadla, IBM Archana Chinnaiah, IBM Acknowledgement : Sumant Padbidri, Anbazhagan Mani Agenda Market Estimates & Forecasts Applications in

606 views • 12 slides
Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The Pennsylvania State University Anomaly Intrusion Detection Systems Anomaly Intrusion Detection Systems Model normal behavior. Attack - Any

417 views • 20 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
1 Common Response Code Triton Cluster at San Diego Supercomputer Center 200 - OK 256

1 Common Response Code Triton Cluster at San Diego Supercomputer Center 200 - OK 256

Example line of the log file Optional HW2: Data Mining from Web Server Logs 66.249.64.13 - - [18/Sep/2004:11:07:48 +1000] "GET / HTTP/1.0" 200 6433 "-" "Googlebot/2.1" 10.32.1.43 - - [06/Feb/2013:00:07:00]

501 views • 4 slides
HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE

HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE

HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE CIB SOFTWARE GMBH LIBREOFFICE CONFERENCE ROME OCTOBER 11TH, 2017 I HAVE 30 MINUTES TO SETUP LOOL The problem? > multiple server instances

215 views • 17 slides
JavaScript Security & HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security & HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security & HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31, 2013 Weve Been Here Before A Definition Ja va Script | jv skript | invective . 1 A vendor-neutral, cross-platform liability for

583 views • 42 slides
whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current:

whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current:

A XSSmas carol by pepe vila whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges , CTFs, computationalism, space

481 views • 36 slides
Optimizing the Entire Business How The Boston Globe moved beyond the landing page Peter Do

Optimizing the Entire Business How The Boston Globe moved beyond the landing page Peter Do

Optimizing the Entire Business How The Boston Globe moved beyond the landing page Peter Do Doucette Pam amela Mark arkey VP Consumer Sales & Marketing Senior Director Marketing The Boston Globe MECLABS Optimizing the Transition from

919 views • 52 slides
Die Hard 1.1024.0: Die Hard 1.1024.0: Backward compatibility of a Backward compatibility of a

Die Hard 1.1024.0: Die Hard 1.1024.0: Backward compatibility of a Backward compatibility of a

4.6.2019 Die Hard 1.1024.0: Backward compatibility of a search engine with persistent IDs Die Hard 1.1024.0: Die Hard 1.1024.0: Backward compatibility of a Backward compatibility of a search engine with persistent search engine with

943 views • 43 slides
Selective Coflow Completion for Time-sensitive Distributed Applications with Poco Shouxi Luo

Selective Coflow Completion for Time-sensitive Distributed Applications with Poco Shouxi Luo

Selective Coflow Completion for Time-sensitive Distributed Applications with Poco Shouxi Luo Joint work with Pingzhi Fan, Huanlai Xing, and Hongfang Yu Outline Coflow patterns in DCN Existing solutions Two trade-offs Poco: key

1.04k views • 40 slides
Linked lists Insert Delete Lookup Doubly-linked lists Lecture 6: Linked Lists Object

Linked lists Insert Delete Lookup Doubly-linked lists Lecture 6: Linked Lists Object

Linked lists Insert Delete Lookup Doubly-linked lists Lecture 6: Linked Lists Object References When you declare a variable of a non-primitive type you are really declaring a reference to that object String foo; Complex c; new

634 views • 19 slides

More recommend