Classification of Log Files with Limited Labeled Data

Transcription

1 Classification of Log Files with Limited Labeled Data Stefan Hommes, Radu State, Thomas Engel University of Luxembourg

2 Motivation Firewall log files store all accepted and dropped connections. Firewall log files can be used to determine the threat level of the network, or for forensic purposes after an incidence has occured. Difficult to inspect by humans due to the large number of records. Automated log file inspection and labelling is required, in order to support the network operator in finding suspicious incidences! 2

3 Firewall Log File Records "2218" "16May2011" "0:02:16" "Log" "50747" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod3" "tcp" "" "" "2219" "16May2011" "0:02:16" "Log" "51078" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod2" "tcp" "" "" "2220" "16May2011" "0:02:16" "Log" "52852" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod1" "tcp" "" "" "2221" "16May2011" "0:02:16" "Log" "58522" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod2" "tcp" "" "" "2222" "16May2011" "0:02:16" "Log" "45075" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod1" "tcp" "" "" "2223" "16May2011" "0:02:16" "Log" "54682" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod2" "tcp" "" "" "2224" "16May2011" "0:02:16" "Log" "41624" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod3" "tcp" "" "" "2225" "16May2011" "0:02:16" "Log" "49110" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod2" "tcp" "" "" "2226" "16May2011" "0:02:16" "Log" "57858" "166" "166-Standard" "service_id: http" "VPN-1 Power/UTM" "eths2/s2p2c2" "IP1220-Gare2" "Accept" "http" " broadband.corbina.ru" "zap-prod3" "tcp" "" "? Labelling of records in normal or abnormal is required! 3

4 Firewall Log File Records Large number of records, but only a limited amount of labelled data. Both dropped and accepted connections can comprise information about network attacks. Typical attacks consist of many similar records. 4

5 Semi-Supervised Learning Machine learning technique Training data: Labelled (Small) Unlabelled Data (Large) Labelled data is used to set the decision boundary in order to classify the unlabelled data. Labelled data is usually abundant, since the costs for the label process is too high. 5

6 Separating in Windows Bundling log file records into windows: data reduction incorporate dependencies from temporally related records (e.g. attack). Comparing windows based on an anomaly score, in order to classify them into normal or attack. Such a score needs to incorporate the different types of attributes (e.g. integer, string). 6

7 Similarity of Windows Kullback-Leibler Divergence - (e.g. attribute interface with 26 unique values) Jaccard Similarity (e.g. attribute source IP with 2657 unique values) Summing of KL-divergence and Jaccard similarity defines the score of a window. 7

8 Transition and Label Matrix We consider the algorithm as described by X. Zhu and Z. Ghahramani [13]. Calculation of the weight: Transition Matrix: Label Matrix: Window C 1 (normal) C 2 (attack) w label 0 1 w unlabeled

9 Concept of Label Propagation Initial Situation Preparation Algorithm Completed! Labelled data (w 1,y 1 ) (w l,y l ) 1. Calculate the transition matrix T: w 1 w 2 w n 1. Propagate Y ßTY 2. Row-normalize Y 3. Clamp the labelled data Labelled data (w 1,y 1 ) (w l,y l ) Unlabelled data (w l+1,y l+1 ) (w l+u,y l+u ) w 1 T 11 T 12 T 1n w 2 T 21 T 22 T 2n w n T n1 T n2 T nn Note: The steps above are repeated until convergence. Labelled data after label propagation (w l+1,y l+1 ) (w l+u,y l+u ) 2. Label and initialize matrix Y: c 1 c 2 w 1 p 1,1 p 1,2 w l p l,1 p l,2 w l+1 p l+1,1 p l+1,2 w l+u p l+u,1 p l+u,2 Labelled with p=0 or p=1 Initialize with p=0.5 9

10 Iterative Labeling Reducing the number of labelled data when confronted with a large dataset. Labelled Labelled Unlabelled Data (Log File) Unlabelled Labelled... Labelled data Unlabelled 1 st Iteration 2 nd Iteration 3 rd Iteration n th Iteration Labelled data after label propagation 10

11 Dataset Description Checkpoint firewall of a local ISP in Luxembourg. Used to protect internet connected servers against network attacks. Dataset description: records 1h 39min 496 windows (if window size = 100) 11

12 Results (1/3) 1. Iteration: 50 windows, 10 labelled, 40 unlabelled, 116 records Investigation: Source IP correlated with well-known list of public HTTP proxies, which are usually used to hide the identity of web users. The incident was more probably a brute-force authentication breaking attack. 12

13 Results (2/3) 2. Iteration: 250 windows, 50 labelled, 200 unlabelled, 327/60 records Investigation: Authentication breaking attack The large number of telnet traffic is a clear sign of attack. 13

14 Results (3/3) 3. Iteration: 496 windows, 250 labelled, 246 unlabelled, 73 records Investigation: Either a badly configured VOIP configuration, or fraudulent use of SIP. In this specific case, many SIP Register requests occurred without success, and the system identified this anomaly correctly. 14

15 Complexity and Convergence Calculation of transition matrix most time consuming, but is required only once. The label propagation algorithm is of complexity O(n 2 ) Convergence of the label propagation during second iteration: 15

16 Conclusion Typical attacks (e.g. DoS) often result in a block of related records, that keep unknown to the network operator. Our approach can support the network administrator in: modifying existing firewall rules to determine the threat level of the network. Distance metrics and algorithm are applicable also in other scenarios. 16

17 Thanks for Listening! Questions? 17