An Empirical Evaluation of Entropybased Traffic Anomaly Detection

Size: px

Start display at page:

Download "An Empirical Evaluation of Entropybased Traffic Anomaly Detection"

Mildred Martina Bruce
5 years ago
Views:

1 An Empirical Evaluation of Entropybased Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University

2 Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity, DDoS, bandwidth floods... Traditional: raw traffic volume (insufficient) e.g., total number of packets in an epoch Modern: entropy-based traffic metrics e.g., relative randomness in distribution of packets across ports Example Anomaly Entropy: Detectable Traffic Volume: Undetected 2

3 Motivation Anomaly Detection NetFlow Data Traffic Feature Timeseries Detection Alarm! 3

4 Motivation Anomaly Detection Traffic Feature NetFlow Data sum(packets) Timeseries Detection A(pkts) 3

5 Motivation Anomaly Detection Traffic Feature NetFlow Data H(addresses) Timeseries Detection A(addr) Entropy-based Features: Dist. of packets across addresses 3

6 Motivation Anomaly Detection NetFlow Data Traffic Feature H(ports) Timeseries Detection A(addr) A(port) Entropy-based Features: H(addresses) Distribution of packets across ports 3

7 Motivation NetFlow Data Anomaly Detection Traffic Feature H(flow-size) Timeseries Detection A(addr) A(port) A(FSD) Entropy-based Features: H(addresses) H(ports) Distribution of flow-sizes (in packets) 3

8 Motivation NetFlow Data Anomaly Detection Traffic Feature H(degree) Timeseries Detection A(addr) A(port) A(FSD) A(deg) Entropy-based Features: H(addresses) H(ports) Distribution of host communication H(flow-size) 3

9 Motivation NetFlow Data Anomaly Detection Traffic Feature???????? Timeseries Detection A(addr) A(port) A(FSD) A(deg) Entropy-based Features: H(addresses) H(ports) H(flow-size) H(degree) 3

10 Motivation NetFlow Data Anomaly Detection Traffic Feature???????? Timeseries Detection A(addr) A(port) A(FSD) A(deg) Entropy-based Features: H(addresses) H(ports) H(flow-size) H(degree) Goal: understanding the features 3

11 Motivation NetFlow Data Anomaly Detection Traffic Feature???????? Timeseries Detection A(addr) A(port) A(FSD) A(deg) Entropy-based Features: H(addresses) H(ports) H(flow-size) H(degree) Goal: understanding the features 1. How unique are their detection capabilities? 2. How effective are they? 3

12 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet

13 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) 4

14 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Timeseries Correlation 4

15 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Anomaly Detection A(addr) A(port) A(FSD) A(deg) Timeseries Correlation 4

16 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Anomaly Detection A(addr) A(port) A(FSD) A(deg) Timeseries Correlation Anomaly Correlation Goal(1): Uniqueness 4

17 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Anomaly Detection A(addr) A(port) A(FSD) A(deg) Timeseries Correlation Anomaly Correlation Goal(1): Uniqueness 4

18 Entropy Timeseries (February 2005) In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5

19 Entropy Timeseries (February 2005) In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5

20 Entropy Timeseries (February 2005) test In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5

21 Entropy Timeseries (February 2005) test In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5

22 Entropy Timeseries (February 2005) test In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5

23 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Anomaly Detection A(addr) A(port) A(FSD) A(deg) Timeseries Correlation Anomaly Correlation Goal(1): Uniqueness 6

24 Correlation in Entropy Timeseries Pairwise correlation-scores for CMU-2005 All 4 other traces exhibit similar behavior! 7

25 Why Entropy is Structurally Correlated 1. Port / Address Correlation Properties of Network Traffic: - contribute X packets to address A - contribute X packets to port B if hosts have few connections, and ports are uniformly random similar distributions 8

26 Why Entropy is Structurally Correlated 1. Port / Address Correlation Properties of Network Traffic 2. Source / Destination Correlation Flow accounting: - Bi-directional: Addr1(23) Addr2(53) Bi-directional Saddr(23) Daddr(53) 8

27 Why Entropy is Structurally Correlated 1. Port / Address Correlation Properties of Network Traffic 2. Source / Destination Correlation Flow accounting: - Uni-directional: Addr1 Addr2 (23) Addr2 Addr1 (53) Bi-directional Saddr(23) Daddr(53) Uni-directional Saddr(23), Daddr(23) Saddr(53), Daddr(53) Uni-directionality destroys 2 unique distributions 8

28 Why Anomalies are Correlated Root-cause analysis approach: no Analyze top-k Remove flows Recompute entropy Anomaly subsides? yes, cause! Our results: Ports & addresses: only detect alpha flows (correlation) FSD: detects scans, Degree: SYN flood FSD & Degree are unique (no correlation) 9

29 Why Anomalies are Correlated Root-cause analysis approach: no Analyze top-k Remove flows Recompute entropy Anomaly subsides? yes, cause! Our results: Traffic volume Ports & addresses: only detect alpha flows (correlation) FSD: detects scans, Degree: SYN flood FSD & Degree are unique (no correlation) 9

30 Summary of Goal(1): Uniqueness Strong correlation in ports and addresses Flow-size and degree: unique Structural correlation: properties of traffic Anomaly correlation: types of anomalies seen 10

31 Understanding Effectiveness NetFlow Data Inject Synthetic Anomalies Entropy Timeseries Anomaly Detection Timeseries Correlation Anomaly Correlation 11

32 Best Distribution for an Anomaly? Anomalies: BW Flood, Scanner, Multiple Scanners, Port Scan, and SYN Flood Other Results: BW Flood: ports & addresses already detectable by traffic volume FSD best detector Scans: difficult to detect FSD and degree 12

33 Implications and Conclusions Look beyond ports and addresses Select complementary traffic distributions Uni-directional accounting introduces biases in traffic distributions Future Work: Can correlations be leveraged? during anomalies found in flow-size & degree, correlation drops between ports & addresses 13

34 Questions? 14

An Empirical Evaluation of Entropy-based Traffic Anomaly Detection

An Empirical Evaluation of Entropy-based Traffic Anomaly Detection George Nychis, Vyas Sekar, David G. Andersen, Hyong Kim, Hui Zhang {gnychis,kim}@ece.cmu.edu, {vyass,dga,hzhang}@cs.cmu.edu Carnegie Mellon