ANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL

Transcription

1 ANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL Alex Soares de Moura RNP Rede Nacional de Ensino e Pesquisa Rua Lauro Müller, 116 sala 1103 Rio de Janeiro, Brazil alex@rnp.br Sidney Cunha de Lucena UNIRIO Universidade Federal do Estado do Rio de Janeiro Av. Pasteur, 458 CCET sala 111 Rio de Janeiro, Brazil sidney@uniriotec.br ABSTRACT Attacks against networks and its services are permanent concerns for Internet service providers and datacenters. Several methods for anomaly detection in high-speed links have been researched in the last years. This article evaluates a simple method based on the Holt-Winters forecast model to verify significant changes at the pattern of traffic parameters normally affected in the presence of anomalies. This work also proposes and evaluates the use of filters to increase the effectiveness of the method for the detection of specific types of attacks. Results confirm the usefulness of this proposal to detect malicious traffic related to a TCP SYN flood attack and to the propagation of the Slammer worm, both applied to real traffic samples from the Brazilian NREN. KEYWORDS Anomaly detection, Holt-Winters forecast model, entropy, DoS attacks. 1. INTRODUCTION Hosting and collocation services have been commonly used by clients of different magnitudes. The increase in the popularity of these solutions, where providers host wide spread network services like and web sites in their own clouds, in conjunction with the progressive lower prices of broadband access, promotes a correspondent increase in the providers network traffic. In consequence, more attention to security issues is needed once the probability of an attack increases as the number of clients grows. Because of this growing picture, a reactive way of dealing with security problems may lead to a decrease in services credibility. So, it becomes important for providers to adopt a proactive way to detect anomalous traffic that may be flowing through the network, in order to take the respective countermeasures as soon as possible. Several methods were proposed in the past years concerning anomaly detection, not all of them proper to be used in Internet Service Providers (ISPs). The work in Silveira 2010 provides a taxonomy for event detection methods that can be used for anomaly detection. The methods are structured as: signature-based (used by IDSes), based on control data (inspects DNS messages or BGP feeds, for example), based on application-specific data (to search for security problems of a specific application), based on non-aggregate traffic data (looks for anomalies at the traffic of a specific host) and based on aggregate traffic data (analyzes the traffic on network links). Considering high volume traffic and the need to detect anomalies of different types, detection based on aggregate traffic is more appropriate for ISPs. It is worth noting that an anomaly is not necessarily caused by malicious activity. For example, link failures or abrupt routing changes also cause traffic anomalies. For this reason, it is also necessary to use root cause analysis to distinguish what kind of problem has been detected (Silveira and Diot 2010). Root cause analysis is out of scope of the present work.

2 The work here proposes a simple method for anomaly detection on aggregate data that can be easily coupled to well-known open-source network management tools. This method uses entropy-based traffic metrics and the Holt-Winters forecast model to expose anomalies in the aggregated traffic of a network link. The evaluation of this proposal is achieved using injections of artificially generated TCP SYN flood attack and Slammer worm propagation in real traffic samples from RNP s backbone, the Brazilian NREN. Results also show that the efficiency of the method can be significantly improved for the detection of some specific class of attack by the use of specific filters applied to the monitored flows. The rest of this paper has the following structure: Section II brings related work, Section III describes the proposed method, Section IV explains the evaluation methodology, Section V shows the obtained results and Section VI brings conclusions and future work. 2. RELATED WORK In the past years, several methods were proposed concerning aggregation strategies, traffic metrics and statistical techniques to signalize anomalies in WAN traffic. Packet sampling is the most used aggregation strategy in order to reduce storage space and traffic monitoring overhead for high volume backbone links. In Mai 2006, it is shown that heavy sampling can cause false positives and negatives on volume-based anomaly detectors, which rely on packet or bit rate metrics to expose anomalies. In Brauckhoff 2006, entropy is shown to be a better metric to reduce heavy sampling impact. In Lakhina et al 2005, the authors use the entropy of IP addresses and port numbers as a metric for anomaly detection in a network-wide manner, where data is collected from multiple links and aggregated into origin-destination flows. This work uses a method based on Principle Component Analysis to point anomalies, which is shown in Brauckhoff et al 2009 that it fails to capture temporal correlation and may cause false negatives. In Brutlag 2000, the seasonal Holt-Winters forecast model is applied to packet rate time series for aberrant behavior detection in a single-link approach, which is easier to implement than a network-wide approach. In Silveira et al 2010, it is shown that a singlelink approach using a Kalman filter-based forecast method can identify 91% of the anomalies identified by a correspondent network-wide approach. This anomaly detection method is called ASTUTE, which captures the correlation among individual traffic flows and observes distributions of volume changes to detect anomalies. Despite the relevant results, this method fails to detect anomalies typically caused by DoS attacks or large file transfers. The authors argue that a complementary volume-based EWMA (Exponentially Weighted Moving Average) anomaly detector is enough for a well combined solution (Silveira 2010). 3. PROPOSED METHOD FOR ANOMALY DETECTION 3.1 Entropy Measurements The proposed method is based on entropy measurements of IP and port values of packets flowing through a given network link in a given time interval. This results in four time series of entropies representing the behavior of origin and destination IP addresses and origin and destination port numbers at each time interval. The used metric is a normalized version of Shannon s entropy (Shannon 1948) and is defined as: N E ( p i log ( p i )) / log2 N ns 2, (1) i 1 if N > 1, where N is the number of different values in a time interval and pi is the probability associated to each different value i. If N = 1, then E ns = 0. E ns varies from 0 to 1 and is a measure of the level of dispersion in the distribution of i: 0 corresponds to maximum concentration (only one value for i in the interval) and 1 corresponds to maximum dispersion. The normalization by log 2 N is used to avoid variations in E ns caused by changes in N that do not affect the distribution of i. The intuition behind this is to have a metric less sensitive to some kinds of anomalies that mainly affect traffic volume, like link failures or routing changes.

3 3.2 Seasonal Holt-Winters Forecast Model The seasonal Holt-Winters (HW) forecasting model is usually applied to time series that present seasonal patterns (Brutlag 2000). It divides a time series X t in three parts: one related to its seasonality (c t ), one related to its trend behavior (b t ) and one for the residual part (a t ). For each of them, a simple EWMA is applied to predict a new value. A combination of these expressions is used to estimate X t+1. The following equations represent the HW computation: at X a t b t c m (2) ( X t c t m ) (1 )( a b ) (3) bt ct ( a t a ) (1 ) b (4) ( X t a t ) (1 ) c t m, (5) where m is the period of the seasonality and α, β and γ are the parameters of the respective EWMA expressions of a t, b t and c t, with values between 0 and 1. Equations (2) to (5) suppose an additive seasonality, and it means that the statistical behavior of the seasonal component in (5) is not proportional to the time series trend component in (4). That is the opposite of when using the multiplicative seasonality (Koehler et al 2001). Experiments related to the present work (not shown) demonstrated that the additive seasonality fits better as a forecast model for the time series of measured entropies. 3.3 Decision Criteria for Anomaly Detection Using HW An anomaly is detected when measured entropies present a substantial deviation from its predictions. This verification can be automatically done by the association of proper upper and lower bounds for the HW predictions: any measure that falls out of these bounds is considered abnormal. As in Brutlag 2000, the bounds are obtained by the use of a EWMA for the time series of deviations d t between the measured and the predicted entropies: dt Y t X t ( 1 ) d t m, (6) where γ is the same used in (5). Y t is the measured entropy and X t is the predicted one. The boundaries are given by ( Xt d t m, X t d t m), (7) where δ is an adjusting factor. In Koehler et al 2001, the proposed values for δ fit between 2 and 3. It is worthy to note that the method presented in Brutlag 2000 does not consider entropy measurements. It just uses a Holt-Winters forecast model applied to time series of bit rates. 4. EXPERIMENTAL EVALUATION METHODOLOGY The evaluation of anomaly detection methods using real traffic data from backbone links is notoriously a difficult task. It is very hard to previously know what anomalies are present in what time, and also to guarantee that some sequence of data is really free of anomalies. The approach here uses injection of artificially generated malicious traffic data, corresponding to a TCP SYN flood attack and the Slammer worm propagation, into real traffic traces from RNP. 4.1 Traffic Data from RNP A real traffic data trace was obtained from netflow records (Cisco 2007) of a 2.5 Gbps link from RNP s backbone. The used packet sampling rate was 1 out of 100 at the respective router. The total amount of

4 collected data represents a sequence of ten days between November and December of The mean rate of the traffic, not considering sampling, is 30 Kpps and it represents a period of supposed normal use of this backbone link. By the time of these measurements, no tools were implemented at RNP to automatically detect attacks. 4.2 Artificial Generation of Malicious Traffic A tool called Pcapr was used to generate files describing the behavior of two different well-known attacks: the TCP SYN flood and the Slammer worm. These files are then used as input for a tool called MuDos that generates the corresponding traffic to some previously configured destination network. The generated traffic is then sniffed, sampled and converted to Netflow format. The mean packet rate of the generated traffic was adjusted to stay between 10% and 20% of the mean packet rate of the real traffic. These are typical values where a severe attack cannot be easily identified by visual inspection of packet rate time series of a backbone link. 4.3 Filtering Well-Known Characteristics If a malicious traffic traversing a backbone link has a mean packet rate significantly lower than the mean packet rate of the normal traffic in the link, the level of dispersion captured by the entropy measurements of the combined traffic may vary just a little. In this case, it may be hard to detect this kind of attack using the proposed method. To minimize this problem, the portion of the monitored data representing the normal traffic can be reduced using filters that will consider only packets with some well-known characteristic related to a target class of malicious traffic. For the injected anomalies used here, filters to compute only packets with UDP protocol (case of some worm propagations) or packets with destination port 80 (case of an attack to web sites) were applied. Results presented in Section V show the efficiency of this approach. Figure 1. Entropies and HW forecasts with TCP SYN flood attack inserted.

5 5. RESULTS The measured entropies were computed for every 5 minute interval and recorded using the Round-Robin Database (RRD) format. It is worth noting that a 5 minute time interval is commonly used for network monitoring and widely adopted in several other works (Lakhina et al 2005, Silveira et al 2010). The computation of the proposed method for anomaly detection in entropy time series is done using the RRDtool (Brutlag 2000). The RRDtool is an open-source tool to manipulate and plot data recorded in RRD format. Both the HW forecast model, found in (2)-(5), and also the entropy boundaries, found in (6) and (7), are implemented in RRDtool. The values of the HW s parameters are the same for all four time series of entropies and were empirically chosen based on Brutlag 2000: α = 0.01, β = , γ = 0.01, δ = 2 and m = 288. The value of m indicates a 24 hour seasonal period in amounts of 5 minute intervals. The RRDtool implements (6) using a circular queue whose size was configured to 5 days. All the graphics were generated using RRDtool. The large squares indicate the region of the inserted attack, always starting at 0h of day 27 (Thursday). For a better visualization, only three days of the time series are shown in each graphic, including the inserted attack at the beginning of the second day. The green line indicates the HW s predictions, the dark lines indicate the boundaries for anomaly detection, as found in (7), and the red line indicates the measured entropies. An anomaly is detected every time the red line crosses the boundaries represented by the dark lines. 5.1 TCP SYN Flood The parameters used to describe this Distributed DoS attack, that tries to exhaust victim s resources by the initiation of multiple TCP connections, are the following: random source IPs from a /22 network and one specific destination IP, random source port numbers and one specific destination port number (80/TCP). The duration of the injected attack is 1.5h and the packet rate varies from 4Kpps to 6Kpps, which represents 13.3% to 20% of the mean packet rate of the real traffic trace. Fig. 1 shows the results without any filter (from top: source IP, destination IP, source port and destination port) and Fig. 2 shows the results with a filter that considers only packets with destination port value of 80 (from top: source IP, destination IP and source port). Figure 2. Entropies and HW forecasts with TCP SYN flood attack inserted, filter by destination port 80. As observed in Fig. 1, the disturbances in the measured entropies caused by this injection, although visually perceived, was not sufficient to significantly trigger the detection in any of the time series. However,

6 with the specified filter, as shown in Fig. 2, the disturbances in the measured entropies are enough to trigger the detection in all time series, except for the destination port (not shown), once all packets with same destination port turn the entropy to be always zero. 5.2 Slammer Worm The parameters used to describe this attack, that explores a vulnerability of Microsoft SQL servers, are the following: one specific source IP, random destination IPs, random source port numbers and one specific destination port (1434/UDP). The duration of the injected attack is 2h and the packet rate is fixed at 0.5Kpps, which represents 16.6% of the mean packet rate of the real traffic trace. Fig. 3 shows the results without any filter and Fig. 4 shows the results with a filter that considers only packets using UDP protocol (in both cases, from top: source IP, destination IP, source port and destination port). Figure 3. Entropies and HW forecasts with Slammer worm attack inserted. Comparing Fig. 3 and Fig. 4, it is clear that the adoption of the filters for the UDP protocol increases the disturbance in the measured entropies and makes the anomaly more evident for the detection. But, in this case, results in Fig. 3 show that this attack could also be detected in the source IP and destination port entropies without using the filter. 5.3 Holt-Winters versus EWMA The use of a simple EWMA instead of the Holt-Winters forecast model has good practical implications as there will be only one parameter to choose (α) instead of three. However, the inability of a simple EWMA to capture seasonal patterns makes it less applicable for time series of entropies. Another key point is that the Holt-Winters forecasts are more sensitive to α than to the other two parameters, making it almost as ease to parameterize as the EWMA.

7 Fig. 5 shows a comparison between EWMA and two HW models for the prediction of the measured entropies of origin port numbers. In this case, 5 days are shown and a simple DoS attack was inserted at the beginning of the second day. The parameters are the same used in the previous tests, except for γ that is equal to 0.1 in the second HW model (from top to bottom). The EWMA uses the same α. It is easy to observe that the EWMA fails to predict the entropies due to its seasonal pattern. It can also be observed that an increase by ten times in γ practically did not affect the HW predictions. Previous tests (not shown) verified that an equal increase in α makes the HW fails to predict the entropies. Figure 4. Entropies and HW forecasts with Slammer worm attack inserted, filter by UDP protocol. 6. CONCLUSIONS The results indicate that the HW predictor estimates well the behavior of measured entropies corresponding to a period of normal traffic in a backbone link. In the presence of an anomaly, the measured entropies clearly deviate from its predictions at least in one of the four time series, and this can be used to trigger the detection. The use of filters to capture packets with well-known characteristics of some class of attacks clearly makes them more evident. The adopted criteria for the establishment of boundaries to automatically trigger the detection alone was not efficient in one of the studied cases and can be improved to reduce the dependence on filters. The presented method focuses on simplicity. The use of the RRDtool shows that it can be easily coupled to most adopted open-source network monitoring tools. The establishment of filters for well-known characteristics of some attacks is very practical and widely adopted by network operators that do manual inspection of traffic flows. All the calculations can be easily evaluated for real-time anomaly detection with the traditional delay of five minutes adopted in the majority of network monitoring tools. The proposed method has no intention to be able to detect all kind of anomaly that can be present in a backbone link. As stated in Silveira 2010, complementary methods must be used to cover all possibilities. Results show that the method is appropriate to detect DoS style and worm spread attacks in WAN links that

8 could be hidden in the overall traffic, and that also means that it can be considered a good complementary detector for others proposals, like ASTUTE (Silveira et al 2010). The validation of the method used real traffic samples from RNP s backbone, where both a TCP SYN flood attack and a Slammer worm spread were artificially inserted. Future work will study better upper and lower bounds for the Holt-Winters predictions in order to automatically infer anomalies with less dependence on filters. Figure 5. Comparison between HW with γ = 0,01, HW with γ = 0,1 and EWMA (α = 0,01for all and DoS inserted at 0h of second day). ACKNOWLEDGEMENT The authors thank RNP for giving access to all data used in this work. REFERENCES Silveira, F., Unsupervised Diagnosis of Network Traffic Anomalies. Ph.D thesis, Université Pierre et Marie Curie, Paris. Silveira, F. and Diot, C., URCA: Pulling Anomalies by their Root Causes. Proceedings of IEEE INFOCOM. Mai, J. et al, Is Sampled Data Sufficient for Anomaly Detection?. Proceedings of IMC, pp Brauckhoff, D. et al, Impact of Packet Sampling on Anomaly Detection Metrics. Proceedings of IMC, pp Lakhina, A. et al, Mining Anomalies Using Traffic Feature Distributions. Proceedings. of the ACM SIGCOMM, pp , Philadelphia. Brauckhoff, D. et al, Applying PCA for Traffic Anomaly Detection: Problems and Solutions. Proceedings of IEEE INFOCOM, Rio de Janeiro. Brutlag, J., Aberrant Behavior Detection in Time Series for Network Monitoring. Proceedings of the 14 th Systems Administration Conference (LISA 2000), pp , New Orleans. Silveira, F. et al, ASTUTE: Detecting a Different Class of Traffic Anomalies. Proceedings of the ACM SIGCOMM. Shannon, C., A Mathematical Theory of Communication. Bell System Technical Journal, vol. 27, pp and Koehler, A. et al, Forecasting Models and Prediction Intervals for the Multiplicative Holt-Winters Method. International Journal of Foreacsting, vol. 17, no. 2, pp Cisco Systems Inc., Netflow Services Solution Guide. referenced on May 2011.