Network Anomaly Detection Using Autonomous System Flow Aggregates


Slide 1: Network Anomaly Detection Using Autonomous System Flow Aggregates
Thienne Johnson (1,2) and Loukas Lazos (1)
(1) Department of Electrical and Computer Engineering, (2) Department of Computer Science, University of Arizona
IEEE GLOBECOM 2014, December 8-12, 2014

Slide 2: Network Anomalies

Slide 3: Characteristics of Network Anomalies

Anomaly | Examples                                              | Characteristics (variations in)
DDoS    | (D)DoS against a single victim                        | Number of packets and number of flows
Alpha   | Unusually high-rate point-to-point byte transfer      | Number of packets and volume
Scan    | Scanning a host for a vulnerable port (port scan)     | Incoming flows to a host:port
Scan    | Scanning the network for a target port (network scan) | Incoming flows to a port number

Slide 4: Anomaly detection
- Deep packet inspection: scalability problem in terms of computational and storage capacity
- Flow aggregation techniques: merge multiple flow records with similar properties and discard benign flows; summarize IP flows into statistical metrics; reduce the amount of state and history information that is maintained
- At the IP flow level, the computation and storage requirements of an online NIDS can still be prohibitively large

Slide 5: Our Goals
- Reduce communication and storage overheads by exploiting the organization of the IP space into Autonomous Systems (ASes)
- Detect large-scale network threats that create substantial deviations in network activity compared with benign network conditions

Slide 6: AS-level anomalies at a monitored network (figure)

Slide 7: Methodology (figure: overview of steps 1 to 5)

Slide 8: 1. IP-to-AS Flow Translation
Aggregate IP flows to AS flows. Each AS flow carries:
- Number of IP flows
- Number of IP packets
- Volume (bytes)

Slide 9: 1b. IP-to-AS Flow Translation
Aggregate IP flows to AS flows. Each AS flow carries:
- Number of IP flows
- Number of IP packets
- Volume (bytes)
(Figure: six IP flows, from source IPs A through F to destination IP T, each identified by source IP:port and destination IP:port, are aggregated into three AS flows: AS X to AS T, AS Y to AS T, and AS Z to AS T.)

Slide 10: 2. Metrics for data aggregation
Different anomalies affect different network flow parameters. During aggregation period A:
1. Packet count (N): number of packets associated with the AS flow
2. Traffic volume (V): traffic volume associated with the AS flow
3. IP flow count (IP): number of IP flows associated with the AS flow
4. AS flow count (F): the number of AS flows that are active. Flows from spoofed IP addresses (network/16) are aggregated as a flow from Fake AS nodes; flows from ASes not contacted before could be an anomalous event.

Slide 11: 2b. Data aggregation
- Training phase: intervals I_1, ..., I_m. Traffic for each of the m intervals is represented by the same model.
- Online phase: the traffic model for the online phase is computed over an epoch, which is shorter than an interval. Collect k samples for each metric using the aggregate values over k aggregation periods.

Slide 12: 3. Statistical Analysis
For every AS flow, and every metric: (figure)

Slide 13: 3b. Statistical Analysis
Measure the statistical divergence between the pmf of the real-time data (X) and the pmf of the training data (D) using the Jeffrey distance
$$\Lambda(P, Q) = \frac{1}{2}\left(\mathrm{KL}(P, Q) + \mathrm{KL}(Q, P)\right)$$
where KL(P, Q) is the Kullback-Leibler divergence
$$\mathrm{KL}(P, Q) = \sum_{i=1}^{k} p_i \log \frac{p_i}{q_i}$$

Slide 14: 3c. Statistical Analysis
Distances are normalized to ensure equal distance scales when multiple metrics are combined into one:
$$J\big(P_{i,j}(M), Q_j(M)\big) = \frac{\Lambda\big(P_{i,j}(M), Q_j(M)\big)}{\Lambda\big(P_{i,j}(M), Q_j(M)\big)_{95\text{th}}}$$
where the denominator is the value that falls in the 95th percentile of the historical distances for metric i, accumulated over the moving window W.

Slide 15: 4. Composite Metrics
- To capture the multi-dimensional nature of network behaviors, composite metrics combine several basic metrics: $C_i = G_i(J_N, J_V, J_{IP}, J_F)$, where G_i is a weighting formula among the different metrics.
- Weights could be adjusted to favor a subset of metrics, depending on the nature of the anomaly to be detected.
- For each epoch: if C_i > Threshold, alert abnormal behavior.

Slide 16: 5. Training data update
Moving window mechanism for maintaining the training data: if D(E, W) < Threshold, update.
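The five steps above, worked end to end in Python as an added example (this is not the authors' code and not the NETVUE implementation). Everything beyond the slides is an assumption of this example: the prefix-to-AS map, the constructed IP flow records, the log-scale histogram bins and epsilon smoothing used to turn the k samples of each metric into a pmf, the seeded distance history standing in for window W, the weighted-sum form chosen for the weighting formula G, and the weights and threshold. Step 5 is left to the caller, which can append an epoch that stays below the threshold to the training window.

```python
"""Added example (not the authors' code): AS-flow aggregation, Jeffrey-distance
scoring, 95th-percentile normalization and a weighted composite metric, following
the slides' five steps. Prefix map, flows, history, weights and threshold are constructed."""
from collections import defaultdict
import ipaddress
import math

# Constructed prefix-to-AS map. Addresses outside every known prefix are treated
# as spoofed and aggregated per /16 into a "Fake AS" node, as the slides describe.
PREFIX_TO_AS = {ipaddress.ip_network("10.0.0.0/16"): 100,
                ipaddress.ip_network("10.1.0.0/16"): 200,
                ipaddress.ip_network("10.2.0.0/16"): 300}
FLOW_METRICS = ("N", "V", "IP")           # per AS flow: packets, bytes, IP-flow count
METRICS = FLOW_METRICS + ("F",)           # F: network-wide count of active AS flows
ZERO = {"N": 0, "V": 0, "IP": 0}
BINS = [0] + [2 ** i for i in range(18)]  # log-scale histogram bins (this example's choice)
EPS = 1e-6                                # smoothing so that KL stays finite when q_i = 0

def ip_to_as(ip):
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_AS.items():
        if addr in net:
            return asn
    return "FAKE-" + str(ipaddress.ip_network(ip + "/16", strict=False))

def aggregate_as_flows(ip_flows):
    """Step 1: merge IP flows (src_ip, dst_ip, packets, bytes) into AS flows
    keyed by (src_as, dst_as), accumulating N, V and IP for each AS flow."""
    agg = defaultdict(lambda: dict(ZERO))
    for src, dst, pkts, nbytes in ip_flows:
        rec = agg[(ip_to_as(src), ip_to_as(dst))]
        rec["N"], rec["V"], rec["IP"] = rec["N"] + pkts, rec["V"] + nbytes, rec["IP"] + 1
    return dict(agg)

def collect_samples(periods):
    """Step 2: one sample per aggregation period for every AS flow and metric. An AS
    flow absent from a period contributes 0, so an AS never seen in training scores high."""
    per_period = [aggregate_as_flows(p) for p in periods]
    keys = {k for agg in per_period for k in agg}
    flows = {k: {m: [agg.get(k, ZERO)[m] for agg in per_period] for m in FLOW_METRICS}
             for k in keys}
    return flows, [len(agg) for agg in per_period]  # second item: the F samples

def pmf(values):
    """Empirical pmf of the k samples over BINS, epsilon-smoothed."""
    counts = [0.0] * len(BINS)
    for v in values:
        counts[max(0, sum(1 for b in BINS if v >= b) - 1)] += 1
    total = len(values) + EPS * len(BINS)
    return [(c + EPS) / total for c in counts]

def kl(p, q):
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))
def jeffrey(p, q):
    """Step 3: Jeffrey distance Lambda(P,Q) = 1/2 (KL(P,Q) + KL(Q,P))."""
    return 0.5 * (kl(p, q) + kl(q, p))
def percentile95(values):
    s = sorted(values)
    return s[max(0, math.ceil(0.95 * len(s)) - 1)]

def score_epoch(training, online, history, weights):
    """Steps 3c-4: divide each metric's distance by the 95th percentile of its
    historical distances (window W), then combine with a weighted sum (one choice of G)."""
    t_flows, t_f = collect_samples(training)
    o_flows, o_f = collect_samples(online)

    def norm(metric, train_samples, online_samples):
        d = jeffrey(pmf(train_samples), pmf(online_samples))
        ref = percentile95(history[metric])
        return d / ref if ref > 0 else d

    j_f = norm("F", t_f, o_f)  # F is shared by every AS flow of the epoch
    scores = {}
    for k, om in o_flows.items():
        tm = t_flows.get(k, {m: [0] * len(training) for m in FLOW_METRICS})
        j = {m: norm(m, tm[m], om[m]) for m in FLOW_METRICS}
        j["F"] = j_f
        scores[k] = sum(weights[m] * j[m] for m in METRICS)
    return scores

def detect(training, online, history, weights, threshold):
    """Returns (score per AS flow, AS flows above threshold); step 5 is the caller's."""
    scores = score_epoch(training, online, history, weights)
    return scores, [k for k, c in scores.items() if c > threshold]

# Constructed traffic: 8 benign training intervals, then a 4-period online epoch in
# which AS 200 floods 10.2.0.1 and spoofed sources appear from two unknown /16s.
BENIGN = ([("10.0.0.%d" % i, "10.2.0.1", 20, 2000) for i in range(1, 4)]
          + [("10.1.0.%d" % i, "10.2.0.1", 10, 1000) for i in range(1, 3)])
ATTACK = (BENIGN[:3] + [("10.1.0.%d" % i, "10.2.0.1", 200, 20000) for i in range(1, 51)]
          + [("172.16.0.%d" % i, "10.2.0.1", 100, 6000) for i in range(1, 6)]
          + [("172.17.0.%d" % i, "10.2.0.1", 100, 6000) for i in range(1, 6)])
TRAINING, ONLINE = [BENIGN] * 8, [ATTACK] * 4
HISTORY = {m: [0.2, 0.4, 0.6, 0.8, 1.0] for m in METRICS}  # constructed window W
WEIGHTS = {"N": 0.3, "V": 0.3, "IP": 0.2, "F": 0.2}
THRESHOLD = 5.0

if __name__ == "__main__":
    scores, alerts = detect(TRAINING, ONLINE, HISTORY, WEIGHTS, THRESHOLD)
    for k, c in scores.items():
        print(k, round(c, 2), "ALERT" if k in alerts else "")
```

Running the block scores three AS flows in the online epoch: the AS 200 flood and the two Fake AS nodes (one per spoofed /16) exceed the threshold on N, V and IP, while the unchanged AS 100 traffic only picks up the shared F term (the active AS-flow count moved from 2 to 4) and stays below it. The epsilon smoothing is what keeps KL finite when a bin is empty in one pmf and occupied in the other, which is exactly the situation a newly appearing AS creates.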

Slide 17: Case study
MIT LLS DDOS 1.0 intrusion dataset, which simulates several DoS attacks and background traffic. (Figure: anomaly in AS A)

Slide 18: (Figures: anomaly in AS B; anomaly in AS C)

Slide 19: Volumetric analysis, no AS distinction (figure)

Slide 20: Example of use with IMap: anomaly scores per AS (figure)
Fowler, J.; Johnson, T.; Simonetto, P.; Lazos, L.; Kobourov, S.; Schneider, M.; and Acedo, C. IMap: Visualizing Network Activity over Internet Maps, VizSec 2014.

Slide 21: Conclusions & Future work
- NIDS based on AS flow aggregates: reduction in storage and computation overhead
- Basic network anomaly detection metrics are adapted to the AS domain
- Composite metrics of network activity combine several basic metrics
- New basic metric that counts the number of AS flows for detecting anomalous events
- Formal study on composite metrics targeting known anomalies
Work supported by the Office of Naval Research under Contract N00014-11-D-0033/0002

Slide 22: Thank you!
http://www.cs.arizona.edu/~thienne
NETVUE website: http://netvue.cs.arizona.edu/
IEEE GLOBECOM 2014, December 8-12, 2014