Intrusion Detection by Combining and Clustering Diverse Monitor Data

Intrusion Detection by Combining and Clustering Diverse Monitor Data
TSS/ACC Seminar, April 5, 26
Atul Bohara and Uttam Thakore
PI: Bill Sanders

Outline
- Motivation
- Overview of the approach
- Feature extraction and selection
- Clustering
- Intrusion detection
- Results
- Future directions

Motivation
Monitoring in enterprise systems is extremely diverse and verbose.
Problems:
- High false positive rate and verbosity
- Limited ability to combine and analyze heterogeneous data together
- Requires significant input from a system expert
Images: http://blog.bro.org/22//monster-logs.html and http://blog.wildpackets.com/28//28/simplify_analysis_-_packet-based_traffic_netflow_statistics_in_one_ui.html

Our Contributions
- We fuse data from the host-level and network-level context to perform anomaly detection
- We use unsupervised clustering to identify usage behavior patterns in the data and detect anomalous behavior
- We find attacks that are undetectable with individual monitors alone

Overview of Approach
Pipeline: Data Sources (System Logs, Firewall Logs) -> Feature Extraction -> Feature Selection & Fusion -> Cluster Analysis -> Intrusion Detection

Data Sources

Dataset Description
- VAST Challenge 2, Mini Challenge 2 dataset [link]
- Small enterprise network
- Types of logs:
  - Network-level: firewall logs, Snort IDS logs
  - Host-level: operating system security event logs (system logs)
- Attacks were injected into the logs

Threat Model
- Network flooding attacks: Distributed Denial of Service (DDoS) from the Internet
- Port scan from an external host
- Port scan from workstations
- Behavior-changing malware: worm installed on workstations

Feature Extraction

Feature Extraction
Four types of features:
- Identification: IP address and timestamp
- Network traffic-based: source/destination IP addresses and ports, TCP connections
- Service-based: connections to different types of servers, e.g., DNS, database, web
- Authentication-based: significant authentication events from system logs
Features are aggregated into one-minute time intervals.

Extracted Example
Example system log features (IP address and timestamp are the identification features):
- # failed logon events from this host (event 4625)
- # special privileges assigned to new logon (event 4672)
- # target domain name = NT AUTHORITY
- # remote interactive logons (logon type = )
- # NTLM authentications/logons
- # distinct subject logon IDs
Example firewall log features (IP address and timestamp are the identification features):
- # of unique destination IPs
- # of unique source ports
- # of connections built
- # of accesses to DNS server IPs
- # of accesses to database IPs

Feature Selection & Fusion

Feature Selection
Not all features are equal!
- Some are correlated, e.g., number of NTLM authentications and number of authentication attempts with host name starting with WS
- Some are not useful for clustering, e.g., number of successful logon events
- High dimensionality problem
Techniques for feature selection:
- Pearson correlation coefficient to remove strongly correlated features
- Compare normalized average feature value across clusters
[Figures: system log feature distributions; firewall log feature distributions]

Extracted Features
System log:
- Total number of features: 36
- Number of identification features: 2
- Number of service-based features: 2
- Number of authentication-based features: 32
- Total number of features after selection: 2
Firewall log:
- Total number of features: 7
- Number of identification features: 2
- Number of network traffic-based features: 6
- Number of service-based features: 9
- Total number of features after selection: 2
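The Pearson-correlation pruning from the Feature Selection slide, carried out on constructed per-minute feature columns; this is an added example, not the authors' code, and the 0.9 threshold and the greedy keep-first order are choices made here.

```python
from math import sqrt

# Constructed per-minute feature columns for one host (values are made up, not from the VAST dataset)
COLUMNS = {
    "ntlm_auths":        [0, 2, 4, 1, 3, 5],
    "ws_auth_attempts":  [0, 2, 4, 1, 3, 6],   # nearly a copy of ntlm_auths: the redundancy the slide describes
    "successful_logons": [1, 1, 1, 1, 1, 1],   # constant: carries no information for clustering
    "failed_logons":     [0, 0, 5, 0, 1, 0],
}

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length samples; 0.0 when either sample is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)

def select_features(columns, threshold=0.9):
    """Greedy pruning in column order: drop constant features, then drop any feature whose |r| against an
    already-kept feature exceeds the threshold. Returns (kept names, {dropped name: reason})."""
    kept, dropped = [], {}
    for name, values in columns.items():
        if max(values) == min(values):
            dropped[name] = "constant"
            continue
        partner = next((k for k in kept if abs(pearson(values, columns[k])) > threshold), None)
        if partner is None:
            kept.append(name)
        else:
            dropped[name] = "correlated with " + partner
    return kept, dropped
```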

Fusion
We fuse the logs using an inner join on the identification features.
Fused feature vector = firewall feature vector (Identification, Network traffic-based, Service-based) joined with syslog feature vector (Identification, Authentication-based).
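The one-minute feature extraction from the Extracted Example slide and the inner-join fusion above, as one added example on constructed log records (not the authors' code); the DNS/database server addresses and the Windows logon type 10 for remote interactive logons are assumptions made here.

```python
from collections import defaultdict
# Constructed sample records (not the VAST dataset). Firewall: (timestamp, src IP, src port, dst IP, dst port, action)
FIREWALL = [
    ("2016-04-05 10:00:05", "10.0.0.5", 51001, "10.0.1.10", 53, "Built"),
    ("2016-04-05 10:00:12", "10.0.0.5", 51002, "10.0.1.20", 1433, "Built"),
    ("2016-04-05 10:00:40", "10.0.0.5", 51002, "10.0.1.30", 80, "Teardown"),
    ("2016-04-05 10:00:50", "10.0.0.7", 40000, "10.0.1.31", 22, "Built"),
    ("2016-04-05 10:00:51", "10.0.0.7", 40001, "10.0.1.32", 22, "Built"),
]
# Windows security events: (timestamp, host IP, event ID, logon type, auth package, target domain, subject logon ID)
SYSLOG = [
    ("2016-04-05 10:00:07", "10.0.0.5", 4625, 3, "NTLM", "CORP", "0x1a2b"),
    ("2016-04-05 10:00:09", "10.0.0.5", 4672, 10, "Negotiate", "NT AUTHORITY", "0x3e7"),
    ("2016-04-05 10:01:30", "10.0.0.5", 4624, 10, "NTLM", "CORP", "0x1a2b"),
]
DNS_SERVERS, DB_SERVERS = {"10.0.1.10"}, {"10.0.1.20"}   # assumed server roles for the service-based features
REMOTE_INTERACTIVE = 10   # Windows logon type 10; the slide's own value is unreadable in the transcript

def minute(ts):
    """Identification key: truncating 'YYYY-MM-DD HH:MM:SS' to the minute gives the one-minute bucket."""
    return ts[:16]

def firewall_features(records):
    """Aggregate firewall records into per-(source IP, minute) network-traffic and service features."""
    acc = defaultdict(lambda: {"dst": set(), "ports": set(), "built": 0, "dns": 0, "db": 0})
    for ts, src, sport, dst, dport, action in records:
        f = acc[(src, minute(ts))]
        f["dst"].add(dst)
        f["ports"].add(sport)
        f["built"] += int(action == "Built")
        f["dns"] += int(dst in DNS_SERVERS)
        f["db"] += int(dst in DB_SERVERS)
    return {k: {"unique_dst_ips": len(f["dst"]), "unique_src_ports": len(f["ports"]), "connections_built": f["built"],
                "dns_accesses": f["dns"], "db_accesses": f["db"]} for k, f in acc.items()}

def syslog_features(events):
    """Aggregate Windows security events into per-(host IP, minute) authentication features."""
    acc = defaultdict(lambda: {"failed": 0, "priv": 0, "ntauth": 0, "remote": 0, "ntlm": 0, "subjects": set()})
    for ts, host, event_id, logon_type, package, target_domain, subject_id in events:
        f = acc[(host, minute(ts))]
        f["failed"] += int(event_id == 4625)
        f["priv"] += int(event_id == 4672)
        f["ntauth"] += int(target_domain == "NT AUTHORITY")
        f["remote"] += int(logon_type == REMOTE_INTERACTIVE)
        f["ntlm"] += int(package == "NTLM")
        f["subjects"].add(subject_id)
    return {k: {"failed_logons_4625": f["failed"], "special_privileges_4672": f["priv"], "nt_authority_targets": f["ntauth"],
                "remote_interactive_logons": f["remote"], "ntlm_logons": f["ntlm"],
                "distinct_subject_logon_ids": len(f["subjects"])} for k, f in acc.items()}

def fuse(fw, sl):
    """Inner join on the identification features: keep only (IP, minute) keys present in both logs."""
    return {k: {**fw[k], **sl[k]} for k in fw.keys() & sl.keys()}
```

Hosts seen in only one log for a given minute (10.0.0.7 here) drop out of the fused set, which is the trade-off of an inner join over an outer join with zero-filled features.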

Cluster Analysis

Clustering Techniques
Apply k-means and DBSCAN clustering algorithms.
Algorithm | Type | Cluster shape | Noise handling | Parameter selection
k-means | Centroid based | Spherical clusters | No | WCSD, Silhouettes
DBSCAN | Density based | Arbitrary shaped clusters | Yes | k-dist graph
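The k-dist graph used above for DBSCAN parameter selection, worked on constructed 2-D points; this is an added example, not the authors' code, and the knee-of-the-curve rule used to read eps off the graph is a choice made here.

```python
from math import dist

def sample_points():
    """Constructed 2-D feature points: two dense groups of 25 points each plus three isolated points (noise)."""
    pts = [(0.1 * i, 0.1 * j) for i in range(5) for j in range(5)]
    pts += [(5 + 0.1 * i, 5 + 0.1 * j) for i in range(5) for j in range(5)]
    pts += [(20.0, 0.0), (-20.0, 5.0), (0.0, 30.0)]
    return pts

def k_dist(points, k):
    """Distance from every point to its k-th nearest neighbour, sorted descending: the DBSCAN k-dist graph."""
    out = []
    for i, p in enumerate(points):
        dists = sorted(dist(p, q) for j, q in enumerate(points) if j != i)
        out.append(dists[k - 1])
    return sorted(out, reverse=True)

def knee_index(curve):
    """Index of the curve point farthest from the chord joining its two ends (the 'knee' or 'elbow')."""
    n = len(curve)
    x0, y0, x1, y1 = 0.0, curve[0], float(n - 1), curve[-1]
    best, best_d = 0, -1.0
    for i, y in enumerate(curve):
        # perpendicular distance from (i, y) to the chord through (x0, y0) and (x1, y1)
        d = abs((y1 - y0) * i - (x1 - x0) * y + x1 * y0 - y1 * x0) / dist((x0, y0), (x1, y1))
        if d > best_d:
            best, best_d = i, d
    return best

def choose_eps(points, min_pts):
    """DBSCAN heuristic: take the k-dist graph with k = min_pts and read eps at its knee; the points to the
    left of the knee (larger k-dist than eps) are the ones DBSCAN will treat as noise."""
    curve = k_dist(points, min_pts)
    return curve[knee_index(curve)]
```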

Cluster Analysis: DBSCAN Clustering on Firewall Logs
[Figure: clusters plotted on principal components PC, PC2 and PC3. Cluster sizes: Outliers: 8; Cluster: 4876; Cluster2: 825; Cluster3: 8; Cluster4: 39; Cluster5: 2; Cluster6: 53; Cluster7: 84. Bar charts of normalized average feature values for Cluster, Cluster 2, Cluster 6 and Cluster 7.]

Cluster Analysis: DBSCAN Clustering on Firewall + System Logs
[Figure: clusters plotted on principal components PC, PC2 and PC3. Cluster sizes: Outliers: 8; Cluster: 25342; Cluster2: 54; Cluster3: 37; Cluster4: 23. Bar charts of normalized average feature values for Cluster, Cluster 2, Cluster 3 and Cluster 4.]

Intrusion Detection

Intrusion Detection Approach
- More than 8% of the data points are captured within 3 clusters
- These clusters contained more than 5% of the hosts and have high probability mass at low values
- Our approach: examine the size and the distribution of hosts for each cluster

Intrusion Detection Approach (contd.)
Pipeline: Clusters -> Normal or Anomalous -> Feature Distributions -> Distances -> Normalcy
[Figure: per-cluster feature distribution bar charts for the firewall-log clusters (Cluster, Cluster 2, Cluster 6, Cluster 7).]
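The cluster-level analysis described in the two Intrusion Detection Approach slides (cluster size, host distribution, normalized average feature values, distance from the normal clusters), carried out on constructed cluster assignments; this is an added example, not the authors' code, and the host-fraction and feature-gap thresholds are choices made here.

```python
from collections import Counter, defaultdict

FEATURES = ["unique_src_ports", "connections_built", "unique_dst_ips"]

def build_points():
    """Constructed (host, feature vector, cluster label) points; -1 is DBSCAN noise. Not VAST data."""
    pts = []
    for h in range(1, 7):                    # six ordinary workstations, ten one-minute intervals each
        for m in range(10):
            pts.append((f"ws{h}", [2 + m % 3, 3 + m % 2, 2], 0))
    for m in range(5):                       # one host flooding: many source ports, many connections built
        pts.append(("ws7", [400 + m, 390, 3], 1))
    for m in range(3):                       # one host sweeping: many distinct destination IPs
        pts.append(("ws8", [5, 60, 250 + m], 2))
    pts.append(("ws9", [1, 1, 1], -1))
    return pts

def cluster_profiles(points):
    """Per cluster: share of all data points, number of unique hosts, and mean feature vector."""
    hosts, sums, counts = defaultdict(set), defaultdict(lambda: [0.0] * len(FEATURES)), Counter()
    for host, vec, label in points:
        hosts[label].add(host)
        counts[label] += 1
        for i, v in enumerate(vec):
            sums[label][i] += v
    return {c: {"pct_points": 100.0 * counts[c] / len(points), "hosts": len(hosts[c]),
                "mean": [s / counts[c] for s in sums[c]]} for c in counts}

def normalize(profiles):
    """Divide each feature's per-cluster mean by the largest cluster mean, so every value lies in [0, 1]."""
    top = [max(p["mean"][i] for p in profiles.values()) or 1.0 for i in range(len(FEATURES))]
    for p in profiles.values():
        p["norm"] = [m / t for m, t in zip(p["mean"], top)]

def flag_anomalous(points, host_fraction=0.5, feature_gap=0.5):
    """Clusters holding more than host_fraction of all hosts are taken as normal (threshold chosen here);
    every other cluster is anomalous, with 'significant' features those whose normalized mean exceeds the
    highest normal cluster's by at least feature_gap. Noise (label -1) is skipped."""
    profiles = cluster_profiles(points)
    normalize(profiles)
    total_hosts = len({h for h, _, _ in points})
    normal = [c for c, p in profiles.items() if c != -1 and p["hosts"] > host_fraction * total_hosts]
    baseline = [max((profiles[k]["norm"][i] for k in normal), default=0.0) for i in range(len(FEATURES))]
    report = {}
    for c, p in profiles.items():
        if c == -1 or c in normal:
            continue
        gaps = [v - b for v, b in zip(p["norm"], baseline)]
        report[c] = {"pct_points": round(p["pct_points"], 2), "hosts": p["hosts"],
                     "significant": [f for f, g in zip(FEATURES, gaps) if g >= feature_gap]}
    return normal, report
```

The report has the same columns as the Intrusion Detection Summary slide (% data points, unique hosts, significant features); the attack label for each anomalous cluster is still an analyst's reading of those features.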

Intrusion Detection Results: Firewall Logs
Cluster sizes: Outliers: 8; Cluster: 4876; Cluster2: 825; Cluster3: 8; Cluster4: 39; Cluster5: 2; Cluster6: 53; Cluster7: 84
Anomalous clusters: Clusters 6, 5, 3, 4, 7
- Cluster 6: DoS by external hosts
- Cluster 5: Port scan by internal hosts
- Clusters 3, 4, 7: Anomalous but not malicious
[Figure: clusters plotted on PC, PC2 and PC3, with normalized average feature values for Cluster, Cluster 2, Cluster 6 and Cluster 7.]

Intrusion Detection Results: Firewall + System Logs
Cluster sizes: Outliers: 8; Cluster: 25342; Cluster2: 54; Cluster3: 37; Cluster4: 23
Anomalous clusters: Clusters 2, 4, 3
- Cluster 2: Worm-infected host
- Cluster 4: Port scan by internal hosts
- Cluster 3: Anomalous but not malicious
[Figure: clusters plotted on PC, PC2 and PC3, with normalized average feature values for Cluster, Cluster 2, Cluster 3 and Cluster 4.]

Intrusion Detection Summary
Cluster ID | % Data points | No. of unique hosts | Represented attack | Significant features
Firewall data:
6 | .72 | 5 | DoS | # of unique source ports, # of connections built, # of connections torn down
5 | .65 | 3 | Port scan | # of unique destination IPs
Firewall + System log data:
4 | .9 | 2 | Port scan | # of connections built, # of connections torn down
2 | | | Worm | # anonymous target user names, # NTLM authentications, # session keys requested

Conclusion
- Intrusion detection using clustering techniques
  - Without labelling the data
  - Without an explicit profile for normal behavior
- Generic time-aware features to detect malicious behavior
  - Can be used for other attack types, e.g., brute-force attacks and data exfiltration
- Allow data fusion across monitors
  - Additional visibility into the system behavior
  - Average feature values analysis
  - More holistic view
  - Data reduction

Discussion
- Works well for attacks that change the system behavior, including zero-days
- Complementary to rule-based intrusion detection approaches
- Might not work properly for attacks that do not change the outward behavior of hosts, such as privilege escalation
  - However, a better choice of features might change this for some attacks

Future Directions
- Attack classes and features
  - Classify security attacks and the respective features to detect them
  - Data-driven feature selection
- Clustering algorithm choice
  - Hierarchical clustering
  - Distribution-based clustering
- Online classification
  - Online clustering
  - Train a classifier using cluster labels

Questions?

Thank you!