Anomaly Detection in Communication Networks

Similar documents
ANOMALY DETECTION IN COMMUNICTION NETWORKS

Intrusion Detection - Snort

Intrusion Detection - Snort

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Empirical Study of Automatic Dataset Labelling

Intrusion Detection - Snort. Network Security Workshop April 2017 Bali Indonesia

Intrusion Detection. What is Intrusion Detection

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Basic Concepts in Intrusion Detection

Computer Security: Principles and Practice

CSE 565 Computer Security Fall 2018

Study of Snort Ruleset Privacy Impact

Security Principles SNORT - IDS

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CS395/495 Computer Security Project #2

IDS / SNORT. Matsuzaki maz Yoshinobu stole slides from Fakrul Alam

Firewalls, Tunnels, and Network Intrusion Detection

Detecting Specific Threats

IDS: Signature Detection

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS)

HSNORT: A Hybrid Intrusion Detection System using Artificial Intelligence with Snort

Network Security. Chapter 0. Attacks and Attack Detection

Intrusion Detection. October 19, 2018

Overview Intrusion Detection Systems and Practices

Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection

TEL

Internet Traffic Classification using Machine Learning

Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes

UMSSIA INTRUSION DETECTION

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

intelop Stealth IPS false Positive

Intrusion Detection Systems

2. INTRUDER DETECTION SYSTEMS

Distributed Denial of Service (DDoS)

OSSIM Fast Guide

Fuzzy Intrusion Detection

Exam Questions v8

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

CSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)

Intrusion Detection System

Developing the Sensor Capability in Cyber Security

Intrusion Detection by Combining and Clustering Diverse Monitor Data

Outline. Internet Security Mechanisms. Basic Terms. Example Attacks

AIT 682: Network and Systems Security

Configuring attack detection and prevention 1

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

The following topics describe how to configure correlation policies and rules.

Evidence Gathering for Network Security and Forensics DFRWS EU Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L.

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Snort Rules Classification and Interpretation

CS Review. Prof. Clarkson Spring 2017

Data Mining for Improving Intrusion Detection

Computer Network Vulnerabilities

CLASSIFICATION OF ARTIFICIAL INTELLIGENCE IDS FOR SMURF ATTACK

Snort 初探. Aphyr Lee

Intrusion Detection System with FGA and MLP Algorithm

Lecture 12. Application Layer. Application Layer 1

The Reconnaissance Phase

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection Systems Overview

Lab 8: Firewalls & Intrusion Detec6on Systems

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Decision Fusion using Dempster-Schaffer Theory

Data Mining Classification: Alternative Techniques. Imbalanced Class Problem

Network Security: Firewall, VPN, IDS/IPS, SIEM

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Raj Jain. Washington University in St. Louis

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks*

Traffic Classification Using Visual Motifs: An Empirical Evaluation

Chapter 5: Vulnerability Analysis

INTRODUCTION TO MACHINE LEARNING. Measuring model performance or error

A Survey And Comparative Analysis Of Data

An Intelligent Clustering Algorithm for High Dimensional and Highly Overlapped Photo-Thermal Infrared Imaging Data

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

Intrusion Detection System using AI and Machine Learning Algorithm

Graph-based Detection of Anomalous Network Traffic

An Anomaly-Based Intrusion Detection System for the Smart Grid Based on CART Decision Tree

Configuring Anomaly Detection

Configuring attack detection and prevention 1

Network Intrusion Detection Systems. Beyond packet filtering

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation

Deep Learning Approach to Network Intrusion Detection

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Page 1. Review: Firewalls. Goals for Today. Polls. Web Servers. Web Servers. CS (CS 161) Computer Security. Lecture 12

Host Identity Sources

Training for the cyber professionals of tomorrow

1. Intrusion Detection and Prevention Systems

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

Intrusion Detection Systems (IDS)

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved.

Anomaly Based Intrusion Detection for a Biometric Identification System using Neural Networks

IJCSC Volume 4 Number 2 September 2013 pp ISSN

Adding Contextual Information to Intrusion Detection Systems Using Fuzzy Cognitive Maps

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Transcription:

Anomaly Detection in Communication Networks Prof. D. J. Parish High Speed networks Group Department of Electronic and Electrical Engineering D.J.Parish@lboro.ac.uk Loughborough University

Overview u u u u u u Introduction Background What is an anomaly in the context of a communication network? Network Traffic Characteristics Intrusion Detection Exception Detection Anomaly detection approaches. Rule Based Window Based KS Statistic Others Performance Metrics Examples Summary

Classical Model n Anomaly - unusual event n Conventional mathematical model n Outlier of a distribution n Empirical distribution deviates from the model distribution 3

Anomaly Approach

Common Problems u Collecting the data u Source, location, number u FPs, FNs, u Learning Normal u Identifying a Change u Updating

Generic Approach Collect Measurements Pre-process/ Filter Intelligent Processing Network Performance Data

Types of Anomalies in Communication Network Data u Performance related Data. Delay, Throughput, loss, Faults, Routing Changes u Security related. Intrusions; Misuse(?), DDoS u Content related. Application usage, Data Type/Content

Network Traffic Characteristics u Bandwidth Average, Peak etc. u Delay Absolute and Variance. The end-to-end delay of a packet can be given by: D + W. Where D is a fixed element of delay and W is a variable element of delay. The inter-arrival time of two packets at a receiver can be given by: Delta = u Loss. ( D + W[ 1] ) ( D + W[ 2] )

Anomalies in Network Traffic Measurements u Results used to provide delay and loss measures for BT Operations. u Identifies changes in performancetermed Exceptions.

Example Data Exception- Step Step Changes 80000 70000 60000 50% small 50% large 95% small 95% large 99% small 99% large 50000 40000 30000 20000 10000 0

Example Data Exception- Time of Day Delay Variation 70000 60000 A Change in Time of Day Variation 50% small 50% large 95% small 95% large 99% small 99% large 50000 40000 30000 20000 10000 0

Intrusion Definitions (Computer) An incident of unauthorized access to data or an automated information system To compromise a computer system by breaking the security of such a system or causing it to enter into an insecure state

u A Active Process in which various aspects of a computer and network system are monitored and analysed for evidence of intrusion u Passive elements needed as well for prevention such as checking password strength etc.

IDS Characteristics CHARACTERISTIC DEFINITION CATEGORY Source of Information Learning Approach Detection Systems Cooperation Cooperative Systems Deployment Detection Timing Detection Methodology Defines from where the information used by IDSs is gathered. Defines how IDSs learn the difference between normal and malicious information. Defines the level of cooperation between different IDSs. Defines the way cooperative IDSs share the information. Defines how long takes to implement the intrusions detection. Defines the methodology utilised to implement the intrusions detection. Network-based Host-based Router-based Supervised Unsupervised Autonomous Cooperative Centralised Hieratical Distributed Off-Line On-Line Misuse Anomaly Hybrid

How can Intrusion Occur? u Often Two Phases: 1. Penetration u Trojan via Email u Worm via an Open Port 2. Exploitation u Compromising the Target via an Exploit u Buffer OverFlow Example

Buffer OverFlow Attack M Y D A T A M Y I P Buffer 1 Buffer 2 B A D A T A D B A D I P Oversize Malicious Data B A D I P Buffer 1 Overflow

Identifying Anomalies in Communication Networks u Rule Based (Misuse Detection) u Window Based Algorithms u KS (Kolmogorov Smirnov) Statistic u Data Mining (including Clustering Algorithms)

Detecting Intrusion u Two Fundamental Approaches: Rule Based (E.g. Snort) Free ID software Windows, Linux Anomaly Based: Often uses AI algorithms including Baysian Belief, ANN, GA, Data Mining, Case Based Reasoning

Rule Based IDS u Snort: (from http://www.snort.org/ snort) Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture

Example Snort Rules alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"telnet Attempted SU from wrong group"; flow: from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;) The variable $TELNET_SERVERS is defined in snort.conf file and shows a list of Telnet servers. Port number 23 is used in the rule, which means that the rule will be applied to TCP traffic going from port 23. The rule checks only response from Telnet servers, not the requests. The variable $EXTERNAL_NET is defined in the snort.conf file and shows all addresses which are outside the private network. The rule will apply to those telnet sessions which originate from outside of the private network. If someone from the internal network starts a Telnet session, the rule will not detect that traffic. The flow keyword is used to apply this rule only to an established connection and traffic flowing from the server. The content keyword shows that an alert will be generated when a packet contains to su root. The nocase keyword allows the rule to ignore case of letters while matching the content. The classtype keyword is used to assign a class to the rule. The attempted-admin class is defined with a default priority in classification.config file. The rule ID is 715. The rev keyword is used to show version of the rule.

Window Based Approaches

The KS Statistic u A non-parametric (i.e. Distribution type does not matter) test of similarity between two distributions.

u The Kolmogorov-Smirnov test statistic is defined as u D=max1 i N(F(Yi) i 1N,iN F(Yi)) u where F is the theoretical cumulative distribution of the distribution being tested which must be a continuous distribution (i.e., no discrete distributions such as the binomial or Poisson), and it must be fully specified (i.e., the location, scale, and shape parameters cannot be estimated from the data).

Using the KS Test Delay Graph with KS Statistic (1) route 4to10 0.18 4 0.16 3.5 0.14 3 Delay (seconds) 0.12 0.1 0.08 0.06 2.5 2 1.5 Delay KS Value 0.04 0.02 0 1.48 10.9 20.3 29.7 39.1 48.5 57.9 67.4 76.8 86.5 96 105 115 124 134 143 153 163 172 181 191 200 210 219 228 238 247 257 267 276 286 295 305 314 324 333 1 0.5 0 Time (hours)

Classifing the Detection Possible Exception Data K-S Test (Kolmogorov- Smirnov) Neural Network Classified Exception

Using a Neural Network

Using a Neural Network Classification Accuracy 120 100 80 Percentage Correct 60 40 Identification Rejection 20 0 Weekend Begin Weekend End Step Up Step Down ToD Up ToD Down Spike Exception Type

Anomaly Approach Using Data Mining

Clustering Algorithm for DoS

DDoS Abnormalities

Anomaly Example Data Rate

Anomaly Example Average Packet Size

Anomaly Example Destination Count

Anomaly Example FIN Count

Anomaly Example Ack Count

Anomaly TTL - 63

Example Detection Metric (IP Subnet Value)

2 nd Example TCP Syn Flags/Sec

Relative Importance of Detection Metrics

Performance Assessment u True Positive (TP)) refers to one attack frame that has been correctly classified as malicious. u True Negative (TN)) refers to one non-attack frame that has been correctly classified as legal frames. u False Positive (FP)) refers to one non-attack frame that has been misclassified as malicious. u False Negative (FN) refers to one attack frame ) refers to one attack frame that has been misclassified as legal frames.

u Detection Rate (DR)) is the proportion of attack frames correctly classified as malicious, among all the attack frames. u DR (%)= TP/FN+TP u False Positive Rate ( FP Rate ) is the proportion of nonattack frames misclassified as malicious, among all the evaluated frames. u FP Rate (%)= FP/TP+FP+TN+FN u False Negative Rate ( FN Rate ) is the proportion of attack frames misclassified as legal, among all the attack frames.

Overall Success Rate (OSR)) or Accuracy is the proportion of the total number of frames correctly classified, among all the evaluated frames. u OSR (%)= TN+TP/TP+FP+TN+FN Precision or Recall is the proportion of attack frames correctly classified as malicious, among all the alarms generated. u Precision (%)= TP/TP+FP F Score or F Measure is a tradeoff between Precision and DR. The

Summary and Conclusions

Review Questions 1. Which AI approach may be best for the following scenarios? u Determining which, of a number of groups, a particular pattern of an attack belongs to. u Combining the outputs of a number of different IDSs into a single result.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback