Stochastic Protocol Modeling for Anomaly-Based Network Intrusion Detection

Transcription

1 2003 IEEE International Workshop on Information Assurance March 24th, 2003 Darmstadt, Germany Stochastic Protocol Modeling for Anomaly-Based Network Intrusion Detection Juan M. Estévez-Tapiador Pedro García-Teodoro Jesús E. Díaz-Verdejo Signals, Telematics and Communications Group Department of Electronics and Computer Technology University of Granada SPAIN

2 1 Introduction Context of the work: Network Intrusion Detection Anomaly Detection (for intrusion detection) Protocol-Specific Anomaly Detection: Monitor a given protocol Look for deviations from its normal usage Justification: A large amount of network attacks are founded on protocol usages that: 1) fall out of the official protocol description, and 2) are uncommon 2

3 2 Protocol Modeling with Markov Chains Approach: modeling packet arrival as a stochastic process Overview System Architecture

4 3 Application to TCP 3.1 Parameterization & Quantization (I) 4 Idea: to associate one symbol with each TCP segment In TCP, most of the information related to signaling is located in the fields known as flags Simple quantization scheme: To consider the flags configuration of each TCP segment as its signature S p 6 = i= 1 w i b i = S + 2 R + 4 P + 8 R + 16 U + 32 F (64-valued quantization dictionary)

5 3 Application to TCP 3.1 Parameterization & Quantization (II) After this step: each session is represented as a temporal sequence of symbols Of course, others quantization approaches are allowed. For example, considering each segment (packet) as a vector and performing clustering techniques in order to obtain a few prototypes. 5

6 3 Application to TCP 3.2 Data sets Traffic recorded for different services: FTP, SSH, HTTP Each session constitutes a training instance Trace ftp.1 ftp.2 ftp.3 ftp.4 ftp.5 ftp.6 ftp.7 Service FTP No. of sessions Total Size Trace http.1 http.2 http.3 http.4 http.5 http.6 http.7 Service HTTP No. of sessions Total Size Trace ssh.1 ssh.2 ssh.3 ssh.4 ssh.5 ssh.6 ssh.7 Service SSH No. of sessions Total Size

7 3 Application to TCP 3.3 Model Construction Estimation of the model using data sets (training) One TCP-model for each specific service (FTP, HTTP, SSH) 7

8 3 Application to TCP 3.4 Evaluation (I) 8 Evaluation:estimate P[Observation Model] Measure: MAP (Maximum A-posteriori Probability) MAP T 1 ( O, λ ) = π O1 t = 1 Problems with MAP: 1) Converges quickly to zero LogMAP 2) Events with null probability smoothing Detection Principle: anomalies are low probability events low probabilities induce changes of slope in LogMAP a O O t t+ 1

9 3 Application to TCP 3.4 Evaluation (II) Detector = Aproximation of discrete derivative + Threshold D Wm ( t) = 1 LogMAP( t) W m W m i= 1 LogMAP( t i) 9

10 10 3 Application to TCP 3.4 Evaluation (III) More examples: Anomalous behavior Session 2 Session 3 Normal behavior Session 1 Session 4

11 4 Discussion: Global Model 4.1 Approach & Model Construction Use all data sets to train the model, without a previous filtering according to the destination port. The tranining procedure is the same. Model obtained: Mean of the previous ones More general Usage of TCP, regardless of the specific service 11

12 4 Discussion: Global Model 4.2 Evaluation Ranges of the detection signal have changed Less accurate separation between normal and anomalous behaviors 12

13 5. Conclusions and Future Work 13 Consider network traffic as a stochastic process: Markov chains as models (although others are allowed) Evaluation by means of: LogMAP(t), D W (t). Protocol Anomaly Detection: use in conjunction with other anomaly/signature-based methods. Future research objectives: Application to other protocols (good results with HTTP) Study of outcoming traffic as well as correlation

14 14 6. Comments and Questions Thank you very much for your attention Comments Questions Etc...

15 APPENDIX I A Brief Background on Markov Chains a System which evolves through states Γ = {S 1, S 2,..., S N } Discrete time: t = 1, 2,..., n,... q t = state at time t Satisfying Markov hypothesis Markov chain: λ = (A, Π) A = Matrix of transition probabilities Π ={π i } = Vector of initial probabilities: π i =P[q 1 =i] ij Estimation of A (Π is analogous) = [ = j q = i] P q t+ 1 t = [ t = i, qt+ 1 = j] P[ q = i] P q t MAP Evaluation T 1 ( O, λ ) = π O1 t = 1 a O O t t+ 1 15