Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup

Transcription

1 Network Anomaly Detection A Machine Learning Perspective Dhruba Kumar Bhattacharyya Jugal Kumar KaKta»C) CRC Press J Taylor & Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Croup, an Informs business A CHAPMAN & HALL BOOK

2 Contents List of Figures xv List of Tables xvii Preface xix Acknowledgments xxi Abstract xxiii Authors xxv 1 Introduction 1 11 The Internet and Modern Networks 3 12 Network Vulnerabilities 4 13 Anomalies and Anomalies in Networks 5 14 Machine Learning 7 15 Prior Work on Network Anomaly Detection 9 16 Contributions of This Book Organization 13 2 Networks and Anomalies Networking Basics Typical View of a Network Communication Media Guided Media Unguided Media Network Software Layered Architecture Connection-Oriented and Connection less Services Service Primitives Services and Protocols 22 vii

3 viii Contents 21A Reference Models The ISO OSI Reference Model TCP/IP Reference Model Protocols Transport Control Protocol User Datagram Protocol Internet Protocol (IP) SMTP SNMP ICMP FTP Telnet Types of Networks Local Area Networks (LAN) Wide Area Networks (WAN) Metropolitan Area Network (MAN) Wireless Networks Internetworks The Internet Scales of Networks Network Topologies Bus Ring Tree Star Hardware Components Network Communication Devices Network Interface Card (NIC) Transceivers Media Converter Network Performance Network Performance Constraints Network Performance Parameter Tun ing Performance Oriented System Design Protocols for Gigabit Networks Faster Processing of TPDU Anomalies in a Network Network Vulnerabilities 46

4 Contents ix Network Configuration Vulnerabilities 2212 Network Hardware Vulnerabilities 2213 Network Perimeter Vulnerabilities 2214 Network Monitoring and Logging Vul nerabilities Communication Vulnerabilities Wireless Connection Vulnerabilities Security-Related Network Anomalies Who Attacks Networks Precursors to an Attack Network Attacks Taxonomy Denial of Service (DoS) User to Root Attacks (U2R) Remote to Local (R2L) Probe Discussion 55 3 An Overview of Machine Learning Methods Introduction Types of Machine Learning Methods Supervised Learning: Some Popular Methods Decision and Regression Trees Classification and Regression Tree Support Vector Machines Unsupervised Learning Cluster Analysis Various Types of Data Proximity Measures Clustering Methods Discussion Outlier Mining Association Rule Learning Basic Concepts Frequent Itemset Mining Algorithms Rule Generation Algorithms Discussion Probabilistic Learning Learning Bayes Nets Simple Probabilistic Learning: Naive Bayes Hidden Markov Models 108

5 X Contents 354 Expectation Maximization Algorithm Soft Computing Artificial Neural Networks Rough Sets Fuzzy Logic Evolutionary Computation Ant Colony Optimization Reinforcement Learning Hybrid Learning Methods Discussion Detecting Anomalies in Network Data Detection of Network Anomalies Host-Based IDS (HIDS) Network-Based IDS (NIDS) Anomaly-Based Network Intrusion Detection Supervised Anomaly Detection Approach Issues Unsupervised Anomaly Detection Approach Issues Hybrid Detection Approach Issues Aspects of Network Anomaly Detection Proximity Measure and Types of Data Relevant Feature Identification Anomaly Score Datasets Public Datasets KDD Cup 1999 Dataset NSL-KDD Dataset Private Datasets: Collection and Preparation TUIDS Intrusion Dataset Network Simulation Discussion Feature Selection Feature Selection vs Feature Extraction Feature Relevance Advantages Applications of Feature Selection 160

6 Contents xi 541 Bioinformatics Network Security Text Categorization Biometrics Content-Based Image Retrieval Prior Surveys on Feature Selection A Comparison with Prior Surveys Problem Formulation Steps in Feature Selection Subset Generation Random Subset Generation Heuristic Subset Generation Complete Subset Generation Feature Subset Evaluation Dependent Criteria Independent Criteria Goodness Criteria Result Validation External Validation Internal Validation Feature Selection Methods: A Taxonomy Existing Methods of Feature Selection Statistical Feature Selection Information Theoretic Feature Selection Soft Computing Methods Clustering and Association Mining Approach Ensemble Approach Subset Evaluation Measures Inconsistency Rate Relevance Symmetric Uncertainty Dependency Fuzzy Entropy Hamming Loss Ranking Loss Systems and Tools for Feature Selection Discussion 189

7 xii Contents 6 Approaches to Network Anomaly Detection Network Anomaly Detection Methods Requirements Types of Network Anomaly Detection Methods Anomaly Detection Using Supervised Learning Parametric Methods Nonparametric Methods Anomaly Detection Using Unsupervised Learning 641 Clustering-Based Anomaly Detection Methods 642 Anomaly Detection Using the Outlier Mining 643 Anomaly Detection Using Association Mining 65 Anomaly Detection Using Probabilistic Learning Methods Using the Hidden Markov Model Methods Using Bayesian Networks Naive Bayes Methods Gaussian Mixture Model Methods Using the EM Algorithm Anomaly Detection Using Soft Computing Genetic Algorithm Approaches Artificial Neural Network Approaches Fuzzy Set Theoretic Approach Rough Set Approaches Ant Colony and AIS Approaches Knowledge in Anomaly Detection Expert System and Rule-Based Approaches Ontology- and Logic-Based Approaches Anomaly Detection Using Combination Learners 681 Ensemble Methods Fusion Methods Hybrid Methods Discussion Evaluation Methods Accuracy Sensitivity and Specificity Misclassification Rate Confusion Matrix Precision, Recall and F-measure Receiver Operating Characteristics Curves Performance 241

8 Contents xiii 73 Completeness Timeliness Stability Interoperability Data Quality, Validity and Reliability Alert Information Unknown Attacks Detection Updating References Discussion Tools and Systems Introduction Attacker's Motivation Steps in Attack Launching Launching and Detecting Attacks Attack Launching Tools and Systems 8132 Attack Detecting Tools and Systems 82 Attack Related Tools Taxonomy Information Gathering Tools Sniffing Tools Network Mapping or Scanning Tools Attack Launching Tools Trojans Denial of Service Attacks Packet Forging Attack Tools Application Layer Attack Tools Fingerprinting Attack Tools User Attack Tools Other Attack Tools Network Monitoring Tools Visualization Tools Attack Detection Systems Discussion Open Issues, Challenges and Concluding Remarks Runtime Limitations for Anomaly Detection Systems Reducing the False Alarm Rate Issues in Dimensionality Reduction Computational Needs of Network Defense Mechanisms 291

9 xiv Contents 95 Designing Generic Anomaly Detection Systems Handling Sophisticated Anomalies Adaptability to Unknown Attacks Detecting and Handling Large-Scale Attacks Infrastructure Attacks High Intensity Attacks More Inventive Attacks Concluding Remarks 293 References 295 Index 337