Stochastic Protocol Modeling for Anomaly Based Network Intrusion Detection




Juan M. Estevez-Tapiador, Pedro Garcia-Teodoro, and Jesus E. Diaz-Verdejo
Department of Electronics and Computer Technology, University of Granada, Spain
E-mail: {tapiador, pgteodor, jedv}@ugr.es

Abstract

A new method for detecting anomalies in the usage of protocols in computer networks is presented in this work. The proposed methodology is applied to TCP and organized in two steps. First, a quantization of the TCP header space is accomplished, so that a unique symbol is associated with each TCP segment. TCP-based network traffic is thus captured, quantized and represented by a sequence of symbols. The second step in our approach is the modeling of these sequences by means of a Markov chain. The analysis of the model obtained for diverse TCP sources reveals that it adequately captures the essence of the protocol dynamics. Once the model is built it is possible to use it as a representation of the normal usage of the protocol, so that deviations from the behavior provided by the model can be considered as a sign of protocol misusage.

Footnote 1. This work has been partially supported by the Spanish MECD under National Program PNFPU (reference AP2001-3805) and the Spanish MCYT under project TIC2002-02798 (FEDER funds 70%).

1. Introduction

Research in Intrusion Detection Systems (henceforth referred to as IDS) has been an active field during the last twenty years. Nevertheless, current detection technology still suffers performance limitations, namely its high false alarm probability, low detection accuracy and high monitoring and computing overhead. Traditionally there have been two main approaches to the problem of intrusion detection: misuse detection and anomaly detection. In misuse detection, each known attack is modeled through the construction of a signature. Incoming activities that match a pattern in the library of attack signatures raise an alarm. The percentage of false alarms depends on whether the matching algorithm allows only exact signature matching or some kind of deviation.
In anomaly detection the main objective is to model normal profiles of the system, so that substantial deviations from this behavior can be labeled as intrusive or, at least, as suspicious. Statistical techniques are surely the most used tools for the construction of normal activity patterns. Interested readers can find good surveys about IDS in [1] and [2].

Regardless of the method used for detecting attacks, an IDS can alternatively be classified as host based or network based depending on its source of input data. A host based IDS tries to identify intrusions by analyzing activities at hosts, mainly users and programs. For example, Denning [3] proposed a scheme in which patterns related to login times and resources consumed by users and programs were constructed. On the contrary, network based IDS do not focus on activities on hosts but on the traffic that is transported over the network [4]. Examples of network based IDS are Snort [5] and Bro [6].

The need to define the normal state of a monitored system is a crucial question for any anomaly based IDS. Several authors agree and point out that probably the most important challenge for these methods is the choice of the features to be modeled [7], [8]. Such features must characterize with precision the service, system or network usage patterns, in order to obtain an accurate model of the normal behavior of the object. But at the same time, they must have enough discriminant capacity to perform a correct separation of intrusive and non-intrusive activities. Measuring system normality thus turns into one of the most important points concerning the performance improvement of current detection systems.

In the case of host based IDS, several works have shown that the sequences of system calls executed by a program are excellent features for modeling the normal behavior [7], [9]. Once an application is sampled by means of the ordered set of system calls that it has executed, it is possible to extract some kind of statistical properties with the aim of modeling its behavior. Markov chains, rule learning systems and other approaches have been used for this purpose (e.g., see [10], [11]). In the context of network based IDS, it has been argued that several features associated with traffic modeling, like the volume of traffic in the network or statistics of the operation of application protocols, are particularly suited for detecting general novel attacks [12], [13]. Other proposed approaches define the normal state of the network by means of a finite automaton, so that each sequence of normal actions can be expressed by allowed transitions between states [8], [14]. Some of these proposals are signature based approaches, and state machines are used as a framework for the construction of attack patterns.

In this work we present a special case of anomaly based method for detecting protocol misusages in computer networks. A protocol anomaly detector is designed to monitor a given protocol looking for deviations from its normal usage. Justification for this approach comes from the fact that a large number of network attacks are founded on diverse protocol usages that fall outside the official protocol description. Building such a detector requires an analysis of the specific protocol implementation existing across the network. The approach taken in our work is inspired by that used in host based IDS. The basic idea is to define a set of features for a given protocol in such a way that they can be conceived as the equivalent of the system calls executed by the applications (i.e., as a signature of its operation). These features are subsequently used for characterizing network traffic that utilizes the protocol. The normal protocol usage is then modeled by means of a Markov chain, using these sequences of observations as inputs. Likewise, in this contribution we propose the use of a specific measure, called MAP, for evaluation purposes.

The rest of this paper is organized as follows. Section 2 introduces a brief background on Markov chains and their use for sequence recognition.
We describe in detail our approach to protocol modeling in Section 3, specifically its application to TCP. Section 4 provides further discussion concerning the proposed scheme and the results obtained. Finally, Section 5 summarises the paper by presenting our main conclusions, the benefits of the work developed and future research objectives.

2. A brief background on Markov chains

2.1. Foundations

Let us suppose a system which evolves through numbered states in accordance with probabilistic laws satisfying the Markov hypothesis (i.e., the state at time t+1 only depends on the state at time t). Each state of the set of possible states $\{S_1, S_2, \ldots, S_N\}$ represents a different and specific situation in which the system can be. Let the variable that represents the current state at time t be $q_t$. Then, if $P[q_t = i] > 0$, define $a_{ij}$ by

$$a_{ij} = P[q_{t+1} = j \mid q_t = i] = \frac{P[q_t = i,\; q_{t+1} = j]}{P[q_t = i]} \qquad (1)$$

and let A be the matrix $[a_{ij}]$. Then, if $P[q_t = i] > 0$,

$$a_{ij} \ge 0, \qquad \sum_j a_{ij} = 1 \qquad (2)$$

Thus the matrix of transition probabilities $A = [a_{ij}]$ represents the probability of being in state i at some time t and reaching state j at time t+1. According to the previous definitions any matrix $A = [a_{ij}]$ satisfying (2) can be used, together with initial probabilities $\pi = \{\pi_i\}$, where $\pi_i = P[q_1 = i]$, satisfying

$$\pi_i \ge 0, \qquad \sum_i \pi_i = 1 \qquad (3)$$

to define a Markov chain with stationary transition probabilities. The probability $p_j(n)$ of state j at time n is given recursively by

$$p_j(1) = \pi_j, \qquad p_j(n) = \sum_i p_i(n-1)\, a_{ij}, \quad n > 1 \qquad (4)$$

Good introductory texts about Markov chains are [15] and [16], and interested readers can find more detailed information there.

2.2. Parameter estimation in Markov chains

In this discussion we suppose that the knowledge concerning the different states reached by the system is acquired through the observation of the system outcomes. These outcomes are elements from a finite set $\{O_i\}$, so that the possible outcomes $O_i$ are referred to as possible states of the system. Let us suppose that a set of system observations $O_1, O_2, \ldots, O_T$ is given.

In the theory of Markov chains we consider the simplest generalization, which consists in permitting the outcome of any trial to depend on the outcome of the directly preceding trial (and only on it) [15]. Thus the matrix of transition probabilities can be estimated by:

$$a_{ij} = \frac{P[q_t = O_i,\; q_{t+1} = O_j]}{P[q_t = O_i]} \qquad (5)$$

Both terms of the previous expression can be calculated by means of a simple process of counting occurrences in the sequence of observations. On the other hand, the initial probabilities vector can be estimated in a similar way if a set of outcome sequences is available. Thus the initial probability of each symbol can be computed by simply counting the number of times the corresponding symbol appears at the beginning of the sequences.

2.3. Sequence recognition with Markov chains

Let us suppose a given Markov chain $\lambda = (A, \pi)$, where $A = [a_{ij}]$ is the matrix of transition probabilities and $\pi = (\pi_i)$ the vector of initial probabilities, and let $O = \{O_1, O_2, \ldots, O_T\}$ be a sequence of observed symbols. The problem of recognition with Markov chains is the problem of estimating $P[O \mid \lambda]$, that is, the probability of the observed sequence as evaluated by the chain. A useful measure for this purpose is the Maximum A-posteriori Probability (MAP), defined as:

$$\mathrm{MAP}(O, \lambda) = \pi_{O_1} \prod_{t=1}^{T-1} a_{O_t O_{t+1}} \qquad (6)$$

A problem with this measure is that it converges quickly to zero. Therefore, it is sometimes more useful to use a representation in a logarithmic scale, that is:

$$\mathrm{LogMAP}(O, \lambda) = \log(\pi_{O_1}) + \sum_{t=1}^{T-1} \log(a_{O_t O_{t+1}}) \qquad (7)$$

The use of accumulated probabilities presents the inconvenience that no probability can be zero. This is usually solved by means of a previous smoothing of the model. Although several methods exist for this purpose, probably the simplest smoothing technique consists in setting those probabilities lower than a given threshold to a fixed value.

3. TCP Modeling with Markov chains

3.1. Parameterization and quantization

Information concerning signaling and dynamics in network protocols is located in the PDU (Protocol Data Unit) headers. Thus, it might be expected that useful variables for modeling the normal protocol behavior will be the values of header fields or some combination of them.

Figure 1. Illustration of the TCP quantization process. Flags are considered as a binary number n of 6 bits, so that $S_n$ is the symbol associated with the TCP segment.

Our basic approach consists in obtaining a representation of the network traffic at a given layer (i.e., the modeling of the corresponding protocol) as a sequence of scalar observations. Once this transformation is achieved, the next step will be the modeling of such a sequence. For this purpose it is necessary to carry out a quantization stage of the protocol headers. In the case of TCP, most of the information related to the signaling is located in the fields known as flags [17]. A simplistic but effective approach is to consider the flags configuration of each TCP segment as its signature. Thus, it is possible to associate a unique symbol $S_p$ with each segment:

$$S_p = 1\cdot\mathrm{syn} + 2\cdot\mathrm{ack} + 4\cdot\mathrm{psh} + 8\cdot\mathrm{rst} + 16\cdot\mathrm{urg} + 32\cdot\mathrm{fin} \qquad (8)$$

where each flag name stands for the value (0 or 1) of that flag in the segment. The idea behind this simple quantization scheme is illustrated in Figure 1. Flags are retrieved from each segment and arranged in the order shown in the cited figure. The symbol associated with the segment is obtained according to expression (8), i.e., considering the flags configuration as a binary number. We thus obtain a 64-valued quantization dictionary, in which each element represents a different configuration of flags. According to the protocol specification [17] not all of these configurations are valid. For example, a TCP segment with the SYN and RST flags simultaneously set to 1 is not coherent with the correct protocol usage and, hence, can be considered as a protocol misuse. Most of these protocol misuses are basic tools for information gathering processes like port scanning. Current techniques used in NIDS to detect this kind of attacks are signature-based, so that a pattern representing the attack is constructed. Subsequently, some kind of pattern matching algorithm is used to find evidence of any known attack in the incoming network traffic. Surely the most limiting characteristic of this approach is the impossibility of recognizing those attacks that have not previously been typified by means of a signature.

3.2. Data sets

As a first approach we have used incoming TCP traffic filtered by destination port (i.e., by application or service) as training sequences. The applications monitored for our experiments have been SSH, HTTP, and FTP, and several connections have been recorded for each one of them. Table 1 shows some characteristics of the traffic files used. Such traffic has been obtained by monitoring normal, incoming connections to a single host running an FTP server, an SSH server, and an HTTP server in our laboratory. The capture, filtering and extraction of the TCP headers can easily be made with tcpdump [18] or any similar tool. Each file contains several non-interleaved sessions. To be precise, each session is a sequence of ordered TCP headers which will be transformed into a sequence of symbols according to the quantization process. For example, Figure 2 shows a portion of an SSH file with two complete sessions (each session always has the symbol $S_1$ as starting value).

Table 1. Data sets of normal traffic used for the construction of a TCP model. The size of each trace indicates the number of recorded TCP headers.

FTP service                 HTTP service                SSH service
Trace   Sessions   Size     Trace    Sessions   Size    Trace   Sessions   Size
ftp.1   14         5207     http.1   29         8975    ssh.1   11         3349
ftp.2   9          3762     http.2   41         13862   ssh.2   9          3294
ftp.3   18         6862     http.3   102        28107   ssh.3   12         3766
ftp.4   32         18101    http.4   57         19343   ssh.4   24         7069
ftp.5   69         27753    http.5   98         50462   ssh.5   143        63252
ftp.6   78         51345    http.6   62         21310   ssh.6   218        122355
ftp.7   156        133615   http.7   117        41329   ssh.7   241        151142

3.3. Model estimation

Figure 3 graphically illustrates the estimation process for the model. TCP headers collected in the data sets are quantized so that each session is represented as an ordered sequence of symbols like that shown in Figure 2. These traces are then used as inputs for the estimation algorithm briefly described in Section 2.2. The results of this process are the matrix of transition probabilities and the vector of initial probabilities. This task is carried out separately with the traces corresponding to each application. The obtained models are shown in Figure 4. For example, the model obtained with sequences from FTP traffic presents four states with non-null probability of transition: $S_1$, $S_2$, $S_6$, and $S_{34}$ (see Figure 4). State $S_1$ corresponds to a TCP segment with the SYN flag set to 1, and represents the request for the establishment of a connection. States $S_2$ and $S_6$ are conceptually identical and represent the acknowledgment of a received packet. Nevertheless, while $S_2$ only has the ACK flag set to 1, state $S_6$ corresponds to a segment with the ACK and PSH flags set to 1. This difference could originate from different states of network load, so that certain packets are labeled with the PSH flag for their immediate delivery. Finally, state $S_{34}$ corresponds to a packet with the FIN and ACK flags set to 1. It represents an acknowledgment of a previous packet and simultaneously the closing of the connection.

Figure 2. Sequence of symbols corresponding to two short SSH sessions. The first session starts at time t=1 and finishes at time t=75, while the second one starts at time t=76 and finishes at time t=148.

The analysis of the transitions obtained for this model reveals that it has captured the correct dynamics specified for the TCP protocol [17]. More specifically, this model is a subset of the well known TCP state machine. The previous discussion is likewise applicable to the models obtained for the HTTP and SSH services. Although they are essentially equivalent, the observed differences, like the appearance of states with the RST flag, originate from the usage that the particular application makes of the protocol. In any case, it is possible to identify the same semantics of protocol utilization in these models.

3.4. Testing the model

After the training period a Markov chain is available for the incoming TCP traffic of each specific application. These models can be evaluated according to expressions (6) and (7), thus obtaining performance measures related to their discriminative power between correct and wrong TCP usage. The testing procedure is as follows. Incoming traffic is filtered according to its destination port (i.e., the receiving application). Each packet in the flow is then processed by extracting its TCP header and quantized according to expression (8). The obtained sequence of symbols is then passed through the model and evaluated. Figure 5 shows examples of outputs produced by the corresponding model during two HTTP sessions. A smoothed model has been used during the evaluation period in order to solve the problem of null probabilities. The implemented method was that briefly described in Section 2.3: those probabilities lower than a given threshold of $10^{-6}$ were set to that value.

The output shown in the upper graph in Figure 5 corresponds to a normal session. The function LogMAP for this kind of traffic always has a shape similar to that shown in the figure. While the incoming symbols correspond well with those expected by the model, the respective probabilities of transition between them are adequate and, thus, the accumulated sum given by the LogMAP has no abrupt changes of slope. On the contrary, the appearance of any pattern of non-expected symbols produces a burst of consecutive low probabilities. This phenomenon can easily be observed as an abrupt change in the slope of the output, like those shown in the lower graph in Figure 5. A useful method for detecting these changes and, hence, the presence of anomalous traffic is to check when the derivative of LogMAP is higher than a fixed threshold. We have used for that purpose the family of functions:

Figure 3. Graphical illustration of the Markov chain estimation process.

Figure 4. Estimated models for different services over TCP. The values of the transition probabilities between states are also shown. Each transition is defined by the current state and the next state. Transitions not shown in the table are zero.

$$D_{W_m}(t) = \mathrm{LogMAP}(t) - \frac{1}{W_m} \sum_{i=1}^{W_m} \mathrm{LogMAP}(t-i) \qquad (9)$$

for values of the parameter $W_m = 1, 2, 3, \ldots$ Note that the second term in (9) is the mean of the last $W_m$ outputs. Figure 6 shows the effect of this parameter on the response produced by the detector. An increment of its value induces an amplification of the output. Note that the smoothing parameter plays an equivalent although inverse role: small values of the smoothing threshold will produce more abrupt changes of slope.

Data sets of anomalous traffic used during the test period have been obtained using tools that exploit several TCP weaknesses and ambiguities for different purposes. For example, nmap [19] and other scanning tools utilize certain TCP segments like the following in order to achieve their objectives:

- Null scan, in which no flag is activated.
- Xmas scan, in which all the flags are set to 1.
- Stealth FIN, in which a segment with the FIN flag activated is sent against a port without a previously established connection.

These and other techniques are well known and appropriate filters could be written and installed on a signature based IDS for their detection. However, it is obvious that detection capabilities will be given by the library of attack signatures available and, hence, new attacks require new signatures. On the contrary, the use of anomaly detectors implies that not only well known misusages will be detected but also those not yet exploited. Figure 7 shows the results of monitoring four consecutive SSH sessions. While sessions 1 and 4 do not contain any malicious traffic, sessions 2 and 3 include several forms of misusage. The graphs illustrate how the detectors correctly capture these anomalies.

Figure 5. Comparative output graphs produced by the HTTP chain with normal and anomalous TCP traffic corresponding to two sessions. In the lower graph, attacks are located at time t=37, t=85, t=118, t=172, and t=235.

Figure 6. Effect of the parameter $W_m$ on the response produced by the detector. Higher values produce an amplification of the output.

Figure 7. Output produced by the detector during the monitoring of four consecutive SSH sessions. Sessions 2 and 3 contain several attacks, while sessions 1 and 4 are correct. It is clearly shown how the detector has adequately captured the protocol misuses.

4. Discussion

According to the methodology exposed in the previous section, the results obtained after the training procedure are a set of individual models: one for each service. To be precise, each one of these models contains the correct (but specific) usage that a given service makes of the protocol. The deployment of detectors based on this scheme would be as previously described: each isolated model monitors incoming traffic whose target is the corresponding application. Although this approach presents several benefits, its main disadvantage is exactly this specialization property, regardless of performance considerations. It is thus possible that a given service makes use of only a certain subset of the correct protocol usage. The presence of activities that fall within the correct, formal protocol specification but that have not been previously seen by the model raises the alarm. This limitation is inherent to the definition of an anomaly based detector: every anomalous event is suspicious. However, it is reasonable to conceive a unique model for the usage of the protocol (TCP in this case), regardless of the application that utilizes it. In other words, an interesting objective to be tackled is obtaining a model for the usage that the entire network system makes of the protocol.
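The following Python script is an added worked example (not the paper's own code) that ties together the procedure of Sections 2.2, 2.3, 3.1 and 3.4: flag quantization per equation (8), transition estimation by counting per equation (5), the smoothed running LogMAP of equation (7), and the derivative detector of equation (9). The training sessions and the scanned session are constructed symbol sequences, not the paper's data sets; the conversion from a raw TCP flags byte assumes the RFC 793 bit layout (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20).

```python
"""Quantize TCP flags into symbols (eq. 8), estimate a Markov chain by counting (eq. 5),
score a session with a smoothed LogMAP (eq. 7) and flag abrupt drops with D_{W_m} (eq. 9)."""
import math
from collections import Counter, defaultdict

# Flag weights of equation (8): S_p = syn + 2 ack + 4 psh + 8 rst + 16 urg + 32 fin.
FLAG_WEIGHTS = {"syn": 1, "ack": 2, "psh": 4, "rst": 8, "urg": 16, "fin": 32}

# Bit masks of the raw TCP flags byte (RFC 793 layout, low six bits); assumption, see lead-in.
RAW_MASKS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def quantize(flags):
    """Symbol S_p for a segment, given the names of the flags that are set."""
    return sum(FLAG_WEIGHTS[f] for f in flags)


def quantize_raw(flags_byte):
    """Symbol S_p from the raw flags byte of a TCP header, re-weighted into the paper's order."""
    return quantize(name for name, mask in RAW_MASKS.items() if flags_byte & mask)


def estimate_chain(sessions):
    """Estimate A = [a_ij] (eq. 5) and the initial vector pi by counting occurrences over
    non-interleaved sessions, as Section 2.2 describes."""
    transitions = defaultdict(Counter)
    first_symbols = Counter()
    for seq in sessions:
        first_symbols[seq[0]] += 1
        for cur, nxt in zip(seq, seq[1:]):
            transitions[cur][nxt] += 1
    A = {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
         for cur, row in transitions.items()}
    pi = {s: n / len(sessions) for s, n in first_symbols.items()}
    return A, pi


def log_map(seq, A, pi, eps=1e-6):
    """Running LogMAP(t) (eq. 7) for t = 1..T. Probabilities below eps, including
    transitions never seen in training (probability zero), are raised to eps (Section 2.3)."""
    out = [math.log(max(pi.get(seq[0], 0.0), eps))]
    for cur, nxt in zip(seq, seq[1:]):
        out.append(out[-1] + math.log(max(A.get(cur, {}).get(nxt, 0.0), eps)))
    return out


def detect(logmap, w_m, threshold):
    """Positions t where the drop -D_{W_m}(t) of eq. (9) exceeds threshold, with
    D_{W_m}(t) = LogMAP(t) - mean of the previous w_m LogMAP values."""
    alarms = []
    for t in range(w_m, len(logmap)):
        window_mean = sum(logmap[t - i] for i in range(1, w_m + 1)) / w_m
        if -(logmap[t] - window_mean) > threshold:
            alarms.append(t)
    return alarms


# Constructed training sessions (client-to-server segments only, as with the paper's
# destination-port filtering): SYN (S_1), ACK (S_2), PSH+ACK (S_6), FIN+ACK (S_34).
NORMAL_SESSIONS = [
    [1, 2, 6, 2, 6, 6, 2, 34, 2],
    [1, 2, 6, 6, 2, 6, 2, 2, 34, 2],
    [1, 2, 2, 6, 2, 6, 6, 34, 2],
    [1, 2, 6, 2, 34, 2],
]
# Constructed test session: a Null scan segment (S_0, no flags) and an Xmas segment
# (S_63, all flags) appear in the middle of an otherwise ordinary session.
SCAN_SESSION = [1, 2, 6, 0, 63, 2, 6, 34, 2]


def run_example(w_m=1, threshold=5.0):
    """Train on NORMAL_SESSIONS; return alarm positions for a clean session and for SCAN_SESSION."""
    A, pi = estimate_chain(NORMAL_SESSIONS)
    clean = detect(log_map(NORMAL_SESSIONS[3], A, pi), w_m, threshold)
    scan = detect(log_map(SCAN_SESSION, A, pi), w_m, threshold)
    return clean, scan


if __name__ == "__main__":
    print(run_example())  # ([], [3, 4, 5])
```

A global chain like the one discussed in Section 4 is obtained by passing the concatenated session lists of all services to estimate_chain, which is why its transition probabilities come out as a weighted mixture of the per-service ones.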
Such a model can easily be built with the same procedure as before, but using all the training data without regard to the destination port. It is obviously expected that the model obtained with this new approach will be a unification of the individual chains shown in Figure 4. Although the set of reachable states for such a model is the effective union of the states contained in the isolated models, the transitions between them can be substantially different. Hence, they need to be computed again within the new framework. Likewise, an eventual loss of detection accuracy due to the smaller specialization of the complete protocol model is accepted.

Figure 8 shows the global TCP chain obtained after the training process using all the data sets described in Table 1. As was expected, the model for the entire TCP usage is composed of all the states present in the individual chains. On the other hand, the new transition probabilities between them can be seen as a weighted mixture of the previous ones. It is possible to illustrate this fact with a simple example. Let us consider the transition from state $S_2$ to state $S_6$. The probability of this transition is 0.66 in the case of the FTP chain, 0.26 in the case of the HTTP chain, and 0.05 for the SSH case (see Figure 4). The corresponding probability value for this transition in the global model is 0.11. Similar comparisons can be established for the rest of the transition probabilities.

Figure 9 shows experimental intrusion detection results for this new model. In this case the evaluation has been made with a smoothing value of $10^{-9}$. It is clearly observed how the model detects protocol misuses in the same way as the application-dependent models did. However, an important fact must be commented on. Comparing Figures 5 and 9 it is clearly shown that the output ranges provided by the sequence evaluation have changed. The specific HTTP chain produces values lower than 1.5 for normal traffic and higher than 17 for anomalous traffic. Evaluation of the same traffic with the new model provides an output lower than 6 for normal traffic and higher than 9 for anomalous usages. This phenomenon is directly related to the loss of specialization of the general model that has been previously discussed. Nevertheless, the detection accuracy can be controlled through the smoothing parameter as well as $W_m$. For example, in the case of the application-dependent chains the experiments reveal that a smoothing value of $10^{-6}$ is enough for a good discrimination. However, for the case of the global TCP chain, a value of $10^{-9}$ or lower is necessary for an accurate separation of correct and wrong TCP usages.

Figure 8. TCP chain obtained with different sources. Note how the entire model can be seen as an average of the previous, individual chains.

Figure 9. Output produced by the global TCP detector during the monitoring of two SSH sessions and two HTTP sessions. Although the detection accuracy has not decreased, it may be observed how the output ranges have changed.

5. Conclusions and future work

In this paper we have presented preliminary results of a new approach for the detection of anomalies in the usage of network protocols. The previously described method, applied to TCP, has proved to be effective in all our experiments. Besides the modeling scheme proposed, another important contribution is the use of the MAP measure and its logarithm for testing purposes. This procedure has been widely used in other applications (e.g., speech recognition) where Markov chains are appropriate solutions for sequence recognition. The continuous output given by this function can easily be interpreted as a measure of the probability of recognition of the input sequence. Moreover, the derivative of the LogMAP is an excellent candidate for the construction of anomaly detectors. A simple method based on a threshold can be applied to the response provided by the LogMAP. Differences between the outputs for normal and anomalous traffic can be controlled by the parameter $W_m$ and the smoothing threshold, thus facilitating the adjustment of the detectors.

In the case of TCP, we have shown that the results obtained are similar to those that could be derived from a model directly built from the formal specification of the protocol. Nevertheless, this way of proceeding is not always feasible, for several reasons. First, although a specification of each protocol exists, it is often ambiguous and, hence, very reliant on the implementation. For example, it is well known that different operating systems have protocol stacks with different behaviors in some circumstances. In this context, a model of the protocol usage derived directly from its use in the environment is more appropriate. Furthermore, there are protocols that do not have anything similar to the TCP state machine. For these protocols it is useful to build a model, not only from their general use, but from the specific utilization that the network applications are making of them. This last fact is a crucial point for any anomaly based network intrusion detection.

The deployment of sensors based on the proposed protocol modeling must not be conceived as a complete solution for detection purposes. On the contrary, their use in conjunction with other anomaly detection techniques as well as signature methods is strongly recommended. It must be considered that attacks based on protocol misusage are only a piece of the current attack technology. We firmly believe that a layered approach can be used for the detection of anomalous usages of network protocols.

Future work will study the application of this methodology to other protocols. The modeling of application level protocols (e.g., HTTP or DNS) for the detection of abnormal uses and intrusion attempts is especially attractive and will be tackled next. A previous theoretical and empirical study of the protocol is required for the completion of this objective, in order to obtain those significant features that contain important information concerning its use. Moreover, once the protocol usage is represented as sequences of observations, other modeling techniques will be studied and evaluated. Likewise, the monitoring of the host's own outgoing traffic stands out as an interesting research topic. Correlation of incoming and outgoing traffic models could provide better results than those obtained by only monitoring incoming activities.

References

[1] J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, and E. Stoner, State of the practice of intrusion detection technologies, Technical Report CMU/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon, January 2000.
[2] S. Axelsson, Intrusion Detection Systems: A Survey and Taxonomy. Available: http://citeseer.nj.nec.com/axelsson00intrusion.html, 2000.
[3] D. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering, vol. SE-13, no. 2, pp. 222-232, February 1987.
[4] B. Mukherjee, L. T. Heberlein and K. N. Levitt, Network Intrusion Detection, IEEE Network, vol. 8, no. 3, pp. 26-41, May/June 1994.
[5] M. Roesch, Snort: lightweight intrusion detection for networks, in Proceedings of the 1999 USENIX LISA Conference, November 1999.
[6] V. Paxson, Bro: A system for detecting network intruders in real-time, in Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, 1998.

[7] C. Warrender, S. Forrest and B. Pearlmutter, Detectng Intrusons Usng System Calls: Alternatve Data Models, Proceedngs of 1999 IEEE Symposum on Securty and Prvacy, pp. 133-145, 1999. [8] K. Llgun, R. A. Kemmerer, Fellow, IEEE and P. A. Porras, State Transtons Analyss: A Rule-based Intruson Detecton Approach, 1995. [9] S. Forrest, S. A. Hofmeyr, A. Somayaj and T. A. Logstaff, A sense of Self for Unx process, Proceedngs of 1996 IEEE Symposum on Computer Securty and Prvacy, pp. 120-128, 1996. [10] S. Jha, K. Tan, and R. A. Maxon, Markov Chans, Classfers, and Intruson Detecton, n Proceedngs of the 14 th IEEE Computer Securty Foundatons Workshop, pp. 206-219, 2001. [11] T. Lunt, A. Tamaru, F. Glham, R.Jagannathan, P. Neumann, H. Javtz, A. Valdes, and T. Garvey. A realtme ntruson detecton expert system (IDES) fnal techncal report. Teccncal Report, Computer Scence Laboratory, SRI Internatonal, Menlo Park, Calforna, February 1992. [12] J.B.D. Cabrera, B. Ravchandran, and R. K. Mehra, Statstcal Traffc Modelng for Network Intrusón Detecton, n Proceedngs of the 8 th IEEE Internatonal Symposum on Modelng, Analyss and Smulaton of Computer Telecommuncaton Systems, pp. 466-473, 2000. [13] M. Bykoba, S. Ostermann, and B. Tjaden, Detectng Network Intrusons va a Statstcal Analyss of Network Packet Characterstcs, n Proceedngs of the 33 rd IEEE Southeastern Symposum on System Theory, pp. 309-314, 2001. [14] S. Zheng, C. Peng, X. Yng, and X. Ke, A Network State Based Intruson Detecton Model, n Proceedngs of the Internatonal IEEE Conference on Computer Networks and Moble Computng, pp. 481-486, 2001. [15] J. L. Doob, Stochastc Processes, John Wley & Sons, 1953 [16] W. Feller, An Introducton to Probablty Theory and Its Applcatons, Vol. I, 3 rd Edton, John Wley & Sons, 1968. [17] J. Postel, Transmsson Control Protocol, RFC793, September 1981. [18] V. Jacobson, C. Leres, and S. McCanne, tcpdump, http://www.tcpdump.org, June 1994. 
[19] Fyodor, Nmap Free Stealth Port Scanner for Network Exploraton & Securty Audts. Avalable: http://www.nsecure.org/nmap/ndex.html
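As an added illustration of the threshold detector described in the conclusions (example code, not the paper's own implementation or data), the following Python trains a first-order Markov chain on constructed TCP flag sequences, scores sliding windows of Wm symbols with a smoothed log-probability standing in for logMAP, and shows how lowering the smoothing parameter (10^-6 against 10^-9) widens the gap between normal and anomalous usages. The flag abbreviations, the additive smoothing scheme and the sample sessions are assumptions.

```python
import math
from collections import defaultdict

# Constructed training set: TCP flag sequences of normal connections used as the
# chain's observation symbols (assumed abbreviations: S=SYN, SA=SYN/ACK, A=ACK,
# PA=PSH/ACK, FA=FIN/ACK, R=RST). Not the paper's data.
SYMBOLS = ["S", "SA", "A", "PA", "FA", "R"]
NORMAL_SESSIONS = [
    ["S", "SA", "A", "PA", "A", "PA", "A", "FA", "A", "FA", "A"],
    ["S", "SA", "A", "PA", "A", "FA", "A", "FA", "A"],
    ["S", "SA", "A", "PA", "PA", "A", "FA", "FA", "A"],
    ["S", "SA", "A", "A", "PA", "A", "R"],
]

def train_chain(sessions):
    """Count first-order transitions a->b over all training sessions."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sessions:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return counts

def log_transition(counts, a, b, eps):
    """Smoothed log P(b | a): a transition never seen in training gets mass eps
    instead of log(0) (assumed additive smoothing, standing in for the paper's
    smoothing parameter)."""
    row_total = sum(counts[a].values())
    return math.log((counts[a][b] + eps) / (row_total + eps * len(SYMBOLS)))

def window_scores(seq, counts, eps, wm):
    """Average log-transition score of every sliding window of wm symbols;
    averaging keeps the output range comparable across window sizes."""
    scores = []
    for i in range(len(seq) - wm + 1):
        win = seq[i:i + wm]
        total = sum(log_transition(counts, a, b, eps) for a, b in zip(win, win[1:]))
        scores.append(total / (wm - 1))
    return scores

def is_anomalous(seq, counts, eps, wm, threshold):
    """Threshold detector: flag the sequence if any window scores below threshold."""
    return min(window_scores(seq, counts, eps, wm)) < threshold

if __name__ == "__main__":
    chain = train_chain(NORMAL_SESSIONS)
    normal = ["S", "SA", "A", "PA", "A", "FA", "A"]
    # Constructed anomalous usage: repeated SYN segments with no handshake completion
    anomalous = ["S", "S", "S", "S", "S", "S"]
    for eps in (1e-6, 1e-9):
        print(eps, min(window_scores(normal, chain, eps, 4)),
              min(window_scores(anomalous, chain, eps, 4)))
```

With eps = 10^-6 the unseen S->S transition scores about -15 per step while the normal session stays above -1, so a single threshold separates them; with eps = 10^-9 the anomalous score drops to about -22 and the normal score barely moves.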