AUTONOMOUS NETWORK SECURITY FOR DETECTION OF NETWORK ATTACKS



Similar documents
International Journal of Innovative Research in Computer and Communication Engineering

Conclusions and Future Directions

HYBRID INTRUSION DETECTION FOR CLUSTER BASED WIRELESS SENSOR NETWORK

Design and simulation of wireless network for Anomaly detection and prevention in network traffic with various approaches

Mining Anomalies in Network-Wide Flow Data. Anukool Lakhina, Ph.D. with Mark Crovella and Christophe Diot

WEB APPLICATION FIREWALL

Consensus Extraction from Heterogeneous Detectors to Improve Performance over Network Traffic Anomaly Detection

Detecting Network Anomalies. Anant Shah

Characterization of Network-Wide Anomalies in Traffic Flows

KEITH LEHNERT AND ERIC FRIEDRICH

Echidna: Efficient Clustering of Hierarchical Data for Network Traffic Analysis

Authentication Anomaly Detection: A Case Study On A Virtual Private Network

A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING

Increasing Reliability in Network Traffic Anomaly Detection

Joint Entropy Analysis Model for DDoS Attack Detection

A Survey on Intrusion Detection System with Data Mining Techniques

How To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme

Taxonomy of Intrusion Detection System

Development of a Network Intrusion Detection System

How to Detect and Prevent Cyber Attacks

Credit Card Fraud Detection Using Self Organised Map

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

A Novel Approach for Network Traffic Summarization

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Speedy Signature Based Intrusion Detection System Using Finite State Machine and Hashing Techniques

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA

Calculation Algorithm for Network Flow Parameters Entropy in Anomaly Detection

Network Intrusion Detection Systems

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation

Anomaly Detection Approaches for Communication Networks

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

CHAPTER 1 INTRODUCTION

Data Clustering for Anomaly Detection in Network Intrusion Detection

Hashdoop: A MapReduce Framework for Network Anomaly Detection

On Entropy in Network Traffic Anomaly Detection

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Intrusion Detection System with Deceptive Virtual Host

A new Approach for Intrusion Detection in Computer Networks Using Data Mining Technique

Characteristics of Network Traffic Flow Anomalies

Flow-based Worm Detection using Correlated Honeypot Logs

On A Network Forensics Model For Information Security

Continuous Time Bayesian Networks for Host Level Network Intrusion Detection

Efficient Security Alert Management System

Bisecting K-Means for Clustering Web Log data

Effect of sampling rate and monitoring granularity on anomaly detectability

Using Data Mining for Mobile Communication Clustering and Characterization

How To Protect A Network From Attack From A Hacker (Hbss)

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation

Role of Anomaly IDS in Network

Social Media Mining. Data Mining Essentials

An Overview of Knowledge Discovery Database and Data mining Techniques

Sequential Non-Bayesian Network Traffic Flows Anomaly Detection and Isolation

DISTRIBUTED ANOMALY DETECTION IN WIRELESS SENSOR NETWORKS

Methodologies for detecting DoS/DDoS attacks against network servers

A Study of Web Log Analysis Using Clustering Techniques

Intrusion Detection Systems

Salvatore J. Stolfo 606 CEPSR

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

SURVEY OF INTRUSION DETECTION SYSTEM

Detecting Constant Low-Frequency Appilication Layer Ddos Attacks Using Collaborative Algorithms B. Aravind, (M.Tech) CSE Dept, CMRTC, Hyderabad

System for Denial-of-Service Attack Detection Based On Triangle Area Generation

Statistical analysis of Snort alarms for a medium-sized network

An Artificial Immune Model for Network Intrusion Detection

Signature-aware Traffic Monitoring with IPFIX 1

Concept and Project Objectives

Web Application Security

V.Priyadharshini 1, Dr.K.Kuppusamy 2 Dept of Computer Science & Engg Alagappa University, Karaikudi,Tamilnadu,India

STONE: A Stream-based DDoS Defense Framework

A survey on Data Mining based Intrusion Detection Systems

Network packet payload analysis for intrusion detection

Fuzzy Network Profiling for Intrusion Detection

PhD Proposal: Functional monitoring problem for distributed large-scale data streams

Transcription:

AUTONOMOUS NETWORK SECURITY FOR DETECTION OF NETWORK ATTACKS Nita V. Jaiswal* Prof. D. M. Dakhne** Abstract: Current network monitoring systems rely strongly on signature-based and supervised-learning-based detection methods to hunt out network attacks and anomalies. The unsupervised detection of network attacks represents an extremely challenging goal. In this paper we present a completely unsupervised approach to detect attacks, without relying on signatures, labeled traffic, or training. The method uses robust clustering techniques to detect anomalous traffic flows, sequentially captured in a temporal sliding-window basis. The structure of the anomaly identified by the clustering algorithms is used to automatically construct specific filtering rules that characterize its nature, providing easy-to-interpret information to the network operator. The clustering algorithms are highly adapted for parallel computation, which permits to perform the unsupervised detection and construction of signatures in an online basis. We evaluate the performance of this new approach to discover and to build signatures for different network attacks without any previous knowledge, using real traffic traces. Results show that knowledge-independent detection and characterization of network attacks is possible, opening the door to a whole new generation of autonomous security algorithms. Index Terms Unsupervised Anomaly Detection & Characterization, Robust & Distributed Clustering, Automatic Generation of Signatures, Autonomous Security. Vol. 1 No. 6 December 2012 www.garph.co.uk IJARIE 6

INTRODUCTION Network traffic anomaly detection has become a vital network building-block for any ISP in today s Internet. Ranging from non-malicious unexpected events such as flash-crowds and failures, to network attacks such as Denials-of-Service (DoS/DDoS), network scans, and spreading worms, network traffic anomalies can have serious detrimental effects on the performance and integrity of the network. The principal challenge in automatically detecting and analyzing traffic anomalies is that these are a moving target. It is virtually impossible to precisely define the set of anomalies that may arise, especially in the case of network attacks, because new attacks as well a new variant of already known attacks are continuously emerging. A general anomaly detection system should therefore be able to detect a wide range of anomalies with diverse structure, using the least amount of previous information, ideally no information at all. The principal challenge in automatically detecting and analyzing network attacks is that these are a moving and ever-growing target [1]. Two different approaches are by far dominant in the literature and commercial security devices: signature-based detection and anomaly detection. Signature-based detection systems are highly effective to detect those attacks which they are programmed to alert on. However, they cannot defend the network against unknown attacks. Even more, building new signatures is expensive and timeconsuming, as it involves manual inspection by human experts. Anomaly detection uses labeled data to build normal-operation-traffic profiles, detecting anomalies as activities that deviate from this baseline. Such methods can detect new kinds of network attacks not seen before. In this paper we present a completely unsupervised method to detect and characterize network attacks, without relying on signatures, training, or labeled traffic of any kind. Our approach relies on robust clustering algorithms to detect both well-known as well as completely unknown attacks, and to automatically produce easy-to-interpret signatures to characterize them, both in an on-line basis. BODY A general anomaly detection system should therefore be able to detect a wide range of anomalies with diverse structure, using the least amount of previous information, ideally no information at all. Vol. 1 No. 6 December 2012 www.garph.co.uk IJARIE 7

Two different approaches are by far dominant in current research literature and commercial detection systems: signature-based detection and anomaly detection. Signature-based detection is the de-facto approach used in standard security devices such as IDSs, IPSs, and firewalls. When an attack is discovered, generally after its occurrence during a diagnosis phase, the associated anomalous traffic pattern is coded as a signature by human experts, which is then used to detect a new occurrence of the same attack. Signature-based detection methods are highly effective to detect those attacks which they are programmed to alert on. However, they cannot defend the network against new attacks, simply because they cannot recognize what they do not know. In addition, building new signatures is a resources-consuming task, as it involves manual traffic inspection by human experts. On the other hand, anomaly detection uses labeled data to build normal operation-traffic profiles, detecting anomalies as activities that deviate from this baseline. Such methods can detect new kinds of network attacks not seen before. Nevertheless, anomaly detection requires training for profiling, which is time consuming and depends on the availability of purely anomaly-free traffic data-sets. Labeling traffic as anomaly-free is not only time consuming and expensive, but also prone to errors in the practice, since it is difficult to guarantee that no anomalies are buried inside the collected data. In addition, it is not easy to keep an accurate and up-to-date normal-operation profile. The problem of network anomaly detection has been extensively studied during the last decade. Most of the approaches analyze statistical variations of traffic volume descriptors (e.g., number of packets, bytes, or new flows) and/or particular traffic features (e.g., distribution of IP addresses and ports), using either single-link measurements or networkwide data. A non-exhaustive list of standard methods includes the use of signal processing techniques (e.g., ARIMA modeling, wavelets-based filtering) on single-link traffic measurements [2,3],Kalman filters [4] for network-wide anomaly detection, and Sketches applied to IP-flows [6 8]. Our approach falls within the unsupervised anomaly detection domain. The vast majority of the unsupervised detection schemes proposed in the literature are based on clustering and outliers detection, being [11 13] some relevant examples. In [11], authors use a singlelinkage hierarchical clustering method to cluster data from the KDD 99 data-set, based on the standard Euclidean distance for inter-patterns similarity. [12] reports improved results in Vol. 1 No. 6 December 2012 www.garph.co.uk IJARIE 8

the same data-set, using three different clustering algorithms: Fixed-Width clustering, an optimized version of k-nn, and one class SVM. [13] presents a combined density-grid-based clustering algorithm to improve computational complexity, obtaining similar detection results. PCA and the sub-space approach is another well-known unsupervised anomaly detection technique, used in [5,7] to detect network-wide traffic anomalies in highly aggregated traffic flows. Our paper is that these two knowledge-based approaches are not sufficient to tackle the anomaly detection problem, and that a holistic solution should also include knowledgeindependent analysis techniques. To this aim we propose UNADA, an Unsupervised Network Anomaly Detection Algorithm that detects network traffic anomalies without relying on signatures, training, or labeled traffic of any kind. REFERENCES [1] S. Hansman, R. Hunt A Taxonomy of Network and Computer Attacks, in Computers and Security, vol. 24 (1), pp. 31-43, 2005. [2]. P. Barford, J. Kline, D. Plonka, and A. Ron, A Signal Analysis of Network Traffic Anomalies, in Proc. ACM IMW, 2002. [3]. J. Brutlag, Aberrant Behavior Detection in Time Series for Network Monitoring, in Proc. 14th Systems Administration Conference, 2000. [4]. A. Soule et al., Combining Filtering and Statistical Methods for Anomaly Detection, in in Proc. ACM IMC, 2005. [5]. A. Lakhina, M. Crovella, and C. Diot, Diagnosing Network-Wide Traffic Anomalies, in Proc. ACM SIGCOMM, 2004 [6]. B. Krishnamurthy et al., Sketch-based Change Detection: Methods, Evaluation, and Applications, in Proc. ACM IMC, 2003. [7]. A. Lakhina, M. Crovella and C. Diot, Mining [8]. G. Dewaele et al., Extracting Hidden Anomalies using Sketch and non Gaussian Multiresolution Statistical Detection Procedures, in Proc. SIGCOMM LSAD,2007. [9] A. Lakhina, M. Crovella, C. Diot, Mining Anomalies Using Traffic Feature Distributions, in Proc. ACM SIGCOMM, 2005. [10] A. Lakhina, M. Crovella, C. Diot, Diagnosing Network-Wide Traffic Anomalies,in Proc. ACM SIGCOMM, 2004. Vol. 1 No. 6 December 2012 www.garph.co.uk IJARIE 9

[11]. L. Portnoy, E. Eskin, and S. Stolfo, Intrusion Detection with Unlabeled Data Using Clustering, in Proc. ACM DMSA Workshop, 2001. [12]. E. Eskin et al., A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data, in Applications of Data Mining in Computer Security, Kluwer Publisher, 2002. [13]. K. Leung and C. Leckie, Unsupervised Anomaly Detection in Network Intrusion Detection Using Clustering, in Proc. ACSC05, 2005. Vol. 1 No. 6 December 2012 www.garph.co.uk IJARIE 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information