A Statistical Model for Detecting Abnormality in Static-Priority Scheduling Networks with Differentiated Services

Ming Li 1 and Wei Zhao 2

1 School of Information Science & Technology, East China Normal University, Shanghai 200062, China
mli@ee.ecnu.edu.cn, ming_lihk@yahoo.com
http://www.ee.ecnu.edu.cn/teachers/mli/js_mli(eng).htm
2 Department of Computer Science, Texas A&M University, College Station, TX 77843-111, USA
w-zhao@tamu.edu
http://faculty.cs.tamu.edu/zhao/

Abstract. This paper presents a new statistical model for detecting signs of abnormality in static-priority scheduling networks with differentiated services at connection level on a class-by-class basis. Formulas for the detection probability, the miss probability, the classification probabilities, and the detection threshold are proposed.

Keywords: Anomaly detection, real-time systems, traffic constraint, static-priority scheduling networks, differentiated services, time series.

1 Introduction

Anomaly detection has gained applications in computer communication networks, such as network security, see e.g. [1], [2], [3], [4], [5], [6], [7]. This paper considers the abnormality identification of arrival traffic time series (traffic for short) at connection level, which relates to traffic models. In traffic engineering, traffic models can be classified into two categories [8]. One is statistical modeling, as can be seen from [9], [10], [11]. The other is bounded modeling, see e.g. [12], [13], [14], [15]. Though statistical modeling has made considerable progress, one thing worth noting is that such models agree well with real-life data only in the aggregated case. In general, nevertheless, they are not enough when traffic at connection level has to be taken into account. In fact, traffic modeling at connection level remains challenging in the field [16]. In the academic area of computer science, a remarkable way to model traffic at connection level is to study traffic from the view of deterministic queuing theory, which is often called network calculus or bounded modeling.

One of the contributions of this paper is to develop the traffic constraint (a kind of deterministically bounded model [13]) into a statistical bound of traffic. Recent developments in networking exhibit an increased interest in differentiated services (DiffServ) [13], [17]. From the view of abnormality detection, instead of detecting abnormality of all connections, we are more interested in identifying abnormality of some connections in practice. Thus, this paper studies abnormality detection in the environment of DiffServ. As far as detection is concerned, the current situation is not lacking methods for detection [18] but short of reliable detection, as can be seen from a statement like this: "The challenge is to develop a system that detects close to 100 percent of attacks. We are still far from achieving this goal" [19]. From the view of statistical detection, however, instead of developing a way to detect close to 100 percent of abnormality, we study how to achieve an accurate detection for a given detection probability. By accurate detection, we mean that a detection model is able to report signs of abnormality for a predetermined detection probability. This presentation proposes an accurate detection model of abnormality in static-priority scheduling networks with DiffServ based on two points: 1) the null hypothesis and 2) averaging the traffic constraint in [13]. A key point in this contribution is to randomize the traffic constraint on an interval-by-interval basis so as to utilize techniques from the view of time series to carry out a statistical traffic bound, which we shall call the average traffic constraint for simplicity. To our best knowledge, this paper is the first attempt to propose the average traffic constraint from the view of stochastic processes and, moreover, to apply it to abnormality detection.

Y. Hao et al. (Eds.): CIS 2005, Part II, LNAI 3802, pp. 267-272, 2005. © Springer-Verlag Berlin Heidelberg 2005

The rest of the paper is organized as follows. Section 2 introduces an average traffic constraint in static-priority scheduling networks with DiffServ. Section 3 discusses detection probability and detection threshold. Section 4 concludes the paper.

2 Average Traffic Constraint

In this section, we first brief the conventional traffic constraint. Then, we randomize it to a statistical constraint of traffic. The traffic constraint is given by the following definition.

Definition 1: Let $f(t)$ be the arrival traffic function. If $f(t+I) - f(t) \le F(I)$ for $t > 0$ and $I > 0$, then $F(I)$ is called the traffic constraint function of $f(t)$ [13].
Definition 1 is a general description of the traffic constraint, meaning that the increment of the traffic $f(t)$ over any interval of length $I$ is upper-bounded by $F(I)$. It is actually a bounded traffic model [13]. The practical significance of such a model is to model traffic at connection level. Due to this, we write the traffic constraint function of a group of flows as follows.

Definition 2: Let $f_{p,j,k}(t)$ be all flows of the class with priority $p$ going through server $k$ from input link $j$. Let $F_k(I)$ be the traffic constraint function of $f_{p,j,k}(t)$. Then, $F_k(I)$ is given by $f_{p,j,k}(t+I) - f_{p,j,k}(t) \le F_k(I)$ for $t > 0$ and $I > 0$.

Definition 2 provides a bounded model of traffic in static-priority scheduling networks with DiffServ at connection level. Nevertheless, it is still a deterministic model in the bounded modeling sense. We now present a statistical model from the view of bounded modeling. Theoretically, the interval length $I$ can be any positive real number. In practice, however, it is usually selected as a finite positive integer. Fix the value of $I$ and observe $F_k(I)$ in the interval $[(n-1)I, nI]$, $n = 1, 2, \ldots, N$. For each interval, there is a traffic constraint function $F_k(I)$, which is also a function of the index $n$. We denote this function $F_k(I, n)$. Usually, $F_k(I, n) \ne F_k(I, q)$ for $n \ne q$. Therefore, $F_k(I, n)$ is a random variable over the index $n$. Now, divide the interval $[(n-1)I, nI]$ into $M$ non-overlapping segments. Each segment is of length $L$. For the $i$th segment, we compute the mean $E_i[F_k(I, n)]$ ($i = 1, 2, \ldots, M$), where $E$ is the mean operator. Again, $E_i[F_k(I, n)] \ne E_l[F_k(I, n)]$ for $i \ne l$. Thus, $E_i[F_k(I, n)]$ is a random variable too. According to statistics, if $M \ge 10$, $E_i[F_k(I, n)]$ quite accurately follows a Gaussian distribution [12], [20]. In this case,

$$E_i[F_k(I, n)] \sim \frac{1}{\sqrt{2\pi}\,\sigma} \exp\left[-\frac{\{E_i[F_k(I, n)] - \mu(F)\}^2}{2\sigma^2}\right], \quad (1)$$

where $\sigma^2$ is the variance of $E_i[F_k(I, n)]$ and $\mu(F)$ is its mean. We call $E_i[F_k(I, n)]$ the average traffic constraint of the traffic flow $f_{p,j,k}(t)$.

3 Detection Probability

In the case of $M \ge 10$, it is easily seen that

$$\Pr\left\{ z_{1-\alpha/2} < \frac{E_i[F_k(I, n)] - \mu(F)}{\sigma} < z_{\alpha/2} \right\} = 1 - \alpha, \quad (2)$$

where $(1-\alpha)$ is called the confidence coefficient. Let $C(F, \alpha)$ be the confidence interval with confidence coefficient $(1-\alpha)$. Then,

$$C(F, \alpha) = \left[\mu(F) - z_{\alpha/2}\,\sigma,\ \mu(F) + z_{\alpha/2}\,\sigma\right]. \quad (3)$$

The above expression exhibits that $\mu(F)$ is a template of the average traffic constraint. Statistically, with confidence $(1-\alpha)$ we can say that $E_i[F_k(I, n)]$ takes $\mu(F)$ as its approximation with a variation less than or equal to $z_{\alpha/2}\,\sigma$. Denote $\xi = E_i[F_k(I, n)]$. Then,

$$\Pr\{\xi > \mu(F) + z_{\alpha/2}\,\sigma\} = \alpha/2. \quad (4)$$

On the other hand,

$$\Pr\{\xi \le \mu(F) - z_{\alpha/2}\,\sigma\} = \alpha/2. \quad (5)$$
For facilitating the discussion, two terms are explained as follows. Correctly recognizing an abnormal sign means detection, and failing to recognize it means a miss. We explain the detection probability as well as the miss probability by the following theorem.

Theorem 1 (Detection probability and detection threshold): Let

$$V(F) = \mu(F) + z_{\alpha/2}\,\sigma \quad (6)$$

be the detection threshold. Let $P_{det}$ and $P_{miss}$ be the detection probability and the miss probability, respectively. Then,

$$P_{det} = P\{V < \xi < \infty\} = (1 - \alpha/2), \quad (7)$$

$$P_{miss} = P\{-\infty < \xi < V\} = \alpha/2. \quad (8)$$

Proof: The probability of $\xi \in C(F, \alpha)$ is $(1-\alpha)$. According to (2) and (5), the probability of $\xi \le V$ is $(1-\alpha/2)$. Therefore, $\xi > V$ exhibits a sign of abnormality with probability $(1-\alpha/2)$. Hence, $P_{det} = (1-\alpha/2)$. Since the detection probability plus the miss probability equals 1, $P_{miss} = \alpha/2$.

From Theorem 1, we can achieve the following statistical classification criterion for a given detection probability by setting the value of $\alpha$.

Corollary 1 (Classification): Let $f_{p,j,k}(t)$ be the arrival traffic of the class with priority $p$ going through server $k$ from input link $j$ at a protected site. Then,

$$f_{p,j,k}(t) \in \mathbf{N} \quad \text{if } E_i[F_k(I, n)] \le V, \quad (9a)$$

where $\mathbf{N}$ denotes the normal set of traffic flows, and

$$f_{p,j,k}(t) \in \mathbf{A} \quad \text{if } E_i[F_k(I, n)] > V, \quad (9b)$$

where $\mathbf{A}$ denotes the abnormal set. The proof is straightforward from Theorem 1. The diagram of our detection model is indicated in Fig. 1.

Fig. 1. Diagram of the detection model (blocks: feature extractor producing $\xi$ from $f(t)$; template $\mu(F)$ established from training traffic; detection threshold $V$ set from the detection probability $(1-\alpha/2)$; classifier comparing $\xi$ with $V$; report)
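The average traffic constraint of Section 2 and the threshold test of Theorem 1 and Corollary 1, as an added Python example that is not part of the original paper. It assumes that each of the $M$ segments is a run of $L = N/M$ consecutive intervals of the series $F_k(I, n)$, that $\mu(F)$ and $\sigma$ are estimated from a template phase of normal traffic, and that $z_{\alpha/2}$ is the standard normal quantile; all packet counts are constructed, not measured.

```python
import random
import statistics
from statistics import NormalDist

def traffic_constraint(arrivals, I):
    """F(I) for one observation window (Definition 1): the largest increment
    f(t+I) - f(t) of the cumulative arrival function f over the window."""
    f = [0]
    for a in arrivals:
        f.append(f[-1] + a)
    return max(f[t + I] - f[t] for t in range(len(f) - I))

def segment_means(constraints, M):
    """Split the series F_k(I, n), n = 1..N, into M non-overlapping segments
    of L = N // M intervals each and return the segment means E_i[F_k(I, n)]."""
    L = len(constraints) // M
    return [statistics.fmean(constraints[i * L:(i + 1) * L]) for i in range(M)]

def template(means, alpha):
    """Template mu(F), sigma, and threshold V(F) = mu(F) + z_{alpha/2} sigma (eq. 6)."""
    mu, sigma = statistics.fmean(means), statistics.stdev(means)
    z = NormalDist().inv_cdf(1 - alpha / 2)  # upper alpha/2 quantile of N(0, 1)
    return mu, sigma, mu + z * sigma

def classify(xi, V):
    """Corollary 1: xi <= V -> normal set (9a); xi > V -> abnormal set (9b)."""
    return "abnormal" if xi > V else "normal"

def synthetic_windows(rng, count, ticks, lo, hi):
    """Constructed per-tick packet counts for `count` windows (synthetic, not measured)."""
    return [[rng.randint(lo, hi) for _ in range(ticks)] for _ in range(count)]

def run_demo(alpha=0.01, I=10, W=20, N=200, M=20):
    rng = random.Random(7)
    # Template phase: N windows of W ticks of constructed normal traffic (3..7 packets per tick).
    normal = [traffic_constraint(w, I) for w in synthetic_windows(rng, N, W, 3, 7)]
    mu, sigma, V = template(segment_means(normal, M), alpha)
    # Detection phase: one segment (L = N // M windows) of a much heavier flow (10..15 per tick).
    heavy = [traffic_constraint(w, I) for w in synthetic_windows(rng, N // M, W, 10, 15)]
    xi = statistics.fmean(heavy)  # the feature xi = E_i[F_k(I, n)] for this segment
    return {"mu": mu, "sigma": sigma, "V": V, "xi": xi, "verdict": classify(xi, V)}

if __name__ == "__main__":
    print(run_demo())
```

With $\alpha = 0.01$ the threshold sits at $\mu(F) + 2.576\,\sigma$, so a segment whose mean constraint is only slightly above the template is still reported as normal; the heavier constructed flow exceeds $V$ by a wide margin.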
4 Conclusions

In this paper, we have extended the traffic constraint in [13], which is conventionally a bound function of arrival traffic, to a time series by averaging the traffic constraints of flows on an interval-by-interval basis in a DiffServ environment. Then, we have derived a statistical traffic constraint to bound traffic. Based on this, we have proposed a statistical model for the purpose of abnormality detection in static-priority scheduling networks with differentiated services at connection level. With the present model, signs of abnormality can be identified on a class-by-class basis according to a predetermined detection probability. The detection probability may be very high and the miss probability may be very low if $\alpha$ is set to be very small. The results in the paper suggest that abnormality signs can be detected at an early stage of the abnormality, since identification is done at connection level.

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China (NSFC) under the project grant number 6057315, by the National Science Foundation under Contracts 0081761, 034988, 039181, by the Defense Advanced Research Projects Agency under Contract 3060-99-1-0531, and by Texas A&M University under its Telecommunication and Information Task Force Program. Any opinions, findings, conclusions, and/or recommendations expressed in this material, either expressed or implied, are those of the authors and do not necessarily reflect the views of the sponsors listed above.

References

1. Li, M.: An Approach to Reliably Identifying Signs of DDOS Flood Attacks based on LRD Traffic Pattern Recognition. Computers & Security 23 (2004) 549-558
2. Bettati, R., Zhao, W., Teodor, D.: Real-Time Intrusion Detection and Suppression in ATM Networks. Proc., the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, April 1999, 111-118
3. Schultz, E.: Intrusion Prevention. Computers & Security 23 (2004) 265-266
4. Cho, S.-B., Park, H.-J.: Efficient Anomaly Detection by Modeling Privilege Flows Using Hidden Markov Model. Computers & Security 22 (2003) 45-55
5. Cho, S., Cha, S.: SAD: Web Session Anomaly Detection based on Parameter Estimation. Computers & Security 23 (2004) 312-319
6. Gong, F.: Deciphering Detection Techniques: Part III Denial of Service Detection. White Paper, McAfee Network Security Technologies Group, Jan. 2003
7. Sorensen, S.: Competitive Overview of Statistical Anomaly Detection. White Paper, Juniper Networks Inc., www.juniper.net, 2004
8. Michiel, H., Laevens, K.: Teletraffic Engineering in a Broad-Band Era. Proc. IEEE 85 (1997) 2007-2033
9. Willinger, W., Paxson, V.: Where Mathematics Meets the Internet. Notices of the American Mathematical Society 45 (1998) 961-970
10. Li, M., Zhao, W., et al.: Modeling Autocorrelation Functions of Self-Similar Teletraffic in Communication Networks based on Optimal Approximation in Hilbert Space. Applied Mathematical Modelling 27 (2003) 155-168
11. Li, M., Lim, S.C.: Modeling Network Traffic Using Cauchy Correlation Model with Long-Range Dependence. Modern Physics Letters B 19 (2005) 829-840
12. Le Boudec, J.-Y., Thiran, P.: Network Calculus, A Theory of Deterministic Queuing Systems for the Internet. Springer (2001)
13. Wang, S., Xuan, D., Bettati, R., Zhao, W.: Providing Absolute Differentiated Services for Real-Time Applications in Static-Priority Scheduling Networks. IEEE/ACM T. Networking 12 (2004) 326-339
14. Cruz, L.: A Calculus for Network Delay, Part I: Network Elements in Isolation; Part II: Network Analysis. IEEE T. Inform. Theory 37 (1991) 114-131, 132-141
15. Chang, C. S.: On Deterministic Traffic Regulation and Service Guarantees: a Systematic Approach by Filtering. IEEE T. Information Theory 44 (1998) 1097-1109
16. Estan, C., Varghese, G.: New Directions in Traffic Measurement and Accounting: Focusing on the Elephants, Ignoring the Mice. ACM T. Computer Systems 21 (2003) 270-313
17. Minei, I.: MPLS DiffServ-Aware Traffic Engineering. White Paper, Juniper Networks Inc., www.juniper.net, 2004
18. Leach, J.: TBSE An Engineering Approach to the Design of Accurate and Reliable Security Systems. Computers & Security 23 (2004) 265-266
19. Kemmerer, R. A., Vigna, G.: Intrusion Detection: a Brief History and Overview. Supplement to Computer (IEEE Security & Privacy) 35 (2002) 27-30
20. Bendat, J. S., Piersol, A. G.: Random Data: Analysis and Measurement Procedures. 2nd Edition, John Wiley & Sons (1991)