Fuzzy Based Diagnostics System for Identifying Network Traffic Flow Anomalies

Gobithasan Rudrusamy, Azrudin Ahmad, Rahmat Budiarto, Azman Samsudin, Sureswaran Ramadass
Network Research Group, School of Computer Sciences, Universiti Sains Malaysia, Minden Campus 11800, Minden, Penang, Malaysia
Tel: +604-8602692, Fax: +604-6574757, E-mail: {gobithasan, azru}@nrg.cs.usm.my, {rahmat, azman, sures}@cs.usm.my

Abstract

In recent years, much work has been done in the area of tool development in order to ease a network administrator's job. However, there is a lack of tools that collect and process flow data efficiently. This paper discusses the use of network traffic properties in passive network monitoring for recognizing and identifying anomalies. A fuzzy based diagnostic system, embedded with properties to recognize and identify network operation anomalies intelligently, together with a Neural Network acting as tuner, is proposed in this paper. The paper focuses on constructing a fuzzy system that takes the decoded data packets as inputs in order to identify anomalies. Aspects such as the selection of a suitable fuzzy set operation and its tuning have proved to increase the reliability of the computed result. In this approach, Takagi and Sugeno's fuzzy model has been implemented. With this fuzzy model, network operation anomalies are detected in accordance with the intensity of the anomaly. The model also has the capability of choosing the suitable type of alert: log, email or SMS. By incorporating the fuzzy model with a neural network, network operators are able to spend more time troubleshooting faults, thus minimizing the downtime of a particular segment in a network.

Keywords: fuzzy systems, neural network, passive network monitoring, network operation anomaly.

Introduction

The idea of developing a fuzzy based diagnostics for identifying network traffic anomalies in network operation has been a vital step to overcome problems as well as to serve as an aid in the field of network monitoring. Proper network monitoring tools are essential to simulate worst case or stressed network performance scenarios in order to assist network capacity planning.
Early experiments with traffic measurement tools such as NetMon [1] and Spade [2], developed for monitoring network traffic, and MRTG [3], a popular tool used by many network operators for network traffic measurement, revealed similarities among them as well as some drawbacks. The known features of these tools which are also part of the reporting engine are, namely, to provide visual data and/or create log files, which require tedious inspection of the log files. A further constraint is the indication of false alarms and/or excessive notification of an anomaly at a particular timestamp. Lastly, all the alarming and reporting facilities form a large monolithic application which is difficult to manage and configure. The steps involved in the process of network traffic inspection are to classify and identify a precise characterization of anomalous network traffic behavior, and hence to represent it in a set of rules which make up the heart of the Fuzzy System. The main benefit of this system is to reduce the volume of data that the network administrators need to analyze, thus enabling them to spend more time on tasks that require higher skill levels, such as diagnosing the cause of the problem and fixing the fault [16]. The three major classes of anomalous traffic behavior are network operation anomalies, network abuse anomalies and flash crowd anomalies [4]. This paper focuses mainly on developing a tool to monitor a data network passively in the field of network operation anomalies, which include plateau behavior, network device outages and significant differences due to configuration changes. Flash crowd behavior [5] has also been looked into. The main aim of this research is to experimentally reduce some of the possible constraints of the existing tools by introducing a fuzzy based diagnostics system for identifying network traffic anomalies.

Approach and Methods

The Main Structure of the System

The main architecture of the fuzzy system is featured in Figure 1. This is a general overview of the whole system. All the fuzzy set operations depicted in the shaded boxes are defined in the following subsections of this paper.
Figure 1: The structure of the system. (Blocks: inputs from network adapter in promiscuous mode, packet flow, packet filter, fuzzifier, fuzzy sets, membership function, knowledge storage with initial rules, decision process, defuzzifier, Neural Network acting on the highest fuzzy fire strength, and alert outputs SMS, E-mail and Log.)

The Packet Capture Driver is manipulated in order to have the capability to capture raw data packets from Ethernet/IEEE 802.3 technologies [6]. It sniffs all the packets on the wire, not just the packets [7] which are intended for the particular node. The received frames are decapsulated and filtered in accordance with the parameters set for the system.

Referring to Figure 2, the system consists of two major parts, which are Fuzzy Logic and Neural Network. The former is used in the decision making processes and the latter for learning processes. The implementation of both parts forms a hybrid system which has the capability of learning, adaptation and identification. However, in this paper the focus is only given to constructing a knowledge-based Fuzzy system by manipulating the data packets in order to identify anomalies. The characteristics of the fuzzy system application in this case are as customary, with decoded data packets as inputs. The system consists of two modes, the Survey mode and the Ready to Alert mode. Each mode plays its respective function as stated in Figure 2. The functions are important since different data networks convey different patterns of packet movement on the wire. Likewise, different segments of the same data network have different characteristics. Each network has its own peculiar network traffic curve that does not change significantly over time [13]. In this case, a Neural Network has been implemented as a tuner for the fuzzy system.

Figure 2: The two modes for the system.

Figure 3: The particular fields tunneled to the fuzzifier in accordance with the modules.

The system variables and fuzzy parameters

By capturing the essentials of the problem, the design of the process is constructed, leaving aside all the factors that could be arbitrary.
In general, the simpler the parameters which are kept, the more understandable the behavior of the system, and the more efficient it will be in the sense of computation power consumption [8], [9], [10], [11]. In this paper, much attention is given to the aspects of selecting a suitable fuzzy set operation and tuning it, taking into consideration the reliability of the computed result. In this system, Takagi and Sugeno's fuzzy model [10] has been implemented. This fuzzy model can be formulated in the following form:

$R^i$: If $x_1$ is $A_1^i$ and ... and $x_n$ is $A_n^i$ then $y^i = a_0^i + a_1^i x_1 + \dots + a_n^i x_n$    (1)

where $R^i$ ($i = 1, 2, \dots, l$) denotes the $i$-th implication, $l$ is the number of fuzzy implications, and $y^i$ is the output from the $i$-th implication. The consequent parameters are $a_p^i$ ($p = 0, \dots, n$), with $x_1, \dots, x_n$ as the antecedent variables, and $A_p^i$ are fuzzy sets whose membership functions are denoted by the same symbols as the fuzzy values. Figure 4 presents the standardized antecedent parameters used for the four modules stated in Figure 3. Since time is a variant element that plays an important role in gauging a pattern, it is used against type of packets, number of packets and size of packets captured, respectively, for a fixed timestamp.

Figure 4: The input parameters for data network traffic diagnostics.

Out of the different fuzzy variable membership functions, the type used for this research is the triangular function. Triangular functions are used because piecewise linear functions are easy to handle with a computer in the sense of storage and computation [10]. The crisp input for the first two modules represents the number of packets, according to type, transmitted at a particular timestamp. For the purpose of monitoring, the Internetwork Packet (IP) packets and Internetwork Packet Exchange (IPX) packets, which are the majority of the packets transmitted through the NetWare server in the School of Computer Sciences, USM NRG Lab, are experimented with. NetWare is used in the lab to provide services such as transparent remote file access and distributed network services, namely printer sharing [13]. Hence, it is important to watch over the IPX type of packets. The advantage of NetWare is that it is designed with IPX RIP and IPX SAP, which broadcast every 60 seconds for updates. IP packets, in turn, encapsulate different types of packets such as UDP, TCP, ICMP, OSPF and IGMP. They capture a broader perspective while retaining a unique pattern for a particular data network segment. The modules for Network Utilization and Bytes per Sec. are constructed based on the standardized antecedent parameters as in Figure 4. For rule construction, data collected from the selected network segments are investigated for patterns. The data concerning abnormal network traffic flow behaviors are analyzed thoroughly. Utilizing the available data together with expert knowledge, the finer rules are developed, producing a precise alert type with minimum overhead.

Linguistic rules and evaluation

The control rules are defined using the linguistic terms associated with the fuzzy sets that appear in the fuzzy partitions of the domains.
Figure 5 shows the initial control rules for the IP Packet vs. Time module. However, different types of rules have to be constructed for the other respective modules. Extreme cases are facilitated for immediate response by the Short Message Service (SMS), and responses differ according to the fluctuation in the percentage of anomaly.

Figure 5: The initial control rules for the IP Packet vs. Time module.

From Equation 2, $A_1^i \in \{\text{ExtremeLow}, \text{Low}, \text{Average}, \text{High}, \text{ExtremeHigh}\}$ and $A_2^i \in \{\text{AfterMidnight}, \text{EarlyMorning}, \text{Morning}, \text{Afternoon}, \text{Evening}, \text{Night}, \text{Midnight}\}$, with $i = 1, 2, \dots, 5 \times 7$ for the rules $R^i$. The consequent sets are in linear form as stated in equation 1. The decision logic determines the degree to which a measured input fulfils the premise of a rule, called the degree of applicability [10]. The decision logic applies each rule $R_r$ separately. The value of equation 2 gives the degree of applicability of the premise of the rule $R_r$ for $k$ control rules:

$\alpha_r = \min\{A_{1,r}(x_1), \dots, A_{n,r}(x_n)\}, \quad r = 1, \dots, k$    (2)

It can be derived from equation 2 that rule $R_r$ implies, for the measured input $(x_1, \dots, x_n)$, the output fuzzy set

$R_r(x_1, \dots, x_n) : Y \to [0,1]$, with membership $\min\{A_{1,r}(x_1), \dots, A_{n,r}(x_n)\} = \alpha_r$    (3)

The choice of the defuzzification strategy

Given an input $(x_1, \dots, x_n)$, the final output of the fuzzy model, $y$, is inferred by taking the weighted average of the $y^i$'s:

$y = \dfrac{\sum_{i=1}^{l} w_i\, y^i}{\sum_{i=1}^{l} w_i}$    (4)

where $w_i > 0$, $y^i$ is calculated for the input by the consequent equation of the $i$-th implication, and the weight $w_i$ represents the overall truth value of the premise of the $i$-th implication for the input, calculated as:

$w_i = \prod_{p=1}^{n} A_p^i(x_p)$    (5)

Result

Comparison with existing approach

Accurate characterization of important classes of anomalies greatly facilitates their identification, which depends on robust and timely data [13]. Some of the current best practices for identifying and diagnosing traffic anomalies consist mainly of visualizing traffic from different perspectives and drawing on prior experience [1], [2], [3]. In general, automating the anomaly identification process has been difficult in the sense of generating precise alerts for a given abnormal condition. There has been a vast amount of research on identifying network traffic anomalies utilizing tools such as the Integrated Measurement Analysis Platform for Internet Traffic (IMAPIT), which has been able to provide substantial information to detect anomalies [13]. IMAPIT includes a signal analysis utility which enables network traffic data to be decomposed into its frequency components using wavelet and framelet systems. Wavelets provide a means for isolating characteristics of signals via a combined time-frequency representation. This is mainly used to isolate short- and long-lived traffic anomalies. The deviation score [13] has been used to isolate anomalies effectively and has been generalized for threshold based alerts. However, less focus has been given to the alert modes and to methods of investigating and facilitating various networks. In order to overcome this, methods of embedding intelligence in a network diagnosis tool have been experimented with in this research. Fuzzy logic has been implemented for this purpose by constructing rules derived from daily and weekly traffic cycle data.

Figure 6: Flash Crowd Behavior based on the Bytes Per Sec. Module.

Figure 7 shows the comparison between the normal and abnormal network traffic flow in the NRG segment. The abnormality of the flow was monitored on a different day, on which a power failure had occurred. This is an example of a short-lived anomaly which was detected. Taking into consideration the scenario, which had a sudden and rapid fluctuation of the spike, the typical response was to alert via SMS. In the case of other factors contributing towards the abnormality of the flow, the pattern of the graph will show a deviation from the standard pattern. This is clearly shown in Figure 8, whereby a network device, for instance a hub, caused a network segment to go down.

Figure 7: Comparison of normal and abnormal network traffic based on packet count. (Panels: Normal network traffic based on packet count; Abnormal network traffic based on packet count; levels ExtremeLow, Low, Average, High, ExtremeHigh.)

FL based Diagnostics

The two main groups of anomalies, separated based on observed duration, are long-lived and short-lived events [13]. The first group consists of flash crowd events, which are long-lived events. An example of a flash crowd event is the occurrence of heavy traffic due to service demand in the most extreme. Referring to Figure 6, the shaded area refers to the flash crowd behavior of a segment in the USM network due to a software release. During the flash crowd event it should be noted that both the increment of the average packet size and the use of the Bytes Per Sec. module enable easy detection. The height of the peak of the graph in Figure 6 determines the appropriate decision to be taken based on the initial rules stated in Figure 5. The four decisions in this case are: ignore under normal circumstances, log when the peak deviates slightly higher than normal, email when the deviation of the peak is greater, and Short Message Service (SMS) when the deviation is acutely high. For the case of Figure 6, the decision of a periodic email would be taken.
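The Takagi-Sugeno inference described above (triangular memberships, one rule per level and time-of-day combination, product weights as in equation 5, weighted average as in equation 4) and the ignore/log/email/SMS decision, as an added Python example that is not the paper's code: the partitions, the expected level per time period and the consequent values are constructed assumptions, and the consequents are constants (zero-order Takagi-Sugeno) rather than the paper's linear form.

```python
"""Zero-order Takagi-Sugeno alert selection for packet counts per timestamp (added example)."""
from itertools import product

def tri(x, a, b, c):
    """Triangular membership with feet a, c and peak b; 0 outside (a, c)."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

# Constructed partitions (assumptions, not the paper's Figure 4): packets per window, hour of day.
LEVELS = {"ExtremeLow": (-250, 0, 250), "Low": (0, 250, 500), "Average": (250, 500, 750),
          "High": (500, 750, 1000), "ExtremeHigh": (750, 1000, 1250)}
PERIODS = {"Midnight": (21, 24, 27), "AfterMidnight": (0, 3, 6), "EarlyMorning": (3, 6, 9),
           "Morning": (6, 9, 14), "Afternoon": (9, 14, 18), "Evening": (14, 18, 21),
           "Night": (18, 21, 24)}
ALERTS = ["ignore", "log", "email", "sms"]
# Constructed expected level index per period; the paper derives its rules from daily cycles.
EXPECTED = {"Midnight": 0, "AfterMidnight": 0, "EarlyMorning": 1, "Morning": 3,
            "Afternoon": 3, "Evening": 2, "Night": 1}

def consequent(level, period):
    """Constant consequent a0 of rule (level, period): severity grows with deviation."""
    return min(3, abs(list(LEVELS).index(level) - EXPECTED[period]))

def time_membership(hour, period):
    """Hour-of-day membership; Midnight peaks at 24, so hours 0..3 are also checked as 24..27."""
    a, b, c = PERIODS[period]
    return max(tri(hour, a, b, c), tri(hour + 24, a, b, c))

def infer(packets, hour):
    """Eq. 5: w_i = product of antecedent memberships; eq. 4: weighted average of y^i."""
    packets = min(max(packets, 0), 1000)  # saturate so extreme counts stay in ExtremeLow/High
    hour %= 24
    num = den = 0.0
    for level, period in product(LEVELS, PERIODS):  # one rule R^i per combination (5 x 7)
        w = tri(packets, *LEVELS[level]) * time_membership(hour, period)
        num += w * consequent(level, period)
        den += w
    return num / den if den else 0.0

def alert_for(packets, hour):
    """Map the crisp severity onto the four alert decisions."""
    return ALERTS[min(3, int(infer(packets, hour) + 0.5))]
```

A count of 625 packets at 21:00 lies half in Average and half in High, so two rules fire and the weighted average lands between log and email.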
Another example of a different short-lived anomaly, caused by loss of the router's connectivity, is shown in Figure 9. In this instance, the alert response chosen was SMS, because the pattern showed an extremely low packet count.

Figure 8: Failure of a network device based on packet count.

Figure 9: Failure of a router detected based on packet count.

The figure below shows the packet count obtained upon filtering IPX packets from the Novell NetWare operating system. The graphs show a comparison between the normal and abnormal pattern. The deviation of the abnormal pattern was caused by a hardware failure, in this case a network adapter.

Discussion

Optimizing with Neural Network

The fuzzy system is unable to function completely intelligently without a tuner for its parameters. Taking this into consideration, the system has so far been tuned ad hoc, which is time consuming. As a step to overcome this problem, a Neural Network has been introduced to the system to act as an intelligent tuner [14]. The neural network modifies the membership function when the survey mode is activated. It serves the important function of producing the x, y displacement of the vertex of the fuzzy set with the highest fuzzy strength in the membership function, in order to obtain better control of the alerts, which act as the consequent parameter. By this process, the system has the ability to learn the unique pattern of a particular network segment and alert accordingly. There has been research involving ways of optimizing a neural network to define the universe of discourse, along with adding controlling rules, for the best accuracy in selecting the suitable alert type.

Future Work

The action of the system currently works based on a simple counter in order to avoid spamming or creating a large number of alerts for a particular anomaly. To improve on this, the research is looking into means of stabilizing the action of the alerts. A proposed method is a function which works as a feedback fuzzy controller system [15]. This will not only control the type of action to be taken but also the number of actions taken. Another alternative way to tackle the problem would be to exchange the initial control rules.
The other aspect which can be explored further is to enhance the readability of anomalies by applying a variety of time-frequency analysis techniques, particularly wavelets and the deviation score. These techniques consider signal variation in both high and medium frequency bands and are found to be extremely effective at isolating anomalies [13]. Utilizing such techniques enables two goals to be achieved: first, a finer characterization of anomalies, which leads to an accurate type of action, and second, informative alerts can be generated for more efficient troubleshooting to minimize network downtime.

Figure 10: Comparison of normal and abnormal pattern for the IPX type of packets.

Conclusion

In this research, a Fuzzy based system together with a Neural Network has been implemented to develop a tool which takes action intelligently. All the fuzzy operators which are fixed in order for the system to be optimized and to reduce false alerts have been discussed in detail. Behavioral learning of the patterns by the neural network has been explored as well, to obtain more accurate alerts. The results obtained show that a number of anomalies can be detected, particularly network operation anomalies. Filters at the network layer are implemented in order to scrutinize a particular type of packet. In this case, the IPX and IP types of packets are looked into and discussed in detail. Some constraints evidently arose during this research. Due to uncontrollable network operations, some difficulty was faced when taking the statistical readings of the network traffic flow data. The other constraint arises during the process of defining a standard pattern for a particular network segment. This problem was tackled by obtaining readings from various network segments rather than from one particular segment. Since there is no standardized definition for network anomalies, the process of characterizing the anomaly is carried out in a purely empirical approach. The proper advancement of tools for pattern gathering will give a breakthrough in the area of anomaly identification. Finally, the exploration of ideas in this paper augments the existing threshold based alerts. It is hoped that a system incorporating intelligent software based tools is developed to help administrators [17]. Since data networks have become a vital aspect of the era of information technology, the downtime of a network should be minimized. In this sense, these tools are helpful enough to passively notify the network administrator regarding the health of a network from time to time.

Acknowledgment

The authors wish to thank Universiti Sains Malaysia for providing the research grant which was utilized in this research.

References

[1] Ramadass, S. 2001. Network Monitor. In Proceedings of the Asia Pacific Advanced Network Conference, 2001, 40-44. Penang, Malaysia.
[2] Hoagland, J. and Staniford, S. Statistical Packet Anomaly Detection Engine. URL http://www.silicondefense.com/software/spice/index.htm
[3] Oetiker, T. and Rand, D. 6 October 2002. Multi Router Traffic Grapher. URL http://www.mrtg.cz/
[4] Barford, P. and Plonka, D. June 2001. Characteristics of Network Flow Anomalies. In Proceedings of the ACM Internet Measurement Workshop, ACM SIGCOMM 2001. San Francisco.
[5] Jung, J., Krishnamurthy, B. and Rabinovich, M. 2002. Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites. URL http://citeseer.nj.nec.com/cache/papers/cs/25742/http:zszzszwww.research.att.comzsz~balazszpaperszszwww02-fc.pdf/jung02flash.pdf
[6] Degioanni, L., Risso, F., Varenni, G. and Viano, P. 8 August 2002. WinPcap: The Free Packet Capture Architecture for Windows. URL http://winpcap.polito.it/
[7] Forouzan, B. A. (ed.) 2000. TCP/IP Protocol Suite. McGraw-Hill.
[8] Cox, E. (ed.) 1998. The Fuzzy Systems Handbook, Second Edition. Chappaqua, New York. Academic Press.
[9] Yan, J., Ryan, M. and Power, J. (eds.) 1986. Using Fuzzy Logic. Reading, Mass. Addison-Wesley.
[10] Kruse, R., Gebhardt, J. and Klawonn, F. (eds.) 1993. The Foundation of Fuzzy Logic. John Wiley & Sons.
[11] Negoita, C. V. (ed.) 1985. Expert Systems and Fuzzy Systems. The Benjamin/Cummings Publishing Company Inc.
[12] Ramos, E., Schroeder, L. and Simpson, L. (eds.) 1992. Data Communications and Networking Fundamentals Using Novell NetWare. Reading, Mass. Addison-Wesley.
[13] Barford, P., Kline, J., Plonka, D. and Ron, A. November 2002. A Signal Analysis of Network Traffic Anomalies. In Proceedings of the ACM SIGCOMM Internet Measurement Workshop 2002. Marseilles, France.
[14] Herrmann, C. S. August 1995. A Hybrid Fuzzy-Neural Expert System for Diagnosis. In Proceedings of the International Joint Conference on Artificial Intelligence, Montreal, Canada.
[15] Singh, S. and Stiel, M. 24-25 October 1996. Fuzzy Search Techniques in Knowledge-Based Systems. In Proceedings of the Sixth International Conference on Data and Knowledge Systems for Manufacturing and Engineering, DKSME 96. Tempe, Arizona.
[16] Leckie, C. 1995. Experience and Trends in AI for Network Monitoring and Diagnosis. In Proceedings of the International Joint Conference on Artificial Intelligence Workshop on AI in Distributed Information Networks. Montreal, Canada.
[17] Meystel, A. and Messina, E. 17-19 July 2000. The Challenge of Intelligent Systems. In Proceedings of the 15th IEEE International Symposium on Intelligent Control, ISIC 2000. Rio, Patras, Greece.