Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.


Slide 2: Unwanted traffic detection
- Intrusion Detection Systems (IDSes) protect the edge of a network
- Inspect IP packets
- Look for worms, DoS, scans, instant messaging, etc.
- Many IDSes leverage known signatures of traffic
  - e.g., Slammer packets contain "MS-SQL" (say) in the payload
  - or AOL IM packets use specific TCP ports and application headers
(Figure: an enterprise network behind the IDS, and a packet laid out as IP header, TCP header, application header, payload.)

Slide 3: Packet and rule-based IDSs
Definitions:
- A predicate is a boolean function on a packet feature, e.g., TCP port = 80
- A signature (or rule) is a set of predicates
Benefits:
- Programmable
- Leverage the existing community: many rules already exist (CERT, SANS Institute, etc.)
- Classification "for free"

Slides 4-5: Packet and rule-based IDSs (drawbacks)
- Packet inspection at the edge requires deployment at many interfaces
- Too many packets per second
- DPI predicates can be computationally expensive, e.g. a rule requiring that the packet:
  - has port number X, Y, or Z
  - contains pattern "foo" within the first 20 bytes
  - contains pattern "ba*r" within the first 40 bytes

Slide 6: Our idea: IDS on IP flows
How well can rule-based IDSs be mimicked on IP flows?
Example flow record (cells elided on the slide shown as …):
  src IP | dst IP | src port | dst port | duration | # packets
  A      | B      | …        | …        | 5 min    | 36
- Efficient
  - Only fixed-offset rule predicates
  - More compact (no payload)
- Flow collection infrastructure is ubiquitous
- IP flows capture the concept of a connection

Slide 7: Idea
1. IDSes associate a "label" with every packet
2. An IP flow is associated with a set of packets
3. Our system associates the labels with flows

Slide 8: Snort rule taxonomy
  Class              | What it inspects              | Example
  Header-only        | Only the IP flow header       | e.g., port numbers
  Meta-information   | Inexact correspondence        | e.g., TCP flags
  Payload dependent  | The packet payload            | e.g., "contains ab*c"
Meta-information rules rely on features that cannot be exactly reproduced in the IP flow realm.

Slide 9: Simple translation
(Recap of step 3: our system associates the labels with flows.)
- Simple rule translation would capture only the flow predicates
- Result: low accuracy or low applicability
Example, Slammer worm:
- Snort rule: dst port = MS SQL AND contains "Slammer"
- Only flow predicates: dst port = MS SQL
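An added example (not from the paper or its authors) of the taxonomy on slide 8 and the simple translation on slide 9: a small Snort rule parser that places a rule in the header-only / meta-information / payload-dependent class by the options it uses, and keeps only the predicates a flow record can evaluate. The option grouping and the three rules are assumptions constructed for this illustration.

```python
import re

# Option keywords grouped by the slide's taxonomy. The grouping is this
# example's assumption, not the authors' list: header fields map to IP flow
# fields, meta options match flow fields only inexactly, payload options need
# deep packet inspection and have no flow counterpart at all.
META_OPTS = {"flags", "ttl", "itype", "icode", "dsize", "fragbits", "ipopts", "flow"}
PAYLOAD_OPTS = {"content", "pcre", "uricontent", "byte_test", "byte_jump", "isdataat"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?:->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPTION_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;')

def parse_rule(rule):
    """Split a Snort rule into its header fields and a dict of option name -> values."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    parsed = m.groupdict()
    opts = {}
    for name, value in OPTION_RE.findall(parsed.pop("opts")):
        opts.setdefault(name, []).append(value.strip().strip('"'))
    parsed["opts"] = opts
    return parsed

def rule_class(parsed):
    """Taxonomy class: any payload option makes the rule payload-dependent,
    otherwise any meta option makes it meta-information, else header-only."""
    names = set(parsed["opts"])
    if names & PAYLOAD_OPTS:
        return "payload-dependent"
    if names & META_OPTS:
        return "meta-information"
    return "header-only"

def flow_predicates(parsed):
    """Simple translation: keep only predicates a NetFlow record can evaluate
    (protocol, addresses, ports); meta and payload predicates are dropped."""
    preds = []
    for field in ("proto", "src_ip", "src_port", "dst_ip", "dst_port"):
        if parsed[field] != "any":
            preds.append("%s == %s" % (field, parsed[field]))
    return preds

# Constructed rules mirroring the slide's simplified Slammer example (not real Snort rules).
SLAMMER = 'alert udp any any -> $SQL_SERVERS 1434 (msg:"MS-SQL Slammer"; content:"Slammer"; sid:9000001;)'
PING = 'alert icmp any any -> any any (msg:"ICMP PING"; itype:8; sid:9000002;)'
AIM = 'alert tcp any any -> any 5190 (msg:"CHAT AIM"; sid:9000003;)'
```

For the Slammer rule the translation keeps only the port and protocol predicates, which is exactly the loss of accuracy the slide describes.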

Slide 10: Machine Learning (ML)
(Recap of step 3: our system associates the labels with flows.)
- Leverage ML to learn the mapping from "IP flow space" to label
- IP flow space = src port × # packets × flags × duration × …
- Label: one value if the alarm was raised, another otherwise
(Figure: scatter plot of flows over src port and # packets.)

Slide 11: Boosting
- Boosting combines a set of weak learners h1, h2, h3, … to create a strong learner
- H_final(x) = sign(Σ_i α_i h_i(x)), a weighted vote of the weak learners

Slide 12: Benefit of Machine Learning (ML)
- Rule translation would capture flow-only predicates: low accuracy or low applicability
- ML algorithms discover new predicates that capture the rule
  - Latent correlations between predicates
  - Capturing the same subspace using different dimensions
Example, Slammer worm:
- Snort rule: dst port = MS SQL AND contains "Slammer"
- Only flow predicates: dst port = MS SQL
- ML-generated rule: dst port = MS SQL, packet size = 404, flow duration …
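An added example, not the authors' code, of the boosting approach on slides 10 to 12: AdaBoost over equality stumps on flow fields, trained on constructed flows labelled by a packet-level rule that no single flow predicate reproduces, so the learner has to combine the port predicate with the packet-size predicate. The flow records, field names and the constant "bias" stump are assumptions of this example.

```python
import math

# Constructed NetFlow-like records (not real traffic). Each flow carries the
# header/meta fields a collector exports plus the label a packet-level Snort
# rule gave its packets: +1 = the rule fired, -1 = it did not. The label needs
# both dst port 1434 and a 404-byte packet, so no single flow predicate is exact.
FLOWS = (
    [({"dst_port": 1434, "mean_pkt": 404, "proto": "udp"}, +1)] * 4   # Slammer-like
    + [({"dst_port": 1434, "mean_pkt": 60, "proto": "udp"}, -1)]      # benign SQL browser query
    + [({"dst_port": 53, "mean_pkt": 404, "proto": "udp"}, -1)]       # large DNS reply
    + [({"dst_port": 80, "mean_pkt": 1200, "proto": "tcp"}, -1)] * 4  # web traffic
)
FEATURES = ("dst_port", "mean_pkt", "proto")

def stump(feature, value, polarity):
    # Weak learner h_i: an equality predicate on one flow field. feature=None is
    # a constant hypothesis that acts as the bias term of the weighted vote.
    def h(flow):
        if feature is None:
            return polarity
        return polarity if flow[feature] == value else -polarity
    return h

def candidates(flows):
    # Every "field == value" predicate seen in the data, with both polarities.
    cands = [(None, None, +1), (None, None, -1)]
    for f in FEATURES:
        for v in sorted({flow[f] for flow, _ in flows}, key=str):
            cands += [(f, v, +1), (f, v, -1)]
    return cands

def weighted_error(h, flows, w):
    return sum(wi for wi, (flow, y) in zip(w, flows) if h(flow) != y)

def train(flows, rounds):
    """AdaBoost: each round picks the stump with least weighted error, weights it
    by alpha = 0.5*ln((1-eps)/eps) and up-weights the flows it got wrong."""
    w = [1.0 / len(flows)] * len(flows)
    model = []                                     # list of (alpha, stump spec)
    for _ in range(rounds):
        best = min(candidates(flows), key=lambda c: weighted_error(stump(*c), flows, w))
        h = stump(*best)
        eps = min(max(weighted_error(h, flows, w), 1e-10), 1 - 1e-10)  # guard a perfect stump
        alpha = 0.5 * math.log((1 - eps) / eps)
        model.append((alpha, best))
        w = [wi * math.exp(-alpha * y * h(flow)) for wi, (flow, y) in zip(w, flows)]
        total = sum(w)
        w = [wi / total for wi in w]
    return model

def classify(model, flow):
    """H_final(x) = sign(sum_i alpha_i * h_i(x))."""
    score = sum(alpha * stump(*spec)(flow) for alpha, spec in model)
    return 1 if score > 0 else -1
```

After three rounds the learned rule is "dst port = 1434" plus "mean packet size = 404" plus a negative bias, i.e. the port-and-packet-size conjunction the slide reports for Slammer.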

Slide 13: Architecture
1. Operate at a small number of interfaces
2. Use ML algorithms to learn to classify on IP flows
3. Apply the learned classifiers across all/other interfaces

Slide 14: Evaluation
- Border router on an OC-3 link
- Used the Snort rules in place
- Unsampled NetFlow v5 and packet traces
Statistics:
- One month, 2 MB/s average, 1 billion flows
- 400k Snort alarms

Slide 15: Accuracy metrics
- Receiver Operating Characteristic (ROC): the full FP vs TP tradeoff
- But we need a single number:
  - Area Under Curve (AUC)
  - Average Precision (AP): an AP of p corresponds to (1 - p)/p FP per TP

Slide 16: Classifier accuracy (training on week 1, testing on week n)
- High degree of accuracy for header and meta-information rules
- Minimal drift within a month
(Figure: classifier accuracy by rule class, with rows Header rules, Meta-information and Payload, and columns Week 1-2, Week 1-3 and Week 1-4; the marked reference levels are 5 FP per 100 TP and 43 FP per 100 TP.)

Slide 17: Difference in rule accuracy
- Accuracy is a function of the correlation between flow and packet-level features
Accuracy per rule, overall and with one flow feature removed (cells missing from the transcript shown as …):
  Rule                     | Overall accuracy | w/o dst port | w/o mean packet size
  MS-SQL version overflow  | 1.00             | …            | …
  ICMP PING speedera       | 0.82             | …            | …
  NON-RFC HTTP DELIM       | …                | …            | …

Slide 18: Choosing an operating point
- X = alarms we want raised
- Z = alarms that are raised
- Y = the overlap: alarms raised that we wanted
- Precision = Y/Z (exactness)
- Recall = Y/X (completeness)
- AP is a single number, but not the most intuitive
- Precision and recall are useful for operators: "I need to detect 99% of these alarms!"

Slide 19: Choosing an operating point
- AP is a single number, but not the most intuitive
- Precision and recall are useful for operators: "I need to detect 99% of these alarms!"
Precision at a fixed recall target (cells missing from the transcript shown as …):
  Rule                      | Precision w/ recall = 1.00 | Precision w/ recall = 0.99
  MS-SQL version overflow   | 1.00                       | …
  ICMP PING speedera        | …                          | …
  CHAT AIM receive message  | …                          | …
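An added example (not from the paper) of the metrics on slides 15, 18 and 19: precision and recall computed from the X, Y and Z sets, average precision over the classifier's ranking, the (1 - p)/p FP-per-TP rule of thumb, and choosing the threshold that meets an operator's recall target. The scores and labels are constructed.

```python
# Constructed classifier output (not measured data): one score per flow from
# a learned rule classifier, and the ground truth from the packet-level Snort
# rule (1 = alarm should be raised on this flow, 0 = it should not).
SCORES = [0.95, 0.90, 0.85, 0.80, 0.70, 0.60, 0.50, 0.40, 0.30, 0.10]
LABELS = [1, 1, 0, 1, 1, 0, 0, 1, 0, 0]

def precision_recall(scores, labels, threshold):
    """X = flows whose alarm should be raised, Z = flows the classifier raises
    (score >= threshold), Y = their overlap. Precision = |Y|/|Z|, recall = |Y|/|X|."""
    x = sum(labels)
    z = sum(1 for s in scores if s >= threshold)
    y = sum(1 for s, label in zip(scores, labels) if s >= threshold and label)
    return (y / z if z else 1.0), (y / x if x else 0.0)

def average_precision(scores, labels):
    """Rank flows by score; AP averages the precision observed at the rank of
    each true alarm, summarising the whole FP/TP tradeoff in one number."""
    ranked = sorted(zip(scores, labels), key=lambda sl: -sl[0])
    hits, total = 0, 0.0
    for rank, (_, label) in enumerate(ranked, start=1):
        if label:
            hits += 1
            total += hits / rank
    return total / hits if hits else 0.0

def fp_per_tp(p):
    """Slide 15's rule of thumb: precision p means (1 - p)/p false positives per true positive."""
    return (1 - p) / p

def operating_point(scores, labels, min_recall):
    """Highest threshold whose recall reaches the operator's target ("detect 99%
    of these alarms"); returns (threshold, precision, recall) or None."""
    for t in sorted(set(scores), reverse=True):
        p, r = precision_recall(scores, labels, t)
        if r >= min_recall:
            return t, p, r
    return None
```

On the constructed ranking the AP is 0.835, and pushing recall from 0.8 to 1.0 costs precision (0.8 down to 0.625), which is the tradeoff an operator picks with the 99% requirement.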

Slide 20: Computational efficiency
1. Machine learning (boosting): 33 hours per rule for one week of OC48
2. Classification of flows: 57k flows/sec on a 1.5 GHz Itanium 2, i.e. line-rate classification for OC48

Slide 21: Conclusion
- Applying Snort alarms to flows is feasible
- ML algorithms discover latent correlations between packet and flow predicates
- High degree of accuracy for many rules
- Minimal drift within a month
- Prototype can scale up to OC48 speeds
- Qualitatively predictive rule taxonomy
Future work:
- Performance on sampled NetFlow
- Cross-site training/classification

Slide 22: Thank you! Questions? Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg