A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic A Dissertation by Matthew V. Mahoney Major Advisor: Philip K. Chan

Overview
Related work in intrusion detection
Approach
Experimental results
–Simulated network
–Real background traffic
Conclusions and future work

Limitations of Intrusion Detection
Host based (audit logs, virus checkers, system calls (Forrest 1996))
–Cannot be trusted after a compromise
Network signature detection (SNORT (Roesch 1999), Bro (Paxson 1998))
–Cannot detect novel attacks
–Alarms occur in bursts
Address/port anomaly detection (ADAM (Barbara 2001), SPADE (Hoagland 2000), eBayes (Valdes & Skinner 2000))
–Cannot detect attacks on public servers (web, mail)

Intrusion Detection Dimensions
[Chart: existing systems placed along three dimensions, Model (anomaly vs. signature), Data (network vs. host) and Method (user vs. system). Labels on the chart: BSM, virus detection, SNORT, Bro, audit logs, firewalls, SPADE, ADAM, eBayes, and this work, network protocol anomaly detection.]

Problem Statement
Detect (not prevent) attacks in network traffic
No prior knowledge of attack characteristics
[Diagram: training data with no known attacks builds a model of normal traffic; the IDS applies that model to test data containing attacks and raises alarms]

Approach
1. Model protocols (extend user model)
2. Time-based model of "bursty" traffic
3. Learn conditional rules
4. Batch and continuous modeling
5. Test with simulated attacks and real background traffic

Approach 1. Protocol Modeling
User model (conventional)
–Source address for authentication
–Destination port to detect scans
Protocol model (new)
–Unusual features (more likely to be vulnerable)
–Client idiosyncrasies
–IDS evasion
–Victim's symptoms after an attack

Example Protocol Anomalies
Attack | How detected | Category
Teardrop – overlapping IP fragments crashes target | IP fragments | Unusual feature
Sendmail – buffer overflow gives remote root shell | Lower case "mail" | Idiosyncrasy
FIN scan (portsweep) – FIN packets not logged | FIN without ACK | Evasion
ARP poison – forged replies to ARP who-has | Interrupted TCP | Victim symptoms

Approach 2. Non-Poisson Traffic Model (Paxson & Floyd, 1995)
Events occur in bursts on all time scales
Long range dependency
No average rate of events
Event probability depends on
–The average rate in the past
–And the time since it last occurred

Time-Based Model
If port = 25 then word1 = HELO or EHLO
Anomaly: any value never seen in training
Score = tn/r
–t = time since last anomaly for this rule
–n = number of training instances (port = 25)
–r = number of allowed values (2)
Only the first anomaly in a burst receives a high score

Example
Training = AAAABBBBAA
Test = AACCC
C is an anomaly
r/n = average rate of training anomalies = 2/10 (first A and first B)
t = time since last anomaly = 9, 1, 1
Score (C) = tn/r = 45, 5, 5

Approach 3. Rule Learning
1. Sample training pairs to suggest rules with n/r = 2/1
2. Remove redundant rules, favoring high n/r
3. Validation: remove rules that generate alarms on attack-free traffic

Learning Step 1 – Sampling
Port | Word1 | Word2 | Word3
80 | GET | / | HTTP/1.0
80 | GET | /index.html | HTTP/1.0
If port = 80 then word1 = GET word3 = HTTP/1.0
If word3 = HTTP/1.0 and word1 = GET then port = 80

Learning Step 2 – Remove Redundant Rules (Sorted by n/r)
Port | Word1 | Word2 | Word3
25 | HELO | pascal | MAIL
80 | GET | / | HTTP/1.0
80 | GET | /index.html | HTTP/1.0
R1: if port = 80 then word1 = GET (n/r = 2/1, OK)
R2: word1 = HELO or GET (n/r = 3/2, OK)
R3: if port = 25 then word1 = HELO (n/r = 1/1, remove)
R4: word2 = pascal, /, or /index.html (n/r = 3/3, OK)

Learning Step 3 – Rule Validation
Training (no attacks) – Learn rules, n/r
Validation (no attacks) – Discard rules that generate alarms
Testing (with attacks)
[Diagram: the data is split into consecutive Train, Validate and Test segments]
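The three learning steps above (sample pairs to suggest rules, drop redundant rules in n/r order, validate on attack-free traffic), as an added Python example; this is not Mahoney's LERAD code. It runs on the three-row table from Step 2 and on one constructed, attack-free validation request. Two details are assumptions rather than stated on the slides: each sampled pair suggests a chain of rules over its matching attributes (attr1 in {v1}; if attr1=v1 then attr2 in {v2}; and so on), and a rule counts as redundant when every (row, attribute) value it predicts is already predicted by a rule with higher n/r.

```python
"""LERAD-style rule learning (steps 1-3 from the slides) on the three-row sample table.
Added example, not the dissertation's own implementation."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

Row = Dict[str, object]
Antecedent = Tuple[Tuple[str, object], ...]

# Constructed training sample: the (port, word1, word2, word3) rows shown on the slide.
TRAIN: List[Row] = [
    {"port": 25, "word1": "HELO", "word2": "pascal", "word3": "MAIL"},
    {"port": 80, "word1": "GET", "word2": "/", "word3": "HTTP/1.0"},
    {"port": 80, "word1": "GET", "word2": "/index.html", "word3": "HTTP/1.0"},
]
# Constructed attack-free validation traffic: a legitimate request for a path never seen in training.
VALIDATE: List[Row] = [
    {"port": 80, "word1": "GET", "word2": "/robots.txt", "word3": "HTTP/1.0"},
]


@dataclass
class Rule:
    antecedent: Antecedent              # () means the rule is unconditional
    target: str                         # attribute whose allowed values the rule predicts
    allowed: set = field(default_factory=set)
    n: int = 0                          # training rows that satisfy the antecedent

    def matches(self, row: Row) -> bool:
        return all(row[a] == v for a, v in self.antecedent)

    @property
    def r(self) -> int:
        return len(self.allowed)

    def describe(self) -> str:
        cond = " and ".join(f"{a}={v}" for a, v in self.antecedent)
        head = f"if {cond} then " if cond else ""
        vals = ", ".join(sorted(map(str, self.allowed)))
        return f"{head}{self.target} in {{{vals}}} (n/r = {self.n}/{self.r})"


def candidates_from_pair(a: Row, b: Row, order: Sequence[str]) -> List[Rule]:
    """Step 1 (assumed form): two rows that agree on the attributes in `order` suggest a chain
    of rules, each predicting the next attribute from the previous ones. Each starts at n/r = 2/1."""
    return [Rule(tuple((attr, a[attr]) for attr in order[:i]), target, {a[target]}, 2)
            for i, target in enumerate(order)]


def sample_candidates(rows: List[Row], pairs: int, rng: random.Random) -> List[Rule]:
    """Draw random pairs; the matching attributes are taken in random order (LERAD samples this way)."""
    cands: List[Rule] = []
    for _ in range(pairs):
        a, b = rng.sample(rows, 2)
        matching = [k for k in a if a[k] == b[k]]
        rng.shuffle(matching)
        cands.extend(candidates_from_pair(a, b, matching))
    return cands


def train(rules: List[Rule], rows: List[Row]) -> List[Rule]:
    """Fit n and the allowed value set of every rule on the training rows; drop rules never satisfied."""
    for rule in rules:
        rule.n, rule.allowed = 0, set()
        for row in rows:
            if rule.matches(row):
                rule.n += 1
                rule.allowed.add(row[rule.target])
    return [rule for rule in rules if rule.n > 0]


def remove_redundant(rules: List[Rule], rows: List[Row]) -> List[Rule]:
    """Step 2: walk rules from highest to lowest n/r and keep a rule only if it predicts some
    (row, target) value that no rule kept so far already predicts."""
    marked: set = set()
    kept: List[Rule] = []
    for rule in sorted(rules, key=lambda rl: rl.n / rl.r, reverse=True):
        covers = {(i, rule.target) for i, row in enumerate(rows) if rule.matches(row)}
        if covers - marked:
            kept.append(rule)
            marked |= covers
    return kept


def alarms(rule: Rule, rows: List[Row]) -> List[Row]:
    """Rows that satisfy the antecedent but carry a value outside the rule's allowed set."""
    return [row for row in rows if rule.matches(row) and row[rule.target] not in rule.allowed]


def validate(rules: List[Rule], rows: List[Row]) -> List[Rule]:
    """Step 3: discard any rule that alarms on attack-free validation traffic."""
    return [rule for rule in rules if not alarms(rule, rows)]


def learn(candidates: List[Rule], train_rows: List[Row], validation_rows: List[Row]) -> List[Rule]:
    return validate(remove_redundant(train(candidates, train_rows), train_rows), validation_rows)


# The four candidates listed on the Step 2 slide (R1..R4), before training.
SLIDE_CANDIDATES = [
    Rule((("port", 80),), "word1"),   # R1
    Rule((), "word1"),                 # R2
    Rule((("port", 25),), "word1"),   # R3
    Rule((), "word2"),                 # R4
]

if __name__ == "__main__":
    for rule in train(sample_candidates(TRAIN, 6, random.Random(1)), TRAIN):
        print("candidate:", rule.describe())
    for rule in learn([Rule(c.antecedent, c.target) for c in SLIDE_CANDIDATES], TRAIN, VALIDATE):
        print("kept:", rule.describe())
```

Running it reproduces the slide: R3 is redundant because R2 already predicts word1 for the port-25 row, and validation then drops R4 as well, since a single legitimate request for an unseen path (/robots.txt) makes it alarm. That is the practical reason for step 3: a rule over request paths is a false-alarm generator on any real web server, and an attack-free validation set is what exposes it before deployment.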

Approach 4. Continuous Modeling
No separate training and test phases
Training data may contain attacks
Model allows for previously seen values
Score = tn/r + t_i/f_i
–t_i = time since value i last seen
–f_i = frequency of i in training, f_i > 0
No validation step
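The time-based score tn/r from the Time-Based Model slide and its AAAABBBBAA / AACCC worked example, together with the continuous score tn/r + t_i/f_i above, as an added Python example for a single rule; this is not the dissertation's PHAD or NETAD code. Events are numbered consecutively through training and test, so "time since" is a count of events. With that clock the first C in the example is 8 events after the first B and scores 8 × 10 / 2 = 40; the slide's 45 corresponds to t = 9. The behaviour the slide is illustrating is the same either way: the first anomaly in a burst scores high, the following ones score n/r = 5.

```python
"""Time-based anomaly scoring for one allowed-values rule (e.g. if port=25 then word1 in {HELO, EHLO}),
in batch form (tn/r) and continuous form (tn/r + t_i/f_i). Added example, not the dissertation's code."""
from typing import Dict, Iterable, List


class TimeBasedRule:
    def __init__(self) -> None:
        self.time = 0                          # event counter: the clock for every "time since"
        self.n = 0                             # instances that satisfied the rule's antecedent
        self.seen: Dict[str, List[int]] = {}   # value -> [f_i (times seen), time last seen]
        self.last_anomaly = 0                  # time of the last never-before-seen value

    @property
    def r(self) -> int:
        return len(self.seen)

    def _record(self, value: str) -> None:
        """Update n, f_i and the last-seen time (training, and every event in continuous mode)."""
        self.n += 1
        entry = self.seen.setdefault(value, [0, self.time])
        entry[0] += 1
        entry[1] = self.time

    def train(self, value: str) -> None:
        self.time += 1
        if value not in self.seen:             # a new value during training is an anomaly too
            self.last_anomaly = self.time
        self._record(value)

    def score_batch(self, value: str) -> float:
        """Batch model: n and r are frozen after training. Only a novel value scores, at t*n/r,
        and it is not added to the model, so a repeat of it is still an anomaly, now with t = 1."""
        self.time += 1
        if value in self.seen:
            return 0.0
        t = self.time - self.last_anomaly
        self.last_anomaly = self.time
        return t * self.n / max(self.r, 1)

    def score_continuous(self, value: str) -> float:
        """Continuous model: no training/test split. A novel value scores t*n/r and joins the model;
        a value seen before scores t_i/f_i (f_i > 0), so a rare value not seen for a long time still
        stands out. The two terms never both apply to one event, so the sum reduces to one of them."""
        self.time += 1
        if value not in self.seen:
            t = self.time - self.last_anomaly
            score = t * self.n / max(self.r, 1)   # r = 0 only for the very first event
            self.last_anomaly = self.time
        else:
            f_i, last_seen = self.seen[value]
            score = (self.time - last_seen) / f_i
        self._record(value)
        return score


def batch_scores(training: Iterable[str], test: Iterable[str]) -> List[float]:
    rule = TimeBasedRule()
    for value in training:
        rule.train(value)
    return [rule.score_batch(value) for value in test]


def continuous_scores(stream: Iterable[str]) -> List[float]:
    rule = TimeBasedRule()
    return [rule.score_continuous(value) for value in stream]


if __name__ == "__main__":
    # The slide's worked example: training AAAABBBBAA (n = 10, r = 2), then test AACCC.
    print("batch     ", batch_scores("AAAABBBBAA", "AACCC"))
    # Same symbols as one continuous stream: B at event 5 scores 4*4/1, C at event 11 scores 6*10/2.
    print("continuous", [round(s, 2) for s in continuous_scores("AAAABBBBAACCC")])
```

The point worth noticing in the continuous run is the t_i/f_i term: when A returns at event 9 after four B's it scores 5/4, a small positive value for a known symbol that has been absent for a while, whereas in batch mode it would score nothing. That is what lets NETAD keep learning without a validation pass, at the cost that an attacker's traffic, once observed, also lowers the score of its own repeats.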

Implementation
Model | Data | Conditions | Validation | Score
PHAD | Packet headers | None | No | tn/r
ALAD | TCP streams | Server, port | No | tn/r
LERAD | TCP streams | Learned | Yes | tn/r
NETAD | Packet bytes | Protocol | Yes | tn/r + t_i/f_i

Example Rules (LERAD)
/1 if SA3=172 then SA2 =
/1 if SA2=016 then SA3 =
/1 if F1=.UDP then F3 =
/1 if F1=.UDP then F2 =
/1 if F3=. then F1 =.UDP
/1 if F3=. then DUR =
/1 if DA0=100 then DA1 =
/1 if W6=. then W7 =
/1 if W5=. then W6 =
/1 if W4=. then W8 =
/1 if W4=. then W5 =
/1 if DA1=118 then W
/1 if DA1=118 then SA1 =
/1 if SP=520 then DP =
/1 if SP=520 then W
/1 if DP=520 then DA1 =
/1 if DA1=118 SA1=112 then LEN =
/2 if F2=.AP then F1 =.S.AS
/1 if then DP =
/6 if then DA1 =
/6 if then F1 =.UDP.S.AF.ICMP.AS.R
/1 if W3=.HELO then W
/1 if F1=.S W3=.HELO then DP =
/1 if DP=25 W5=.MAIL then W3 =.HELO

1999 DARPA IDS Evaluation (Lippmann et al. 2000)
7 days training data with no attacks
2 weeks test data with 177 visible attacks
Must identify victim and time of attack
[Diagram: a simulated Internet sends attacks through the IDS to victim hosts running SunOS, Solaris, Linux and Windows NT]

Attacks Detected at 10 FA/Day

Unlikely Detections
Attacks on public servers (web, mail, DNS) detected by source address
Application server attacks detected by packet header fields
U2R (user to root) detected by FTP upload

Unrealistic Background Traffic
Source address, client versions (too few clients)
TTL, TCP options, TCP window size (artifacts)
Checksum errors, "crud", invalid keywords and values (too clean)
[Plot: r (number of distinct values seen) against time, simulated traffic vs. real traffic]

5. Injecting Real Background Traffic
Collected on a university departmental web server
Filtered: truncated inbound client traffic only
IDS modified to avoid conditioning on traffic source
[Diagram: simulated and real Internet traffic, including traffic to a real web server, passes through the IDS to the SunOS, Solaris, Linux and Windows NT victims]

Mixed Traffic: Fewer Detections, but More are Legitimate

Detections vs. False Alarms (Simulated and Combined Traffic)

Results Summary
Original 1999 evaluation: 40-55% detected at 10 false alarms per day
NETAD (excluding U2R): 75%
Mixed traffic: LERAD + NETAD: 30%
At 50 FA/day: NETAD: 47%

Contributions
1. Protocol modeling
2. Time based modeling for bursty traffic
3. Rule learning
4. Continuous modeling
5. Removing simulation artifacts

Limitations
False alarms – unusual data is not always hostile
Rule learning requires 2 passes (not continuous)
Tests with real traffic are not reproducible (privacy concerns)
Unlabeled attacks in real traffic
–GET /MSADC/root.exe?/c+dir HTTP/1.0
–GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir

Future Work
Modify rule learning for continuous traffic
Add other attributes
User feedback (should this anomaly be added to the model?)
Test with real attacks

Acknowledgments
Philip K. Chan – Directing research
Advisors – Ryan Stansifer, Kamel Rekab, James Whittaker
Ongoing work
–Gaurav Tandon – Host based detection using LERAD (system call arguments)
–Rachna Vargiya – Parsing application payload
–Hyoung Rae Kim – Payload lexical/semantic analysis
–Muhammad Arshad – Outlier detection in network traffic
DARPA – Providing funding and test data