Learning Rules for Anomaly Detection of Hostile Network Traffic
Matthew V. Mahoney and Philip K. Chan, Florida Institute of Technology

Problem: how to detect novel intrusions in network traffic given only a model of normal traffic
 Normal web server request: GET /index.html HTTP/1.0
 Code Red II worm: GET /default.ida?NNNNNNNNN…

What has been done
 Firewalls
   - Can’t block attacks on open ports (web, mail, DNS)
 Signature detection (SNORT, BRO)
   - Hand-coded rules (e.g. search for “default.ida?NNN”)
   - Can’t detect new attacks
 Anomaly detection (eBayes, ADAM, SPADE)
   - Learns rules from normal traffic for low-level protocols (IP, TCP, ICMP)
   - But application protocols (HTTP, mail) are too hard to model

Learning Rules for Anomaly Detection (LERAD)
 Association mining (APRIORI, etc.) learns rules with high support and confidence for one value
 LERAD learns rules with high support (n) and a small set of allowed values (r)
 Any value seen at least once in training is allowed
   Example: if port = 80 and word1 = “GET” then word3 ∈ {“HTTP/1.0”, “HTTP/1.1”} (r = 2)

LERAD Steps
 1. Generate candidate rules
 2. Remove redundant rules
 3. Remove poorly trained rules
LERAD is fast because steps 1-2 can be done on a small random sample (~100 tuples)

Step 1. Generate Candidate Rules
Candidate rules are suggested by attribute values that match between pairs of sample tuples.

Sample  Port  Word1  Word2        Word3
S1      80    GET    /index.html  HTTP/1.0
S2      80    GET    /banner.gif  HTTP/1.0
S3      25    HELO   pascal       MAIL

 S1 and S2 (which agree on port, word1 and word3) suggest:
   - port = 80
   - if port = 80 then word1 = “GET”
   - if word3 = “HTTP/1.0” and word1 = “GET” then port = 80
 S2 and S3 share no attribute values and so suggest no rules

Step 2. Remove Redundant Rules
Favor rules with the higher score = n/r (support divided by the number of allowed values).

Sample  Port  Word1  Word2        Word3
S1      80    GET    /index.html  HTTP/1.0
S2      80    GET    /banner.gif  HTTP/1.0
S3      25    HELO   pascal       MAIL

Rule 1: if port = 80 then word1 = “GET” (n/r = 2/1)
Rule 2: if word2 = “/index.html” then word1 = “GET” (n/r = 1/1)
Rule 2 has the lower score and predicts no value that Rule 1 does not already cover, so it is redundant.

Step 3. Remove Poorly Trained Rules
Rules with violations in a validation set will probably generate false alarms.
[Figure: r (number of allowed values) plotted against time across the train, validate and test periods. A fully trained rule, whose allowed set has stopped growing before validation, is kept; an incompletely trained rule, which is still violated by new values during validation, is removed.]

Attribute Sets
 Inbound client packets (PKT)
   - IP packet cut into bit fields
 Inbound client TCP streams
   - Date, time
   - Source and destination IP addresses and ports
   - Length, duration
   - TCP flags
   - First 8 application words
Anomaly score = t·n/r summed over violated rules, where t = time since that rule was previously violated

Experimental Evaluation
 1999 DARPA/Lincoln Laboratory Intrusion Detection Evaluation (IDEVAL)
   - Train on week 3 (no attacks)
   - Test on inside sniffer weeks 4-5 (148 simulated probe, DoS and R2L attacks)
   - Top participants in 1999 detected 40-55% of attacks at 10 false alarms per day
 2002 university departmental server traffic (UNIV)
   - 623 hours over 10 weeks
   - Train and test on adjacent weeks (some unlabeled attacks in training data)
   - 6 known real attacks (some with multiple instances)

Experimental Results
[Chart: percent of attacks detected at 10 false alarms per day]

UNIV Detection/False Alarm Tradeoff
[Chart: percent of attacks detected at 0 to 40 false alarms per day]

Run Time Performance (750 MHz PC, Windows Me)
 Preprocessing 9 GB of IDEVAL traffic: 7 min.
 Train + test: < 2 min. (all systems)

Anomalies are due to bugs and idiosyncrasies in hostile code; there is no obvious way to distinguish them from benign events.

UNIV attack        How detected
Inside port scan   HEAD / HTTP\1.0 (backslash)
Code Red II worm   TCP segmentation after GET
Nimda worm         host: www
Scalper worm       host: unknown
Proxy scan         host:
DNS version probe  (not detected)

Contributions
 LERAD differs from association mining in that the goal is to find rules for anomaly detection: a small set of allowed values
 LERAD is fast because rules are generated from a small sample
 Testing is fast (50-75 rules)
 LERAD improves intrusion detection
   - Models application protocols
   - Detects more attacks

Thank you