Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic A Dissertation by Matthew V. Mahoney Major Advisor: Philip.

Published byEdith Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic A Dissertation by Matthew V. Mahoney Major Advisor: Philip."— Presentation transcript:

1 A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic A Dissertation by Matthew V. Mahoney Major Advisor: Philip K. Chan

2 Overview Related work in intrusion detection Approach Experimental results –Simulated network –Real background traffic Conclusions and future work

3 Limitations of Intrusion Detection Host based (audit logs, virus checkers, system calls (Forrest 1996)) –Cannot be trusted after a compromise Network signature detection (SNORT (Roesch 1999), Bro (Paxson 1998)) –Cannot detect novel attacks –Alarms occur in bursts Address/port anomaly detection (ADAM (Barbara 2001), SPADE (Hoagland 2000), eBayes (Valdes & Skinner 2000)) –Cannot detect attacks on public servers (web, mail)

4 Anomaly SignatureNetwork Host User System BSM Virus Detection SNORT Bro Audit Logs Firewalls SPADE ADAM eBayes Network Protocol Anomaly Detection Intrusion Detection Dimensions Model Data Method

5 Problem Statement Detect (not prevent) attacks in network traffic No prior knowledge of attack characteristics Model of normal traffic IDS Training – no known attacks Test data with attacksAlarms

6 Approach 1.Model protocols (extend user model) 2.Time-based model of “bursty” traffic 3.Learn conditional rules 4.Batch and continuous modeling 5.Test with simulated attacks and real background traffic

7 Approach 1. Protocol Modeling User model (conventional) –Source address for authentication –Destination port to detect scans Protocol model (new) –Unusual features (more likely to be vulnerable) –Client idiosyncrasies –IDS evasion –Victim’s symptoms after an attack

8 Example Protocol Anomalies AttackHow detected Category Teardrop – overlapping IP fragments crashes target IP fragments Unusual feature Sendmail – buffer overflow gives remote root shell Lower case mail Idiosyn- crasy FIN scan (portsweep) - FIN packets not logged FIN with- out ACK Evasion ARPpoison – Forged replies to ARP-who-has Interrupt- ed TCP Victim symptoms

9 Approach 2 -Non-Poisson Traffic Model (Paxson & Floyd, 1995) Events occur in bursts on all time scales Long range dependency No average rate of events Event probability depends on –The average rate in the past –And the time since it last occurred

10 Time-Based Model If port = 25 then word1 = HELO or EHLO Anomaly: any value never seen in training Score = tn/r –t = time since last anomaly for this rule –n = number of training instances (port = 25) –r = number of allowed values (2) Only the first anomaly in a burst receives a high score

11 Example Training = AAAABBBBAA Test = AACCC C is an anomaly r/n = average rate of training anomalies = 2/10 (first A and first B) t = time since last anomaly = 9, 1, 1 Score (C) = tn/r = 45, 5, 5

12 Approach 3. Rule Learning 1.Sample training pairs to suggest rules with n/r = 2/1 2.Remove redundant rules, favoring high n/r 3.Validation: remove rules that generate alarms on attack-free traffic

13 Learning Step 1 - Sampling PortWord1Word2Word3 80GET/HTTP/1.0 80GET/index.htmlHTTP/1.0 If port = 80 then word1 = GET word3 = HTTP/1.0 If word3 = HTTP/1.0 and word1 = GET then port = 80

14 Learning Step 2 – Remove Redundant Rules (Sorted by n/r) R1: if port = 80 then word1 = GET (n/r = 2/1, OK) R2: word1 = HELO or GET (n/r = 3/2, OK) R3: if port = 25 then word1 = HELO (n/r = 1/1, remove) R4: word2 = pascal, /, or /index.html (n/r = 3/3, OK) PortWord1Word2Word3 25HELOpascalMAIL 80GET/HTTP/1.0 80GET/index.htmlHTTP/1.0

15 Learning Step 3 – Rule Validation Training (no attacks) – Learn rules, n/r Validation (no attacks) – Discard rules that generate alarms Testing (with attacks) TrainValidateTest

16 Approach 4. Continuous Modeling No separate training and test phases Training data may contain attacks Model allows for previously seen values Score = tn/r + t i /f i –t i = tine since value i last seen –f i = frequency of i in training, f i > 0 No validation step

17 Implementation ModelDataCon- ditions Valid- ation Score PHADPacket headers NoneNotn/r ALADTCP streams Server, port Notn/r LERADTCP streams LearnedYestn/r NETADPacket bytes ProtocolYestn/r + t i /f i

18 Example Rules (LERAD) 1 39406/1 if SA3=172 then SA2 = 016 2 39406/1 if SA2=016 then SA3 = 172 3 28055/1 if F1=.UDP then F3 =. 4 28055/1 if F1=.UDP then F2 =. 5 28055/1 if F3=. then F1 =.UDP 6 28055/1 if F3=. then DUR = 0 7 27757/1 if DA0=100 then DA1 = 112 8 25229/1 if W6=. then W7 =. 9 25221/1 if W5=. then W6 =. 10 25220/1 if W4=. then W8 =. 11 25220/1 if W4=. then W5 =. 12 17573/1 if DA1=118 then W1 =.^B^A^@^@ 13 17573/1 if DA1=118 then SA1 = 112 14 17573/1 if SP=520 then DP = 520 15 17573/1 if SP=520 then W2 =.^P^@^@^@ 16 17573/1 if DP=520 then DA1 = 118 17 17573/1 if DA1=118 SA1=112 then LEN = 5 18 28882/2 if F2=.AP then F1 =.S.AS 19 12867/1 if W1=.^@GET then DP = 80 20 68939/6 if then DA1 = 118 112 113 115 114 116 21 68939/6 if then F1 =.UDP.S.AF.ICMP.AS.R 22 9914/1 if W3=.HELO then W1 =.^@EHLO 23 9914/1 if F1=.S W3=.HELO then DP = 25 24 9914/1 if DP=25 W5=.MAIL then W3 =.HELO

19 1999 DARPA IDS Evaluation (Lippmann et al. 2000) 7 days training data with no attacks 2 weeks test data with 177 visible attacks Must identify victim and time of attack SunOSSolarisLinuxWinNT IDS Victims Internet (simulated) Attacks

20 Attacks Detected at 10 FA/Day

21 Unlikely Detections Attacks on public servers (web, mail, DNS) detected by source address Application server attacks detected by packet header fields U2R (user to root) detected by FTP upload

22 Unrealistic Background Traffic Source Address, client versions (too few clients) TTL, TCP options, TCP window size (artifacts) Checksum errors, “crud”, invalid keywords and values (too clean) r Time Simulated Real

23 5. Injecting Real Background Traffic Collected on a university departmental web server Filtered: truncated inbound client traffic only IDS modified to avoid conditioning on traffic source SunOSSolarisLinuxWinNT IDS Internet (simulated and real) Attacks Real web server

24 Mixed Traffic: Fewer Detections, but More are Legitimate

25 Detections vs. False Alarms (Simulated and Combined Traffic)

26 Results Summary Original 1999 evaluation: 40-55% detected at 10 false alarms per day NETAD (excluding U2R): 75% Mixed traffic: LERAD + NETAD: 30% At 50 FA/day: NETAD: 47%

27 Contributions 1.Protocol modeling 2.Time based modeling for bursty traffic 3.Rule learning 4.Continuous modeling 5.Removing simulation artifacts

28 Limitations False alarms – Unusual data is not always hostile Rule learning requires 2 passes (not continuous) Tests with real traffic are not reproducible (privacy concerns) Unlabeled attacks in real traffic –GET /MSADC/root.exe?/c+dir HTTP/1.0 –GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir

29 Future Work Modify rule learning for continuous traffic Add other attributes User feedback (should this anomaly be added to the model?) Test with real attacks

30 Acknowledgments Philip K. Chan – Directing research Advisors – Ryan Stansifer, Kamel Rekab, James Whittaker Ongoing work –Gaurav Tandon – Host based detection using LERAD (system call arguments) –Rachna Vargiya – Parsing application payload –Hyoung Rae Kim – Payload lexical/semantic analysis –Muhammad Arshad – Outlier detection in network traffic DARPA – Providing funding and test data

Download ppt "A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic A Dissertation by Matthew V. Mahoney Major Advisor: Philip."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.

Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology

Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.

A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Similar presentations

Ads by Google