Presentation is loading. Please wait.

Presentation is loading. Please wait.

Machine Learning for Network Anomaly Detection Matt Mahoney.

Published byLetitia Grant Modified over 8 years ago

Similar presentations

Presentation on theme: "Machine Learning for Network Anomaly Detection Matt Mahoney."— Presentation transcript:

1 Machine Learning for Network Anomaly Detection Matt Mahoney

2 Network Anomaly Detection Network – Monitors traffic to protect connected hosts Anomaly – Models normal behavior to detect novel attacks (some false alarms) Detection – Was there an attack?

3 Host Based Methods Virus Scanners File System Integrity Checkers (Tripwire, DERBI) Audit Logs System Call Monitoring – Self/Nonself (Forrest)

4 Network Based Methods Firewalls Signature Detection (SNORT, Bro) Anomaly Detection (eBayes, NIDES, ADAM, SPADE)

5 User Modeling Source address – unauthorized users of authenticated services (telnet, ssh, pop3, imap) Destination address – IP scans Destination port – port scans

6 Frequency Based Models Used by SPADE, ADAM, NIDES, eBayes, etc. Anomaly score = 1/P(event) Event probabilities estimated by counting

7 Attacks on Public Services PHF – exploits a CGI script bug on older Apache web servers GET /cgi-bin/phf?Qalias=x%0a/usr /bin/ypcat%20passwd

8 Buffer Overflows 1988 Morris Worm – fingerd 2003 SQL Sapphire Worm char buf[100]; gets(buf); bufstackExploit code Return Address 0100

9 TCP/IP Denial of Service Attacks Teardrop – overlapping IP fragments Ping of Death – IP fragments reassemble to > 64K Dosnuke – urgent data in NetBIOS packet Land – identical source and destination addresses

10 Protocol Modeling Attacks exploit bugs Bugs are most common in the least tested code Most testing occurs after delivery Therefore unusual data is more likely to be hostile

11 Protocol Models PHAD, NETAD – Packet Headers (Ethernet, IP, TCP, UDP, ICMP) ALAD, LERAD – Client TCP application payloads (HTTP, SMTP, FTP, …)

12 Time Based Models Training and test phases Values never seen in training are suspicious Score = t/p = tn/r where –t = time since last anomaly –n = number of training examples –r = number of allowed values –p = r/n = fraction of values that are novel

13 Example tn/r Training: 0000111000 n/r = 10/2 Testing: 01223 –0: no score –1: no score –2: tn/r = 6 x 10/2 = 30 –2: tn/r = 1 x 10/2 = 5 –3: tn/r = 1 x 10/2 = 5

14 PHAD – Fixed Rules 34 packet header fields –Ethernet (address, protocol) –IP (TOS, TTL, fragmentation, addresses) –TCP (options, flags, port numbers) –UDP (port numbers, checksum) –ICMP (type, code, checksum) Global model

15 LERAD – Learns conditional Rules Models inbound client TCP (addresses, ports, flags, 8 words in payload) Learns conditional rules If port = 80 then word1 = GET, POST (n/r = 10000/2)

16 LERAD Rule Learning If word1 = GET then port = 80 (n/r = 2/1) word1 = GET, HELO (n/r = 3/2) If address = Marx then port = 80, 25 (n/r = 2/2) AddressPortWord1Word2 Hume80GET/ Marx80GET/index.html Marx25HELOPascal

17 LERAD Rule Learning Randomly pick rules based on matching attributes Select nonoverlapping rules with high n/r on a sample Train on full training set (new n/r) Discard rules that discover novel values in last 10% of training (known false alarms)

18 DARPA/Lincoln Labs Evaluation 1 week of attack-free training data 2 weeks with 201 attacks SunOSSolarisLinuxNT Router Internet Sniffer Attacks

19 Attacks out of 201 Detected at 10 False Alarms per Day

20 Problems with Synthetic Traffic Attributes are too predictable: TTL, TOS, TCP options, TCP window size, HTTP, SMTP command formatting Too few sources: Client addresses, HTTP user agents, ssh versions Too “clean”: no checksum errors, fragmentation, garbage data in reserved fields, malformed commands

21 Real Traffic is Less Predictable r (Number of values) Time Synthetic Real

22 Mixed Traffic: Fewer Detections, but More are Legitimate

23 Project Status Philip K. Chan – Project Leader Gaurav Tandon – Applying LERAD to system call arguments Rachna Vargiya – Application payload tokenization Mohammad Arshad – Network traffic outlier analysis by clustering

24 Further Reading Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks by Matthew V. Mahoney and Philip K. Chan, Proc. KDD.Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Network Traffic Anomaly Detection Based on Packet Bytes by Matthew V. Mahoney, Proc. ACM-SAC.Network Traffic Anomaly Detection Based on Packet Bytes http://cs.fit.edu/~mmahoney/dist/

Download ppt "Machine Learning for Network Anomaly Detection Matt Mahoney."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology

Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.

Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
Basic Elements of Attacks and Their Detection. Contents Elements of TCP/IP addressing Layers in Internet communication Phases of an attack 2/46.

Basic Elements of Attacks and Their Detection. Contents Elements of TCP/IP addressing Layers in Internet communication Phases of an attack 2/46.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
CS 350 Chapter-6. A brief history of TCP/IP 1983 TCP/IP came to ARPAnet ARPAnet and MILNET dissolved in 1990 BSD UNIX.

CS 350 Chapter-6. A brief history of TCP/IP 1983 TCP/IP came to ARPAnet ARPAnet and MILNET dissolved in 1990 BSD UNIX.
A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic A Dissertation by Matthew V. Mahoney Major Advisor: Philip.

A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic A Dissertation by Matthew V. Mahoney Major Advisor: Philip.
ITIS 6167/8167: Network Security Weichao Wang. 2 Contents ICMP protocol and attacks UDP protocol and attacks TCP protocol and attacks.

ITIS 6167/8167: Network Security Weichao Wang. 2 Contents ICMP protocol and attacks UDP protocol and attacks TCP protocol and attacks.
Network Administration

Network Administration
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.

A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.

Similar presentations

Ads by Google