Presentation is loading. Please wait.

Presentation is loading. Please wait.

Decision Trees for Server Flow Authentication James P. Early and Carla E. Brodley Purdue University West Lafayette, IN 47907

Published byJimena Richins Modified over 9 years ago

Similar presentations

Presentation on theme: "Decision Trees for Server Flow Authentication James P. Early and Carla E. Brodley Purdue University West Lafayette, IN 47907"— Presentation transcript:

1 Decision Trees for Server Flow Authentication James P. Early and Carla E. Brodley Purdue University West Lafayette, IN 47907 earlyjp@cerias.purdue.edu, brodley@ecn.purdue.edu September 24, 2003

2 Motivation Port numbers can be unreliable for determining traffic type –Proxies –Port Remappers (e.g., AntiFirewall) –“Backdoored” services –User-installed services

3 Motivation Strong reliance on port number –Firewall filtering rules –IDS signatures Given a flow of packets from a server, can we identify the application?

4 Modeling Flow Behavior Capture operational characteristics Connection initialization data not required Payload data not required Intuition: Application protocols use the underlying TCP state mechanism in different ways, thus they can be differentiated

5 Feature Construction Individual packet features –TCP state flags –Packet length –Inter-arrival time Use an overlapping packet window

6 Supervised Learning Train learner to classify unseen flows as one of k classes Assumption: Policy specifies services for a host Does flow match expected service?

7 Aggregate Flow Experiments FTP, SSH, Telnet, SMTP, HTTP Data sets (1999 Lincoln Labs) Training : Week 1 Test: Week 3 Fifty flows / protocol Packet window sizes: 10 to 1000 Use C5.0 to build decision tree

8 Aggregate Flow Results Window Size FTPSSHTelnetSMTPHTTP 1000100%88%94%82%100% 500100%96%94%86%100% 20098%96% 84%98% 100100%96% 86%100% 5098%96% 82%100% 20100%98% 82%98% 10100% 82%98%

9 Per-Host Flow Experiments Operational characteristics of a host –Server implementation –OS platform Five hosts with three or more services Build decision trees (window size 100) Classify unseen flows for same host

10 Per-Host Flow Results HostFTPSSHTelnetSMTPWWW 172.016.112.10095%-100%90%100% 172.016.112.05092%100%84%100%- 172.016.113.050100%- - 172.016.114.050100%95%100%95% 197.218.177.069100%- -

11 Water Cooler Effect Cause: long lapses in user activity Result: large increase in mean IAT Future work Analysis of sub-flows

12 Experiments Using Live Traffic Data collected from our test network Augmented with file-sharing data (Kazaa) Accuracy 85-100% Comparable to synthetic data

13 Utilizing Flow Classifiers

14 Subverting Classification Water Cooler Effect Extraneous TCP Flags (e.g., URG) Duplication of particular behavior unlikely

15 Related Work “ Flow Classification for Intrusion Detection” Tom Dunigan and George Ostrouchov, ORNL/TM-2001/115 (2000) “Detection and Classification of TCP/IP Network Services” Tan, K.M.C. and Collie, B.S., Proceedings of the 13 th Annual Computer Security Applications Conference (1997) Signature Based –Connection –Payload

16 Conclusions Designed features that model application behavior Achieved high classification accuracy in real time Future work –IDS integration –Mitigation of Water Cooler Effect –Attempts to subvert classification

Download ppt "Decision Trees for Server Flow Authentication James P. Early and Carla E. Brodley Purdue University West Lafayette, IN 47907"

Similar presentations

Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.

Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.

Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
A fast identification method for P2P flow based on nodes connection degree LING XING, WEI-WEI ZHENG, JIAN-GUO MA, WEI- DONG MA Apperceiving Computing and.

A fast identification method for P2P flow based on nodes connection degree LING XING, WEI-WEI ZHENG, JIAN-GUO MA, WEI- DONG MA Apperceiving Computing and.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.

Similar presentations

Ads by Google