A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.


1 A Statistical Anomaly Detection Technique based on Three Different Network Features
Yuji Waizumi, Tohoku Univ.

2 Background
- The Internet has entered the business world
- Need to protect information and systems from hackers and attacks
- Network security has become an important issue
- Many intrusion/attack detection methods have been proposed

3 Intrusion Detection System
Two major detection principles:
- Signature Detection: attempts to flag behavior that is close to some previously defined pattern (signature) of a known intrusion
- Anomaly Detection: attempts to quantify the usual or acceptable behavior and flags other, irregular behavior as potentially intrusive

4 Motivation
- Anomaly detection system
  - Pro: can detect unknown attacks
  - Con: many false positives
- Improve the performance of the anomaly detection system
  - Analyze the characteristics of attacks
  - Propose a method to construct features as numerical values from network traffic
  - Construct a detection system using the features

5 Classification of Attacks (DARPA Intrusion Detection Evaluation)
- DoS: Denial of Service
- Probe: Surveillance of targets
- Remote to Local (R2L), User to Root (U2R): Unauthorized access to a host or to super user

6 Re-classification of Attacks
Classification by traffic characteristics:
- DoS, Probe: Traffic quantity, access range
- Probe: Structure of communication flows
- DoS, R2L, U2R: Contents of communications
To detect attacks with the above characteristics, it is necessary to construct features corresponding to those classes.

7 Network Traffic Feature
- Numerical values (vectors) expressing the state of traffic
- We propose three different network feature sets
  - Based on the re-classification of attacks
  - Analyzed independently

8 Time Slot Feature (34 dimensions)
- Count various packets, flags, transmitted and received bytes, and port variety per unit time
- Estimate the scale and range of attacks
- Target: Probe (Scan), DoS
- Each slot is expressed as a vector, e.g. (TCP, ICMP, SYN, FIN, RST, UDP, DNS, ...)

9 Examples (Time Slot Feature)
[Plots of element value per vector element for normal traffic only, an FTP scan (RST flag, port 21) and a telnet scan (RST flag, port 23).]
- Values are standardized to mean = 0, variance = 1.0

10 Flow Counting Feature
- A flow is specified by (srcIP, dstIP, srcPort, dstPort, protocol)
- Count packets, flags, and transmitted and received bytes in a flow
- Target: Scans with illegal flags, ports used as backdoors
- TCP: 19 dimensions, UDP: 7 dimensions

11 Examples (Flow Counting Feature)
[Plots of element value per vector element for normal traffic and a port sweep (scan); the scan shows a decrease of SYN packets.]
- Specific packets of attacks are extremely high or low.

12 Flow Payload Feature
- Represents the content of communication
- Histogram of character codes of a flow
  - Count in 8-bit units (256 classes)
  - Transmission and reception are counted independently (total 512 classes)
- Target: Buffer overflow, malicious code

13 Examples (Flow Payload Feature)
[Histograms for normal traffic and an imap attack.]
- Specific characters of attacks are extremely high or low.
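As an added example (not code from the slides or from the author), the following Python extractor builds the three kinds of feature vectors described on slides 8, 10 and 12 from a constructed list of packet records: a per-time-slot count vector, a per-flow counting vector keyed by (srcIP, dstIP, srcPort, dstPort, protocol), and the 512-bin per-flow payload histogram (256 bins for transmitted bytes, 256 for received). The element subsets in SLOT_FIELDS and FLOW_FIELDS are assumptions; the real features have 34, 19 (TCP) / 7 (UDP) and 512 elements, and the slides do not list them. The packet records are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed packet records (not captured traffic):
# (time_s, src_ip, dst_ip, src_port, dst_port, protocol, tcp_flags, payload)
PACKETS = [
    (0.1, "10.0.0.1", "10.0.0.2", 40000, 80, "TCP", {"SYN"}, b""),
    (0.2, "10.0.0.2", "10.0.0.1", 80, 40000, "TCP", {"SYN", "ACK"}, b""),
    (0.3, "10.0.0.1", "10.0.0.2", 40000, 80, "TCP", {"ACK"}, b"GET / HTTP/1.0\r\n\r\n"),
    (0.4, "10.0.0.2", "10.0.0.1", 80, 40000, "TCP", {"ACK"}, b"HTTP/1.0 200 OK\r\n"),
    (0.5, "10.0.0.1", "10.0.0.2", 40000, 80, "TCP", {"FIN", "ACK"}, b""),
    # second slot: one host touches ftp and telnet (both refused with RST) and sends one UDP datagram
    (1.2, "10.0.0.9", "10.0.0.2", 50000, 21, "TCP", {"SYN"}, b""),
    (1.3, "10.0.0.2", "10.0.0.9", 21, 50000, "TCP", {"RST"}, b""),
    (1.4, "10.0.0.9", "10.0.0.2", 50001, 23, "TCP", {"SYN"}, b""),
    (1.5, "10.0.0.2", "10.0.0.9", 23, 50001, "TCP", {"RST"}, b""),
    (1.6, "10.0.0.9", "10.0.0.2", 50002, 53, "UDP", set(), b"\x12\x34"),
]

FLAGS = ("SYN", "FIN", "RST")
# Assumed subset of the 34 time-slot elements of slide 8
SLOT_FIELDS = ("TCP", "UDP", "ICMP", "SYN", "FIN", "RST", "bytes", "dst_ports")
# Assumed subset of the 19 TCP flow-counting elements of slide 10
FLOW_FIELDS = ("pkts_tx", "pkts_rx", "bytes_tx", "bytes_rx", "SYN", "FIN", "RST")


def time_slot_features(packets, slot_seconds=1.0):
    """Slide 8: per unit time, count packets by protocol, TCP flags, payload bytes and
    the variety of destination ports. Returns {slot_index: feature vector}."""
    counts = defaultdict(Counter)
    dst_ports = defaultdict(set)
    for t, _src, _dst, _sport, dport, proto, flags, payload in packets:
        slot = int(t // slot_seconds)
        counts[slot][proto] += 1
        for flag in FLAGS:
            if flag in flags:
                counts[slot][flag] += 1
        counts[slot]["bytes"] += len(payload)
        dst_ports[slot].add(dport)
    for slot in counts:
        counts[slot]["dst_ports"] = len(dst_ports[slot])
    return {slot: [counts[slot][f] for f in SLOT_FIELDS] for slot in counts}


def flow_key(src, dst, sport, dport, proto, known):
    """Identify a packet's flow by (srcIP, dstIP, srcPort, dstPort, protocol). A packet whose
    reversed 5-tuple is already known is a reply: it is filed under the forward key as reception."""
    fwd = (src, dst, sport, dport, proto)
    rev = (dst, src, dport, sport, proto)
    if fwd not in known and rev in known:
        return rev, "rx"
    known.add(fwd)
    return fwd, "tx"


def flow_features(packets):
    """Slides 10 and 12: per flow, the counting vector and the 512-bin payload histogram
    (bins 0-255 for transmitted bytes, 256-511 for received bytes).
    Returns {flow_key: (counting_vector, histogram)}."""
    known = set()
    counts = defaultdict(Counter)
    hist = defaultdict(lambda: [0] * 512)
    for _t, src, dst, sport, dport, proto, flags, payload in packets:
        key, direction = flow_key(src, dst, sport, dport, proto, known)
        counts[key]["pkts_" + direction] += 1
        counts[key]["bytes_" + direction] += len(payload)
        for flag in FLAGS:
            if flag in flags:
                counts[key][flag] += 1
        offset = 0 if direction == "tx" else 256
        for byte in payload:  # iterating bytes yields the 8-bit character code
            hist[key][offset + byte] += 1
    return {key: ([counts[key][f] for f in FLOW_FIELDS], hist[key]) for key in counts}


if __name__ == "__main__":
    for slot, vec in sorted(time_slot_features(PACKETS).items()):
        print("slot", slot, dict(zip(SLOT_FIELDS, vec)))
    for key, (vec, histogram) in flow_features(PACKETS).items():
        print(key, dict(zip(FLOW_FIELDS, vec)), "payload bytes:", sum(histogram))
```

On the constructed input the second time slot shows the shape slide 9 describes for a scan: RST and SYN counts rise while payload bytes stay near zero and the destination-port variety jumps, and the two probing flows carry no payload, so their histograms are empty while their counting vectors record one SYN and one RST each.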

14 Modeling Normal Behavior
- Each packet appears based on a protocol
- Correlations exist between elements of the feature vectors
- A profile based on correlations can represent the normal behavior of network traffic

15 Principal Component Analysis (PCA)
- Extracts the correlation among samples as principal components
- Principal components lie along the sample distribution
[Figure: sample distribution with its principal component, beside non-correlated data.]

16 Discriminant Function
- Projection distance: distance from a sample to the principal component (subspace)
- Samples at a long distance are unordinary traffic that breaks the correlations
- The projection distance is the detection criterion
[Figure: principal component, an anomaly sample and its projection distance.]

17 Detection Algorithm
- Independent detection: the three features are used for PCA independently
- "Logical OR" operation over the detection alerts from each feature
[Diagram: Network Traffic -> Features (Time Slot, Flow Counting, Flow Payload) -> PCA -> Alert per feature -> OR -> Alert]
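The modelling and detection steps of slides 14 to 17, as an added example that is not the author's code: standardize the training vectors of one feature set to mean 0 and variance 1 (slide 9), learn the correlation structure as principal components, score a new vector by its projection distance (the norm of what is left after removing the principal-component directions, slide 16), flag it when that distance exceeds a threshold, and OR the alerts of the independent per-feature detectors (slide 17). The slides do not say how the components are computed or how the threshold is set; the power-iteration PCA and the training-distance quantile (standing in for the "10 false positives per day" criterion of slide 18) are assumptions of this example, as is the constructed 3-element training data, which replaces the real 34/19/512-element feature vectors.

```python
import math
import random


def column_stats(rows):
    """Per-column mean and standard deviation of the training vectors.
    A zero standard deviation is replaced by 1.0 so constant columns do not divide by zero."""
    n, dim = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(dim)]
    stds = []
    for j in range(dim):
        var = sum((r[j] - means[j]) ** 2 for r in rows) / n
        stds.append(math.sqrt(var) if var > 0 else 1.0)
    return means, stds


def standardize(vec, means, stds):
    """Scale a feature vector to mean 0 / variance 1 per element (slide 9)."""
    return [(v - m) / s for v, m, s in zip(vec, means, stds)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def normalize(v):
    norm = math.sqrt(dot(v, v))
    return [x / norm for x in v] if norm > 0 else list(v)


def matvec(m, v):
    return [dot(row, v) for row in m]


def covariance(rows):
    """Covariance of already standardized (zero-mean) rows, i.e. their correlation matrix."""
    n, dim = len(rows), len(rows[0])
    return [[sum(r[i] * r[j] for r in rows) / n for j in range(dim)] for i in range(dim)]


def top_eigenvector(matrix, iterations=300):
    """Dominant eigenvector and eigenvalue by power iteration (assumed method)."""
    v = normalize([1.0 + 0.01 * i for i in range(len(matrix))])  # generic start vector
    for _ in range(iterations):
        v = normalize(matvec(matrix, v))
    return v, dot(v, matvec(matrix, v))


def principal_components(rows, k):
    """Top-k principal components via power iteration with deflation (slide 15)."""
    cov = covariance(rows)
    comps = []
    for _ in range(k):
        v, lam = top_eigenvector(cov)
        comps.append(v)
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(len(v))] for i in range(len(v))]
    return comps


def projection_distance(z, components):
    """Slide 16: distance from z to the subspace spanned by the principal components,
    i.e. the norm of the residual left after removing each component direction."""
    residual = list(z)
    for c in components:
        coeff = dot(z, c)
        residual = [r - coeff * ci for r, ci in zip(residual, c)]
    return math.sqrt(dot(residual, residual))


class PcaDetector:
    """Detector for one feature set: a profile of normal correlations plus a distance threshold."""

    def __init__(self, n_components=1, quantile=0.99):
        self.n_components = n_components
        self.quantile = quantile  # assumed stand-in for a false-positives-per-day criterion

    def fit(self, rows):
        self.means, self.stds = column_stats(rows)
        z = [standardize(r, self.means, self.stds) for r in rows]
        self.components = principal_components(z, self.n_components)
        dists = sorted(projection_distance(x, self.components) for x in z)
        self.threshold = dists[int(round(self.quantile * (len(dists) - 1)))]
        return self

    def score(self, vec):
        return projection_distance(standardize(vec, self.means, self.stds), self.components)

    def is_anomalous(self, vec):
        return self.score(vec) > self.threshold


def or_detect(detectors_and_vectors):
    """Slide 17: the per-feature detectors run independently and their alerts are ORed."""
    return any(det.is_anomalous(vec) for det, vec in detectors_and_vectors)


def make_training_data(n=200, seed=1):
    """Constructed 'normal' vectors whose three elements are strongly correlated."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        t = rng.gauss(0.0, 1.0)
        rows.append([t + rng.gauss(0, 0.1), t + rng.gauss(0, 0.1), -t + rng.gauss(0, 0.1)])
    return rows


if __name__ == "__main__":
    det = PcaDetector().fit(make_training_data())
    print("threshold", round(det.threshold, 3))
    print("correlated sample      ->", det.is_anomalous([0.8, 0.8, -0.8]))
    print("correlation-breaking   ->", det.is_anomalous([2.0, -2.0, 0.0]))
```

A vector that follows the learned correlation (all three elements rising together, the third with opposite sign) stays near the principal component and is not flagged, whereas a vector of ordinary magnitude whose elements break that correlation has a large residual and is flagged, which is the "break correlation" criterion of slide 16. Because the threshold is a quantile of the training distances, about one percent of the training samples themselves sit above it; that is the false-positive budget a deployment would tune against the 10-per-day criterion of slide 18.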

18 Performance Evaluation
Two evaluation scenarios:
- Scenario 1: learn on weeks 1 and 3, test on weeks 4 and 5
- Scenario 2: learn on weeks 4 and 5, test on weeks 4 and 5
  - More practical situation: real network traffic may include attack traffic
Criterion for evaluation: detection rate when the number of false positives per day is 10

19 Data Set
- 1999 DARPA off-line intrusion detection evaluation test set
- Contains 5 weeks of data (Monday to Friday)
  - Weeks 1, 3: normal traffic only
  - Week 2: including attacks (for learning)
  - Weeks 4, 5: including attacks (for testing)

20 Scenario 1 Result
  Method            # of detection   # of target   Detection rate
  Proposed Method   104              171           60.8%
  NETAD             132              185           71.4%
  Forensics         15               27            55.6%
  Expert1           85               169           50.3%
  Expert2           81               173           46.8%
  Dmine             41               102           40.2%
(The slide also labels the compared systems with the years 2003 and 2000.)

21 Scenario 2 Result
  Method            # of detection   # of target   Detection rate
  Proposed Method   100              171           58.5%
  NETAD             70               185           37.8%
- NETAD: uses IP addresses as a white list, overfits the learning data
- Proposed method: independent of IP addresses, evaluates only the anomaly of traffic

22 Detection Results for Every Feature
[Venn diagrams for Scenario 1 and Scenario 2 of detections by the Time Slot (TS), Flow Counting (FC) and Flow Payload (FP) features; regions give the number of detections by one feature only, by pairs such as TS & FP, and by all three features. Detections by all three: 3 (Scenario 1), 5 (Scenario 2). Other region counts as they appear on the slide: Scenario 1: 40 (FP), 38 (FC), 27, 37 (TS); Scenario 2: 44 (FP), 6, 13 (FC), 59, 22 (TS).]
- Low detection overlap
- Each feature detects attacks with different characteristics

23 Conclusion
For network security:
- Classification of attacks into three types
- Construction of three features corresponding to the three attack characteristics
- Detection method with PCA: learning the three features independently
- Higher detection accuracy with samples including attacks

