Presentation is loading. Please wait.

Presentation is loading. Please wait.

Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection Rachna Vargiya and Philip Chan Department of Computer Sciences Florida.

Published byAngelica Blair Modified over 8 years ago

Similar presentations

Presentation on theme: "Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection Rachna Vargiya and Philip Chan Department of Computer Sciences Florida."— Presentation transcript:

1 Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection Rachna Vargiya and Philip Chan Department of Computer Sciences Florida Institute of Technology

2 Motivation Existing anomaly detection techniques rely on information derived only from the packet headers More sophisticated attacks involve the application payload Example : Code Red II worm  GET /default.ida?NNNNNNNNN… Parsing the payload is required! Problems in hand-coded parsing:  Large number of application protocols  Frequent introduction of new protocols

3 Problem Statement To parse application payload into tokens without explicit knowledge of the application protocols These tokens are later used as features for anomaly detection

4 Related work Pattern Detection - Important Tokens  Fixed Length: Forrest et al. (1998)  Variable Length: Wespi et al. (2000) Jiang et al.(2002) Boundary Detection – All Tokens  VOTING EXPERTS by Cohen et al. (2002) Boundary Entropy Frequency Binary Votes

5 Approach Boundary Finding Algorithms:  Boundary Entropy  Frequency  Augmented Expected Mutual Information  Minimum Description Length Approach is domain independent (no prior domain knowledge)

6 Combining Boundary Finding Algorithms Combination of all or a subset (E.g. Frequency + Minimum Description Length) of techniques Each algorithm can cast multiple votes, depending on confidence measure

7 Boundary Entropy (Cohen et al) Entropy at the end of each possible window is calculated Itisarainyday X ‘x’ is the byte following the current window High Entropy means more variation w

8 Voting using Boundary Entropy change graph to discrete bars Entropy in meaningful tokens starts with a high value, drops, and peaks at the end Vote for positions with the peak entropy Threshold suppresses votes for low entropy values Threshold = Average BE Itisarainyday

9 Frequency (Cohen et al) Most frequent set of tokens are assumed to be meaningful tokens Frequencies of tokens with length =1, 2, 3…., 6 Shorter tokens are inherently more frequent than longer tokens Normalize frequencies for tokens of the same length using standard deviation Boundaries are assigned at the end of most frequent token in the window arainyday Itis Frequency in window: (1)”I” = 3(2)”It” = 5 (3) “Iti” = 2 (4)”It is” = 3

10 Mutual Information (MI) Mutual Information given by: Gives us the reduction of uncertainty in presence of event ‘b’ given event ‘a’ MI does not incorporate the counter evidence when ‘a’ occurs without ‘b’ and vice versa

11 Augmented Expected Mutual Information (AEMI) AEMI sums the supporting evidence and subtracts the counter evidence For each window, the location with the minimum AEMI value suggests a boundary Itisarainyday ab

12 Minimum Description Length (MDL) Shorter code assigned to frequent tokens to minimize the overall coding length Boundary yielding shortest coding length is assigned votes Coding Length per byte:  Lg P(t i ): no of bits to encode t i  |t i |=length of t i Itisarainyday t left t right

13 Normalize scores of each algorithm Each algorithm produces list of scores Since the number of votes is proportional to the score, the scores must be normalized Each score is replaced by the number of standard deviations that the score is away from the mean value

14 Normalize votes of each algorithm Algorithms produce list of votes depending on the scores Make sure each algorithm votes with the same weight. Number of votes is replaced by the number of standard deviations from the mean value

15 I t I s s1s2s3s4 ns1ns2ns3ns4 v2v3v4v1 I t I s s1s2s3s4 ns1ns2ns3ns4 nv1 v2v3v4v1 nv1 Scores Normalized scores Votes nv1 Normalizing Scores and Votes Combined Normalized Votes

16 Combined Approach with Weighted Voting A list of votes from all the experts is gathered For each boundary, the final votes are summed A boundary is placed at a position if the votes at the position exceed threshold. Threshold = Average number of Votes

17 Evaluation Criteria Evaluation A: % of space separated words retrieved Evaluation B: % of keywords in the protocol specification that were retrieved Evaluation C: entropy of the tokens in output file (lower the better) Evaluation D: number of detected attacks in network traffic A and B only for text based protocols

18 Anomaly Detection Algorithm – LERAD (Mahoney and Chan) LERAD forms rules based on 23 attributes  First 15 attributes: from packet header  Next 8 attributes: from the payload  Example Rule: If port = 80 then word1 = “GET” Original Payload attributes: space separated tokens Our Payload attributes: Boundary separated tokens

19 Experimental Data 1999 DARPA Intrusion Detection Evaluation Data Set Week 3 :attack free (training) data Weeks 4, 5: attack containing (test) data Evaluations A, B, C (Known boundaries) : Week 3  trained: days 1 - 4  tested: days 5 – 7  Prevent gaining knowledge from Weeks 4 and 5 Evaluation D (Detected attacks)  Trained: Week 3  Tested :Weeks 4 and 5

20 Evaluation A: % of Space-Separated Tokens Recovered MethodPort# 25 Port# 80 Port# 21 Port# 79 Avg Freq+MDL5226218145.0 Frequency1516139936.0 BE + AEMI + MDL+ Freq 211451213.0 AEMI5943212.5 MDL6732510.3 BE33194.0

21 Evaluation B: % of Keywords in RFCs Recovered MethodPort#25Port#80Port#21Avg Freq+MDL40365945.0 Frequency31284033.0 BE+AEMI+ MDL+Freq 12132115.3 AEMI9525.3 MDL7614.7 BE3222.3

22 Evaluation C: Entropy of Output (Lower is Better) average across 6 ports MethodAverage Value Frequency5.0 MDL5.03 Freq+MDL5.06 BE5.25 BE + AEMI + Freq + MDL5.56 AEMI6.38

23 Ranking of Algorithms MethodEvaluation AEvaluation BEvaluation C Freq+MDL113 Frequency221 BE+AEMI+ MDL+ Freq 335 AEMI446 MDL552 BE664

24 Detection Rate for Space Separated Vs Boundary Separated (Freq + MDL) Port #10 FP/day Space Boundary 100 FP/day Space Boundary 202245 2114161417 223333 2313141314 251516 793333 8010 1113 1132222 Overall59626368 % Improvement--5 8

25 Summary of Contributions Used payload information, while most IDS concentrate on header information. Proposed AEMI + MDL for boundary detection Combined all and subset of algorithms Used weighted voting to indicate confidence Proposed techniques find boundaries better than spaces Achieved higher detection rates in an anomaly detection system

26 Future Work Further evaluation on other ports Pick more useful tokens instead of first 8 DARPA data set is partially synthetic, further evaluation on real traffic Evaluation with other Anomaly detection algorithms

27 Thank you

28 Experimental Results Table 4.3.4 Results from Additional Ports for Freq + MDL and ALL MethodEvaluation A % Words Found Evaluation B % Keywords Found Evaluation Entropy Frq+ MDL ALLFrq+ MDL ALLFrq+ MDL ALL 23137537.888.08 1154320--4.455.18 5153814--7.667.27

Download ppt "Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection Rachna Vargiya and Philip Chan Department of Computer Sciences Florida."

Similar presentations

Applications of one-class classification

Applications of one-class classification
Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.

Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.
Mustafa Cayci INFS 795 An Evaluation on Feature Selection for Text Clustering.

Mustafa Cayci INFS 795 An Evaluation on Feature Selection for Text Clustering.
Lecture 4 (week 2) Source Coding and Compression

Lecture 4 (week 2) Source Coding and Compression
Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna

Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna
Huffman code and ID3 Prof. Sin-Min Lee Department of Computer Science.

Huffman code and ID3 Prof. Sin-Min Lee Department of Computer Science.
Pete Bohman Adam Kunk.  Introduction  Related Work  System Overview  Indexing Scheme  Ranking  Evaluation  Conclusion.

Pete Bohman Adam Kunk.  Introduction  Related Work  System Overview  Indexing Scheme  Ranking  Evaluation  Conclusion.
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology

Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Service Discrimination and Audit File Reduction for Effective Intrusion Detection by Fernando Godínez (ITESM) In collaboration with Dieter Hutter (DFKI)

Service Discrimination and Audit File Reduction for Effective Intrusion Detection by Fernando Godínez (ITESM) In collaboration with Dieter Hutter (DFKI)
A Statistical Model for Domain- Independent Text Segmentation Masao Utiyama and Hitoshi Isahura Presentation by Matthew Waymost.

A Statistical Model for Domain- Independent Text Segmentation Masao Utiyama and Hitoshi Isahura Presentation by Matthew Waymost.
Multiple Criteria for Evaluating Land Cover Classification Algorithms Summary of a paper by R.S. DeFries and Jonathan Cheung-Wai Chan April, 2000 Remote.

Multiple Criteria for Evaluating Land Cover Classification Algorithms Summary of a paper by R.S. DeFries and Jonathan Cheung-Wai Chan April, 2000 Remote.
Huffman Coding: An Application of Binary Trees and Priority Queues

Huffman Coding: An Application of Binary Trees and Priority Queues
Ensemble Learning: An Introduction

Ensemble Learning: An Introduction
1 Information-Theoretic Mass Spectral Library Search Arvind Visvanathan CSCE 990 Seminar in Multi-Dimensional Chromatography Systems, Informatics, and.

1 Information-Theoretic Mass Spectral Library Search Arvind Visvanathan CSCE 990 Seminar in Multi-Dimensional Chromatography Systems, Informatics, and.
2-1 Sample Spaces and Events Conducting an experiment, in day-to-day repetitions of the measurement the results can differ slightly because of small.

2-1 Sample Spaces and Events Conducting an experiment, in day-to-day repetitions of the measurement the results can differ slightly because of small.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Fundamentals of Multimedia Chapter 7 Lossless Compression Algorithms Ze-Nian Li and Mark S. Drew 건국대학교 인터넷미디어공학부 임 창 훈.

Fundamentals of Multimedia Chapter 7 Lossless Compression Algorithms Ze-Nian Li and Mark S. Drew 건국대학교 인터넷미디어공학부 임 창 훈.
A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.

A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.
EEE377 Lecture Notes1 EEE436 DIGITAL COMMUNICATION Coding En. Mohd Nazri Mahmud MPhil (Cambridge, UK) BEng (Essex, UK) Room 2.14.

EEE377 Lecture Notes1 EEE436 DIGITAL COMMUNICATION Coding En. Mohd Nazri Mahmud MPhil (Cambridge, UK) BEng (Essex, UK) Room 2.14.

Similar presentations

Ads by Google