Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering.

Published byClaud McDonald Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering."— Presentation transcript:

1 Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science University of Arizona 1 IEEE GLOBECOM 2014December 10, 2014

2 2 Network Anomalies

3 3 Characteristics of Network Anomalies AnomalyCharacteristicsVariations in DDoS(D) DoS against a single victim Number of packets and number of flows AlphaUnusually high rate point to point byte transfer Number of packets and volume ScanScanning a host for a vulnerable port (port scan) Scanning the network for a target port (network scan) Incoming flows to a host:port Incoming flows to a port number Examples

4 Deep packet inspection scalability problem in terms of computational and storage capacity Deep packet inspection scalability problem in terms of computational and storage capacity Anomaly detection Flow aggregation techniques merge multiple flow records with similar properties, and discarding benign flows summarize IP flows to statistical metrics – reduce the amount of state and history information that is maintained At IP flow level: computation and storage requirements for an online NIDS can still be prohibitively large Flow aggregation techniques merge multiple flow records with similar properties, and discarding benign flows summarize IP flows to statistical metrics – reduce the amount of state and history information that is maintained At IP flow level: computation and storage requirements for an online NIDS can still be prohibitively large 4

5 To reduce communication and storage overheads – By exploiting the organization of the IP space to Autonomous Systems (ASes) To detect large-scale network threats that create substantial deviations in network activity compared with benign network conditions To reduce communication and storage overheads – By exploiting the organization of the IP space to Autonomous Systems (ASes) To detect large-scale network threats that create substantial deviations in network activity compared with benign network conditions Our Goals 5

6 Outline System design Case Study Conclusion and future work 6

7 7 AS level anomalies at a monitored network

8 8 Methodology 1 1 3 3 4 4 5 5 2 2

9 9 – IP-to-AS Flow Translation Aggregate IP flows to AS flows Aggregate IP flows to AS flows Each AS flow: -Number of IP flows -Number of IP packets -Volume (Bytes) Each AS flow: -Number of IP flows -Number of IP packets -Volume (Bytes) 1 1

10 10 – Metrics for data aggregation Different anomalies affect different network flow parameters During aggregation period A: 1. Packet count (N): number of packets associated with the AS flow 2. Traffic volume (V): traffic volume associated with the AS flow 3. IP Flow count (IP): number of IP flows associated with the AS flow 4. AS Flow count (F): The number of AS flows that are active.Flows from spoofed IP addresses (network/16) are aggregated as a flow from Fake AS nodes.Flows from ASes not contacted before could be an anomalous event.Flows from spoofed IP addresses (network/16) are aggregated as a flow from Fake AS nodes.Flows from ASes not contacted before could be an anomalous event 2 2

11 11 – Data aggregation Training Phase: intervals I 1,...,I m. Traffic for each of the m intervals is represented by the same model. Training Phase: intervals I 1,...,I m. Traffic for each of the m intervals is represented by the same model. Online Phase: traffic model for the online phase is computed over an epoch, which is shorter than an interval. Collect k samples for each metric using the aggregate values over k aggregation periods Online Phase: traffic model for the online phase is computed over an epoch, which is shorter than an interval. Collect k samples for each metric using the aggregate values over k aggregation periods 2b

12 12 – Statistical Analysis For every AS flow, and every metric: 3 3

13 13 – Statistical Analysis pmf X D Training data Real-time data where (KL(P,Q) if the Kullback-Liebler divergence Jeffrey distance Measure statistical divergence 3b

14 14 – Statistical Analysis Distances are normalized to ensure equal distance scales when multiple metrics are combined to one Value that fall in the 95 th percentile of historical distance for metric i accumulated over moving window W 3c

15 15 – Composite Metrics To capture the multi-dimensional nature of network behaviors, composite metrics combine several basic metrics 4 4 Weights could be adjusted to favor a subset of metrics, depending on the nature of the anomaly to be detected. weighting formula among the different metrics Foreach Epoch Ci > Threshold? Alert abnormal behavior Foreach Epoch Ci > Threshold? Alert abnormal behavior

16 16 - Training data update Moving window mechanism for maintaining the training data 5 5 D(E,W) < Threshold Update D(E,W) < Threshold Update

17 17 Case study MIT LLS DDOS 1.0 intrusion dataset which simulates several DoS attacks and background traffic. Anomaly in AS A Anomaly in AS B

18 18 Volumetric analysis – no AS distinction Anomaly in AS C

19 Example of use with IMap Fowler, J; Johnson, T; Simonetto,P; Lazos, P; Kobourov, S.; Schneider, M. and Acedo, C. IMap: Visualizing Network Activity over Internet Maps, Vizsec 2014. Anomaly scores per AS 19

20 Conclusions & Future work NIDS based on AS flow aggregates. Reduction in storage and computation overhead Basic network anomaly detection metrics are adapted to the AS domain Composite metrics of network activity combine several basic metrics New basic metric that counts the number of AS flows for detecting anomalous events NIDS based on AS flow aggregates. Reduction in storage and computation overhead Basic network anomaly detection metrics are adapted to the AS domain Composite metrics of network activity combine several basic metrics New basic metric that counts the number of AS flows for detecting anomalous events 20 Work supported by Office of Naval Research under Contract N00014-11-D-0033/0002  Formal study on composite metrics targeting known anomalies

21 Thank you! http://www.cs.arizona.edu/~thienne NETVUE website: http://netvue.cs.arizona.edu/ 21 IEEE GLOBECOM 2014December 10, 2014

Download ppt "Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering."

Similar presentations

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.

A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Detecting P2P Traffic from the P2P Flow Graph Jonghyun Kim Khushboo Shah Stephen Bohacek Electrical and Computer Engineering.

Detecting P2P Traffic from the P2P Flow Graph Jonghyun Kim Khushboo Shah Stephen Bohacek Electrical and Computer Engineering.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Observed Structure of Addresses in IP Traffic CSCI 780, Fall 2005.

Observed Structure of Addresses in IP Traffic CSCI 780, Fall 2005.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
12/6/2010CS 591 - Andrew Bates - UCCS1 Intrusion Detection and Advanced Persistent Threats CS 591 Andrew Bates University of Colorado at Colorado Springs.

12/6/2010CS Andrew Bates - UCCS1 Intrusion Detection and Advanced Persistent Threats CS 591 Andrew Bates University of Colorado at Colorado Springs.
ANOMALY DETECTION AND CHARACTERIZATION: LEARNING AND EXPERIANCE YAN CHEN – MATT MODAFF – AARON BEACH.

ANOMALY DETECTION AND CHARACTERIZATION: LEARNING AND EXPERIANCE YAN CHEN – MATT MODAFF – AARON BEACH.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.
Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL.

Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.

A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.

Similar presentations

Ads by Google