A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic
A Dissertation by Matthew V. Mahoney
Major Advisor: Philip K. Chan
Overview
Related work in intrusion detection
Approach
Experimental results
Simulated network
Real background traffic
Related work, classified by detection method and data source:

Method     Host data                 Network data
Signature  System audit logs         Firewalls, SNORT, Bro
Anomaly    User models (audit logs)  SPADE, ADAM, eBayes
                                     (network protocol anomaly detection models)
Problem Statement
Detect (not prevent) attacks in network traffic
No prior knowledge of attack characteristics
Training (no known attacks) -> Model of normal traffic -> IDS -> Alarms
Approach
1. Protocol modeling
2. Time-based modeling for bursty traffic
3. Rule learning
4. Continuous modeling
5. Removing simulation artifacts
Attack     Description                                How detected                       Category
Teardrop   Overlapping IP fragments crash the target  Unusual IP fragments feature       Evasion
ARPpoison  Forged replies to ARP-who-has              Victim symptoms (interrupted TCP)
Time-Based Model
If port = 25 then word1 = HELO or EHLO
Anomaly: any value never seen in training
Score = tn/r
t = time since last anomaly for this rule
n = number of training instances (port = 25)
r = number of allowed values (2)
Example
Training = AAAABBBBAA
Test = AACCC
C is an anomaly
r/n = average rate of training anomalies =
2/10 (first A and first B)
t = time since last anomaly = 9, 1, 1
Score (C) = tn/r = 45, 5, 5
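The example above can be sketched in code. A minimal sketch (function name is my own; off-by-one conventions for measuring t differ between descriptions, so the first C's score here comes out 40 rather than the 45 shown above):

```python
def tnr_scores(train, test):
    """Score a test stream with the tn/r anomaly score:
    n = number of training instances, r = number of distinct values
    seen in training, t = time (in instances) since the last anomaly.
    Values already seen in training score 0."""
    seen = set()
    last_anomaly = 0
    clock = 0
    for v in train:                 # training: novel values are anomalies too
        clock += 1
        if v not in seen:
            seen.add(v)
            last_anomaly = clock
    n, r = len(train), len(seen)
    scores = []
    for v in test:
        clock += 1
        if v in seen:
            scores.append(0.0)
        else:                       # anomaly: score tn/r, reset the clock
            t = clock - last_anomaly
            scores.append(t * n / r)
            last_anomaly = clock
    return scores

scores = tnr_scores("AAAABBBBAA", "AACCC")
# -> [0.0, 0.0, 40.0, 5.0, 5.0]
```

With this counting the two A's score 0, the first C scores highest (t builds up during the long anomaly-free run), and repeated C's fall to n/r = 5, matching the slide's pattern of 45, 5, 5 up to the t convention.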
Port  Word1  Word2        Word3
80    GET    HTTP/1.0
80    GET    /index.html  HTTP/1.0
Port  Word1  Word2        Word3
25    HELO   pascal
80    GET    HTTP/1.0
80    GET    /index.html  HTTP/1.0
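Conditional rules like "if port = 25 then word1 = HELO or EHLO" are learned from samples such as these. A hedged sketch in this spirit (single-attribute antecedents only; names and the simplified candidate generation are my own, not Mahoney's exact LERAD algorithm):

```python
from collections import defaultdict

def learn_rules(samples, target="word1"):
    """Propose rules 'if attr = value then target in allowed' from training
    samples (dicts), recording each rule's n (matching instances) and its
    allowed value set (r = len(allowed)); a high n/r means a tight rule."""
    stats = defaultdict(lambda: {"n": 0, "allowed": set()})
    for s in samples:
        for attr, value in s.items():
            if attr == target:
                continue
            stats[(attr, value)]["n"] += 1
            stats[(attr, value)]["allowed"].add(s[target])
    return {k: (v["n"], frozenset(v["allowed"])) for k, v in stats.items()}

# toy training set mirroring the table above
samples = [
    {"port": 25, "word1": "HELO", "word2": "pascal"},
    {"port": 80, "word1": "GET", "word2": "HTTP/1.0"},
    {"port": 80, "word1": "GET", "word2": "/index.html"},
]
rules = learn_rules(samples)
# rules[("port", 80)] == (2, frozenset({"GET"}))  -> n/r = 2/1
```

Any test instance whose word1 falls outside the allowed set of a matching rule would then be scored with tn/r.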
Train -> Validate -> Test (or Train -> Test, with no validation step)
Implementation

Model   Data            Conditions    Validation  Score
PHAD    Packet headers  None          No          tn/r
ALAD    TCP streams     Server, port  No          tn/r
LERAD   TCP streams     Learned       Yes         tn/r
NETAD   Packet bytes    Protocol      Yes         tn/r + ti/fi
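The Conditions column is the main difference between these systems. A minimal sketch of conditioned n/r statistics (names are my own; ALAD-style per-port grouping, with PHAD's unconditioned model as the degenerate case):

```python
from collections import defaultdict

def fit_conditional(train, key):
    """Collect n and the allowed-value set separately per condition
    (e.g. per destination port, as ALAD does). key(record) extracts the
    condition; key = lambda r: None gives PHAD-style global statistics."""
    stats = defaultdict(lambda: [0, set()])   # condition -> [n, allowed]
    for record, value in train:
        s = stats[key(record)]
        s[0] += 1
        s[1].add(value)
    return stats

# toy training data: (record, observed first word) pairs
train = [({"port": 25}, "HELO"), ({"port": 25}, "EHLO"),
         ({"port": 80}, "GET"), ({"port": 80}, "GET")]
per_port = fit_conditional(train, key=lambda r: r["port"])
# port 25: n=2, r=2; port 80: n=2, r=1
```

Conditioning trades generality for precision: per-port models tolerate HELO on port 25 without also allowing it on port 80.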
(Test bed diagram: IDS monitoring victim hosts SunOS, Solaris, Linux, WinNT)
Unlikely Detections
Attacks on public servers (web, mail,
DNS) detected by source address
Application server attacks detected by
packet header fields
U2R (user to root) detected by FTP upload
(Mixed-traffic diagram: real and simulated traffic over time, with attacks; Internet traffic, simulated and real, feeds the IDS monitoring victim hosts SunOS, Solaris, Linux, WinNT)
Results Summary
Original 1999 evaluation: 40-55% detected
at 10 false alarms per day
NETAD (excluding U2R): 75%
Mixed traffic: LERAD + NETAD: 30%
At 50 FA/day: NETAD: 47%
Contributions
1. Protocol modeling
2. Time-based modeling for bursty traffic
3. Rule learning
4. Continuous modeling
5. Removing simulation artifacts
Limitations
False alarms: unusual data is not always hostile
Rule learning requires 2 passes (not continuous)
Tests with real traffic are not reproducible
(privacy concerns)
Unlabeled attacks in real traffic
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir
Future Work
Modify rule learning for continuous traffic
Add other attributes
User feedback (should this anomaly be
added to the model?)
Test with real attacks
Acknowledgments
Philip K. Chan: directing research
Advisors: Ryan Stansifer, Kamel Rekab, James Whittaker
Ongoing work
Gaurav Tandon: host-based detection using LERAD (system call arguments)
Rachna Vargiya: parsing application payload
Hyoung Rae Kim: payload lexical/semantic analysis
Muhammad Arshad: outlier detection in network traffic