
DETECTING TIME-JITTERING IN A CONNECTION CHAIN

Khoa Le. Mentor: Dr. Stephen Huang, Yingwei Kuo.


Presentation Transcript


  1. DETECTING TIME-JITTERING IN A CONNECTION CHAIN. Khoa Le. Mentor: Dr. Stephen Huang, Yingwei Kuo

  2. Stepping-Stone Intrusion [Diagram; labels: M, A, B, C, D, Internet]

  3. Correlation-Based Approach [Flowchart; labels: S1, S2, Stepping-Stone Correlation, Decision (Y / N), Attack, Normal, Time Jittering, ?]

  4. Detecting Time-Jittering [Flowchart; labels: S1, S2, Time-Jittering Detection, Decision (Y / N), Stepping-Stone Correlation, Decision (N), Attack, Normal]

  5. Inter-arrival time (gaps) • The gaps between packets will change when jittering is applied. • Some gaps contract, while others expand • Resulting in different probability distributions

  6. Hypothesis • Jittered traffic seems to fit a lognormal distribution better than normal traffic does

  7. Algorithm [Flowchart with two parallel pipelines. Training Data (Non-Chaffed) and Testing Data each pass through: Distribution Parameter Estimation (MLE Algorithm) → Parameters of the Model → Distribution GOF Test (KS Test or AD Test) → Test Statistic. Training branch: Profile Building (Threshold Calculation) → Threshold. Testing branch: Threshold Testing → Jittered / Non-jittered.]

  8. Parameter Estimation • Input: • A set of observed inter-arrival times {x1, ..., xn} • The probability density function f(x) of a testing distribution model (Lognormal and Pareto distributions were used) • Least Squares, Maximum Likelihood Estimates, etc. • Output: • The estimated parameters of the testing model.

  9. Goodness of Fit (GOF) • Evaluate the “distance” (test statistic) between the data and the testing distribution • Kolmogorov-Smirnov Test, Anderson-Darling Test, etc

  10. Kolmogorov-Smirnov Test D = max(|F(x)-G(x)|)

  11. Profile Building • For every training data set, collect its test statistic. • The resulting cluster of test statistics is called the profile. • Any given traffic whose test statistic does not fall in that cluster is tagged as jittered traffic.

  12. Testing Phase [Same flowchart as slide 7.]

  13. Testing Phase • Any given traffic goes through all the same procedures • Its test statistic is then tested against the threshold

  14. Detection Rate • False Positive Rate • Falsely raise alarm when no jittering occurs • True Positive Rate • Raise alarm correctly

  15. Detection Rate Example [Figure; labels: True Negative Rate, False Negative Rate, False Positive Rate, True Positive Rate]

  16. Result • Accuracy depends on the following three factors: • The percentage of packets that are being delayed • The mean of the delaying probability distribution • The standard deviation of the distribution

  17. Jittered Rate • For a fixed mean and standard deviation, the accuracy is proportional to the jittered rate

  18. Standard Deviation • For high jittered rate, the accuracy is proportional to the standard deviation.

  19. Mean • For low jittered rate, the accuracy is proportional to the mean.

  20. Summary of My Work • Implemented the algorithm on time-jittering • Analyzed the result • Drew conclusions about the behavior of the jittering effect

  21. The End
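
The pipeline of slides 7 to 13 (MLE fit, KS statistic, profile building, threshold testing), as an added example that is not code from the presentation. Assumptions: the profile is summarised as the mean ± 4 standard deviations of the training statistics, since the slides do not give the threshold rule, and all sessions are constructed data in which exponential gaps stand in for normal traffic and lognormal gaps for jittered traffic, following the hypothesis on slide 6.

```python
import math
import random
import statistics

def lognormal_mle(gaps):
    """MLE for a lognormal: mean and population std of the log-gaps."""
    logs = [math.log(g) for g in gaps if g > 0]  # lognormal needs gaps > 0
    return statistics.fmean(logs), statistics.pstdev(logs)

def lognormal_cdf(x, mu, sigma):
    return 0.5 * (1.0 + math.erf((math.log(x) - mu) / (sigma * math.sqrt(2))))

def ks_statistic(gaps):
    """D = max|F(x) - G(x)|: F is the empirical CDF, G the fitted lognormal."""
    mu, sigma = lognormal_mle(gaps)
    xs = sorted(g for g in gaps if g > 0)
    n, d = len(xs), 0.0
    for i, x in enumerate(xs, start=1):
        g = lognormal_cdf(x, mu, sigma)
        d = max(d, i / n - g, g - (i - 1) / n)  # both sides of each ECDF step
    return d

def build_profile(training_sessions, k=4.0):
    """Summarise the cluster of training statistics as mean +/- k*std.
    The k-sigma rule is this example's assumption, not from the slides."""
    stats = [ks_statistic(s) for s in training_sessions]
    m, s = statistics.fmean(stats), statistics.stdev(stats)
    return m - k * s, m + k * s

def is_jittered(gaps, profile):
    lo, hi = profile
    return not (lo <= ks_statistic(gaps) <= hi)

# Constructed sample data (not measurements), seeded so runs are repeatable.
rng = random.Random(7)
N = 4000  # inter-arrival gaps per session

def normal_session():
    return [rng.expovariate(5.0) for _ in range(N)]

def jittered_session():
    return [rng.lognormvariate(-2.0, 0.8) for _ in range(N)]

PROFILE = build_profile([normal_session() for _ in range(20)])
HELD_OUT_NORMAL = normal_session()
SUSPECT = jittered_session()

if __name__ == "__main__":
    print(PROFILE, is_jittered(HELD_OUT_NORMAL, PROFILE), is_jittered(SUSPECT, PROFILE))
```

With this constructed data the suspect session's KS statistic falls below the profile, so it is tagged as jittered, while the held-out normal session stays inside the profile.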
