
ecs236 Winter 2007: Intrusion Detection #2: Anomaly Detection



Presentation Transcript


  1. ecs236 Winter 2007: Intrusion Detection #2: Anomaly Detection. Dr. S. Felix Wu, Computer Science Department, University of California, Davis. http://www.cs.ucdavis.edu/~wu/ sfelixwu@gmail.com ecs236 winter 2007

  2. Intrusion Detection Model (figure: input event sequence → intrusion detection, by pattern matching → results)

  3. Scalability of Detection
     • Number of signatures, amount of analysis
     • Unknown exploits/vulnerabilities

  4. Anomaly vs. Signature
     • Signature intrusion (bad things happen!!): misuse produces an observable bad effect; specify and look for bad behaviors
     • Anomaly intrusion (good things did not happen!!): we know what our normal behavior is; look for a deviation from the normal behavior and raise an early warning

  5. Reasons for "AND" (ANomaly Detection)
     • Unknown attacks (insider threat)
     • Better scalability
     • AND → target/vulnerabilities
     • SD (signature detection) → exploits

  6. Another definition… Convert our limited/partial understanding/modeling of the target system or protocol into detection heuristics (i.e., BUTTERCUP signatures).
     • Signature-based detection: predefine the signatures of anomalies; pattern matching
     • Statistics-based detection: build a statistical profile of expected behaviors; compare the behavior under test with the expected behaviors; flag significant deviation
     Based on our experience, select a set of "features" that will likely distinguish expected from unexpected behavior.

  7. What is "vulnerability"?

  8. What is "vulnerability"?
     • Signature detection: create "effective/strong/scalable" signatures
     • Anomaly detection: detect/discover "unknown vulnerabilities"

  9. AND (ANomaly Detection)
     • Unknown vulnerabilities/exploits
     • Insider attacks
     • Understand how and why these things happened
     • Understand the limits of AND from both sides

  10. What is an anomaly?

  11. Intrusion Detection Model (figure, as on slide 2: input event sequence → intrusion detection, by pattern matching → results)

  12. Anomaly Detection (figure: input event sequence → intrusion detection, by pattern matching)

  13. Input Events (SAND). For each sample of the statistic measure, X, the bins and their shares:
       (0, 1]    40%
       (1, 3]    30%
       (3, 15]   20%
       (15, +∞)  10%

  14. (figure: raw events → function F → long-term profile → quantify the anomalies → threshold control → alarm generation; caption: "But, which feature(s) to profile??")

  15. Statistic-based ANomaly Detection (SAND)
     • Choose a parameter (a random variable, hopefully without any assumption about its probability distribution)
     • Record its statistical "long-term" profile
     • Check how much, quantitatively, its short-term behavior deviates from its long-term profile
     • Set the right threshold on the deviation to raise alarms

  16. (figure: raw events → compute the deviation against the long-term profile → threshold control → alarm generation; the long-term profile is maintained under timer control: update, decay, clean)

  17. False Positive & Negative are determined by
     • the long-term profile
     • the quantitative measure of the deviation between the long-term profile and the target of detection
     • the threshold-based control

  18. Long-term Profile
     • Category, C-Training: learn the aggregate distribution of a statistic measure
     • Q Statistics, Q-Training: learn how much deviation is considered normal
     • Threshold

  19. Long-term Profile: C-Training. For each sample of the statistic measure, X:
     • k bins
     • Expected distribution P1, P2, ..., Pk, where …
     • Training time: months
     Example expected distribution:
       (0, 50]   20%
       (50, 75]  30%
       (75, 90]  40%
       (90, +∞)  10%

  20. Long-term Profile: Q-Training (1). For each sample of the statistic measure, X:
     • k bins; for each bin, the number of samples that fall into it
     • the total number of samples (…)
     • Weighted sum scheme with the fading factor
     Example short-term distribution (compare the expected distribution on slide 19):
       (0, 50]   20%
       (50, 75]  40%
       (75, 90]  20%
       (90, +∞)  20%

  21. Threshold
     • Predefined threshold
     • If Prob(Q > q) falls below the threshold, raise an alarm

  22. Long-term Profile: Q-Training (2)
     • Deviation: …
     • Example: …
     • Qmax: the largest value among all Q values

  23. Long-term Profile: Q-Training (3)
     • Q distribution: [0, Qmax) is equally divided into 31 bins and the last bin is [Qmax, +∞)
     • Distribute all Q values into the 32 bins

  24. Q-Measure
     • Deviation: …
     • Example: …
     • Qmax: the largest value among all Q values

  25. (figure)

  26. Threshold
     • Predefined threshold
     • If Prob(Q > q) falls below the threshold, raise an alarm (figure annotation: the tail of the Q distribution beyond the threshold is the false-positive region)

  27. (figure)

  28. Mathematics: many other techniques, for
     • training/learning
     • detection

  29. Statistical Profiling
     • Long-term profile: capture the long-term behavior of a particular statistic measure
     • e.g., update once per day with a half-life of 30 updates: the most recent 30 updates contribute 50%, updates 31-60 contribute 25%, and so on; the newer contributes more

  30. Statistical Pros and Cons
     • Slower to detect (averaging window)
     • Very good for unknown attacks, as long as "relevant measures" are chosen
     • Environment (protocol, user, etc.) dependency
     • Needs good choices of statistical measures
     • Statistical profiles might be hard to build
     • Thresholds might be hard to set

  31. (figure, as on slide 16: raw events → compute the deviation against the long-term profile → threshold control → alarm generation; the long-term profile is maintained under timer control: update, decay, clean)

  32. Weighted Sum Scheme
     • Problems of the sliding window scheme: keep the most recent N pieces of audit records; the required resources and computing time are O(N)
     • Assume K: number of bins; Yi: count of audit records that fall into the i-th bin; N: total number of audit records; and a fading factor
     • When Ei occurs, update …
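The pipeline of slides 15-26, 29 and 32 as runnable Python, written as an added example for this transcript (it is not the course's or TDSAM's code): C-training learns P1..Pk, a weighted-sum short-term counter with fading factor beta replaces the O(N) sliding window, Q-training collects the deviation Q over the training stream into Qmax and a 32-bin histogram, and monitoring alarms when the empirical Prob(Q > q) falls below alpha. The slides' deviation formula and weighted-sum update rule did not survive extraction, so the chi-square-style Q and the decay-then-increment update used here are assumptions; the bin edges and shares follow slide 13, the half-life check follows slide 29, and the input stream is constructed.

```python
"""SAND pipeline of slides 15-26, 29 and 32: C-training, Q-training, a
weighted-sum short-term counter with a fading factor, a 32-bin Q distribution
and an alarm when Prob(Q > q) < alpha.  Added example for this transcript, not
the course's or TDSAM's code; the deviation formula and the weighted-sum
update rule were not extracted from the slides, so both are assumptions."""
from bisect import bisect_left


def bin_of(x, edges):
    """edges=[1, 3, 15] gives slide 13's bins (0,1], (1,3], (3,15], (15,+inf)."""
    return bisect_left(edges, x)


def fading_factor(half_life):
    """Slide 29: a half-life of 30 updates makes the newest 30 carry 50%."""
    return 2.0 ** (-1.0 / half_life)


def weight_share(beta, first, last):
    """Share of the total weight held by updates first..last ago (1-based)."""
    return beta ** (first - 1) - beta ** last


class WeightedCounts:
    """Slide 32: K decayed counts Y_i and a decayed total N instead of the last
    N records, O(K) not O(N).  Assumed rule: decay all by beta, add 1 to bin i."""

    def __init__(self, k, beta):
        self.y, self.n, self.beta = [0.0] * k, 0.0, beta

    def update(self, i):
        self.y = [self.beta * v for v in self.y]
        self.n = self.beta * self.n
        self.y[i] += 1.0
        self.n += 1.0


def q_measure(counts, p):
    """Assumed chi-square style deviation sum_i (Y_i - N P_i)^2 / (N P_i): zero
    when the short-term counts match the profile; needs every P_i > 0."""
    n = counts.n
    return sum((y - n * pi) ** 2 / (n * pi) for y, pi in zip(counts.y, p))


class SAND:
    NQ = 32  # slide 23: 31 equal bins over [0, Qmax) plus the bin [Qmax, +inf)

    def __init__(self, edges, beta, alpha):
        self.edges, self.k, self.beta, self.alpha = edges, len(edges) + 1, beta, alpha
        self.p = self.qmax = self.qhist = self.short = None

    def c_train(self, samples):
        """C-training (slide 19): aggregate distribution P_1..P_k."""
        counts = [0] * self.k
        for x in samples:
            counts[bin_of(x, self.edges)] += 1
        self.p = [c / len(samples) for c in counts]

    def q_train(self, samples):
        """Q-training (slides 20-23): replay the stream, record Qmax and the
        32-bin Q histogram; the counter is left warm for monitoring."""
        self.short = WeightedCounts(self.k, self.beta)
        qs = []
        for x in samples:
            self.short.update(bin_of(x, self.edges))
            qs.append(q_measure(self.short, self.p))
        self.qmax = max(qs)
        self.qhist = [0] * self.NQ
        for q in qs:
            self.qhist[self._qbin(q)] += 1

    def _qbin(self, q):
        return self.NQ - 1 if q >= self.qmax else int(q * (self.NQ - 1) / self.qmax)

    def prob_q_greater(self, q):
        """Empirical Prob(Q > q); q's own bin counts in full (errs toward fewer alarms)."""
        return sum(self.qhist[self._qbin(q):]) / sum(self.qhist)

    def monitor(self, samples):
        """Slide 26: alarm when Prob(Q > q) < alpha; returns [(index, q), ...]."""
        alarms = []
        for i, x in enumerate(samples):
            self.short.update(bin_of(x, self.edges))
            q = q_measure(self.short, self.p)
            if self.prob_q_greater(q) < self.alpha:
                alarms.append((i, q))
        return alarms


def constructed_stream(cycles):
    """Constructed input with slide 13's shares: per 10 samples, 4 in (0,1],
    3 in (1,3], 2 in (3,15] and 1 in (15,+inf)."""
    return ([0.5] * 4 + [2.0] * 3 + [10.0] * 2 + [20.0]) * cycles


def demo():
    """Train on 2000 constructed samples, then monitor a normal continuation
    and a burst in which every sample lands in the top bin."""
    det = SAND(edges=[1, 3, 15], beta=0.9, alpha=0.01)
    train = constructed_stream(200)
    det.c_train(train)
    det.q_train(train)
    normal_alarms = det.monitor(constructed_stream(20))
    attack_alarms = det.monitor([20.0] * 50)
    return det, normal_alarms, attack_alarms
```

Running `demo()` shows the caveats behind slides 17 and 30: the largest Q values in the training histogram come from the first few events of an empty counter, not from steady-state traffic, so `q_train` leaves the short-term counter warm and `monitor` continues from it; a monitor started from an empty counter would alarm on its own cold start. The attack stream crosses Qmax within a handful of events and every later event alarms, while the normal continuation never does, because each of its Q values recurs hundreds of times in the training histogram and so never has a tail probability below alpha.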

  33. FTP Servers and Clients (figure: FTP client SHANG; FTP servers Heidelberg, NCU, SingNet, UIUC)

  34. Dropper Attacks: intentional or unintentional?? (figure: drop rate P%; Per (K,I,S); Ret (K,S); Ran (K))

  35. Periodical Packet Dropping
     • Parameters (K, I, S): K, the total number of dropped packets in a connection; I, the interval between two consecutive dropped packets; S, the position of the first dropped packet
     • Example (5, 10, 4): 5 packets dropped in total, 1 every 10 packets, starting from the 4th packet; the 4th, 14th, 24th, 34th and 44th packets will be dropped

  36. Retransmission Packet Dropping
     • Parameters (K, S): K, the number of times the packet's retransmissions are dropped; S, the position of the dropped packet
     • Example (5, 10): first drop the 10th packet, then drop the retransmissions of the 10th packet 5 times

  37. Random Packet Dropping
     • Parameter (K): K, the total number of packets to be dropped in a connection
     • Example (5): randomly drop 5 packets in a connection
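The three patterns of slides 35-37, and the session-delay effect that slide 40 compares, as an added Python example written for this transcript (not the TDSAM experiment code). It models the attack agent as a filter that sees each data packet on the path and decides whether to drop it, and a stop-and-wait sender that resends a dropped packet until it passes. Assumed, since the slides do not say: the agent's "position" counts every packet it sees, retransmissions included; a retransmission is recognised by a repeated sequence number; the delay model is a crude TCP-style exponential backoff; the 50-packet transfer and the RanPD seed are constructed.

```python
"""Dropping patterns of slides 35-37 (PerPD, RetPD, RanPD) as an attack agent
that sees every data packet and decides whether to drop it, plus a sender
that retransmits until a packet gets through.  Added example for this
transcript, not TDSAM's or the course's code.  Assumptions: the agent counts
every packet it sees (retransmissions included) as a position, recognises a
retransmission by its repeated sequence number, and the delay model is a
crude TCP-style exponential backoff."""
import random


class PerPD:
    """Periodic dropping (K, I, S): K packets, one every I, starting at S."""

    def __init__(self, k, i, s):
        self.k, self.i, self.s, self.seen, self.dropped = k, i, s, 0, 0

    def drop(self, seq):
        self.seen += 1
        due = self.seen >= self.s and (self.seen - self.s) % self.i == 0
        if self.dropped < self.k and due:
            self.dropped += 1
            return True
        return False


class RetPD:
    """Retransmission dropping (K, S): drop the S-th packet, then drop its
    retransmissions K more times."""

    def __init__(self, k, s):
        self.k, self.s, self.seen, self.target, self.dropped = k, s, 0, None, 0

    def drop(self, seq):
        self.seen += 1
        if self.seen == self.s:
            self.target = seq
            return True
        if seq == self.target and self.dropped < self.k:
            self.dropped += 1
            return True
        return False


class RanPD:
    """Random dropping (K): K positions chosen uniformly among the packets
    expected in the connection (seeded here so the run is reproducible)."""

    def __init__(self, k, expected_packets, seed=7):
        rng = random.Random(seed)
        self.positions = set(rng.sample(range(1, expected_packets + 1), k))
        self.seen = 0

    def drop(self, seq):
        self.seen += 1
        return self.seen in self.positions


def run_transfer(dropper, n_packets):
    """Stop-and-wait sender pushing packets 1..n_packets through the agent; a
    dropped packet is resent until it passes.  Returns [(seq, dropped)] in
    the order the agent saw them."""
    log = []
    for seq in range(1, n_packets + 1):
        while True:
            dropped = dropper.drop(seq)
            log.append((seq, dropped))
            if not dropped:
                break
    return log


def dropped_positions(log):
    """1-based positions, as counted by the agent, of the dropped packets."""
    return [pos for pos, (_, d) in enumerate(log, 1) if d]


def session_delay(log, rto=1.0):
    """Assumed delay model: every drop costs one RTO and back-to-back drops of
    the same packet double the RTO each time, which is why RetPD inflates the
    session delay far more than PerPD with a similar number of drops."""
    delay, backoff = 0.0, 0
    for _, dropped in log:
        if dropped:
            delay += rto * 2 ** backoff
            backoff += 1
        else:
            backoff = 0
    return delay


def demo():
    """Slide 35's PerPD(5, 10, 4) and slide 36's RetPD(5, 10) on a constructed
    50-packet transfer, plus RanPD(5) for comparison."""
    return {
        "PerPD": run_transfer(PerPD(5, 10, 4), 50),
        "RetPD": run_transfer(RetPD(5, 10), 50),
        "RanPD": run_transfer(RanPD(5, 50), 50),
    }
```

With this model PerPD(5, 10, 4) drops exactly the 4th, 14th, 24th, 34th and 44th packets the agent sees (the sequence numbers shift by one after each drop because of the retransmission) at a cost of five timeouts, while RetPD(5, 10) stalls a single packet six times in a row and, under exponential backoff, costs 63 timeouts; that asymmetry is what the Delay measure on slide 49 picks up well on RetPD and poorly on a small RanPD.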

  38. Internet Experiment Setting (figure: FTP client ↔ FTP server transferring xyz.zip, 5.5M; an attack agent on the path intercepts the data packets through a divert socket)

  39. Impacts of Packet Dropping on Session Delay (figure)

  40. Compare Impacts of Dropping Patterns (figure; PerPD with I=4, S=5; RetPD with S=5)

  41. (figure: testbed; labels: FTP server, fire, FTP client, FTP data, redwing, 152.1.75.0, congestion, bone, 172.16.0.0, UDP flood, light, 192.168.1.0, TFN target, air, TFN master, TFN agents)

  42. (figure)

  43. TDSAM Experiment Setting (figure: the setting of slide 38 with TDSAM added; FTP client ↔ FTP server over the Internet transferring xyz.zip, 5.5M; attack agent with a divert socket on the data packets; packets p1, p2, p3, p5, p4 illustrate max reordering counting)

  44. (figure)

  45. (figure)

  46. Results: Position Measure (figure)

  47. Results: Delay Measure (figure)

  48. Results: NPR Measure (figure)

  49. Results (good and bad)
     • False alarm rate: less than 10% in most cases; the highest is 17.4%
     • Detection rate
       • Position measure: good on RetPD and most PerPD; at NCU, 98.7% for PerPD(20,4,5) but 0% for PerPD(100,40,5), in which the dropped packets are evenly distributed
       • Delay measure: good on those that significantly change the session delay, e.g., RetPD and PerPD with a large value of K; at SingNet, 100% for RetPD(5,5) but 67.9% for RanPD(10)
       • NPR measure: good on those dropping many packets; at Heidelberg, 0% for RanPD(10) but 100% for RanPD(40)

  50. Performance Analysis
     • Good sites (stable and small session delay or packet reordering) correspond to a high detection rate; e.g., using the Delay measure for RanPD(10): UIUC (99.5%) > Heidelberg (74.5%) > SingNet (67.9%) > NCU (26.8%)
     • How to choose the value of nbin is site-specific; e.g., using the Position measure, the lowest false alarm rate occurs at nbin = 5 at Heidelberg (4.0%) and NCU (5.4%), at nbin = 10 at UIUC (4.5%) and at nbin = 20 at SingNet (1.6%)
