
Publication


Featured research published by Carlos Catania.


Computers & Electrical Engineering | 2012

Automatic network intrusion detection: Current techniques and open issues

Carlos Catania; Carlos García Garino

Automatic network intrusion detection has been an important research topic for the last 20 years. In that time, approaches based on signatures describing intrusive behavior have become the de-facto industry standard. Alternatively, other novel techniques have been used for improving automation of the intrusion detection process. In this regard, statistical methods, machine learning and data mining techniques have been proposed arguing higher automation capabilities than signature-based approaches. However, the majority of these novel techniques have never been deployed on real-life scenarios. The fact is that signature-based still is the most widely used strategy for automatic intrusion detection. In the present article we survey the most relevant works in the field of automatic network intrusion detection. In contrast to previous surveys, our analysis considers several features required for truly deploying each one of the reviewed approaches. This wider perspective can help us to identify the possible causes behind the lack of acceptance of novel techniques by network security experts.


Expert Systems With Applications | 2012

An autonomous labeling approach to support vector machines algorithms for network traffic anomaly detection

Carlos Catania; Facundo Bromberg; Carlos García Garino

In the past years, several support vector machines (SVM) novelty detection approaches have been applied on the network intrusion detection field. The main advantage of these approaches is that they can characterize normal traffic even when trained with datasets containing not only normal traffic but also a number of attacks. Unfortunately, these algorithms seem to be accurate only when the normal traffic vastly outnumbers the number of attacks present in the dataset, a situation which cannot always hold. This work presents an approach for autonomous labeling of normal traffic as a way of dealing with situations where class distribution does not present the imbalance required for SVM algorithms. In this case, the autonomous labeling process is made by SNORT, a misuse-based intrusion detection system. Experiments conducted on the 1998 DARPA dataset show that the use of the proposed autonomous labeling approach not only outperforms existing SVM alternatives but also, under some attack distributions, obtains improvements over SNORT itself.


IEEE Biennial Congress of Argentina | 2016

An analysis of Recurrent Neural Networks for Botnet detection behavior

Pablo Torres; Carlos Catania; Sebastian Garcia; Carlos García Garino

A Botnet can be conceived as a group of compromised computers which can be controlled remotely to execute coordinated attacks or commit fraudulent acts. The fact that Botnets keep continuously evolving means that traditional detection approaches are always one step behind. Recently, the behavior analysis of network traffic has arisen as a way to tackle the Botnet detection problem. The behavioral analysis approach aims to look at the common patterns that Botnets follow across their life cycle, trying to generalize in order to become capable of detecting unseen Botnet traffic. This work provides an analysis of the viability of Recurrent Neural Networks (RNN) to detect the behavior of network traffic by modeling it as a sequence of states that change over time. The recent success applying RNN to sequential data problems makes them a viable candidate on the task of sequence behavior analysis. The performance of a RNN is evaluated considering two main issues, the imbalance of network traffic and the optimal length of sequences. Both issues have a great impact in potentially real-life implementation. Evaluation is performed using a stratified k-fold cross validation and an independent test is conducted on not previously seen traffic belonging to a different Botnet. Preliminary results reveal that the RNN is capable of classifying the traffic with a high attack detection rate and a very small false alarm rate, which makes it a potential candidate for implementation and deployment on real-world scenarios. However, experiments exposed the fact that RNN detection models have problems for dealing with traffic behaviors not easily differentiable as well as some particular cases of imbalanced network traffic.


Proceedings of the 2017 ACM Workshop on Exploratory Search and Interactive Data Analytics | 2017

Visual Exploration of Network Hostile Behavior

Jorge Guerra; Carlos Catania; Eduardo E. Veas

This paper presents a graphical interface to identify hostile behavior in network logs. The problem of identifying and labeling hostile behavior is well known in the network security community. There is a lack of labeled datasets, which make it difficult to deploy automated methods or to test the performance of manual ones. We describe the process of searching and identifying hostile behavior with a graphical tool derived from an open source Intrusion Prevention System, which graphically encodes features of network connections from a log-file. A design study with two network security experts illustrates the workflow of searching for patterns descriptive of unwanted behavior and labeling occurrences therewith.


Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications | 2013

Towards reducing human effort in network intrusion detection

Carlos Catania; Carlos García Garino

Machine learning has been one of the most considered techniques for achieving automatic intrusion detection. Although many of these machine learning approaches have achieved the goal of getting high accuracy levels in a more automatic way, the fact is that only a few of them have actually been deployed on real life scenarios. This could be explained if we take into consideration that some of the assumptions on which these techniques rely do not easily hold. Moreover, ensuring such assumptions demands a lot of work from security experts, which is precisely what they wanted to avoid. It seems that most of current intrusion detection approaches have focused on obtaining high detection accuracy, leaving aside the goal of reducing human interaction during the intrusion detection process. In this work we propose a prototype for a Network Intrusion Detection System (NIDS) based on machine learning techniques. In opposition to other approaches, we focused on reducing the human effort in the generation of the network traffic model and further adjustments, while keeping accuracy within acceptable levels. The prototype relies on hybrid detection and evolutionary summarizing schemes. The viability of the two schemes has been confirmed through experiments considering different attack distributions and types.


3rd International Conference on Geographical Information Systems Theory, Applications and Management, GISTAM 2017 | 2017

Model Validation of an Open-source Framework for Post-processing INS/GNSS Systems

Rodrigo Gonzalez; Carlos Catania; Paolo Dabove; Juan Carlos Taffernaberry; Marco Piras

The development of new approaches in the GIS research community may require the use of a computational tool to post-process GNSS and inertial sensors data in order to get more accurate position, velocity, and orientation angles (attitude) information. An open-source framework for simulating integrated navigation systems (INS/GNSS) called NaveGo has been developed using MATLAB/GNU Octave and is freely available on-line. Although preliminary tests have shown that NaveGo appears to work properly, a deep examination must be carried out to confirm that this framework is an adequate tool for post-processing INS/GNSS information. The main goal of this work is to produce a validation methodology to show that NaveGo mathematical model works within its specifications. Firstly, static measurements from inertial sensors are processed and analysed by NaveGo applying the Allan variance for profiling typical errors. Some details of Allan variance procedure are exhibited. Then, performances of NaveGo and Inertial Explorer, a closed-source commercial package software for INS/GNSS integration, are compared for a real-world trajectory. It is statistically concluded that NaveGo presents close accuracy to Inertial Explorer for attitude and position. Consequently, it is demonstrated that NaveGo is a useful INS/GNSS post-processing framework that can be used in GIS applications.


IEEE Biennial Congress of Argentina | 2016

Detecting DGA malware traffic through behavioral models

María José Erquiaga; Carlos Catania; Sebastián García

Some botnets use special algorithms to generate the domain names they need to connect to their command and control servers. They are referred to as Domain Generation Algorithms. Domain Generation Algorithms generate domain names and try to resolve their IP addresses. If the domain has an IP address, it is used to connect to that command and control server. Otherwise, the DGA generates a new domain and keeps trying to connect. In both cases it is possible to capture and analyze the special behavior shown by those DNS packets in the network. The behavior of Domain Generation Algorithms is difficult to automatically detect because each domain is usually randomly generated and therefore unpredictable. Hence, it is challenging to separate the DNS traffic generated by malware from the DNS traffic generated by normal computers. In this work we analyze the use of behavioral detection approaches based on Markov Models to differentiate Domain Generation Algorithms traffic from normal DNS traffic. The evaluation methodology of our detection models has focused on a real-time approach based on the use of time windows for reporting the alerts. All the detection models have shown a clear differentiation between normal and malicious DNS traffic and most have also shown a good detection rate. We believe this work is a further step in using behavioral models for network detection and we hope to facilitate the development of more general and better behavioral detection methods of malware traffic.


XVIII Congreso Argentino de Ciencias de la Computación | 2012

An analysis of network traffic characteristics for Botnet detection

María José Erquiaga; Carlos Catania; Carlos García Garino


Inteligencia Artificial, Revista Iberoamericana de Inteligencia Artificial | 2008

Network traffic pattern recognition based on genetic algorithms

Carlos Catania; Carlos García Garino


IEEE/ION Position, Location and Navigation Symposium | 2018

A statistical approach for optimal order adjustment of a moving average filter

Rodrigo Gonzalez; Carlos Catania

Collaboration


Dive into Carlos Catania's collaborations.

Top Co-Authors

Elina Pacini

National University of Cuyo

Jorge Guerra

National University of Cuyo

Pierre Collet

University of Strasbourg

David A. Monge

National University of Cuyo

Facundo Bromberg

National Scientific and Technical Research Council

Francisco Javier Díaz

National University of La Plata

Pablo Godoy

National University of Cuyo
