Publication
Featured research published by João B. D. Cabrera.
Integrated Network Management | 2001
João B. D. Cabrera; Lundy Lewis; Xinzhou Qin; Wenke Lee; R.K. Prasanth; B. Ravichandran; R.K. Mehra
We propose a methodology for utilizing network management systems for the early detection of distributed denial of service (DDoS) attacks. Although there are quite a large number of events that precede an attack (e.g. suspicious log-ons, start of processes, addition of new files, sudden shifts in traffic, etc.), in this work we depend solely on information from MIB (management information base) traffic variables collected from the systems participating in the attack. Three types of DDoS attacks were effected on a research test bed, and MIB variables were recorded. Using these datasets, we show how there are indeed MIB-based precursors of DDoS attacks that render it possible to detect them before the target is shut down. Most importantly, we describe how the relevant MIB variables at the attacker can be extracted automatically using statistical tests for causality. It is shown that statistical tests applied to the time series of MIB traffic at the target and the attacker are effective in extracting the correct variables for monitoring in the attacker machine. Following the extraction of these key variables at the attacker, it is shown that an anomaly detection scheme, based on a simple model of the normal rate of change of the key MIBs, can be used to determine statistical signatures of attacking behavior. These observations suggest the possibility of an entirely automated procedure centered on network management systems for detecting precursors of distributed denial of service attacks, and responding to them.
Information Fusion | 2008
João B. D. Cabrera; Carlos Gutiérrez; Raman K. Mehra
This paper examines the problem of distributed intrusion detection in Mobile Ad-Hoc Networks (MANETs), utilizing ensemble methods. A three-level hierarchical system for data collection, processing and transmission is described. Local IDSs (intrusion detection systems) are attached to each node of the MANET, collecting raw data of network operation, and computing a local anomaly index measuring the mismatch between the current node operation and a baseline of normal operation. Anomaly indexes from nodes belonging to a cluster are periodically transmitted to a cluster head, which averages the node indexes, producing a cluster-level anomaly index. Cluster heads periodically transmit these cluster-level anomaly indexes to a manager, which averages them. On the theoretical side, we show that averaging improves detection rates under very mild conditions concerning the distributions of the anomaly indexes of the normal class and the anomalous class. On the practical side, the paper describes clustering algorithms to update cluster centers and machine learning algorithms for computing the local anomaly indexes. The complete suite of algorithms was implemented and tested, under two types of MANET routing protocols and two types of attacks against the routing infrastructure. Performance evaluation was effected by determining the receiver operating characteristics (ROC) curves and the corresponding area under the ROC curve (AUC) metrics for various operational conditions. The overall results confirm the theoretical developments related to the benefits of averaging, with detection accuracy improving as we move up in the node-cluster-manager hierarchy.
International Conference on Management of Data | 2001
João B. D. Cabrera; Lundy Lewis; Raman K. Mehra
This paper investigates the use of sequences of system calls for classifying intrusions and faults induced by privileged processes in Unix. Classification is an essential capability for responding to an anomaly (attack or fault), since it gives the ability to associate appropriate responses to each anomaly type. Previous work using the well known dataset from the University of New Mexico (UNM) has demonstrated the usefulness of monitoring sequences of system calls for detecting anomalies induced by processes corresponding to several Unix Programs, such as sendmail, lpr, ftp, etc. Specifically, previous work has shown that the Anomaly Count of a running process, i.e., the number of sequences spawned by the process which are not found in the corresponding dictionary of normal activity for the Program, is a valuable feature for anomaly detection. To achieve Classification, in this paper we introduce the concept of Anomaly Dictionaries, which are the sets of anomalous sequences for each type of anomaly. It is verified that Anomaly Dictionaries for the UNM's sendmail Program have very little overlap, and can be effectively used for Anomaly Classification. The sequences in the Anomaly Dictionaries enable a description of Self for the Anomalies, analogous to the definition of Self for Privileged Programs given by the Normal Dictionaries. The dependence of Classification Accuracy on sequence length is also discussed. As a side result, it is also shown that a hybrid scheme, combining the proposed classification strategy with the original Anomaly Counts, can lead to a substantial improvement in the overall detection rates for the sendmail dataset. The methodology proposed is rather general, and can be applied to any situation where sequences of symbols provide an effective characterization of a phenomenon.
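The Anomaly Count and Anomaly Dictionary mechanics described in this abstract, as an added Python illustration that is not code from the paper and does not use the UNM sendmail data: every trace below is a constructed toy sequence of system-call names, the window length k=3 and the two anomaly-type labels are arbitrary choices, and the hybrid rule (the Anomaly Count raises the alarm, then the Anomaly Dictionary with the most sequences in common names the type) is one straightforward reading of the abstract.

```python
# Added illustration of Normal/Anomaly Dictionaries over system-call sequences.
# Not code from the paper; traces are constructed toy data, not UNM sendmail traces.

K = 3  # sequence (window) length, an arbitrary choice for the illustration

def windows(trace, k=K):
    """All sequences of k consecutive system calls in a trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_normal_dictionary(traces, k=K):
    """Normal Dictionary: every length-k sequence observed while the program ran normally."""
    normal = set()
    for t in traces:
        normal.update(windows(t, k))
    return normal

def anomalous_windows(trace, normal, k=K):
    """Sequences of the trace that are absent from the Normal Dictionary."""
    return [w for w in windows(trace, k) if w not in normal]

def anomaly_count(trace, normal, k=K):
    """Anomaly Count: number of sequences spawned by the trace not found in the Normal Dictionary."""
    return len(anomalous_windows(trace, normal, k))

def build_anomaly_dictionaries(labelled_traces, normal, k=K):
    """Anomaly Dictionary per anomaly type: the anomalous sequences its training traces produced."""
    dicts = {}
    for label, traces in labelled_traces.items():
        d = set()
        for t in traces:
            d.update(anomalous_windows(t, normal, k))
        dicts[label] = d
    return dicts

def jaccard(a, b):
    """Overlap between two dictionaries (0.0 = disjoint); little overlap is what makes classification reliable."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def classify(trace, normal, dicts, k=K, threshold=1):
    """Hybrid scheme: the Anomaly Count decides whether to alarm (count >= threshold);
    the Anomaly Dictionary sharing the most sequences with the trace names the anomaly type."""
    if anomaly_count(trace, normal, k) < threshold:
        return "normal"
    seen = set(anomalous_windows(trace, normal, k))
    scores = {label: len(seen & d) for label, d in dicts.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"

# Constructed traces (system-call names only; not real program traces).
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["stat", "open", "read", "close"],
    ["open", "read", "write", "write", "close"],
]
LABELLED_TRACES = {
    "intrusion": [
        ["open", "read", "execve", "setuid", "dup2", "close"],
        ["open", "execve", "setuid", "dup2", "write"],
    ],
    "fault": [
        ["open", "read", "read", "read", "sigreturn", "exit"],
        ["stat", "open", "read", "sigreturn", "exit"],
    ],
}
NORMAL_DICT = build_normal_dictionary(NORMAL_TRACES)
ANOMALY_DICTS = build_anomaly_dictionaries(LABELLED_TRACES, NORMAL_DICT)

if __name__ == "__main__":
    print("normal dictionary size:", len(NORMAL_DICT))
    print("intrusion/fault overlap:", jaccard(ANOMALY_DICTS["intrusion"], ANOMALY_DICTS["fault"]))
    for trace in (["open", "read", "read", "write", "write", "close"],
                  ["stat", "open", "read", "execve", "setuid", "dup2", "close"],
                  ["open", "read", "read", "read", "read", "sigreturn", "exit"],
                  ["open", "read", "write", "fork", "fork", "close"]):
        print(anomaly_count(trace, NORMAL_DICT), classify(trace, NORMAL_DICT, ANOMALY_DICTS))
```

A trace whose anomalous sequences fall in neither dictionary is reported as "unknown" rather than forced into a known class; in a deployment that is the case worth routing to an analyst, since it is either a new anomaly type or a gap in the Normal Dictionary.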
Journal of Network and Systems Management | 2002
João B. D. Cabrera; Lundy Lewis; Xinzhou Qin; Wenke Lee; Raman K. Mehra
Little or no integration exists today between Intrusion Detection Systems (IDSs) and SNMP-based Network Management Systems (NMSs), in spite of the extensive monitoring and alarming capabilities offered by commercial NMSs. This difficulty is mainly associated with the distinct data sources used by the two systems: packet traffic and audit records for IDSs and SNMP MIB variables for NMSs. In this paper we propose and evaluate a methodology for utilizing NMSs for the early detection of Distributed Denial of Service attacks (DDoS). A principled approach is described for discovering precursors to DDoS attacks in databases formed by MIB variables recorded from multiple domains in networked information systems. The approach is rooted in time series quantization, and in the application of the Granger Causality Test of classical statistics for selecting variables that are likely to contain precursors. A methodology is proposed for discovering precursor rules from databases containing time series related to different regimes of a system. These precursor rules relate precursor events extracted from input time series with phenomenon events extracted from output time series. Using MIB datasets collected from real experiments involving Distributed Denial of Service Attacks, it is shown that precursor rules relating activities at attacking machines with traffic floods at target machines can be extracted by the methodology. The technology has extensive applications for security management: it enables security analysts to better understand the evolution of complex computer attacks, it can be used to trigger alarms indicating that an attack is imminent, or it can be used to reduce the false alarm rates of conventional IDSs.
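The precursor-selection step shared by this abstract and the 2001 Integrated Network Management abstract above, the Granger Causality Test applied to MIB time series at the attacker and the target, as an added Python example that is not code from either paper: the two attacker-side counters and the target's inbound rate are constructed, baseline-subtracted series (the MIB-II object names serve only as labels), the lag order p=3 and the model coefficients are arbitrary, and the F statistic is computed from restricted and unrestricted least-squares fits written out in full. The time series quantization the abstract mentions is left out; the test runs on the raw series.

```python
# Added illustration of precursor selection with the Granger Causality Test.
# Not code from the papers: the MIB series are constructed, p=3 and the 0.8/0.3
# coefficients are arbitrary, and the F statistic is computed from scratch.
import random

def lagged_design(y, xs, p):
    """Regression rows for t = p..T-1: [1, y_{t-1..t-p}, then p lags of each x]."""
    rows, targets = [], []
    for t in range(p, len(y)):
        row = [1.0] + [y[t - i] for i in range(1, p + 1)]
        for x in xs:
            row += [x[t - i] for i in range(1, p + 1)]
        rows.append(row)
        targets.append(y[t])
    return rows, targets

def solve(A, b):
    """Solve A.beta = b by Gauss-Jordan elimination with partial pivoting (small systems)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    return [M[i][n] / M[i][i] for i in range(n)]

def ols_rss(rows, targets):
    """Residual sum of squares of the least-squares fit, via the normal equations."""
    k = len(rows[0])
    A = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    b = [sum(r[i] * t for r, t in zip(rows, targets)) for i in range(k)]
    beta = solve(A, b)
    return sum((t - sum(bi * ri for bi, ri in zip(beta, r))) ** 2
               for r, t in zip(rows, targets))

def granger_f(y, x, p=3):
    """F statistic for 'x Granger-causes y': how much p lags of x reduce the
    residual error beyond what p lags of y already explain."""
    rows_r, targets = lagged_design(y, [], p)     # restricted: y on its own past
    rows_u, _ = lagged_design(y, [x], p)          # unrestricted: plus the past of x
    rss_r, rss_u = ols_rss(rows_r, targets), ols_rss(rows_u, targets)
    n = len(targets)
    return ((rss_r - rss_u) / p) / (rss_u / (n - 2 * p - 1))

def rank_precursors(target, candidates, p=3):
    """Order candidate MIB variables by the strength of evidence that they lead the target."""
    scored = [(name, granger_f(target, series, p)) for name, series in candidates.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)

def constructed_mib_series(n=300, onset=150, seed=3):
    """Constructed sample: two attacker-side counters and the target's inbound rate,
    all as baseline-subtracted per-interval rates. From `onset` on the attacker's UDP
    output jumps; the target's inbound traffic follows two samples later.
    tcpOutSegs is unrelated noise and plays the decoy."""
    rng = random.Random(seed)
    udp = [rng.gauss(0, 1) + (5.0 if t >= onset else 0.0) for t in range(n)]
    tcp = [rng.gauss(0, 1) for _ in range(n)]
    target = [0.0] * n
    for t in range(n):
        prev = target[t - 1] if t > 0 else 0.0
        lag2 = udp[t - 2] if t >= 2 else 0.0
        target[t] = 0.3 * prev + 0.8 * lag2 + rng.gauss(0, 1)
    return {"udpOutDatagrams": udp, "tcpOutSegs": tcp}, target

if __name__ == "__main__":
    candidates, target = constructed_mib_series()
    for name, f in rank_precursors(target, candidates):
        print(f"{name:16s} F = {f:8.2f}")
```

The ranking, not the absolute F value, is what the selection step uses: the variable whose lagged values explain the target's traffic far better than the target's own history is the one worth monitoring at the attacking host, and a decoy with no lead relationship lands near the F value expected under the null hypothesis.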
Military Communications Conference | 2005
João B. D. Cabrera; C. Gutierrez; Raman K. Mehra
This paper addresses one aspect of the problem of defending mobile ad-hoc networks (MANETs) against computer attacks, namely, the development of a distributed anomaly-based intrusion detection system. In a general sense, the proposed system is a co-located sensor network, in which the monitored variable is the health of the network being monitored. A three-level hierarchical system for data collection, processing and transmission is described. Local IDSs (intrusion detection systems) are attached to each node of the MANET, collecting raw data of network operation, and computing a local anomaly index measuring the difference between the current node operation and a baseline of normal operation. Anomaly indexes from nodes belonging to a cluster are periodically transmitted to a cluster head, which fuses the node indexes, producing a cluster-level anomaly index. Likewise, cluster heads periodically transmit these cluster-level anomaly indexes to a manager node, which fuses the cluster-level indexes into a network-level anomaly index. Due to network mobility, cluster membership and cluster heads are time varying. The paper describes: (1) clustering algorithms to update cluster centers; (2) machine learning algorithms for computing the local anomaly indexes; (3) a statistical scheme for fusing the anomaly indexes at the cluster heads and at the manager. The statistical scheme is formally shown to increase detection accuracy under idealized assumptions. These algorithms were implemented and tested under the following conditions. Routing schemes: AODV (ad-hoc on demand distance vector routing) and OLSR (optimized link state routing); mobility patterns: random walk mobility model and reference point group mobility at various speeds; types of attacks: traffic flooding denial-of-service and black hole. For performance evaluation we determined the ROC (receiver operating characteristics) for various operational conditions at the nodes, cluster heads and manager. The overall results confirm the effectiveness of the infrastructures and algorithms described in the paper, with detection accuracy generally improving as we move up in the hierarchy, i.e. detection accuracy at the cluster level is higher than at local level, while network-level detection outperforms cluster-level detection.
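The node / cluster-head / manager fusion described in this abstract and in the 2008 Information Fusion abstract above, as an added Python simulation that is not the papers' code: the local anomaly indexes are drawn from a constructed model (normal operation gives an index ~ N(0,1); an attack shifts every node's index by the same amount), cluster sizes, trial count and seed are arbitrary, fusion is the plain averaging of the 2008 abstract, and the AUC at each level is computed from ranks. Under this model the AUC rises from node to cluster to manager, which is the effect both abstracts attribute to fusing the indexes.

```python
# Added illustration of hierarchical fusion of anomaly indexes and its effect on AUC.
# Not code from the papers: indexes come from a constructed Gaussian model, and the
# cluster layout, trial count and seed are arbitrary.
import random

CLUSTERS = 3           # clusters in the simulated MANET
NODES_PER_CLUSTER = 3  # nodes reporting to each cluster head

def local_indexes(rng, attack, shift=0.5):
    """One reporting period: a local anomaly index per node, grouped by cluster.
    Constructed model: normal ~ N(0,1); under attack every node's mean moves up by `shift`."""
    mean = shift if attack else 0.0
    return [[rng.gauss(mean, 1.0) for _ in range(NODES_PER_CLUSTER)]
            for _ in range(CLUSTERS)]

def fuse(node_indexes):
    """Cluster heads average their nodes' indexes; the manager averages the cluster-level indexes."""
    cluster_level = [sum(c) / len(c) for c in node_indexes]
    network_level = sum(cluster_level) / len(cluster_level)
    return cluster_level, network_level

def auc(anomalous, normal):
    """Area under the ROC curve = P(index under attack > index under normal operation),
    computed from ranks; tied values count one half."""
    scored = sorted([(v, 1) for v in anomalous] + [(v, 0) for v in normal])
    pos_rank_sum, i, n = 0.0, 0, len(scored)
    while i < n:
        j = i
        while j + 1 < n and scored[j + 1][0] == scored[i][0]:
            j += 1
        avg_rank = (i + j) / 2 + 1  # 1-based average rank of the tie group
        pos_rank_sum += avg_rank * sum(lbl for _, lbl in scored[i:j + 1])
        i = j + 1
    n_pos, n_neg = len(anomalous), len(normal)
    return (pos_rank_sum - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)

def hierarchy_auc(trials=600, shift=0.5, seed=7):
    """AUC of the anomaly index at each level of the node-cluster-manager hierarchy."""
    rng = random.Random(seed)
    pools = {lvl: ([], []) for lvl in ("node", "cluster", "manager")}  # (attack, normal)
    for attack in (True, False):
        side = 0 if attack else 1
        for _ in range(trials):
            nodes = local_indexes(rng, attack, shift)
            cluster_level, network_level = fuse(nodes)
            pools["node"][side].extend(v for c in nodes for v in c)
            pools["cluster"][side].extend(cluster_level)
            pools["manager"][side].append(network_level)
    return {lvl: auc(a, n) for lvl, (a, n) in pools.items()}

if __name__ == "__main__":
    for level, value in hierarchy_auc().items():
        print(f"{level:8s} AUC = {value:.3f}")
```

The gain comes entirely from variance reduction: averaging k indexes with the same mean shift divides the spread by the square root of k while leaving the shift intact, so the same threshold separates the two classes more cleanly one level up. The simulation assumes all nodes see the attack; a localized attack that moves only one node's index is diluted by averaging, which is one reason the 2005 abstract speaks of a statistical fusion scheme rather than a plain mean.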
Network Operations and Management Symposium | 2002
Xinzhou Qin; Wenke Lee; Lundy Lewis; João B. D. Cabrera
The problems of detecting and resolving performance problems in distributed systems have become increasingly important and challenging due to the tremendous growth in network-based services. There is a need for a predictive and proactive approach so that appropriate and timely actions can be taken before service disruptions escalate and become widespread. A network management system (NMS) is responsible for monitoring the performance of a network. An intrusion detection system (IDS) is responsible for detecting and responding to intrusions. The current practice is that NMS and IDS are independent of each other in a network. There is little integration and information sharing between the two. We outline an approach to integrate NMS and IDS so that the security capabilities of network management can be enhanced and the performance of IDS can be improved.
IEEE Communications Letters | 2007
João B. D. Cabrera; Ram Ramanathan; Carlos Gutiérrez; Raman K. Mehra
Topology control is the problem of adjusting the transmission parameters, chiefly power, of nodes in a Mobile Ad Hoc Network (MANET) to achieve a desired topology. Over the last several years, this problem has received much attention. Despite this work, however, the stability of available techniques has not been studied. This paper presents the first control-theoretic investigation of topology control in MANETs. We take a simple representative fully distributed topology control algorithm called LINT and show that it is unstable under certain conditions. We then formulate LINT in a control-theoretic context, and derive a new mechanism called CLINT that is shown to be stable for a wide range of parameter variations. We compare the in-practice performance of LINT and CLINT using comprehensive simulations and show that CLINT provides a higher throughput.
Integrated Network Management | 2003
João B. D. Cabrera; Lundy Lewis; Xinzhou Qin; Carlos Gutiérrez; Wenke Lee; Raman K. Mehra
In our earlier work we have proposed and developed a methodology for the early detection of distributed denial of service (DDoS) attacks. In this paper, we examine the applicability of proactive intrusion detection on a considerably more complex set-up, with hosts associated with three clusters, connected by routers. Background TCP, UDP and ICMP traffic following interrupted Poisson processes are superimposed on the attack traffic. We have examined six types of DDoS attacks. In four of the attacks we have obtained valid MIB-based precursors with no false alarms in all experiments. In the remaining two attacks precursors were obtained, but false alarms were observed. Procedures for eliminating these false alarms are discussed.
Archive | 2002
Xinzhou Qin; Wenke Lee; Lundy Lewis; João B. D. Cabrera
Detecting and resolving security and performance problems in distributed systems have become increasingly important and challenging because of the tremendous growth in network-based services. Intrusion detection is an important security technique for networks and systems. In this paper, we propose a methodology for utilizing MIB II objects for network intrusion detection. We establish the normal profiles of network activities based on the information provided by the MIB II variables and use data mining techniques and information-theoretic measures to build an intrusion detection model. We test our MIB II-based intrusion detection model with several Denial of Service (DoS) and probing attacks. The results have shown that the model can detect these attacks effectively.
Conference on Decision and Control | 2002
João B. D. Cabrera; Wenke Lee; Ravi Prasanth; L. Lewis; Raman K. Mehra
Real-time Intrusion Detection Systems attempt to detect and respond to attacks in real time, i.e. while they are unfolding. When the available computation time is scarce, we have a trade-off involving the computation time of the detection rules and: (1) the accuracy of the rules given by their detection and false alarm rates, (2) the likelihood that a given attack is present, which depends on the prior probability of the attacks, and (3) the damage costs and false alarm costs of the attacks. This paper describes a collection of 0/1 Integer Programming Problems that are associated with the selection of appropriate Rule Portfolios for Real Time Intrusion Detection Systems. The problems are shown to have Knapsack and Set Packing constraints. Due to the inherent uncertainty of the parameters in the cost models, a robust version of the problem is also studied, where parametric uncertainties are allowed to be present. The Linear Programming Relaxation of the robust problem is shown to be convex, opening the possibility of concrete utilization of the proposed methodology. Preliminary results on a research testbed are presented.