0day Anomaly Detection Made Possible Thanks to Machine Learning

Owezarski, Philippe; Mazel, Johan; Labit, Yann

doi:10.1007/978-3-642-13315-2_27

Cited by 9 publications

(3 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Examples of models to represent the network behavior can use neural networks, statistical analysis techniques, and probability theory. The main advantage of this type of detection is that it also detects previously unknown flows [7]. However, there may be instances where flows may be different from the expected normality but not necessarily malicious, resulting in false positive alarms.…”

Section: B Port Scanningmentioning

confidence: 99%

Lightweight IPS for port scan in OpenFlow SDN networks

Neu

Tatsch

Lunardi

et al. 2018

NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

Security has been one of the major concerns for the computer network community due to resource abuse and malicious flows intrusion. Before a network or a system is attacked, a port scan is typically performed to discover vulnerabilities, like open ports, which may be used to access and control them. Several studies have addressed Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) methods for detecting malicious activities, based on received flows or packet data analysis. However, those methods lead to an increase in switching latency, due to the need to analyze flows or packets before routing them. This may also increase network overhead when flows or packets are duplicated to be parsed by an external IDS. On the one hand, an IDS/IPS may be a bottleneck on the network and may not be useful. On the other hand, the new paradigm called Software Defined Networking (SDN) and the OpenFlow protocol provide some statistical information about the network that may be used for detecting malicious activities. Hence, this work presents a new port scan IPS for SDN based on the OpenFlow switch counters data. A non-intrusive and lightweight method was developed and implemented, with low network overhead, and low memory and processing power consumption. The results showed that our method is effective on detecting and preventing port scan attacks.

show abstract

Section: B Port Scanningmentioning

confidence: 99%

Lightweight IPS for port scan in OpenFlow SDN networks

Neu

Tatsch

Lunardi

et al. 2018

NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

show abstract

“…Examples of suitable techniques for the creation of a behavioral model are neural networks, statistical analysis techniques and Markov models, as surveyed in the works of Patcha et al [115] and Estevez-Tapiador et al [45]. The main advantage of an anomaly-based IDS is that it can potentially detect also attacks that have never been seen before [114]. Note however that, while an attack is often an anomaly, there exist cases in which events that deviate from the model of normality are not necessarily malicious.…”

Section: Intrusion Detectionmentioning

confidence: 99%

Flow-based intrusion detection

Sperotto

Pras

2011

12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops

View full text Add to dashboard Cite

The spread of 1-10Gbps technology has in recent years paved the way to a flourishing landscape of new, high-bandwidth Internet services. As users, we depend on the Internet in our daily life for simple tasks such as checking emails, but also for managing private and financial information. However, entrusting such information to the Internet also means that the network has become an alluring place for hackers. To this threat, the research community has answered with an increased interest in intrusion detection. With the number of attacks almost exponentially increasing, and the attackers' motivations moving from ideological to economical, the researchers' attention is focused on developing new techniques to timely detect intruders and prevent damage. Our studies in the field of intrusion detection, however, made us realize that additional research is needed, in particular: the creation of shared data sets to validate Intrusion Detection Systems (IDSs) and the development of automatic procedures to tune the parameters of IDSs.The contribution of this thesis is that it develops a structured approach to intrusion detection that focuses on (i) shared ground-truth data sets and (ii) automatic parameter tuning. We develop our approach by focusing on network flows. Flows offer an aggregated view of network traffic, by reporting on the amount of packets and bytes exchanged over the network. Therefore, flows drastically reduce the amount of data to be analyzed. In this thesis, we aim at detecting anomalies in flow-based time series, describing how the number of flows, packets and bytes changes over time.Ground truth data sets are fundamental in the development phase, for validation purposes and, if publicly available, for comparison between different IDSs. We attack the problem of ground truth generation in two complementary manners.First, we obtain ground truth information for flow-based intrusion detection by manually creating it. We do so by means of a honeypot-based data collection and monitoring setup, specifically tuned to (i) offer an attracting platform for attackers, and (ii) include enhanced logging capabilities to support the vi labeling of the collected data. The outcome of our research has been a publicly released flow-based labeled data set. To the best of our knowledge, no such data set already exists.Second, we generate ground truth information in an automatic manner. We do this by generating artificial flow, packet and byte time series for benign and attack traffic. In this thesis, we rely upon Hidden Markov Models (HMMs), which allow for probabilistic and compact representations of flow-based time series and can be used for generation purposes.Finally, we approach the problem of automatic tuning of IDSs. The performance of an IDS is governed by the trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing many false alarms). We developed an optimization procedure that aims to mathematically treat such trade-off in a systematic m...

show abstract

“…The concept behind this idea is to make the network responsive enough to adapt to newer scenario (closed-loop control) instead of requiring manual intervention for the configuration of each steps implied by the observationanalysis-decision-execution sequence. Different kinds of applications that would benefit of machine learning have been studied over the past few years like traffic anomaly detection and intrusion detection [12], as well as traffic-informed rerouting [16], [17].…”

Section: Introductionmentioning

confidence: 99%

SRLG identification from time series analysis of link state data

Das

Papadimitriou²,

Puype

et al. 2011

2011 Third International Conference on Communication Systems and Networks (COMSNETS 2011)

View full text Add to dashboard Cite

Abstract-Failing to account for the set of links affected by a simultaneous dependent failure during the re-computation of the routing table entries leads to traffic losses until all failed links have been accounted in the re-computation of these entries. Instead, if the router learns about the existence of Shared Risk Link Groups (SRLGs) from the arriving pattern link state routing information, then decisions regarding SRLG failure can be taken promptly to avoid successive re-computations of alternate shortest paths across the updated topology. In this paper, we propose a mechanism to improve the router recovery time upon occurrence of topological link failures by detecting and identifying the existence of SRLGs from link state routing information exchanged in the routing domain. The proposed model first groups into events individual Link State Advertisements (LSAs) issued by different network nodes (routers) upon link state change; then, it combines this information to find temporal dependence among members of event groups. It further introduces a physical model interpretation derived from the application of the Weibull distribution, to determine the error on the joint probabilities of events resulting from the finite observation sample. This association allows binding the dependence of the identified groups comprising one or more events (associated to SRLG) on the corresponding estimated failure rate. Our simulation results show that the proposed technique to locally detect and identify SRLGs performs sufficiently well to trigger with enough confidence simultaneous routing table updates from the arrival of a reduced set of LSAs (ideally one).

show abstract

0day Anomaly Detection Made Possible Thanks to Machine Learning

Cited by 9 publications

References 14 publications

Lightweight IPS for port scan in OpenFlow SDN networks

Lightweight IPS for port scan in OpenFlow SDN networks

Flow-based intrusion detection

SRLG identification from time series analysis of link state data

Contact Info

Product

Resources

About