1. Detection of Anomalies Using the Real Attack Traces
Detection results of our composite approach on the 7-day KREONet2 traces are shown in Fig. 11. Fig. 11(a) illustrates the weighted correlation signal of IP addresses that is used for the wavelet transform, with real attacks present. Fig. 11(b) is the wavelet-transformed and reconstructed signal in postmortem together with its detection results. The actual attacks occur between the vertical lines, and the detection signal is shown with dots at the bottom of the second sub-picture.
The sampling interval is 2 minutes and the sampling duration is 60 seconds. That is to say, we sampled for 1 minute and paused for 1 minute to reduce the processing requirements. A 7-day wide DWT window and a 20-minute wide DET window are used for analysis and detection. To evaluate the reconstructed signal we use ±4.0σ as the statistical threshold in Fig. 11(b). Overall, our results show that our approach may provide a good detector of attacks. We now discuss the detection results in detail.
The first 2 attacks targeted a web server on port 80 using sequential source port numbers. A single source machine sent 48-byte packets to (semi-)single destination IP addresses within a /24 block, preserving the first 3 bytes of the address and randomly changing the last byte. These attacks continued for about 2 to 4 hours. Through traffic engineering, we can identify that many of these attacks ultimately targeted European hosts via the American Abilene network.
The last attack is the SQL Slammer worm attack, which generated random IP addresses at a specific port number. A few compromised machines sent a large number of 404-byte packets to randomly generated destination IP addresses on UDP port 1434. This attack persisted for about 3 hours.
Fig. 11(c) and (d) show the traffic volume as byte counts and packet counts. As the figures show, except for the first attack, the remaining 2 attacks did not produce any distinguishable variance in volume. This shows that an approach based simply on traffic volume is hard-pressed to detect these bandwidth attacks appropriately.
Fig. 11. IP address-based detection results using KREONet2 real attack traces in postmortem.

Fig. 12 shows another postmortem result with respect to the USC traces. The left sub-picture illustrates a correlation signal of IP addresses used for the wavelet transform, and the right sub-picture is the wavelet-transformed and reconstructed signal in postmortem together with its detection results. Through further analysis, we can identify that many internal compromised machines continued to attack a few external destinations.
2. Detection of Anomalies Using the Simulated Attack Traces
Detection results on the Auckland-IV traces, which include the simulated attacks, are shown in Fig. 13. Fig. 13(a) illustrates the weighted correlation signal of IP addresses that is used for the wavelet transform, with attacks present. Fig. 13(b) is the wavelet-transformed and reconstructed signal in postmortem together with its detection results.
We employ 3-day traces of addresses collected over a campus access link for these experiments. The sampling interval is 1 minute and the sampling duration is 30 seconds. That is to say, we sampled for 30 seconds and paused for 30 seconds. The 9 simulated attacks are staged between the vertical lines shown in the figure. A 3-day wide DWT window and a 20-minute wide DET window are used for analysis and detection.
The postmortem analysis uses the whole 3-day correlation data at once. To evaluate the reconstructed signal we use ±3.0σ as the statistical threshold in the second sub-picture of Fig. 13. The reconstructed signals of the first 3 attacks, (*,I,*), show an oscillatory shape because of their intermittent attack patterns, while the remaining six attacks, namely (*,P,*), show the shape of a hill and a dale at attack times due to their persistence.

Fig. 12. IP address-based detection results using USC real attack traces in postmortem.
The attacks on a single machine, especially the 1st attack among every 3 attacks, described as (*,*,SD), reveal a high correlation value, which means the current traffic is concentrated on a single (aggregated) destination. Detection signals in the form of dots show that attacks of this type can be detected effectively. On the other hand, the semi-random attacks, (*,*,SR), and the random attacks, (*,*,R), show low correlations, which means the traffic is behaving in an inconsistent pattern. These attacks can also be captured throughout the attack time. Consecutive detection signals indicate the length of the attacks and also imply the strength of the anomalies.
Moreover, the detections at the early points of every day, the sampling points near 1450 and 2900, turned out to be regular flash crowds present in the original traces.
3. Effect of DWT
In order to evaluate the effectiveness of employing DWT, we compare the detection results of our scheme employing DWT with a scheme that directly applies statistical analysis to the IP address weighted correlation signal. The anomaly detection results are shown in Table 5. At low confidence levels (below 90%), DWT does not offer any advantage. However, at the confidence levels of most interest (90% to 99.7%), DWT provides significantly better detection results than the simpler statistical analysis. This clearly shows that DWT offers a significant improvement in the detection of anomalies.
TABLE 5

conf. level        signal   1  2  3  4  5  6  7  8  9   false positive(e)   false negative
1.0σ   68 %        IP(a)    .  .  .  .  .  .  .  .  .         5                   0
                   DWT(b)   .  .  .  .  .  .  .  .  .         6                   0
1.5σ   86 %        IP       .  .  .  .  .  .  .  .  .         4                   0
                   DWT      .  .  .  .  .  .  .  .  .         5                   0
2.0σ   95.5 %      IP       .  x  .  .  .  .  .  .  .         3                   1
                   DWT      .  .  .  .  .  .  .  .  .         3                   0
2.5σ   98.5 %      IP       .  x  x  .  x  .  .  x  .         1                   4
                   DWT      .  .  .  .  .  .  .  .  .         2                   0
3.0σ   99.7 %      IP       .  x  x  .  x  .  .  x  x         0                   5
                   DWT      .  .  .  .  .  .  .  .  .         0                   0
3.5σ   99.95 %     IP       x  x  x  .  x  x  .  x  x         0                   7
                   DWT      .  .  x  .  .  .  .  x  .         0                   2
4.0σ   99.99 %     IP       x  x  x  x  x  x  x  x  x         0                   9
                   DWT      .  x  x  .  x  .  .  x  .         0                   4

a. IP is the original IP address weighted correlation signal without applying the DWT.
b. DWT is the DWT-transformed signal.
c. "." marks a detection (columns 1 to 9 are the nine simulated attacks).
d. "x" marks a non-detection.
e. A false positive counts a consecutive series of relevant detection signals as 1.
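As an added illustration (not code from the paper), the following Python applies the ±kσ threshold rule to a reconstructed signal and scores it the way Table 5 does, including footnote e's convention that a consecutive run of spurious detection points counts as one false positive. The signal and the attack windows are constructed here, and the DWT step itself is not reproduced, so sweeping k only shows the false-positive versus false-negative trade-off that the table compares across confidence levels.

```python
from statistics import mean, pstdev

# Constructed reconstructed correlation signal, one value per sampling point.
# Baseline 0.5 with a persistent "hill" (attack 1), a weaker "dale" (attack 2)
# and a two-point benign spike (a flash crowd) outside any attack window.
SIGNAL = [0.5] * 40
for i in range(10, 15):
    SIGNAL[i] = 0.95            # attack 1: traffic concentrated on one destination
for i in range(30, 35):
    SIGNAL[i] = 0.2             # attack 2: inconsistent (random-style) traffic
SIGNAL[20] = SIGNAL[21] = 0.8   # benign flash crowd, not an attack
ATTACKS = [(10, 14), (30, 34)]  # labelled attack windows (inclusive sample indices)


def threshold_detect(signal, k):
    """Indices where the signal deviates from its mean by more than k sigma."""
    mu, sigma = mean(signal), pstdev(signal)
    return [i for i, v in enumerate(signal) if abs(v - mu) > k * sigma]


def evaluate(signal, attacks, k):
    """Score the k-sigma detector against labelled attack windows.

    An attack counts as detected if any detection point falls inside its window.
    False positives follow footnote e of Table 5: a consecutive run of detection
    points outside every attack window counts as a single false positive."""
    hits = threshold_detect(signal, k)

    def in_attack(i):
        return any(s <= i <= e for s, e in attacks)

    detected = [any(s <= i <= e for i in hits) for s, e in attacks]
    false_positive, prev = 0, None
    for i in hits:
        if in_attack(i):
            continue
        if prev is None or i != prev + 1:   # start of a new run of spurious points
            false_positive += 1
        prev = i
    return {"detected": detected,
            "false_negative": detected.count(False),
            "false_positive": false_positive}


def table_row(signal, attacks, k):
    """One Table 5-style row: '.' per detected attack, 'x' per miss, then FP/FN."""
    r = evaluate(signal, attacks, k)
    marks = " ".join("." if d else "x" for d in r["detected"])
    return f"{k:.1f} sigma  {marks}  FP={r['false_positive']}  FN={r['false_negative']}"


if __name__ == "__main__":
    for k in (1.0, 1.5, 2.0, 2.5):
        print(table_row(SIGNAL, ATTACKS, k))
```

On this constructed input the flash crowd is flagged only at 1.0σ, both attacks survive 1.5σ, and the weaker dale is lost at 2.0σ, mirroring the way the IP rows of Table 5 trade false positives for false negatives as the threshold rises.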