
1. Individual Reconstruction in DWT

In real-time analysis, the administrator does not have the luxury of selectively analyzing the traffic at different timescales, since anomalies need to be detected as they occur. Because of this lack of a priori knowledge of the timescales of attacks or anomalies, real-time analysis requires analyzing the data at all timescales. These two needs, analyzing data at all timescales and keeping the latency of attack/anomaly detection low, make real-time analysis much more challenging. In order to complete the analysis in a short time (between two sampling intervals), real-time analysis can only focus on small, recent data sets. Because the number of transformable samples is closely connected with the size of the DWT window, the maximum allowable number of levels is restricted to log2 n, where n is the number of samples. Investigating a specific level j requires at least 2^j samples for reconstruction. In our analysis here, we employed the most recent 2 hours of traffic data. Detecting anomalies through all individual levels has a number of advantages: (i) by setting a high threshold at each level, anomalies can be detected with high confidence; (ii) depending on the network administrator's filtering criteria, he/she can adjust the threshold to trade accuracy against flexibility, as shown in Table 6; and (iii) the attributes of attacks, such as their frequency and pattern, can be straightforwardly determined.

a. Thresholds Setting Through Statistical Analysis

We establish a statistical baseline for ambient traffic as a means of deriving thresholds for anomaly detection. We classify each level of the DWT decomposition of the ambient trace and reconstruct the signal based on each level. The statistical parameters of the reconstructed signal at each level are calculated independently. These parameters are updated at an appropriate period from the current values and the old parameters. When we set a -3.0σ < X < 3.0σ confidence interval at each level, as in Fig. 15, it corresponds to a 99.7% confidence level and an error rate of 0.3%.

2. Detection of Anomalies Using the Real Attack Traces

The reconstructed signal of each level is used for detecting anomalies. As explained earlier, because real-time detection requires small data sets and quicker identification, a 2-hour wide DWT window and a 10-minute wide detection (DET) window are used for analysis and detection. A sampling interval of 2 minutes and a sampling duration of 60 seconds are employed. Through the following approach, we accommodate swifter detection while diminishing false positives.

First, at each sampling instant, the DWT of the samples over the last 2-hour window (60 samples with a 2-minute sampling interval) is computed. We carry out a statistical analysis of each level of the DWT signal separately, so as to analyze the signal over all timescales. At each level of the DWT signal, we employ a 10-minute detection window. Second, the detection mechanism is employed in two dimensions: horizontal and vertical. The horizontal dimension checks for anomalies in successive time samples at the same wavelet signal level. The vertical dimension checks for anomalies at multiple wavelet signal levels at the same time. When a specific attack continues in a regular pattern, it has a strong probability of being captured at a specific level. The vertical dimension, on the other hand, represents how many possible attacks at a specific sampling instant are distributed across different timescales. When a certain attack continues with an irregular period, it would be captured over various levels simultaneously.

The combination of the horizontal and the vertical evaluation is used for attack detection. The number of probable attack detectors is counted using the 2-dimensional detection window consisting of the horizontal and vertical components. An attack is detected when the number of detectors exceeds a threshold in the 2-dimensional window. We employed a 2-hour DWT window with a 2-minute sampling interval. It can be decomposed up to level 6. The results of our real-time analysis with respect to the KREONet2 traces are shown in Fig. 14. The intermediate detection results at each level are shown in the upper sub-pictures and the final detection result using the 2-dimensional window is shown in the bottom-most sub-picture. Our detector achieves acceptable attack detection performance in on-line analysis as well as in off-line analysis.

Fig. 14. Address-based detection results using real attack traces in real-time. The signal S(n) of the top-most sub-picture is input into the 2-dimensional real-time detection window. cD1 through cD6 show the intermediate horizontal detection results at each DWT coefficient level. The real-time indicator in the bottom-most sub-picture shows the final detection results and latencies using the vertical as well as the horizontal dimension.
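The procedure above (per-level baseline thresholds from the ambient trace, horizontal counting over the last detection-window samples of each level, vertical counting across levels, and an alarm when the detector count reaches a threshold), as an added example that is not the paper's code. It assumes a Haar wavelet with aligned block averages as the per-level reconstruction, a 64-sample window (the paper uses 60) so that every block divides evenly, a detector-count threshold of 6, and constructed sample data.

```python
import random
from statistics import mean, pstdev

def haar_details(s, max_level):
    """Individual reconstruction of each level with the Haar wavelet (assumed):
    A_j = mean of each aligned block of 2**j samples (A_0 = s), and the
    reconstructed detail cD_j = A_{j-1} - A_j. len(s) % 2**max_level == 0."""
    def approx(j):
        b = 2 ** j
        return [mean(s[i - i % b:i - i % b + b]) for i in range(len(s))]
    prev, details = list(s), []
    for j in range(1, max_level + 1):
        a = approx(j)
        details.append([p - q for p, q in zip(prev, a)])
        prev = a
    return details                       # details[j - 1] is cD_j

def baseline(ambient, max_level):
    """Per-level (mean, sigma) of the reconstructed ambient trace: the
    statistical parameters behind the k*sigma confidence-interval thresholds."""
    return [(mean(d), pstdev(d)) for d in haar_details(ambient, max_level)]

def count_detectors(window, base, k, det_len):
    """2-D detection window: horizontal = last det_len samples of one level,
    vertical = every level. Returns how many samples fall outside k*sigma."""
    n = 0
    for d, (mu, sigma) in zip(haar_details(window, len(base)), base):
        n += sum(abs(x - mu) > k * sigma for x in d[-det_len:])
    return n

def realtime_alarms(series, base, k, dwt_len=64, det_len=5, min_det=6):
    """Slide the DWT window one sampling instant at a time; instant i covers
    series[i-dwt_len:i] and alarms when the detector count reaches min_det."""
    return [i for i in range(dwt_len, len(series) + 1)
            if count_detectors(series[i - dwt_len:i], base, k, det_len) >= min_det]

def detection_latency(alarms, attack_start, sample_min=2):
    """Minutes from the first attacked sample to the first alarm (None if missed)."""
    hits = [a for a in alarms if a > attack_start]
    return (hits[0] - (attack_start + 1)) * sample_min if hits else None

# Constructed data (not a real trace): ambient address counts ~ N(100, 5) per
# 2-minute sample; from ATTACK_START, 16 samples carry 100 extra addresses.
rng = random.Random(7)
AMBIENT = [rng.gauss(100, 5) for _ in range(256)]
BASE = baseline(AMBIENT, 6)          # 64-sample window -> 2**6 = 64 -> level 6
ATTACK_START = 64
SERIES = AMBIENT[:64] + [x + 100 for x in AMBIENT[64:80]] + AMBIENT[80:96]
```

With k = 3.0 (the 99.7% setting) the step in the newest sample shows up at once in cD1 through cD3 of the last window positions, so the burst is flagged at the first sampling instant that contains it, i.e. with 0 minutes of latency.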

3. Detection of Anomalies Using the Simulated Attack Traces

We employed a 2-hour DWT window with a 1-minute sampling interval. It can be decomposed up to level 7. The results of our real-time analysis are shown in Fig. 15. The DWT signal at each timescale is shown along with the horizontal detector (an anomaly detected over successive samples at the same level). The bottom-most picture in Fig. 15 shows the composite detector that employs the two-dimensional mechanism discussed earlier. The results indicate that the real-time analysis detects all the attacks along with a few anomalies present in the base signal.

Fig. 15. Address-based detection results using simulated attack traces in real-time. The real-time indicator in the bottom-most sub-picture detects the originally contained anomalies as well as all kinds of simulated attacks.

Table 6 shows the overall timing relationship between detection latency and the setting of the confidence level for our attacks in real-time mode. Because the entire DWTed signal is also influenced by the latest (attacked) sample, attacks can be detected with low latency, such as '0' minutes, regardless of the majority vote. As we expect, the higher the confidence level, the higher the detection latency. When the confidence level is low, many false alarms are incurred because detection is indiscriminate; on the other hand, almost all of the attacks can be detected without false negatives. As the threshold is increased, false acceptance diminishes; however, false rejection is sometimes induced. The appropriate confidence level can be established according to the network administrator's security standard. Even though our real-time analysis results are promising, in that attacks may be detected within a few sampling instances, recent studies [2] indicate that worm propagation control measures need to react even faster to be effective. In the future, we plan to develop techniques for swifter identification of these attacks through an interlaced window scheme and multidimensional indicators.

TABLE 6

THE RELATION BETWEEN LATENCIES AND CONFIDENCE LEVELS IN NINE KINDS OF ATTACKS IN REAL-TIME MODE

Attack kinds (columns 1-9): 1 (2,I,SD), 2 (2,I,SR), 3 (2,I,R), 4 (2,P,SD), 5 (2,P,SR), 6 (2,P,R), 7 (1,P,SD), 8 (1,P,SR), 9 (1,P,R). Entries under the attack columns are detection latencies (a).

confidence level       1     2     3     4     5     6     7     8     9   false pos.  false neg.
1.0 σ    68 %        0(a)    0     0     0     0     0     0     0     0      11          0
1.5 σ    86 %          0     0     0     0     0     0     0     0     0       7          0
2.0 σ    95.5 %        0     0     0     0     0     0     0     0     0       5          0
2.5 σ    98.5 %        0     0     0     0     0     1     0     0     0       3          0
3.0 σ    99.7 %        0     0     0     0     0     2     0     2     0       2          0
3.5 σ    99.95 %       0     0     1     0    20     9     0     3     2       2          0
4.0 σ    99.99 %       1     0     1     0   X(b)   11     0     5     3       1          1

a. Latency is measured in minutes.
