User Session Modeling using Unified Log for Application Intrusion Detection
6.7 Issues in Implementation
Experimental results show that our approach based on conditional random fields can be used to build effective application intrusion detection systems. However, before deployment, it is critical to resolve issues such as the availability of the training data and suitability of our approach for a variety of applications. We now discuss various methods which can be employed to resolve such issues.
6.7.1 Availability of Training Data
Though our system is application independent and can be used to detect malicious data access in a variety of applications, it must be trained before it can be deployed online to detect attacks. This requires training data that is specific to the application, and obtaining such data may be difficult. However, training data can be made available as early as the application testing phase, when the application is exercised to identify errors. Logs generated during the application testing phase can be used for training the intrusion detection system. This requires security-aware software engineering practices that ensure the necessary measures are taken to provide training data during the application development phase, so that effective application intrusion detection systems can be trained from it.
6.7.2 Suitability of Our Approach for a Variety of Applications
As we already discussed, our framework is generic and can be deployed for a variety of applications. It is particularly suited to applications which follow the three-tier architecture and which have application and data independence. Furthermore, our framework can be easily extended and deployed in the Service Oriented Architecture [133]. This is because, as part of the business solution, the service oriented architecture defines numerous services, each of which provides specific functionality and which have the capability to interact among themselves. Our proposed framework can be considered a special case of the service oriented architecture in which only one service is defined. Nonetheless, it can be easily extended to the general service oriented architecture by selecting many services. This would, however, require some domain specific knowledge in order to identify the correlated services (applications). The challenge is to identify such correlations automatically, and this provides an interesting direction for future work.
6.8 Conclusions
In this chapter, we implemented user session modeling using a moving window of events in our unified logging framework to build application intrusion detection systems which can detect application level attacks effectively and efficiently. Experimental results confirm that conditional random fields can be effectively used in our framework and perform better when compared with other methods. In our framework, we considered a sequence of events in a session rather than analyzing the events individually, which improves the attack detection accuracy. Our system based on conditional random fields can detect attacks at smaller values of ‘S’, resulting in early attack detection. We also showed that the unified log not only helps to improve the attack detection accuracy but also improves the system’s performance, since we can use summary statistics rather than analyzing every data access. Our experimental results with multiple data sets show similar trends and confirm that our framework is application independent and can be used for a variety of applications. Another advantage of our system is that it models user-application and application-data interaction, which does not vary over time, as compared to modeling user profiles, which change frequently. Application and data interaction vary only in case of an attack, which is detected by our system. We also showed that our system using conditional random fields is robust and is able to detect disguised attacks effectively.
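As an added illustration, not code from the thesis: a Python sketch of the moving-window session modeling summarized above. The session events are constructed, and the per-window labelling rule is a stand-in for the conditional random field (an assumption, not the thesis's model); the point it shows is that a window-level detector raises its alert after fewer events when ‘S’ is smaller.

```python
from collections import Counter

# Constructed unified-log session (not data from the thesis): each event records the
# application action that ran and the data access it caused, as (action, operation, table).
SESSION = [
    ("login",         "SELECT", "users"),
    ("view_profile",  "SELECT", "users"),
    ("view_orders",   "SELECT", "orders"),
    ("edit_profile",  "UPDATE", "users"),
    ("view_orders",   "SELECT", "orders"),
    ("export_report", "SELECT", "customers"),
    ("export_report", "SELECT", "customers"),
    ("export_report", "SELECT", "customers"),
    ("export_report", "SELECT", "customers"),
    ("export_report", "SELECT", "customers"),
]


def moving_windows(events, S):
    """Yield (start index, window) for every window of width S in the session."""
    for start in range(len(events) - S + 1):
        yield start, events[start:start + S]


def window_summary(window):
    """Summary statistics for one window: the per-window features a sequence model
    consumes instead of inspecting each data access on its own."""
    return {
        "width": len(window),
        "distinct_actions": len({action for action, _, _ in window}),
        "accesses": Counter((op, table) for _, op, table in window),
    }


def stand_in_label(summary):
    """Stand-in for the CRF's per-window label (an assumption, not the thesis's model):
    a window is 'attack' when one action drives every access and all hit one table."""
    single_access_pattern = len(summary["accesses"]) == 1
    return summary["width"] >= 2 and summary["distinct_actions"] == 1 and single_access_pattern


def first_alert(events, S, label=stand_in_label):
    """Number of events consumed before the first window is labelled 'attack',
    or None if no window is. A smaller S means the alert fires earlier."""
    for start, window in moving_windows(events, S):
        if label(window_summary(window)):
            return start + S
    return None


if __name__ == "__main__":
    for S in (2, 3, 5, 6):
        print(f"S={S}: alert after {first_alert(SESSION, S)} events")
```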
Finally, following better security-aware software engineering practices and taking care of the logging mechanism during application development would not only help in application testing and related areas but would also provide the necessary framework for building better and more efficient application intrusion detection systems, such as those discussed in this chapter.
Chapter 7
Conclusions
In this thesis, we explored the suitability of conditional random fields for building robust and efficient intrusion detection systems which can operate, both, at the network and at the application level. In particular, we introduced novel frameworks and developed models which address three critical issues that severely affect the large scale deployment of present anomaly and hybrid intrusion detection systems in high speed networks. The three issues are:
1. Limited attack detection coverage
2. Large number of false alarms and
3. Inefficiency in operation
Other issues such as the scalability and ease of system customization, robustness of the system to noise in the training data, availability of training data, and the ability of the system to detect disguised attacks were also addressed. As a result of this research, we conclude that:
1. The layered framework can be used to build efficient intrusion detection systems. In addition, the framework offers ease of scalability for detecting a variety of attacks as well as ease of customization by incorporating domain specific knowledge. The framework also identifies the type of attack and, hence, a specific intrusion response mechanism can be initiated, which helps to minimize the impact of the attack.
2. Conditional random fields are a strong candidate for building robust and efficient intrusion detection systems. Integrating the layered framework with conditional random fields can be used to build effective and efficient network intrusion detection systems. Using conditional random fields as intrusion detectors results in very few false alarms and, thus, the attacks can be detected with very high accuracy.
3. The unified logging framework can capture user-application and application-data interactions, which are significant for detecting application level attacks. The framework is application independent and can be used for a variety of applications.
4. User session modeling using the unified log must be performed in order to detect application level attacks with high accuracy. Conditional random fields can be effectively used in this framework to model a sequence of events in a user session. Using conditional random fields, attacks can be detected at smaller window widths, thereby resulting in an efficient system. Additionally, the system is robust and can effectively detect disguised attacks.
We performed a range of experiments which show that, in order to detect intrusions effectively, it is critical to model the correlations between multiple features in an observation. Assuming various features to be independent, though it makes a model simple and efficient, affects its attack detection capability. Conditional random fields can easily model such correlations by defining specific feature functions, which makes them a strong candidate for building effective intrusion detectors. Further, we introduced the layered framework, which helps to improve overall system performance. Our framework is highly scalable, easily customizable and can be used to build efficient network intrusion detection systems which can detect a wide variety of attacks. Experimental results on the benchmark KDD 1999 intrusion data set [12] and comparison with other well known methods for intrusion detection, such as decision trees, naive Bayes, support vector machines and the winners of the KDD 1999 cup, show that our approach, based on layered conditional random fields, outperforms these methods in terms of both accuracy of attack detection and efficiency of system operation. The impressive part of our results is the percentage improvement in attack detection accuracy, particularly for User to Root (U2R) attacks (34.8% improvement) and Remote to Local (R2L) attacks (34.5% improvement). Statistical tests also demonstrate higher confidence in detection accuracy with layered conditional random fields. We also showed that our system is robust and can detect attacks with higher accuracy, when compared with other methods, even when trained with noisy data. Finally, our system is not based on attack signatures and is, hence, capable of detecting novel attacks.
We also performed experiments which show that, in order to effectively detect application level attacks, it is critical to model the sequence of events. This is because, very often, an attacker must perform a number of sequential operations in order to launch a successful attack. Additionally,