Stochastic Protocol Modeling for Anomaly-Based
Network Intrusion Detection
2003 IEEE International Workshop on Information Assurance
March 24th, 2003 – Darmstadt, Germany
Juan M. Estévez-Tapiador ([email protected]) Pedro García-Teodoro ([email protected])
Jesús E. Díaz-Verdejo ([email protected])
Signals, Telematics and Communications Group
Department of Electronics and Computer Technology University of Granada
J. M. Estévez-Tapiador, P. García-Teodoro, J. E. Díaz-Verdejo, STC Group – University of Granada (Spain)
1 Introduction
Context of the work: Network Intrusion Detection
• Anomaly Detection (for intrusion detection)
• Protocol-Specific Anomaly Detection:
  • Monitor a given protocol
  • Look for deviations from its “normal” usage
Justification:
• A large number of network attacks are founded on protocol usages that: 1) fall out of the official protocol description, and 2) are uncommon
2 Protocol Modeling with Markov Chains
Approach: modeling packet arrival as a stochastic process
2.1 Overview
(Figure: system overview)
3 Application to TCP
3.1 Parameterization & Quantization (I)
Idea: to associate one symbol with each TCP segment
In TCP, most of the information related to signaling is located in the fields known as flags
Simple quantization scheme: consider the flags configuration of each TCP segment as its signature (64-valued quantization dictionary):
$S_i = \sum_{p=1}^{6} b_p \cdot w_p = 32 \cdot U + 16 \cdot A + 8 \cdot P + 4 \cdot R + 2 \cdot S + 1 \cdot F$
where $b_p \in \{0, 1\}$ is the value of the $p$-th flag bit (URG, ACK, PSH, RST, SYN, FIN) and $w_p$ is its weight.
3.1 Parameterization & Quantization (II)
After this step: each session is represented as a temporal sequence of symbols
Of course, other quantization approaches are allowed. For example, considering each segment (packet) as a vector and performing clustering techniques in order to obtain a few prototypes.
J. M. Estévez-Tapiad o r, P. García-Teodoro, J. E. Díaz-Ve rdejo STC Grou p – University of Granada (Spai n )
3.2 Data sets
Traffic recorded for different services: FTP, SSH, HTTP. Each session constitutes a training instance.

Service FTP                          Service HTTP                         Service SSH
Trace   No. of sessions  Total Size  Trace   No. of sessions  Total Size  Trace   No. of sessions  Total Size
ftp.1   14               5207        http.1  29               8975        ssh.1   11               3349
ftp.2   9                3762        http.2  41               13862       ssh.2   9                3294
ftp.3   18               6862        http.3  102              28107       ssh.3   12               3766
ftp.4   32               18101       http.4  57               19343       ssh.4   24               7069
ftp.5   69               27753       http.5  98               50462       ssh.5   143              63252
ftp.6   78               51345       http.6  62               21310       ssh.6   218              122355
ftp.7   156              133615      http.7  117              41329       ssh.7   241              151142
3.3 Model Construction
Estimation of the model using the data sets (training). One TCP model for each specific service (FTP, HTTP, SSH).
3.4 Evaluation (I)
Evaluation: estimate P[Observation | Model]
Measure: MAP (Maximum A-posteriori Probability)
$MAP(O, \lambda) = \pi_{O_1} \cdot \prod_{t=1}^{T-1} a_{O_t O_{t+1}}$
Problems with MAP:
1) Converges quickly to zero → LogMAP
2) Events with null probability → smoothing
Detection Principle:
• anomalies are low probability events
• low probabilities induce changes of slope in LogMAP
3.4 Evaluation (II)
Detector = approximation of discrete derivative + threshold
$D_W(t) = LogMAP(t) - \frac{1}{W_m} \sum_{i=1}^{W_m} LogMAP(t - i)$
3.4 Evaluation (III)
More examples (figures):
Normal behavior
• Session 1
• Session 4
Anomalous behavior
• Session 2
• Session 3
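Added worked example (not code from the paper): the steps of 3.1 through 3.4, using the Markov chain λ = (A, Π) from the overview, implemented in Python on constructed flag sequences. Additive smoothing with α = 1 and a window W_m = 3 are assumptions, since the slides give neither.

```python
import math

# Six TCP flags weighted as in the 64-symbol dictionary (header bit order: URG..FIN).
FLAG_WEIGHTS = {"U": 32, "A": 16, "P": 8, "R": 4, "S": 2, "F": 1}
N_SYMBOLS = 64

def quantize(flags):
    """Signature S_i of one segment from its flag letters: 'SA' -> 18, 'F' -> 1."""
    return sum(FLAG_WEIGHTS[f] for f in flags)

def train(sessions, alpha=1.0):
    """Estimate lambda = (A, Pi) by counting; alpha is additive smoothing (assumed,
    the slides only say 'smoothing') so that no transition has probability zero."""
    init = [alpha] * N_SYMBOLS
    trans = [[alpha] * N_SYMBOLS for _ in range(N_SYMBOLS)]
    for seq in sessions:
        init[seq[0]] += 1
        for a, b in zip(seq, seq[1:]):
            trans[a][b] += 1
    pi = [c / sum(init) for c in init]
    A = [[c / sum(row) for c in row] for row in trans]
    return A, pi

def logmap(seq, model):
    """LogMAP(t) for t = 1..T: log pi_{O_1} + sum_{k<t} log a_{O_k O_{k+1}}."""
    A, pi = model
    out = [math.log(pi[seq[0]])]
    for a, b in zip(seq, seq[1:]):
        out.append(out[-1] + math.log(A[a][b]))
    return out

def detection_signal(lm, w):
    """D_W(t) = LogMAP(t) - (1/W) * sum_{i=1..W} LogMAP(t-i); 0 while t < W."""
    return [lm[t] - sum(lm[t - w:t]) / w if t >= w else 0.0 for t in range(len(lm))]

def most_anomalous(seq, model, w=3):
    """Position where D_W(t) is most negative (sharpest change of slope), and its value."""
    d = detection_signal(logmap(seq, model), w)
    t = min(range(len(d)), key=d.__getitem__)
    return t, d[t]

# Constructed training sessions (handshake, data exchange, orderly close).
NORMAL = [[quantize(f) for f in s.split()] for s in (
    "S SA A PA A FA A FA A",
    "S SA A PA A PA A FA A FA A",
    "S SA A PA A PA A PA A FA A FA A")]
MODEL = train(NORMAL)
# Constructed test session: a SYN+FIN segment (symbol 3, unseen in training) at position 5.
PROBE = [quantize(f) for f in "S SA A PA A SF A FA A FA A".split()]
```

With W_m = 3 the baseline is the mean of the three previous LogMAP values, so the dip is deepest one step after the injected segment, at the transition out of the SYN+FIN symbol.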
4 Discussion: Global Model
4.1 Approach & Model Construction
Use all data sets to train the model, without a previous filtering according to the destination port. The training procedure is the same.
Model obtained:
• Mean of the previous ones
• More general
4.2 Evaluation
Ranges of the detection signal have changed → Less accurate
5. Conclusions and Future Work
Consider network traffic as a stochastic process:
• Markov chains as models (although others are allowed)
• Evaluation by means of LogMAP(t) and D_W(t)
Protocol Anomaly Detection: use in conjunction with other anomaly/signature-based methods.
6. Comments and Questions
Thank you very much for your attention
Comments
Questions
Etc...
Markov chain model (Section 2, Overview):
System which evolves through states Γ = {S1, S2, ..., SN}
Discrete time: t = 1, 2, ..., n, ...
q_t = state at time ‘t’
Satisfying the Markov hypothesis: Markov chain λ = (A, Π)
A = {a_ij} = Matrix of transition probabilities: $a_{ij} = P[q_{t+1} = j \mid q_t = i]$
Π = {π_i} = Vector of initial probabilities: $\pi_i = P[q_1 = i]$
Estimation of A (Π is analogous)
Evaluation: $P[O \mid \lambda] = \pi_{O_1} \prod_{t=1}^{T-1} a_{O_t O_{t+1}}$