ACTIDS: an active strategy for detecting and localizing network attacks

In this work we investigate a new approach for detecting attacks that aim to degrade the network's Quality of Service (QoS). To this end, a new network-based intrusion detection system (NIDS) is proposed. Most contemporary NIDSs take a passive approach, solely monitoring the network's production traffic. This paper explores a complementary approach in which distributed agents actively send out periodic probes, which are continuously monitored to detect anomalous behavior of the network. Because the probes are generated by the NIDS itself, the proposed approach removes much of the variability of the network's production traffic that makes it so difficult to classify. This enables the NIDS to detect more subtle attacks that would not be detected using the passive approach alone. Furthermore, the active probing approach allows the NIDS to be effectively trained using only examples of the network's normal states, hence enabling effective detection of zero-day attacks. Using realistic experiments, we show that an NIDS which also leverages the active approach is considerably more effective in detecting attacks that aim to degrade the network's QoS than an NIDS which relies solely on the passive approach.
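The following is an added illustration, not code from the paper, of the two ideas the abstract describes: a one-class model fitted only to normal probe measurements, and localization of a QoS-degrading event by intersecting the links of the anomalous probe paths. The topology, the per-link 5 ms baseline, the jitter pattern and the z-score threshold are all constructed assumptions.

```python
import statistics

# Constructed topology (hypothetical): each agent pair's probe path, as the links it crosses.
PATHS = {
    ("A", "B"): ["A-R1", "R1-B"],
    ("A", "C"): ["A-R1", "R1-R2", "R2-C"],
    ("B", "C"): ["R1-B", "R1-R2", "R2-C"],
    ("A", "D"): ["A-R1", "R1-R2", "R2-D"],
}
JITTER = [-1.0, 0.0, 1.0, 0.5, -0.5]   # constructed per-probe RTT noise in ms


def synth_window(degraded_links=(), delay_ms=0.0):
    """Constructed probe RTTs: 5 ms per link plus jitter, plus delay_ms on degraded links."""
    window = {}
    for pair, links in PATHS.items():
        base = 5.0 * len(links) + delay_ms * sum(l in degraded_links for l in links)
        window[pair] = [base + j for j in JITTER]
    return window


class ProbeModel:
    """One-class model: per-pair mean/std of RTT learned from normal periods only."""
    def __init__(self, k=4.0):
        self.k, self.stats = k, {}

    def fit(self, normal_window):
        for pair, rtts in normal_window.items():
            sd = statistics.pstdev(rtts) or 1e-6          # avoid division by zero
            self.stats[pair] = (statistics.fmean(rtts), sd)

    def anomalous_pairs(self, window):
        flagged = set()
        for pair, rtts in window.items():
            mu, sd = self.stats[pair]
            z = statistics.median((r - mu) / sd for r in rtts)  # median resists a lone outlier
            if z > self.k:
                flagged.add(pair)
        return flagged


def localize(flagged):
    """Links shared by every anomalous path and absent from every healthy path."""
    if not flagged:
        return set()
    suspect = set.intersection(*(set(PATHS[p]) for p in flagged))
    healthy = set().union(*(set(PATHS[p]) for p in PATHS if p not in flagged))
    return suspect - healthy


def run_demo():
    model = ProbeModel()
    model.fit(synth_window())                               # train on normal probes only
    flagged = model.anomalous_pairs(synth_window(("R1-R2",), delay_ms=30.0))
    return flagged, localize(flagged)
```

With link R1-R2 degraded, the three paths crossing it are flagged while A-B stays normal, and the intersection isolates R1-R2.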
