Anomalies Detection of Routers Based on Multiple Information Learning

Routers are central devices in networks: they carry the burden of forwarding traffic among the communicating hosts on the Internet. An adversary who wants to intercept information or paralyze a network can attack the routers directly to reach that goal, so protecting routers is of great importance. However, router systems are notoriously difficult to understand or diagnose because of their inaccessibility and heterogeneity. The common ways of gaining insight into a router and detecting anomalous behavior are to inspect the router syslogs or to monitor the packets flowing to the router. These approaches diagnose the router from one aspect only rather than from multiple views. In this paper, we propose an approach to detecting the anomalies and faults of routers with multiple information learning. We use the routers' information not from the developer's view but from the user's view, which requires no expert knowledge. First, in an offline learning phase, we map benign and corrupted user actions onto the syslogs they produce. Then we decide with clustering whether the input router's condition is poor or not. During the detection phase, we use the distance between an event and the clusters to decide whether it is an anomalous event, and we can provide the corresponding solutions. We applied our approach for three months in a university network containing Cisco, Huawei and Dlink routers, using prior work as the baseline for comparison. Our approach achieves 89.6% accuracy in detecting attacks, 5.1% higher than the prior work. The results show that our approach runs with limited time and memory usage and has a high detection rate and a low false positive rate.
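The detection step described above (cluster the syslog behavior of known-good windows, then flag a new window by its distance to the nearest cluster) can be made concrete with a small, self-contained example. This is an added illustration, not the paper's code: it assumes Cisco-style %FACILITY-SEVERITY-MNEMONIC syslog tags, groups events into fixed windows, uses plain k-means over event-count vectors as a stand-in for whatever clustering the paper applies, and all sample log lines are constructed for the example.

```python
"""Distance-to-cluster anomaly detection over windows of router syslog.

Added example, not the paper's implementation. Assumptions: lines carry a
Cisco-style %FACILITY-SEVERITY-MNEMONIC tag, events are pre-grouped into
fixed-size windows, and k-means over event-count vectors stands in for the
paper's clustering. The sample lines below are constructed, not captured.
"""
import math
import re

TAG_RE = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+):")
OTHER = "<other>"  # bucket for event templates never seen in training

# Constructed benign training windows (interface bring-up, config edits).
TRAIN_WINDOWS = [
    ["%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
     "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
     "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.7)"],
    ["%LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
     "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up"],
    ["%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.7)",
     "%SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.1.1.9)"],
    ["%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up",
     "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up",
     "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.7)"],
]
# Constructed detection windows: a burst of ACL denies plus a config change,
# and an ordinary interface bring-up.
ATTACK_WINDOW = [
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4444) -> 10.0.0.1(23), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4445) -> 10.0.0.1(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4446) -> 10.0.0.1(80), 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by guest on vty2 (10.0.0.5)",
]
BENIGN_WINDOW = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to up",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to up",
]


def template(line):
    """Reduce a line to its event template (the %TAG), dropping the variable
    parts such as interface names, addresses and counters."""
    m = TAG_RE.search(line)
    return m.group(1) if m else OTHER


def build_vocab(windows):
    seen = {template(l) for w in windows for l in w} - {OTHER}
    return sorted(seen) + [OTHER]


def vectorize(window, vocab):
    """Event-count vector over the training vocabulary; unseen tags go to OTHER."""
    index = {t: i for i, t in enumerate(vocab)}
    vec = [0.0] * len(vocab)
    for line in window:
        vec[index.get(template(line), index[OTHER])] += 1.0
    return vec


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors, k, rounds=20):
    """Plain Lloyd's k-means with a deterministic, evenly spaced initialisation."""
    step = max(1, len(vectors) // k)
    centroids = [list(vectors[i * step]) for i in range(k)]
    for _ in range(rounds):
        groups = [[] for _ in range(k)]
        for v in vectors:
            groups[min(range(k), key=lambda i: dist(v, centroids[i]))].append(v)
        new = [centroids[i] if not g else [sum(col) / len(g) for col in zip(*g)]
               for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids


class SyslogClusterDetector:
    def __init__(self, train_windows, k=2, factor=2.0):
        self.vocab = build_vocab(train_windows)
        vecs = [vectorize(w, self.vocab) for w in train_windows]
        self.centroids = kmeans(vecs, k)
        # Threshold from the training spread; the floor of 1.0 (one event)
        # guards the edge case where every training window sits on a centroid.
        spread = max(self.nearest_distance(v) for v in vecs)
        self.threshold = max(factor * spread, 1.0)

    def nearest_distance(self, vec):
        return min(dist(vec, c) for c in self.centroids)

    def score(self, window):
        return self.nearest_distance(vectorize(window, self.vocab))

    def is_anomaly(self, window):
        return self.score(window) > self.threshold


if __name__ == "__main__":
    det = SyslogClusterDetector(TRAIN_WINDOWS)
    for name, w in (("attack", ATTACK_WINDOW), ("benign", BENIGN_WINDOW)):
        print(name, round(det.score(w), 3), "threshold", round(det.threshold, 3),
              "anomaly" if det.is_anomaly(w) else "normal")
```

The two design points a practitioner would watch are the OTHER bucket, which is what lets a never-trained event type (here the ACL-deny burst) push a window away from every cluster, and the threshold floor, which stops a degenerate training set from flagging every window.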
