Universal Anomaly Detection: Algorithms and Applications

Modern computer threats are far more sophisticated than those seen in the past. They evolve constantly, altering their appearance and changing their disguise. Under such circumstances, detecting known threats, and a fortiori zero-day attacks, requires new tools that capture the essence of a threat's behavior rather than a fixed signature. In this work, we propose novel universal anomaly detection algorithms that learn the normal behavior of a system and alert on abnormalities, without any prior knowledge of the system model or of the characteristics of the attack. The suggested method uses the Lempel-Ziv universal compression algorithm to produce optimal probability assignments for normal behavior (during learning), then estimates the likelihood of new data (during operation) and classifies it accordingly. The technique is generic and can be applied to different scenarios. Indeed, we apply it to key problems in computer security. The first is detecting botnet Command and Control (C&C) channels. A botnet is a logical network of compromised machines that an attacker controls remotely through a C&C infrastructure in order to perform malicious activities. We derive a detection algorithm based on timing data, which can be collected without deep packet inspection, from open as well as encrypted flows. We evaluate the algorithm on real-world network traces, showing how a universal, low-complexity C&C identification system can be built, with high detection rates and low false-alarm probabilities. Further applications include detecting malicious tools by monitoring system calls and identifying data leakage.
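The learn-then-score idea described above can be illustrated with a minimal sketch. It is not the algorithm from this work: it assumes the observations (for example, timing data) have already been quantized into symbols from a small finite alphabet, it builds a plain LZ78 phrase tree on the training sequence, and it assigns probabilities with add-one smoothing over the tree counts. The class name `LZ78Model`, the helper `bits_per_symbol`, and the toy sequences are hypothetical and chosen only for illustration.

```python
import math


class LZ78Model:
    """Simplified LZ78 phrase tree with add-one smoothed symbol counts.

    Illustrative assumption only; not the exact probability assignment
    used in the paper.
    """

    def __init__(self, alphabet):
        self.alphabet = list(alphabet)
        self.children = [{}]  # children[node][symbol] -> child node id; node 0 is the root
        self.counts = [{}]    # counts[node][symbol] -> times symbol was seen at node

    def train(self, seq):
        """Parse the training sequence into LZ78 phrases, growing the tree."""
        node = 0
        for s in seq:
            self.counts[node][s] = self.counts[node].get(s, 0) + 1
            if s in self.children[node]:
                node = self.children[node][s]  # keep extending the current phrase
            else:
                self.children.append({})
                self.counts.append({})
                self.children[node][s] = len(self.children) - 1
                node = 0  # phrase complete: restart at the root

    def log2_prob(self, seq):
        """Log2-probability of seq under the trained tree (tree is not updated)."""
        node, total, k = 0, 0.0, len(self.alphabet)
        for s in seq:
            c = self.counts[node]
            n = sum(c.values())
            total += math.log2((c.get(s, 0) + 1) / (n + k))
            # Follow the tree if possible; otherwise fall back to the root.
            node = self.children[node].get(s, 0)
        return total


def bits_per_symbol(model, seq):
    """Average code length; higher means the sequence looks less 'normal'."""
    return -model.log2_prob(seq) / len(seq)


# Toy data: "normal" behavior strictly alternates between two symbols.
model = LZ78Model(alphabet="ab")
model.train("ab" * 200)

normal_score = bits_per_symbol(model, "ab" * 20)
anomalous_score = bits_per_symbol(model, "aabb" * 10)

THRESHOLD = 1.0  # hypothetical; in practice tuned on held-out normal data
print(normal_score, anomalous_score)
print("anomaly" if anomalous_score > THRESHOLD else "normal")
```

A sequence is flagged when its average code length exceeds the threshold, which amounts to thresholding the estimated likelihood. The threshold trades detection rate against false-alarm probability and would have to be calibrated on real traces.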
