Conversation exchange dynamics for real-time network monitoring and anomaly detection

We present a model for real-time network monitoring and anomaly detection that provides a holistic view of network conversation exchanges. We argue that monitoring and anomaly detection are necessary mechanisms for ensuring a secure and dependable network computing infrastructure. The model for network traffic exchange is based on a modified Ehrenfest urn model. The motivation for the model is heavily influenced by the success of statistical physics in providing macrostate descriptions of physical systems when the exact microstate parameters of each element in the system preclude understanding from first principles. The conversation exchange dynamics model for real-time network monitoring and anomaly detection is formally described. The model induces a unique real-time visualization capability for network monitoring and detection of anomalous events. An implementation of the model and visualization capability is presented along with laboratory tests and successful detection of real-world events, including a Code Red worm attack.
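As an added illustration (not code from the paper, whose modified urn model and its mapping onto conversation exchanges are not reproduced here), the block below simulates the standard Ehrenfest urn and shows the macrostate idea the abstract relies on: the occupancy of one urn settles to a Binomial(n, 1/2) law regardless of the unobserved microstate, so an occupancy whose two-sided tail probability under that law is tiny can be flagged as anomalous. The start from an empty urn is a constructed scenario standing in for a sudden one-sided burst of traffic.

```python
from functools import lru_cache
from math import comb
import random


def ehrenfest_step(k: int, n: int, rng: random.Random) -> int:
    """One Ehrenfest move: pick one of the n balls uniformly at random; if it
    sits in urn A (probability k/n) it moves to B, otherwise it moves to A."""
    return k - 1 if rng.randrange(n) < k else k + 1


def simulate(n: int, steps: int, k0: int = 0, seed: int = 1) -> list:
    """Occupancy of urn A after each of `steps` moves, starting from k0 balls."""
    rng = random.Random(seed)
    k, path = k0, []
    for _ in range(steps):
        k = ehrenfest_step(k, n, rng)
        path.append(k)
    return path


def stationary_pmf(n: int, k: int) -> float:
    """Stationary law of the Ehrenfest chain is Binomial(n, 1/2)."""
    return comb(n, k) / 2 ** n


@lru_cache(maxsize=None)
def tail_probability(n: int, k: int) -> float:
    """Two-sided probability that a stationary macrostate lies at least as far
    from the centre n/2 as k does (the anomaly score of occupancy k)."""
    d = abs(2 * k - n)  # twice the distance from n/2, kept as an integer
    return sum(stationary_pmf(n, j) for j in range(n + 1) if abs(2 * j - n) >= d)


def is_anomalous(n: int, k: int, alpha: float = 1e-8) -> bool:
    """Flag occupancy k when it is implausible under the stationary law."""
    return tail_probability(n, k) < alpha


def anomalies(n: int, path: list, alpha: float = 1e-8) -> list:
    """(time, occupancy) pairs along a trajectory that the test flags."""
    return [(t, k) for t, k in enumerate(path) if is_anomalous(n, k, alpha)]


if __name__ == "__main__":
    # Constructed scenario: 100 balls, all in urn B at t=0 (a one-sided burst).
    path = simulate(100, 20000, k0=0, seed=1)
    flagged = anomalies(100, path)
    print("flagged steps:", len(flagged), "last flagged at t =", flagged[-1][0])
    print("mean occupancy after burn-in:", sum(path[5000:]) / len(path[5000:]))
```

Only the transient after the burst is flagged; once the chain has relaxed, the occupancy stays near n/2 and the score never drops below alpha.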