New Trends in Network Anomaly Detection

Computer networks are complex interacting systems composed of individual entities such as various devices, workstations and servers. Nowadays, the Internet Protocol (IP) is the dominant layer 3 protocol. The evolving nature of IP networks makes it difficult to fully understand the dynamics of these systems and networks. To obtain a basic understanding of the performance and behavior of these complex networks, a large amount of information needs to be collected and processed. Often, network performance information is not directly available, and the information obtained must be synthesized to obtain an understanding of the ensemble behavior. Traditional signature-based intrusion detection techniques use patterns of well-known attacks to match and identify known intrusions. The main drawback of these techniques is their inability to detect newly invented attacks. To obtain sufficient information about complex network traffic and compensate for the weaknesses of traditional Intrusion Detection Systems (IDS), Anomaly Detection Algorithms (ADAs) are used [G. Maselli & L. Deri, 2003; K. Hwang et al., 2004; A. Lazarevic et al., 2003]. These algorithms can be employed as a useful mechanism to analyze network anomalies and detect misbehavior by users, or even viruses and worms with unknown signatures. There are two main approaches to studying or characterizing the ensemble behavior of the network [M. Thottan & C. Ji, 2003]: the first is inference of the overall network behavior and the second is analysis of the behavior of the individual entities or nodes. The approaches used to address the anomaly detection problem depend on the nature of the data that is available for the analysis. Network data can be obtained at multiple levels of granularity such as network-level or end-user-level. The methods presented in this chapter are host-based ADAs and belong to the latter approach. In this chapter, we present some ADAs developed based on some classification methods.
The goal of this chapter is to classify each user's behavior as anomalous or normal in an unsupervised fashion. Four different algorithms are discussed and compared based on some defined measures. The experiments are performed on a real evaluation network test bed. Instances are captured in eight consecutive weeks, three weeks of training and five weeks of testing. Some

[1] Evangelos Kranakis et al. Detecting intra-enterprise scanning worms based on address resolution, 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[2] Harold S. Javitz et al. The SRI IDES statistical anomaly detector, 1991, Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[3] Eugene H. Spafford et al. A Pattern Matching Model for Misuse Intrusion Detection, 1994.

[4] Marina Thottan et al. Anomaly detection in IP networks, 2003, IEEE Trans. Signal Process.

[5] Zheng Zhang et al. HIDE: a Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and Neural Network Classification, 2001.

[6] Christopher Krügel et al. Anomaly detection of web-based attacks, 2003, CCS '03.

[7] David G. Stork et al. Pattern Classification, 1973.

[8] Gaia Maselli. Design and Implementation of an Anomaly Detection System: an Empirical Approach, 2003.

[9] S. T. Sarasamma et al. Hierarchical Kohonenen net for anomaly detection in network security, 2005, IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics).

[10] Ludmila I. Kuncheva et al. Switching between selection and fusion in combining classifiers: an experiment, 2002, IEEE Trans. Syst. Man Cybern. Part B.

[11] Salim Hariri et al. A new dependency and correlation analysis for features, 2005, IEEE Transactions on Knowledge and Data Engineering.

[12] Ying Chen et al. Cooperative Anomaly and Intrusion Detection for Alert Correlation in Networked Computing Systems, 2004.

[13] Itzhak Levin et al. KDD-99 classifier learning contest LLSoft's results overview, 2000, SKDD.

[14] Jonatan Gómez et al. Evolving Fuzzy Classifiers for Intrusion Detection, 2002.

[15] Kumpati S. Narendra et al. Learning automata - an introduction, 1989.

[16] Asok Ray et al. Symbolic dynamic analysis of complex systems for anomaly detection, 2004, Signal Process.

[17] Christopher Krügel et al. Anomalous system call detection, 2006, TSEC.

[18] Antanas Verikas et al. Soft combination of neural classifiers: A comparative study, 1999, Pattern Recognit. Lett.

[19] Gísli Hjálmtýsson et al. Controlling the effects of anomalous ARP behaviour on ethernet networks, 2005, CoNEXT '05.

[20] Dit-Yan Yeung et al. Parzen-window network intrusion detectors, 2002, Object recognition supported by user interaction for service robots.

[21] Ramesh C. Agarwal et al. PNrule: A New Framework for Learning Classifier Models in Data Mining (A Case-Study in Network Intrusion Detection), 2001, SDM.

[22] E. Kranakis et al. ARP-based Detection of Scanning Worms Within an Enterprise Network, 2005.

[23] Connie M. Borror et al. Robustness of the Markov-chain model for cyber-attack detection, 2004, IEEE Transactions on Reliability.

[24] Qiang Chen et al. Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection, 2002, IEEE Trans. Computers.

[25] Jiri Matas et al. On Combining Classifiers, 1998, IEEE Trans. Pattern Anal. Mach. Intell.

[26] Jaideep Srivastava et al. A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection, 2003, SDM.

[27] Vir V. Phoha et al. K-Means+ID3: A Novel Method for Supervised Anomaly Detection by Cascading K-Means Clustering and ID3 Decision Tree Learning Methods, 2007, IEEE Transactions on Knowledge and Data Engineering.