Extracting Ambiguous Sessions from Real Traffic with Intrusion Prevention Systems

False positives (FPs) and false negatives (FNs) are common in every Intrusion Prevention System (IPS), and no single system judges better than the others all the time. This work proposes a system of Ambiguous Session Extraction (ASE) to create a pool of ambiguous traffic traces. Traffic traces or sessions are called “ambiguous” when they cause potential FNs (abbreviated as P-FNs) or potential FPs (abbreviated as P-FPs) in IPSes. IPS developers can use these ambiguous traffic traces to improve the accuracy of their products. The key objective is to design the ASE system to extract the traces as completely and purely as possible, which gives IPS developers material for further analysis. First, the ASE captures real traffic and replays the captured traffic traces to multiple IPSes. By comparing the logs of the IPSes, we may find sessions that are logged, or not logged, only at a certain IPS; the former are P-FPs and the latter are P-FNs for that IPS. The ASE then extracts the ambiguous traffic from the replayed traffic traces. IPS developers can further analyse the extracted traces and confirm that some are FNs or FPs. To extract an ambiguous session completely and purely, the ASE uses an association mechanism based on anchor packets, five tuples and time, and similarity for the first packet, the first connection, and the whole session, respectively. It calculates the degree of similarity among packets to extract an ambiguous session containing multiple connections. We define variation and completeness/purity as the indexes to evaluate the ASE. The experiments demonstrate that 95% of extracted sessions have low variation, and the average completeness/purity is around 80%. We also present two case studies, a P-FN and a P-FP found by the ASE, which the IPS developers confirmed to be an FN and an FP, respectively.
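The log comparison that yields P-FPs and P-FNs, and the first two association stages (anchor packet, then five tuple plus time window), as an added Python example that is not the paper's ASE code. The IPS names, session ids, packet trace and the `window` parameter are constructed assumptions; the whole-session similarity stage is not modelled because the abstract does not define its metric.

```python
from collections import namedtuple

# Constructed sample: session ids alerted on by three hypothetical IPSes
# (names and ids are assumptions, not data from the paper).
IPS_LOGS = {
    "ips_a": {"s1", "s2", "s3", "s5"},
    "ips_b": {"s1", "s2", "s5"},
    "ips_c": {"s1", "s2", "s4"},
}

def classify_ambiguous(ips_logs):
    """Compare per-IPS alert logs over the same replayed traffic.
    A session logged by exactly one IPS is a P-FP for that IPS; a session
    missed by exactly one IPS is a P-FN for that IPS."""
    all_sessions = set().union(*ips_logs.values())
    p_fp, p_fn = {}, {}
    for s in all_sessions:
        loggers = [n for n, logged in ips_logs.items() if s in logged]
        missers = [n for n in ips_logs if n not in loggers]
        if len(loggers) == 1:
            p_fp.setdefault(loggers[0], set()).add(s)
        if len(missers) == 1:
            p_fn.setdefault(missers[0], set()).add(s)
    return p_fp, p_fn

Packet = namedtuple("Packet", "ts src sport dst dport proto")

def five_tuple(p):
    # Direction-insensitive key so both halves of a connection match.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def extract_first_connection(packets, anchor, window):
    """Stage 1 of the association: starting from the anchor packet that
    produced the alert, keep packets with the same five tuple whose
    timestamp lies within `window` seconds of the anchor (assumed parameter)."""
    key = five_tuple(anchor)
    return [p for p in packets
            if five_tuple(p) == key and abs(p.ts - anchor.ts) <= window]

# Constructed trace: one HTTP-like connection plus unrelated packets.
TRACE = [
    Packet(10.0, "10.0.0.5", 40001, "10.0.0.9", 80, "tcp"),
    Packet(10.1, "10.0.0.9", 80, "10.0.0.5", 40001, "tcp"),
    Packet(10.2, "10.0.0.5", 40001, "10.0.0.9", 80, "tcp"),   # anchor
    Packet(10.3, "10.0.0.7", 53000, "10.0.0.9", 53, "udp"),   # unrelated
    Packet(90.0, "10.0.0.5", 40001, "10.0.0.9", 80, "tcp"),   # same tuple, too late
]
```

Calling `classify_ambiguous(IPS_LOGS)` flags `s3` and `s4` as P-FPs for the single IPS that logged them and `s5` as a P-FN for the one IPS that missed it; `extract_first_connection(TRACE, TRACE[2], 5.0)` returns only the three packets of the anchor's connection.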
