User Intention-Based Traffic Dependence Analysis for Anomaly Detection

This paper describes an approach to enforce dependencies between network traffic and user activities for anomaly detection. We present a framework and algorithms that analyze user actions and network events on a host according to their dependencies. Discovering these relations is useful in identifying anomalous events on a host that are caused by software flaws or malicious code. To demonstrate the feasibility of user intention-based traffic dependence analysis, we implement a prototype called CR-Miner and perform an extensive experimental evaluation of the accuracy, security, and efficiency of our algorithm. The results show that our algorithm can identify user intention-based traffic dependence with high accuracy (average 99.6% for 20 users) and low false alarms. Our prototype can successfully detect several pieces of HTTP-based real-world spyware. Our dependence analysis is fast and has a minimal storage requirement. We give a thorough analysis of the security and robustness of the user intention-based traffic dependence approach.
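The abstract states the idea but not the dependence rules CR-Miner uses. The Python sketch below is an added illustration, not the paper's code: it assumes two simple rules for rooting an outbound HTTP request in user intention, a fixed time window after a user input event and a Referer chain back to an already-rooted request, and flags requests with neither root. The window value, the rule set, the class and function names and the sample trace are all assumptions constructed for this example.

```python
"""Toy user-intention-based traffic dependence check (added illustration).

Not the CR-Miner prototype. Assumed rules:
  - a request issued within WINDOW seconds after a user input event is user-intended;
  - a request whose Referer is an already-explained request inherits that root
    (a page load legitimately fans out into sub-requests);
  - anything with neither root is reported as a candidate anomaly.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UserEvent:
    t: float   # seconds since capture start
    kind: str  # "click" or "key"


@dataclass(frozen=True)
class HttpRequest:
    t: float
    url: str
    referer: Optional[str] = None


# Assumed attribution window in seconds; a tuning knob, not a value from the paper.
WINDOW = 2.0


def classify(events: List[UserEvent], requests: List[HttpRequest],
             window: float = WINDOW) -> List[Tuple[str, str]]:
    """Label each request, in time order, as
       'user'      - issued within `window` seconds after a user input event,
       'derived'   - its Referer is a request already labelled user/derived,
       'anomalous' - no user-intention root could be found."""
    explained = set()   # URLs that already have a user-intention root
    labels = []
    for req in sorted(requests, key=lambda r: r.t):
        if any(0.0 <= req.t - ev.t <= window for ev in events):
            label = "user"
        elif req.referer is not None and req.referer in explained:
            label = "derived"
        else:
            label = "anomalous"
        if label != "anomalous":
            explained.add(req.url)
        labels.append((req.url, label))
    return labels


# Constructed sample trace (not real capture data).
SAMPLE_EVENTS = [UserEvent(10.0, "click"), UserEvent(30.5, "key")]
SAMPLE_REQUESTS = [
    HttpRequest(10.3, "http://example.test/index.html"),
    HttpRequest(10.8, "http://cdn.example.test/app.js",
                referer="http://example.test/index.html"),
    HttpRequest(13.5, "http://cdn.example.test/logo.png",
                referer="http://example.test/index.html"),   # outside window, chained
    HttpRequest(20.0, "http://beacon.invalid/report?id=1"),   # no input, no chain
    HttpRequest(30.7, "http://example.test/search?q=test"),
]


def anomalous_urls(events: List[UserEvent] = SAMPLE_EVENTS,
                   requests: List[HttpRequest] = SAMPLE_REQUESTS) -> List[str]:
    """Return only the requests that no user action or referer chain explains."""
    return [url for url, label in classify(events, requests) if label == "anomalous"]


if __name__ == "__main__":
    for url, label in classify(SAMPLE_EVENTS, SAMPLE_REQUESTS):
        print(f"{label:9s} {url}")
```

Running the sketch on the constructed trace labels the page load and its script as `user`, the late image fetch as `derived` through its Referer, the search as `user`, and the unexplained beacon as `anomalous`. A purely timing-based root is the weakest link in this scheme, since it credits any request that happens to follow user input, which is why the evaluation of security and robustness the abstract mentions matters for a real deployment; a production implementation would also need per-process attribution rather than a host-wide window.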
