Abstract
We consider systems that use PCA-based detectors obtained from a comprehensive view of the network's traffic to identify anomalies in backbone networks. To assess these detectors' susceptibility to adversaries wishing to evade detection, we present and evaluate short-term and long-term data poisoning schemes that trade off between poisoning duration and the volume of traffic injected for poisoning. Stealthy Boiling Frog attacks significantly reduce chaff volume, while only moderately increasing poisoning duration. ROC curves provide a comprehensive analysis of PCA-based detection on contaminated data, and show that even small attacks can undermine this otherwise successful anomaly detector.
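The retraining dynamic the abstract describes, as an added simulation that is not part of the paper or its code: a PCA subspace detector (one-dimensional normal subspace, Q-statistic threshold at mean + 3 sd of training residuals) is retrained each week on synthetic per-link loads while chaff on one link grows by 10% a week. `boiling_frog` reports, per week, how much of the chaff the model in force flags (what an operator watching the alarm rate would see) and whether a burst that the clean model catches now evades. The link weights, traffic shapes, threshold rule and weekly retraining schedule are constructed assumptions, not the paper's data or detector settings.

```python
import math

L, WEIGHTS = 4, (1.0, 0.8, 0.6, 0.4)  # share of one diurnal load carried by each link (constructed)
def gen_week(chaff=0.0, target=0, hours=168):
    # Hourly per-link loads: shared diurnal swing + small per-link ripple + 0..chaff extra on the target link (constructed)
    rows = []
    for t in range(hours):
        th = 2 * math.pi * t / hours
        row = [(100 + 30 * math.sin(th)) * w + math.sin((k + 2) * th) for k, w in enumerate(WEIGHTS)]
        row[target] += chaff * (1 + math.sin(7 * th)) / 2
        rows.append(row)
    return rows

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))
def residual(c, v):  # energy of a centered row outside the 1-D normal subspace (the Q statistic)
    return dot(c, c) - dot(c, v) ** 2

def fit(rows, iters=30):
    # PCA detector: link means, dominant direction by power iteration on the covariance,
    # and a threshold of mean + 3 sd over the training residuals.
    mean = [sum(r[i] for r in rows) / len(rows) for i in range(L)]
    centered = [[r[i] - mean[i] for i in range(L)] for r in rows]
    v = [1.0 / math.sqrt(L)] * L
    for _ in range(iters):
        w = [sum(dot(c, v) * c[i] for c in centered) for i in range(L)]
        norm = math.sqrt(dot(w, w))
        v = [x / norm for x in w]
    res = [residual(c, v) for c in centered]
    mu = sum(res) / len(res)
    return mean, v, mu + 3 * math.sqrt(sum((r - mu) ** 2 for r in res) / len(res))

def flagged(model, row):  # does the detector fire on this row?
    mean, v, thr = model
    return residual([row[i] - mean[i] for i in range(L)], v) > thr
def evades(model, dos, target=0):  # would a burst of `dos` on the target link pass unflagged?
    return not flagged(model, [m + (dos if i == target else 0.0) for i, m in enumerate(model[0])])

def boiling_frog(weeks, chaff, growth, dos):
    # Each week the chaff grows by `growth` and the detector retrains on that week's traffic (no
    # sanitization assumed). Per week: share of rows the model in force flags, and whether `dos` evades.
    model, log = fit(gen_week()), []
    for _ in range(weeks):
        week = gen_week(chaff=chaff)
        exposure = sum(flagged(model, r) for r in week) / len(week)
        model = fit(week)  # retrained on the contaminated week
        log.append((exposure, evades(model, dos)))
        chaff *= growth
    return log
```

Comparing the per-week exposure of the slow ramp with the share of rows the clean model flags when the final chaff level is injected in one go shows the trade-off the abstract states: a single large injection is mostly flagged, the gradual one is not.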
Index Terms
- Stealthy poisoning attacks on PCA-based anomaly detectors