Matthew V. Mahoney
ABSTRACT
Traditional intrusion detection systems (IDS) detect attacks by comparing current behavior to signatures of known attacks. One main drawback is the inability of detecting new attacks which do not have known signatures. In this paper we propose a learning algorithm that constructs models of normal behavior from attack-free network traffic. Behavior that deviates from the learned normal model signals possible novel attacks. Our IDS is unique in two respects. First, it is nonstationary, modeling probabilities based on the time since the last event rather than on average rate. This prevents alarm floods. Second, the IDS learns protocol vocabularies (at the data link through application layers) in order to detect unknown attacks that attempt to exploit implementation errors in poorly tested features of the target software. On the 1999 DARPA IDS evaluation data set [9], we detect 70 of 180 attacks (with 100 false alarms), about evenly divided between user behavioral anomalies (IP addresses and ports, as modeled by most other systems) and protocol anomalies. Because our methods are unconventional there is a significant non-overlap of our IDS with the original DARPA participants, which implies that they could be combined to increase coverage.
- Anderson, Debra, Teresa F. Lunt, Harold Javitz, Ann Tamaru, Alfonso Valdes, "Detecting unusual program behavior using the statistical component of the Next-generation Intrusion Detection Expert System (NIDES)", Computer Science Laboratory SRI-CSL 95--06 May 1995. http://www.srl.sfi.com/papers/5/s/5sri/5sri.pdf]]Google Scholar
- Bell, Timothy, Ian H. Witten, John G. Cleary, "Modeling for Text Compression", ACM Computing Surveys (21)4, pp. 557--591, Dec. 1989.]] Google ScholarDigital Library
- Barbará, D., N. Wu, S. Jajodia, "Detecting Novel Network Intrusions using Bayes Estimators", First SIAM International Conference on Data Mining, 2001, http://www.siam.org/meetings/sdm01/pdf/sdm01_29.pdf]]Google Scholar
- Floyd, S. and V. Paxson, "Difficulties in Simulating the Internet." IEEE/ACM Transactions on Networking Vol. 9, no. 4, pp. 392--403, Aug. 2001. http://www.icir.org/vern/papers.html]] Google ScholarDigital Library
- Forrest, S., S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, "A Sense of Self for Unix Processes", Proceedings of 1996 IEEE Symposium on Computer Security and Privacy. ftp://ftp.cs.unm.edu/pub/forrest/ieee-sp-96-unix.pdf]] Google ScholarDigital Library
- Ghosh, A.K., A. Schwartzbard, M. Schatz, "Learning Program Behavior Profiles for Intrusion Detection", Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, April 9--12, 1999, Santa Clara, CA. http://www.cigital.com/~anup/usenix_id99.pdf]] Google ScholarDigital Library
- M. Handley, C. Kreibich and V. Paxson, "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics", Proc. USENIX Security Symposium, 2001.]] Google ScholarDigital Library
- Kendall, Kristopher, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems", Masters Thesis, MIT, 1999.]]Google Scholar
- Lippmann, R., et al., "The 1999 DARPA Off-Line Intrusion Detection Evaluation", Computer Networks 34(4) 579--595, 2000.]] Google ScholarDigital Library
- Mahoney, M., P. K. Chan, "PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic", Florida Tech. technical report 2001--04, http://cs.fit.edu/~tr/]]Google Scholar
- Neumann, P., and P. Porras, "Experience with EMERALD to DATE", Proceedings 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, April 1999, 73--80, http://www.csl.sri.com/neumann/det99.html]] Google ScholarDigital Library
- Paxson, Vern, "Bro: A System for Detecting Network Intruders in Real-Time", Lawrence Berkeley National Laboratory Proceedings, 7'th USENIX Security Symposium, Jan. 26--29, 1998, San Antonio TX, http://www.usenix.org/publications/library/proceedings/sec98/paxson.html]] Google ScholarDigital Library
- Paxson, Vern, and Sally Floyd, "The Failure of Poisson Modeling", IEEE/ACM Transactions on Networking (3) 226--244, 1995.]] Google ScholarDigital Library
- Ptacek, Thomas H., and Timothy N. Newsham, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", January, 1998, http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html]]Google Scholar
- Roesch, Martin, "Snort - Lightweight Intrusion Detection for Networks", Proc. USENIX Lisa '99, Seattle: Nov. 7--12, 1999.]] Google ScholarDigital Library
- Sasha/Beetle, "A Strict Anomaly Detection Model for IDS", Phrack 56(11), 2000, http://www.phrack.org]]Google Scholar
- Sekar, R., M. Bendre, D. Dhurjati, P. Bollineni, "A Fast Automaton-based Method for Detecting Anomalous Program Behaviors". Proceedings of the 2001 IEEE Symposium on Security and Privacy.]] Google ScholarDigital Library
- SPADE, Silicon Defense, http://www.silicondefense.com/software/spice/]]Google Scholar
Index Terms
- Learning nonstationary models of normal network traffic for detecting novel attacks
Recommendations
Detecting botnet by anomalous traffic
Botnets can cause significant security threat and huge loss to organizations, and are difficult to discover their existence. Therefore they have become one of the most severe threats on the Internet. The core component of botnets is their command and ...
Detecting and Defending against Worm Attacks Using Bot-honeynet
ISECS '09: Proceedings of the 2009 Second International Symposium on Electronic Commerce and Security - Volume 01We proposed a worm detection and defense system named bot-honeynet in this paper, which combines the best features of honeynet, anomaly detection and botnet. The combination of honeynet and anomaly detection system offers a tradeoff between false ...
Detecting novel network attacks with a data field
WISI'06: Proceedings of the 2006 international conference on Intelligence and Security InformaticsWith the increased usage of computer networks, network intrusions have greatly threatened the Internet infrastructures. Traditional signature-based intrusion detection often suffers from an ineffectivity to those previously “unseen” attacks. In this ...
Comments