Context-based profiling for anomaly intrusion detection with ... - Supelec

Context-based profiling for anomaly intrusion detection with diagnosis Karim TABIA CRIL-CNRS UMR8188 Artois University FRANCE

Slide 2: Intrusion detection systems
- Misuse-based IDSs: based on known attack signatures
- Anomaly-based IDSs: based on deviations from a normal profile
- Hybrid approaches: serial/parallel combination of anomaly and misuse approaches

Slide 3: Profile-based anomaly IDSs
- Create profiles for traffic, users, hosts, ...
- Evaluate the current activity's deviation from the learnt profiles
- Trigger alerts if a threshold is exceeded
Problems:
1. Bad trade-off between detection rate and false alarm rate
2. No diagnosis of the generated alerts

Slide 4: Our contribution
1. Context-based profiles: more realistic and more effective
   - Global profiles: one profile represents normal activities relative to all entities of interest (e.g. a single profile to represent all network services)
   - Context-based profiles: create profiles to represent the activities of "similar" entities (e.g. a separate profile for each network service: http, ssh, DNS, ...)
2. Diagnosis: use profiles to determine the attack categories of anomalous events
   - Create attack profiles in the same way as normal activity profiles

Slide 5: Profiling network traffic for anomaly detection
- Build the normal profile on normal traffic (attack-free data)
- Compute local deviations between audit event features and the normal profile
- Compute the global deviation by aggregating the local deviations

Slide 6: Normal profile (figure only)

Slide 7: Computing local anomaly scores
- Numeric features
- Boolean/symbolic features
- New, rare or deviating values cause the utmost deviations => anomalies

Slide 8: Aggregating local anomaly scores
- Sum of the individual attributes' distances
- Fixing the anomaly threshold

Slide 9: DARPA'99 data set
- Training data: normal traffic and attacks (R2L, U2R, Data, DoS, Probing)
- Testing data: normal traffic, old and new attacks
- Each connection is described by basic features, content features, time-based traffic features (computed using a two-second time window) and host-based traffic features (computed using a 100-connection window)

Slide 10: Global profiling
- All network data (all services, protocols, ...) are represented by a single profile

Slide 11: Global profiling
- All traffic relative to all protocols (TCP, UDP and ICMP) and services (http, ssh, DNS, ...) is represented by a single profile
- Computing deviation: a given audit event (say, an http connection) is compared to the global profile

Slide 12: Context-based profiling
- Motivation: when computing deviations, compare an audit event only with normal traffic involving the same service, user, host, subnet, ...
- Method: create a separate profile for each important service, user, host, subnet, ...

Slide 13: Service-based profiling
- Each important service is represented by its own profile

Slide 14: Host-based profiling
- Each important host is represented by its own profile

Slide 15: Anomaly detection with diagnosis
- Anomaly detection only flags events as normal or anomalous
- Alerts then need to be analysed: this is time- and work-consuming, since anomaly detection triggers high (false) alarm rates
- Solution: use profiles to evaluate the similarity of anomalous events to known attacks

Slide 16: Attack profiling
- Like normal traffic, attacks are represented by attack profiles
- If an event is flagged anomalous by the anomaly-based IDS, it is compared with the different attack profiles
- Use the same distance measures, aggregation function and thresholding
- Global attack profiling: each attack category is represented by a single profile
- Context-based attack profiling: each attack is represented by a specific profile

Slide 17: Diagnosing attacks
- Global attack profiling: each attack category is represented by a global profile built on the training attacks

Slide 18: Diagnosing attacks
- Context-based attack profiling: group similar attacks in specific profiles built on the training attacks
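The pipeline of slides 5 to 8 (normal profile, local deviations, summed aggregation, fixed threshold), the per-service profiles of slides 12 and 13, and the attack-profile diagnosis of slides 16 to 18, as one added worked example in Python. This is not code from the slides or from the author: the distance measures (a capped z-score for numeric features, one minus the relative frequency for symbolic features, so that a never-seen value scores the maximum 1.0), the cap and threshold values, the feature names and the connection records are all assumptions constructed for the example.

```python
# Added example (not from the slides): profile-based anomaly detection with a
# global profile, per-service context profiles and attack-profile diagnosis.
# Distance measures, cap, threshold and all records are assumptions.
import math
from collections import Counter, defaultdict

FEATURES = ["duration", "src_bytes", "flag", "failed_logins"]  # assumed feature set
NUMERIC_CAP = 5.0   # assumed bound on a numeric distance, keeps the summed score comparable
THRESHOLD = 3.0     # assumed anomaly threshold on the aggregated score


class Profile:
    """Per-feature statistics learnt from a set of records (normal or attack)."""

    def __init__(self, records, features=FEATURES):
        self.n = len(records)
        self.numeric = {}    # feature -> (mean, std)
        self.symbolic = {}   # feature -> Counter of observed values
        for f in features:
            values = [r[f] for r in records]
            if all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in values):
                mean = sum(values) / self.n
                std = math.sqrt(sum((v - mean) ** 2 for v in values) / self.n)
                self.numeric[f] = (mean, std)
            else:
                self.symbolic[f] = Counter(values)

    def local_scores(self, event):
        """Local deviation of each feature of `event` from this profile."""
        scores = {}
        for f, (mean, std) in self.numeric.items():
            if std == 0:   # constant in training: any other value is an utmost deviation
                scores[f] = 0.0 if event[f] == mean else NUMERIC_CAP
            else:
                scores[f] = min(abs(event[f] - mean) / std, NUMERIC_CAP)
        for f, counts in self.symbolic.items():
            # new or rare value -> score near 1.0; frequent value -> score near 0.0
            scores[f] = 1.0 - counts.get(event[f], 0) / self.n
        return scores

    def deviation(self, event):
        """Global deviation: the sum of the local scores, as on slide 8."""
        return sum(self.local_scores(event).values())


class ContextDetector:
    """A global profile plus one profile per context value (here: per service)."""

    def __init__(self, normal_records, context_key="service", threshold=THRESHOLD):
        self.context_key, self.threshold = context_key, threshold
        self.global_profile = Profile(normal_records)
        grouped = defaultdict(list)
        for r in normal_records:
            grouped[r[context_key]].append(r)
        self.context_profiles = {c: Profile(rs) for c, rs in grouped.items()}

    def global_score(self, event):
        return self.global_profile.deviation(event)

    def context_score(self, event):
        # an unseen context falls back to the global profile instead of failing
        profile = self.context_profiles.get(event[self.context_key], self.global_profile)
        return profile.deviation(event)

    def is_anomalous(self, event, context_based=True):
        score = self.context_score(event) if context_based else self.global_score(event)
        return score > self.threshold


class AttackDiagnoser:
    """One attack profile per label; an anomalous event is matched against each."""

    def __init__(self, attack_records, label_key="attack", threshold=THRESHOLD):
        self.threshold = threshold
        grouped = defaultdict(list)
        for r in attack_records:
            grouped[r[label_key]].append(r)
        self.profiles = {label: Profile(rs) for label, rs in grouped.items()}

    def diagnose(self, event):
        """Label of the closest attack profile within the threshold, else 'unknown'."""
        distance, label = min((p.deviation(event), name) for name, p in self.profiles.items())
        return label if distance <= self.threshold else "unknown"


def rec(service, duration, src_bytes, flag, failed_logins, attack=None):
    return {"service": service, "duration": duration, "src_bytes": src_bytes,
            "flag": flag, "failed_logins": failed_logins, "attack": attack}


# Constructed attack-free training records: short http connections, longer ssh sessions.
NORMAL = [rec("http", 1, 200, "SF", 0), rec("http", 1, 300, "SF", 0),
          rec("http", 2, 300, "SF", 0), rec("http", 2, 400, "SF", 0),
          rec("ssh", 40, 1000, "SF", 0), rec("ssh", 50, 2000, "SF", 0),
          rec("ssh", 40, 1000, "SF", 0), rec("ssh", 50, 2000, "SF", 0)]
# Constructed labelled attack records used to build the diagnosis profiles.
ATTACKS = [rec("http", 0, 0, "S0", 0, "probe"), rec("http", 1, 0, "S0", 0, "probe"),
           rec("http", 2, 0, "REJ", 0, "probe"),
           rec("ssh", 10, 100, "SF", 3, "r2l"), rec("ssh", 12, 100, "SF", 4, "r2l"),
           rec("ssh", 14, 100, "SF", 5, "r2l")]

DETECTOR = ContextDetector(NORMAL)
DIAGNOSER = AttackDiagnoser(ATTACKS)


def analyse(event):
    """Return (global_flag, context_flag, diagnosis) for one audit event."""
    global_flag = DETECTOR.is_anomalous(event, context_based=False)
    context_flag = DETECTOR.is_anomalous(event, context_based=True)
    diagnosis = DIAGNOSER.diagnose(event) if context_flag else "normal"
    return global_flag, context_flag, diagnosis


if __name__ == "__main__":
    # an ssh connection that looks like http traffic: invisible to the global profile
    print(analyse(rec("ssh", 1, 300, "SF", 0)))   # (False, True, 'unknown')
    # a half-open http connection with no payload: flagged, closest to the probe profile
    print(analyse(rec("http", 1, 0, "S0", 0)))    # (True, True, 'probe')
```

With these constructed records, an ssh connection whose duration and byte count resemble http traffic scores about 1.87 against the global profile (below the threshold) but 7.4 against the ssh profile, which is the effect the conclusion slide reports for service-based profiling; no attack profile lies within the threshold, so it is reported as unknown rather than forced into a category. The half-open http connection is flagged by both profiles and its nearest attack profile is the probe one. Because the summed score mixes capped z-scores with frequency-based scores, the threshold has to be tuned per deployment; the cap is what keeps a single wild numeric feature from dominating the sum.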

Slide 19: Conclusion
- Global profiling is simple but ineffective
- Alternatives: service-based, host-based, ...
- Context-based profiling performs better than global profiling
- Service-based profiling performs better than host-based profiling
- Possibility of anomaly diagnosis by attack profiling

Slide 20: End. Questions?