DOI: 10.1145/3649158.3657046 | Short paper | Open access

Utilizing Threat Partitioning for More Practical Network Anomaly Detection

Published: 25 June 2024

Abstract

Anomaly-based network intrusion detection would appear, on the surface, to be ideal for detecting zero-day network threats. Yet in practice its often unacceptably high false positive rate keeps it on the sideline in favor of signature-based methods, which typically detect only known threats. We argue that an anomaly-based network intrusion detection system should not only be specialized to a specific class of related threats, but that the characteristics of the threat class itself should be used both in designing the detection system and in structuring the network data fed to it. To this end, we take two common network threat classes, DDoS-as-a-Smokescreen (DaaSS) and SYN flood, and analyze their characteristics for structure that can be used to specialize anomaly detection. We partition each threat class into known behavior and unknown behavior, leaving the latter open-ended. Through experiments on multiple datasets, we show that our proposed detection system based on this threat partitioning approach detects DaaSS attacks and zero-day SYN flood variants with very low false positive rates, even in the face of concept drift, and does so without having to collect large amounts of benign network traffic for training.
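The partitioning idea in the abstract, as an added illustration (not the paper's code or its detector): the "known behavior" of a SYN flood is taken to be TCP flows that never complete the handshake (SYN seen, no ACK, one or two tiny packets), and only flows of that shape are ever scored. What stays open-ended, the rate, the source distribution and the target port, is what the anomaly detector has to learn from a small benign sample. The netflow-like fields, the half-open heuristic, the 10-second windows, the median-plus-MAD threshold and the flows themselves (RFC 5737 documentation addresses) are all constructed for the example.

```python
"""Threat partitioning for a SYN-flood anomaly detector over netflow-like
records. Added illustration of the idea, not the paper's code."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    flags: str    # cumulative TCP flags seen in the flow, e.g. "S", "SA", "SPA"
    pkts: int     # packets in the flow
    bytes: int    # bytes in the flow
    t: int        # flow start time, seconds


WINDOW = 10  # seconds per aggregation window (assumed, tunable)


def is_half_open_tcp(f: Flow) -> bool:
    """Known-behaviour partition for SYN floods: SYN seen, no ACK from the
    client, at most a couple of tiny packets (retransmitted SYNs included)."""
    return (f.proto == "tcp" and "S" in f.flags and "A" not in f.flags
            and f.pkts <= 2 and f.bytes <= 2 * 80)


def everything(f: Flow) -> bool:
    """Un-partitioned baseline: score every flow, whatever its shape."""
    return True


def window_counts(flows, keep, window=WINDOW):
    """Count the flows passing `keep`, per (dst, dport, window index)."""
    counts = {}
    for f in flows:
        if keep(f):
            key = (f.dst, f.dport, f.t // window)
            counts[key] = counts.get(key, 0) + 1
    return counts


def fit_threshold(benign_flows, keep, k=6.0, floor=5, window=WINDOW):
    """Robust per-window threshold from a small benign sample:
    median + k * MAD of the per-window counts, never below `floor`."""
    vals = sorted(window_counts(benign_flows, keep, window).values()) or [0]
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0
    return max(floor, med + k * mad)


def detect(flows, threshold, keep, window=WINDOW):
    """Return the (dst, dport, window) keys whose kept-flow count exceeds threshold."""
    counts = window_counts(flows, keep, window)
    return sorted(key for key, c in counts.items() if c > threshold)


def constructed_benign():
    """Constructed sample: a busy but healthy web server (300 completed flows in
    window 0) plus a handful of half-open flows, one per window 0..7."""
    flows = [Flow(f"198.51.100.{i % 250}", "10.0.0.5", 443, "tcp", "SPA",
                  40, 52_000, i % 10) for i in range(300)]
    flows += [Flow("203.0.113.7", "10.0.0.5", 443, "tcp", "S", 1, 60, 11 * i)
              for i in range(8)]
    return flows


def constructed_attack():
    """Constructed sample: a spoofed-source SYN flood in window 5 and a
    single-source, retransmitting variant against port 80 in window 7."""
    flows = [Flow(f"192.0.2.{i % 256}", "10.0.0.5", 443, "tcp", "S", 1, 60,
                  50 + i % 10) for i in range(400)]
    flows += [Flow("192.0.2.99", "10.0.0.5", 80, "tcp", "S", 2, 120, 70 + i % 10)
              for i in range(60)]
    return flows


if __name__ == "__main__":
    benign, attack = constructed_benign(), constructed_attack()
    thr_part = fit_threshold(benign, is_half_open_tcp)
    thr_naive = fit_threshold(benign, everything)
    print("partitioned, benign only :", detect(benign, thr_part, is_half_open_tcp))
    print("naive, benign only       :", detect(benign, thr_naive, everything))
    print("partitioned, with attack :", detect(benign + attack, thr_part, is_half_open_tcp))
```

Run stand-alone, the un-partitioned detector flags the healthy web server's busy window as an anomaly (a false positive), while the partitioned detector, trained on the same eight benign half-open flows, stays silent on benign traffic and flags both the spoofed flood and the single-source variant. The variant differs from the flood in source distribution, port and packet count, none of which the partition fixes, which is the sense in which the unknown part is left open-ended.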

Published In
SACMAT 2024: Proceedings of the 29th ACM Symposium on Access Control Models and Technologies
June 2024
205 pages
ISBN:9798400704918
DOI:10.1145/3649158
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

  1. anomaly detection
  2. daass
  3. ddos
  4. netflow
  5. network intrusion detection
  6. syn flood
  7. threat partitioning

Conference

SACMAT 2024
Overall acceptance rate: 177 of 597 submissions (30%)