anomaly detection final
ANOMALY DETECTION: ANALYSIS AND EMULATION WITH DETERLAB
MAJOR PROJECT 2013-14
SWATI JAIN - 10503851
PUJA AGRAWAL - 10503857
AKSHAY BANSAL - 10503878
BATCH - B11
PROBLEM STATEMENT
• This research-based project attempts to:
• Analyze and emulate anomaly detection techniques.
• Use low-rate (pulsating) TCP-targeted Denial of Service attacks as the case study, chosen for their ease of launch and their stealthy, damaging nature.
• Use the DETER test-bed to emulate such attacks.
• Design an extensive anomaly changepoint detection methodology for the same.
BACKGROUND STUDY
• DeterLab:
• Acronym for cyber Defense Technology Experimental Research network lab.
• DeterLab provides an open, remotely accessible, shared network research lab.
• Facilities include networking and computing resources, and an expanding set of tools for using them to construct and operate experiments.
• An emulation test-bed that allows researchers to evaluate Internet security technologies.
• Changepoint Detection:
• Study of techniques to detect a change ("disorder") in the state of a time process, usually from "normal" to "abnormal".
• The time instance at which the state of the process changes is referred to as the changepoint.
• Challenge: the changepoint is not known in advance.
NOVELTY
• The algorithm, as applied to DoS attacks (Feb 2013), has so far not been tested on the case of low-rate Denial of Service attacks.
• We had to modify the algorithm in keeping with the case study of the LDoS attack.
• The likelihood-ratio-based Shiryaev–Roberts procedure has appealing optimality properties.
• DeterLab is used to simulate, analyze and emulate the whole project, as opposed to the network-simulator-based analysis of such attacks.
• This project has attempted to test the algorithm's results in a real-time scenario.
NEW TOOLS
• DeterLab:
• We use the resources and networking facilities provided by DeterLab to simulate, analyze and emulate the attack. The network topology is created in DeterLab, and the required attack is simulated on end-nodes.
• SEER:
• The SEER workbench contains a packet flooder module which allows the user to manually introduce attack traffic into a running experiment.
• PuTTY:
• PuTTY is a free and open-source terminal emulator, serial console and network file transfer application.
• We use this software to log in over SSH to users.isi.deterlab.net, so as to access the tcpdump (log) file of the victim's traffic.
• This way we analyze the ingress and egress traffic of the target victim node.
• PSCP:
• PSCP is a freeware SCP (Secure CoPy) program for the Windows command line processor.
• We use this software to secure-copy files from users.deterlab.net to our local system.
• Iperf:
• This tool is used to measure network performance. Iperf was originally developed by NLANR/DAST as a modern alternative for measuring TCP and UDP bandwidth performance.
• Iperf is a tool to measure maximum TCP bandwidth, allowing the tuning of various parameters and UDP characteristics. Iperf reports bandwidth and datagram loss.
• Cwnd_track:
• This tool is loosely based on tmeas (a tool that records a number of system-level statistics). Its purpose is fairly limited in its current form: it polls the TCP congestion window (cwnd) value for a given IP. If there is no connection to the provided IP address, the tool waits and logs nothing. Once the connection appears, it logs the value along with a time stamp.
• TCPDump:
• Tcpdump is a powerful command-line packet analyzer; libpcap is a portable C/C++ library for network traffic capture.
• Tcpdump prints out a description of the contents of packets on a network interface that match a boolean filter expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match the expression are processed by tcpdump.
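The slides describe pulling the victim's tcpdump log off the test-bed and analyzing its ingress and egress traffic; the step they do not show is turning that text log into the per-interval observation sequence X1, X2, ..., Xn that a changepoint statistic consumes. The following is an added example (not code from the project): it parses the default text output of tcpdump (as produced by, for example, tcpdump -n -r victim.pcap), bins packets into fixed one-second windows relative to an assumed victim address 10.1.1.1, and keeps empty windows as zero counts, because the quiet gaps are exactly what distinguishes a pulsing pattern from a steady one. The sample lines, the victim address and the function names are constructed for this example; lines that are not IPv4 TCP/UDP records (ICMP, ARP, IPv6) are skipped.

```python
import re
from math import floor

# Matches the default tcpdump text line for an IPv4 TCP/UDP packet, e.g.
#   12:00:00.000100 IP 10.1.1.2.45000 > 10.1.1.1.80: Flags [S], ..., length 0
# Lines in any other format (ICMP, ARP, IPv6) are skipped by the parser.
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{1,6}) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .*\blength (\d+)"
)

# Constructed sample capture (not a real DeterLab trace): 10.1.1.1 is the
# assumed victim; 10.1.1.2 completes a handshake and sends data, two more
# hosts open connections, nothing arrives for a second, then one more SYN.
SAMPLE_LINES = """\
12:00:00.000100 IP 10.1.1.2.45000 > 10.1.1.1.80: Flags [S], seq 1, win 29200, length 0
12:00:00.000300 IP 10.1.1.1.80 > 10.1.1.2.45000: Flags [S.], seq 1, ack 2, win 28960, length 0
12:00:00.500000 IP 10.1.1.2.45000 > 10.1.1.1.80: Flags [P.], seq 1:101, ack 2, win 229, length 100
12:00:01.100000 IP 10.1.1.3.40000 > 10.1.1.1.80: Flags [S], seq 5, win 29200, length 0
12:00:01.200000 IP 10.1.1.3.40001 > 10.1.1.1.80: Flags [S], seq 6, win 29200, length 0
12:00:01.900000 IP 10.1.1.1.80 > 10.1.1.2.45000: Flags [.], ack 101, win 227, length 0
12:00:03.000000 IP 10.1.1.4.40002 > 10.1.1.1.80: Flags [S], seq 7, win 29200, length 0
""".splitlines()


def parse_line(line):
    """Return (seconds_since_midnight, src_ip, dst_ip, payload_len) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, frac, src, _sport, dst, _dport, length = m.groups()
    seconds = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac.ljust(6, "0")) / 1e6
    return seconds, src, dst, int(length)


def bin_traffic(lines, victim_ip, interval=1.0):
    """Bin a capture into fixed windows of `interval` seconds, separating
    ingress (towards the victim) from egress (from the victim). Empty windows
    are kept as zero counts: a pulsing pattern is only visible if the quiet
    intervals stay in the series."""
    packets = [p for p in map(parse_line, lines) if p is not None]
    if not packets:
        return []
    first = floor(min(p[0] for p in packets) / interval)
    last = floor(max(p[0] for p in packets) / interval)
    bins = [{"window": i, "ingress_pkts": 0, "egress_pkts": 0,
             "ingress_bytes": 0, "egress_bytes": 0}
            for i in range(last - first + 1)]
    for ts, src, dst, length in packets:
        b = bins[floor(ts / interval) - first]
        if dst == victim_ip:
            b["ingress_pkts"] += 1
            b["ingress_bytes"] += length
        elif src == victim_ip:
            b["egress_pkts"] += 1
            b["egress_bytes"] += length
    return bins


def observation_series(bins, key="ingress_pkts"):
    """The X1, X2, ..., Xn sequence a changepoint statistic would consume."""
    return [b[key] for b in bins]


if __name__ == "__main__":
    windows = bin_traffic(SAMPLE_LINES, "10.1.1.1")
    for b in windows:
        print(b)
    print("ingress packets per second:", observation_series(windows))
```

On the sample capture the ingress series is [2, 2, 0, 1]: the third window is empty and is still reported, so a later statistic sees the gap rather than a shorter series. The same parser can be pointed at the egress side (key="egress_pkts") or at byte counts when the congestion-window behaviour of the victim is the quantity of interest.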
PROPOSED ALGORITHM
• Divide traffic into groups of random observations X1, X2, ..., Xn, each distributed according to a known probability density function (pdf) f
• with pdf .
• : data changes statistical profile at time instance v = k.
• : Null Hypothesis: no attack ever occurs.
MODIFIED ALGORITHM
• Likelihood Statistic :
• Detection statistic :
• Log-likelihood ratio :
• Stopping Rule :
min
• There may be points where the observed data appears to be normal, but the detection statistic still surpasses the threshold set for this test. This is an indication of a false alarm, since no changepoint has been detected in the observed data prior to it.
• If the corresponding detection statistic graph shows a peak after the changepoint which surpasses the threshold, it confirms the presence of an anomaly in the network flow. This time of detection is called the Detection Point.
RESULT - DETECTION STATISTIC IN CASE OF LEGIT TRAFFIC
RESULT - CONGESTION WINDOW IN CASE OF LEGIT TRAFFIC
RESULT - DETECTION STATISTIC IN CASE OF ATTACK TRAFFIC
RESULT - CONGESTION WINDOW IN CASE OF LEGIT TRAFFIC
Fig. General flow diagram of Project Modules.
Fig. sequence diagram
Fig. Overall design/architecture
RISK AND MITIGATION
Figure: The Interrelationship Graph (IG)
Table : Risk Area Wise Total Weighting Factor:
TESTING
CURRENT/OPEN PROBLEMS
• Detection delay time: to detect changes in the statistical profile of network traffic as rapidly as possible, while maintaining a tolerable level of risk of making a false detection.
• Our aim is to detect that the observations' common distribution has changed. The challenge is to do so with as few observations as possible following the changepoint.
• For a successful sequential analysis of anomalies in a network traffic sample, we must:
• minimize the detection time given fixed false alarm and misdetection rates;
• balance the trade-off between these three quantities (false alarm rate, misdetection rate, detection time) effectively.
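The modified-algorithm slides name the pieces of the procedure (likelihood ratio, detection statistic, stopping rule, false alarm before the changepoint, detection point after it) and the open-problems slide names the quantities to trade off (detection delay, false alarm rate, misdetection rate), but the formulas themselves did not survive in this transcript. The following is an added example, not the project's code: it runs the standard Shiryaev–Roberts recursion R_n = (1 + R_{n-1}) * f1(X_n)/f0(X_n) with R_0 = 0 and the stopping rule "alarm at the first n with R_n >= A", classifies each alarm against a known changepoint exactly as the slides describe (an alarm before the changepoint is a false alarm, one at or after it is the detection point), and then estimates mean delay, false alarm rate and misdetection rate at one threshold by Monte Carlo. The observation model is an assumption the slides do not state: per-interval packet counts that are Gaussian with a common standard deviation SIGMA and a mean that shifts from MU0 to MU1 at the changepoint. The constants, the thresholds and the function names are all constructed for this example.

```python
import math
import random

# Assumed observation model (the slides do not state one): each X_n is a
# per-interval packet count, Gaussian with standard deviation SIGMA, mean MU0
# before the changepoint and mean MU1 after it.
MU0, MU1, SIGMA = 100.0, 130.0, 10.0


def log_likelihood_ratio(x, mu0=MU0, mu1=MU1, sigma=SIGMA):
    """log f1(x)/f0(x) for two Gaussians that share one variance."""
    return (mu1 - mu0) / sigma ** 2 * (x - (mu0 + mu1) / 2.0)


def shiryaev_roberts(observations, threshold, mu0=MU0, mu1=MU1, sigma=SIGMA):
    """Shiryaev-Roberts recursion R_n = (1 + R_{n-1}) * f1(X_n)/f0(X_n), R_0 = 0.

    Stopping rule: halt at the first n (0-based) with R_n >= threshold.
    Returns (stats, alarm): the detection statistic up to the stop and the
    alarm index, or None when the sequence ends without an alarm.
    """
    r = 0.0
    stats = []
    for n, x in enumerate(observations):
        r = (1.0 + r) * math.exp(log_likelihood_ratio(x, mu0, mu1, sigma))
        stats.append(r)
        if r >= threshold:
            return stats, n
    return stats, None


def evaluate(observations, threshold, changepoint):
    """Classify the alarm against the known changepoint of a constructed trace.

    changepoint=None means the trace is entirely legitimate traffic, so any
    alarm is a false alarm. An alarm raised before the changepoint is a false
    alarm (normal-looking data with a statistic above the threshold); one
    raised at or after it is the detection point, and the delay is the number
    of post-change observations it consumed.
    """
    _stats, alarm = shiryaev_roberts(observations, threshold)
    if alarm is None:
        return {"outcome": "no alarm", "alarm": None, "delay": None}
    if changepoint is None or alarm < changepoint:
        return {"outcome": "false alarm", "alarm": alarm, "delay": None}
    return {"outcome": "detection", "alarm": alarm, "delay": alarm - changepoint}


def constructed_trace(rng, n, changepoint):
    """Constructed sample trace: the mean shifts from MU0 to MU1 at changepoint."""
    return [rng.gauss(MU1 if changepoint is not None and i >= changepoint else MU0, SIGMA)
            for i in range(n)]


def monte_carlo(threshold, runs=200, n=300, changepoint=150, seed=7):
    """Estimate the three quantities the open-problems slide wants balanced:
    mean detection delay, false alarm rate and misdetection rate at one threshold."""
    rng = random.Random(seed)
    delays, false_alarms, misses = [], 0, 0
    for _ in range(runs):
        result = evaluate(constructed_trace(rng, n, changepoint), threshold, changepoint)
        if result["outcome"] == "detection":
            delays.append(result["delay"])
        elif result["outcome"] == "false alarm":
            false_alarms += 1
        else:
            misses += 1
    return {
        "mean_delay": sum(delays) / len(delays) if delays else None,
        "false_alarm_rate": false_alarms / runs,
        "miss_rate": misses / runs,
    }


if __name__ == "__main__":
    # Deterministic trace: 30 legitimate intervals at MU0, then the shift to MU1.
    trace = [MU0] * 30 + [MU1] * 10
    print(evaluate(trace, threshold=1000.0, changepoint=30))
    # Raising the threshold buys a lower false alarm rate at the price of delay.
    for a in (100.0, 1000.0, 10000.0):
        print(a, monte_carlo(a))
```

On the deterministic trace the pre-change statistic settles near 0.011, the first post-change interval lifts it to about 91 and the second to about 8300, so with A = 1000 the detection point is index 31, one observation after the changepoint at 30. Sweeping the threshold in the Monte Carlo loop shows the trade-off the slides pose: a lower A shortens the delay but lets occasional normal-looking intervals push R_n over the line, which is the false alarm case described under the modified algorithm.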