ABSTRACT
A reasonable definition of intrusion is: entering a community to which one does not belong. This suggests that in a network, intrusion attempts may be detected by looking for communication that does not respect community boundaries. In this paper, we examine the utility of this concept for identifying malicious network sources. In particular, our goal is to explore whether this concept allows a core-network operator using flow data to augment signature-based systems located at network edges. We show that simple measures of communities can be defined for flow data that allow a remarkably effective level of intrusion detection simply by looking for flows that do not respect those communities. We validate our approach using labeled intrusion attempt data collected at a large number of edge networks. Our results suggest that community-based methods can offer an important additional dimension for intrusion detection systems.
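As an added illustration of the abstract's idea (example code, not from the paper): constructed flow records, a simple label-propagation community measure assumed here in place of the paper's own measures, and a per-source score counting flows that cross community boundaries.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed flow records (src, dst): three dense host clusters plus a
# hypothetical host "s" that reaches into several clusters at once.
CLUSTERS = {"a": ["a1", "a2", "a3", "a4"],
            "b": ["b1", "b2", "b3", "b4"],
            "c": ["c1", "c2", "c3", "c4"]}
FLOWS = [(x, y) for hosts in CLUSTERS.values() for x, y in combinations(hosts, 2)]
FLOWS += [("s", "a1"), ("s", "b1"), ("s", "c1"), ("s", "c2")]


def build_graph(flows):
    """Undirected host-to-host graph with an edge for every observed flow."""
    adj = defaultdict(set)
    for src, dst in flows:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def label_propagation(adj, max_iter=20):
    """Assumed community measure: each host adopts the label most common among
    its neighbours (ties broken by the smallest label, so the run is
    deterministic). The paper's own measures are not shown on this page."""
    labels = {h: h for h in adj}
    for _ in range(max_iter):
        changed = False
        for host in sorted(adj):
            counts = Counter(labels[n] for n in adj[host])
            best = min(counts, key=lambda lab: (-counts[lab], lab))
            if best != labels[host]:
                labels[host] = best
                changed = True
        if not changed:
            break
    return labels


def cross_community_scores(flows, labels):
    """Per source: fraction of its flows whose endpoints lie in different
    communities. Sources that mostly talk across boundaries stand out."""
    total, crossing = Counter(), Counter()
    for src, dst in flows:
        total[src] += 1
        if labels[src] != labels[dst]:
            crossing[src] += 1
    return {src: crossing[src] / total[src] for src in total}


def suspicious_sources(flows, threshold=0.3):
    """Sources whose cross-community flow fraction exceeds the threshold."""
    labels = label_propagation(build_graph(flows))
    scores = cross_community_scores(flows, labels)
    return sorted(src for src, frac in scores.items() if frac > threshold)


if __name__ == "__main__":
    print(suspicious_sources(FLOWS))  # constructed data: ['s']
```

The threshold is a tuning knob: in real flow data some legitimate hosts (resolvers, mail relays) cross communities routinely, so it should be set from a baseline rather than fixed.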