research-article

Intrusion as (anti)social communication: characterization and detection

Authors:
Qi Ding

Boston University, Boston, MA, USA

Boston University, Boston, MA, USA
View Profile

,
Natallia Katenka

Boston University, Boston, MA, USA

Boston University, Boston, MA, USA
View Profile

,
Paul Barford

University of Wisconsin - Madison, Madison, WI, USA

University of Wisconsin - Madison, Madison, WI, USA
View Profile

,
Eric Kolaczyk

Boston University, Boston, MA, USA

Boston University, Boston, MA, USA
View Profile

,
Mark Crovella

Boston University, Boston, MA, USA

Boston University, Boston, MA, USA
View Profile

KDD '12: Proceedings of the 18th ACM SIGKDD international conference on Knowledge discovery and data miningAugust 2012Pages 886–894https://doi.org/10.1145/2339530.2339670

Published:12 August 2012Publication History

KDD '12: Proceedings of the 18th ACM SIGKDD international conference on Knowledge discovery and data mining

Pages 886–894

ABSTRACT

A reasonable definition of intrusion is: entering a community to which one does not belong. This suggests that in a network, intrusion attempts may be detected by looking for communication that does not respect community boundaries. In this paper, we examine the utility of this concept for identifying malicious network sources. In particular, our goal is to explore whether this concept allows a core-network operator using flow data to augment signature-based systems located at network edges. We show that simple measures of communities can be defined for flow data that allow a remarkably effective level of intrusion detection simply by looking for flows that do not respect those communities. We validate our approach using labeled intrusion attempt data collected at a large number of edge networks. Our results suggest that community-based methods can offer an important additional dimension for intrusion detection systems.

Supplemental Material

best_paper_3.mp4

mp4

375.7 MB

Download

References

M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. In Proceedings of the Network And Distributed Security Symposium, San Diego, CA, January 2005.Google Scholar
P. Barford, R. Nowak, R. Willett, and V. Yegneswaran. Toward a Model for Sources of Internet Background Radiation. In Proceedings of the Passive and Active Measurement Conference, Adelaide, Australia, March 2006.Google Scholar
S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, J. Rowe, S. Staniford-Chen, R. Yip, and D. Zerkle. The Design of GrIDS: A Graph-Based Intrusion Detection System. UC Davis Technical Report CSE-99--2, 1999.Google Scholar
A. Clauset, MEJ Newman, and C. Moore. Finding community structure in very large networks. Physical Review E, 70(6):66111, 2004.Google ScholarCross Ref
G. Cormode, F. Korn, S. Muthukrishnan, and Y. Wu. On signatures for communications graphs. In Proceedings of ICDE, Cancun, Mexico, April 2008. Google ScholarDigital Library
W. de Nooy, A. Mrvar, and V. Batagelj. Exploratory Social Network Analysis with Pajek. Cambridge University Press, New York, 2005. Google ScholarDigital Library
Benjamin H. Good, Yves A. de Montjoye, and Aaron Clauset. Performance of modularity maximization in practical contexts. Physical Review E, 81(4):046106, April 2010.Google ScholarCross Ref
Y. Jin, E. Sharafuddin, and Z. Zhang. Unveiling core network-wide communication patterns through application traffic activity graph decomposition. In Proceedings of ACM SIGMETRICS, Seattle, WA, June 2009. Google ScholarDigital Library
Yu Jin, Jin Cao, Aiyou Chen, Tian Bu, and Zhi-Li Zhang. Identifying high cardinality Internet hosts. In Proceedings of IEEE INFOCOM, Rio de Janeiro, Brazil, April 2009.Google Scholar
J. Jung, V. Paxson, A. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In IEEE Symposium on Security and Privacy 2004, Oakland, CA, May 2004.Google Scholar
N. Kamiyama, T. Mori, and R. Kawahara. Simple and adaptive identification of superspreaders by flow sampling. In Proceedings of IEEE INFOCOM, Anchorage, AK, April 2007.Google ScholarDigital Library
KDD Cup data. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, August 1999.Google Scholar
Eric D. Kolaczyk. Statistical Analysis of Network Data: Methods and Models. Springer, New York, 2009. Google ScholarDigital Library
P. McDaniel, S. Sen, O. Spatscheck, J. van der Merwe, B. Aiello, and C. Kalmanek. Enterprise security: A community of interest based approach. In Proceedings of NDSS, San Diego, CA, February 2006.Google Scholar
C. Noble and D. Cook. Graph-based anomaly detection. In Proceedings of SIGKDD, Washington, DC, August 2003. Google ScholarDigital Library
V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, (Special Issue on Intrusion Detection), 31(23--24):2435--2463, December 1999. Google ScholarDigital Library
H. Ringberg, A. Soule, J. Rexford, and C. Diot. Sensitivity of pca for traffic anomaly detection. In Proceedings of ACM SIGMETRICS, San Diego, CA, June 2007. Google ScholarDigital Library
M. Roesch. Snort -- lightweight intrusion detection for networks. In Proceedings of the Usenix LISA Conference, Seattle, WA, November 1999. Google ScholarDigital Library
S. Rubin, S. Jha, and B. Miller. Automatic generation and analysis of nids attacks. In Proceedings of Annual Computer Security Applications Conference (ACSAC), Tucson, AZ, December 2004. Google ScholarDigital Library
J. Sun, H. Qu, D. Chakrabarti, and C. Faloutsos. Relevance search and anomaly detection in bipartite graphs. Proceedings of SIGKDD Explorations Special Issue on Link Mining, 7(2), 2005. Google ScholarDigital Library
J. Tolle and O. Niggemann. Supporting Intrusion Detection by Graph Clustering and Graph Drawing. In Proceedings of the Symposium on Recent Advances in Intrusion Detection, Toulouse, France, October 2000.Google Scholar
J. Ullrich. The Dshield Project. http://www.sans.org, 2010.Google Scholar
V. Yegneswaran, P. Barford, and J. Ullrich. Internet Intrusions: Global Characteristics and Prevalence. In Proceedings of ACM SIGMETRICS, San Diego, CA, June 2003. Google ScholarDigital Library

Index Terms

Intrusion as (anti)social communication: characterization and detection
1. Computing methodologies
  1. Modeling and simulation
    1. Model development and analysis
      1. Modeling methodologies
2. Networks
  1. Network services
    1. Network monitoring

Recommendations

Rule generalisation in intrusion detection systems using SNORT

Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this ...
Read More
Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion

In this article, the authors describe common intrusion detection techniques, NIDS evasion methods, and how NIDSs detect intrusions. Additionally, we introduce new evasion methods, present test results for confirming attack outcomes based on server ...
Read More
Syntax vs. semantics: competing approaches to dynamic network intrusion detection

Malicious network traffic, including widespread worm activity, is a growing threat to internet-connected networks and hosts. In this paper, we consider both syntax and semantics based approaches for dynamic network intrusion detection. The semantics-...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
KDD '12: Proceedings of the 18th ACM SIGKDD international conference on Knowledge discovery and data mining
August 2012
1616 pages
ISBN:9781450314626
DOI:10.1145/2339530
General Chair:
Qiang Yang
Hong Kong University of Science and Technology
,
Program Chairs:
Deepak Agarwal
LinkedIn
,
Jian Pei
Simon Fraser University
Copyright © 2012 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 12 August 2012
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
intrusion detection
social graphs
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate1,133of8,635submissions,13%
Upcoming Conference
KDD '24

Sponsor:

sigkdd

sigkdd

The 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

August 25 - 29, 2024

Barcelona , Spain
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 73
  Total Citations
  View Citations
- 837
  Total Downloads
- Downloads (Last 12 months)13
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Intrusion as (anti)social communication: characterization and detection

KDD '12: Proceedings of the 18th ACM SIGKDD international conference on Knowledge discovery and data mining

ABSTRACT

Supplemental Material

References

Cited By

Index Terms

Recommendations

Rule generalisation in intrusion detection systems using SNORT

Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion

Syntax vs. semantics: competing approaches to dynamic network intrusion detection