As computer networks scale up in size and tra c volume, detecting slow suspicious activity, deliberately designed to stay beneath the threshold, becomes ever more di cult. Simply storing all packet captures for analysis is not feasible due to computational constraints. Detecting such activity depends on maintaining tra c history over extended periods of time, and using it to distinguish between suspicious and innocent nodes. The doctoral work presented here aims to adopt a Bayesian approach to address this problem, and to examine the e ectiveness of such an approach under di erent network conditions: multiple attackers, tra c volume, subnet con guration and tra c sampling. We provide a theoretical account of our approach and very early experimental results.
We are particularly interested in studying subnet size and tra c volume, and how that may e ect our ability to distinguish such activity. We will draw from this network design principles for more e ective monitoring. 3. How do we e ectively detect the target of such activity?
We acknowledge that the use of botnets and distributed sources makes it very di cult to attribute attacks. Of further interest is to determine the target of such activity. We will investigate methods to pro le such nodes. Such methods need to be e ective for scalable networks. 4. What e ect does using sampling techniques has as a logging method?
Tra c volumes will continue to increase. This makes it ever more di cult to process and e ectively monitor slow activity. Since we are not detecting for strict tra c signatures, we wish to investigate tra c sampling methods and evaluate their suitability for security monitoring of slow attacks. 3
We look at the problem as two sub problems: pro ling and analysis. Pro ling is the method for evidence fusion across space and accumulation across time, which updates the normal node pro les dynamically based on changes in evidence. Analysis is the method for distinguishing between anomalous and normal pro les using statistical normality. We propose to use elements of network ow data as input to our pro ling method. Flow data contains network and port addresses, protocols, date and time, and amount of data exchanged during a session. We use a multivariate approach to analyse such records. So for example suspicious port scanning activity may have the following characteristics: a single source address, one or more destination addresses, and target port numbers increasing incrementally. When ngerprinting such tra c, we examine multiple elements and develop a hypothesis for the cause of behaviour on that basis. We use a Bayesion approach to achieve this. 3.1
Building the hypothesis The posterior probability of the hypothesis Hk given that E, is given by the well known Bayes' formula:
Let Hk : hypothesis that kth node is an attacker, Ei is a ow record element and E =fE1=e1, E2=e2, E3=e3,...,Em=emg is the set of all suspicious evidence observed against node k during time t from m di erent independent observation spaces. Here P (E) is the probability of producing suspicious events by node k, but on its own is di cult to calculate. This can be avoided by using the law of total probability. For independent observations, the joint posterior probability distribution can be obtained from (1) as: (1) (2)
To calculate the posterior probability of node k being an attacker p(Hk=E), it is necessary to estimate: 1. the likelihood of the event E given the hypothesis Hi, p(E=Hi) and, 2. the prior probability p(Hi), where n i > 0.
Assuming that prior and likelihoods are known, (2) facilitates to combine evidence from multiple sources (all Eis) to a single value (posterior probability) which describes our belief, during a short observation period, that node k is an attacker given E. Aggregating short period estimations over time helps to accumulate relatively weak evidence for long periods. This accumulated probability term, P p(Hk=E) t (t is time) known as pro le value hereafter, can be used as a measurement of the level of suspicion for node k at any given time. These scores are converted into Z-scores for analysis.
A series of experiments have been conducted in a simulated environment to test the proposed approach. We use NS3 [NS311] to simulate our network and generate tra c patterns of interest, assuming a poison p(Hk=E) = p (E=Hk) :p(Hk)
p(E) Q p(ej =Hi):p(Hk) j p(Hk=E) = P Q p(ej =Hi):p(Hi)
i j arrival model. Each simulation is run for a reasonable period of time to ensure that enough tra c is generated (over one million events). If s, n are mean rates of generating suspicious events (where we only generate a subset of ow data elements including source and destination address and port numbers, and where suspicious activity is judged by unexpected port numbers) by suspicion and normal nodes respectively, we ensure maintaining s = ( n 3p n) and n( 0:1) su ciently smaller for all our experiments to characterise slow suspicious activities which aim at staying beneath the threshold of detection and hiding behind the background noise. 3.2
Early Results Early results of our work are promising: our approach is able to distinguish multiple suspicious nodes from a given set of network nodes as shown in Figure 1.
We model detection potential D as a function of subnet size S and tra c volume V , where D = 1 k:( bVS ) 2 , and where k is a constant, which demonstrates the e ect of varying the subnet size over ability to detect e ective monitoring. This e ect is demonstrated in Figure 2. The e ects of total tra c volume on detection potential are also demonstrated in Figure 3. Relevant details for these results could be found in [KSZJ12].
reo 2 c S − Z 4 0
Our work aims to address the stated research goals by demonstrating how e ective monitoring could be deployed in more realistic network topologies. We plan to continue with our experimental approach, and consolidate results towards the end to ensure a coherent and consistent picture emerges that is of practical value. 4
This research aims to address a di cult problem. Monitoring infrastructures are overloaded both with data and tools. The question is: what do we with it? The di culty is due to the increasing scale of networks, the diversity of user access provision to systems, the nature of suspicious activity and the corresponding need to monitor for serious attacks, and ultimately being able to e ectively manage detection of intrusions.
100 200 300 400
500 Subnet size Traffic volume 6 7
Our ultimate goal is to o er a set of design principles and heuristics allowing for e ective collection and analysis of data on networks. The rst two research questions from Section 2 allow us to build defensible networks, where any source of suspicious activity could be detected e ectively and quickly. This is about both better data analysis and network design. The third research question is inspired by related work investigating exposure maps [DOE06] and darkports [WvOK07], where we adapt our algorithm to pro le target nodes for possible slow and suspicious activity. The underlying principle remains the same: we trade in state for computation. Ever increasing processing capacity increasingly makes this feasible. But tra c volumes indeed also pose a big challenge, and hence our nal question is an attempt assess the feasibility of sampling tra c for analysis. This is also evidenced as feasible by some other work [BR12,PRTV10], and we propose to build on it.
Our aim is to remain domain agnostic. This allows for research to be applied at various levels, including better detection software, monitoring tools, and network design and con guration management solutions.