Abstracts
-----------------------------------------------------------------------------------------------
Intrusion Detection at ONR
W. Martinez, ONR chair
1. "Mining the Structure of Information Networks"
Jon Kleinberg.
Cornell
ABSTRACT
Recent work in the analysis and mining of large networks has proceeded together with an increasing awareness of the structural regularities that these networks exhibit. We are beginning to discover that complex networks have a characteristic 'geography'; they share a number of fundamental properties that presumably reflect the forces driving their growth and evolution. Our research in this area has focused on both models and algorithms, exploring the use of random graphs to model networks with small-world and power-law properties; developing techniques for mining the link topology of the Web and extracting networked communities by link analysis; and improving the performance of decentralized search algorithms in networks.
2. "A Novel Approach to Detection of Denial-of-Service Attacks Via Adaptive Sequential and Batch-Sequential Change-Point Detection Methods"
Rudolf B Blazek, Hongjoong Kim, Boris Rozovskii, and Alexander Tartakovsky
USC
ABSTRACT
In computer networks, large scale attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic, but in the early stage of an attack, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. In this paper, we develop efficient adaptive sequential and batch-sequential methods for early detection of attacks from the class of denial-of-service attacks. These methods employ statistical analysis of data from multiple layers of the network protocol for detection of very subtle traffic changes, which are typical for these kinds of attacks. Both the sequential and batch-sequential algorithms utilize thresholding of test statistics to achieve a fixed rate of false alarms. The algorithms are developed on the basis of change-point detection theory. As a result, the algorithms allow us to detect changes in statistical models as soon as possible, while controlling the rate of false alarms. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Second, they allow for the detection of attacks with small average delay for a given false alarm rate. Third, they are computationally simple, and hence can be implemented on-line. Theoretical frameworks for detection procedures, as well as results of the experimental study with the use of a network simulator testbed, are presented.
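The abstract above describes sequential change-point detection with a threshold that fixes the false-alarm rate. The following is an added illustration, not code from the paper: a one-sided CUSUM detector over per-interval packet counts, with the baseline learned from a leading training window (the "self-learning" step) and a decision threshold h that trades detection delay against false alarms. The packet counts are constructed, and the specific statistic (a standardized CUSUM) is an assumption chosen for illustration rather than the paper's own procedure.

```python
# Added example (not code from the Blazek/Kim/Rozovskii/Tartakovsky paper):
# a one-sided CUSUM change-point detector over per-interval packet counts.
# The baseline is learned from an initial training window (the "self-learning"
# step), and the alarm threshold h sets the trade-off between detection delay
# and false-alarm rate. The sample counts below are constructed.
from statistics import mean, stdev


def cusum_detect(counts, train_len, k=0.5, h=5.0):
    """Run a one-sided CUSUM over counts[train_len:].

    counts    : per-interval packet counts (e.g. SYNs per second)
    train_len : number of leading samples used to estimate the normal mean/std
    k         : reference value (allowance) in standard-deviation units
    h         : decision threshold; larger h means fewer false alarms, longer delay
    Returns (alarm_index, statistics): alarm_index is the index into counts
    of the first interval whose statistic exceeds h, or None if none does.
    """
    base = counts[:train_len]
    mu, sigma = mean(base), stdev(base)
    s = 0.0
    stats = []
    for i in range(train_len, len(counts)):
        z = (counts[i] - mu) / sigma          # standardized deviation from baseline
        s = max(0.0, s + z - k)               # CUSUM recursion; floors at zero
        stats.append(s)
        if s > h:
            return i, stats
    return None, stats


# Constructed data: 10 "normal" intervals (mean 100, std 2) followed either by
# a slow ramp that a simple per-interval threshold would not flag, or by more
# normal traffic that must not raise an alarm.
NORMAL = [100, 102, 98, 101, 99, 103, 97, 100, 102, 98]
RAMP = [101, 99, 102, 104, 106, 108, 110, 112]
QUIET = [101, 99, 102, 98, 100, 103]

if __name__ == "__main__":
    idx, s = cusum_detect(NORMAL + RAMP, train_len=len(NORMAL))
    print("ramp: alarm at interval", idx, "statistics", s)
    idx, s = cusum_detect(NORMAL + QUIET, train_len=len(NORMAL))
    print("quiet: alarm at interval", idx)
```

On the constructed ramp the statistic accumulates the small positive deviations and crosses h at the sixth post-training interval (index 15), while the quiet stream never leaves the neighbourhood of zero; raising h lengthens the detection delay but lowers the false-alarm rate, which is the trade-off the abstract refers to.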
---------------------------------------------------------------------
S. Scott, USC, chair
1. "A Hierarchical Model for Network Intrusion Data"
Steven L. Scott
USC
ABSTRACT
Computer, financial, and telecommunications networks have a nested structure where individual transactions are nested within accounts, which are nested within the network itself. Statisticians have developed a general theory of hierarchical models for just such a nested data structure.
Hierarchical models allow modelers to focus on describing data at one stage of the hierarchy while "borrowing strength" from another. This talk shows how a Markov modulated Poisson process (MMPP) can be used as the prior distribution in a hierarchical model allowing nearby transactions to share information about a criminal's possible presence or absence.
2. "Detecting Network Attacks Through Traffic Modeling"
Khushboo Shah, Edmond Jonckheere, Stephan Bohacek
USC
ABSTRACT
Computer network traffic is analyzed via (i) linear and nonlinear state-space modeling, (ii) statistical techniques such as linear and nonlinear canonical correlation analysis, and (iii) mutual information. A baseline traffic model and statistical signature are identified. A significant change in either the model or the signature is an indication of an ongoing network anomaly. Simulations show the utility of these techniques for detecting UDP flooding attacks, ping attacks and SYN DoS attacks. Our approach is topology independent and our findings are tested on different sized parking lot topologies as well as the standard single bottleneck topology. Furthermore, this detection technique has been tested for various levels of background traffic, consisting of different mixtures of HTTP, FTP and attack traffic.
A wide array of modeling approaches is followed including linear and nonlinear state-space, linear AR, nonlinear AR and ACE (alternating conditional expectation). Comparison of models clearly illustrates the presence of nonlinearity in the normal and attack traffic. This work indicates that the nonlinear state-space model and the mutual information are powerful tools for the detection of attacks as well as for monitoring and understanding normal traffic.
3. "Network Tomography: Detecting and Locating Anomalous Behavior Using End-to-End Measurements"
R. Castro, M. Coates, R. Nowak and Y.Tsang
McGill
ABSTRACT
In large-scale networks, end-systems cannot rely on the network itself to cooperate in characterizing its own behavior. This has prompted several groups to investigate methods for inferring internal network behavior based on end-to-end network measurements. Such problems are often referred to as network tomography because of similarities with medical tomography. In this paper, we review our recently developed strategy for determining the (logical) routing topology and describe a method for constructing a map of network traffic intensity that is dynamically updated in real-time. These methods require no special cooperation from internal routers; in particular there is no reliance upon a response to ICMP packets.
Our current work is exploring the application of network tomography to the detection of anomalous behavior. We believe that correlated changes in traffic behavior, even in statistics such as mean delay, can help to provide an early warning of incipient distributed denial-of-service attacks. In a large-scale network, there is a prohibitive expense associated with the placement of measurement devices at a sufficient number of routers to make the real-time detection of such correlations possible. Tomographic techniques enable time-varying maps of network activity to be constructed using measurements made solely at the accessible network edge. We are also researching methods for detecting unusual traffic patterns from measurements made by a limited number of sensors.
---------------------------------------------------------------------
Visualization of Network Data
J. Solka, NSWC, chair
Mr. Joe Garcia
NSWC
ABSTRACT
This paper describes the development of the Color-Coded Spreadsheet (CCS), a visualization tool that displays packet header data as a series of color-coded columns with various colored squares along the extent of an individual column representing the values of corresponding packet header fields. A moving display feature permits scrolling over a large data set. The motivation is to highlight anomalous (and possibly malicious) traffic for a first-order IDS analyst. In the CCS, for given traffic, fields changing from one packet to the next are seen as moving horizontal streaks of distinct color patterns. Having some knowledge of "normal" network traffic behavior, anomalies are made clearly visible at the point where color patterns change. Traffic data can be displayed in the order it arrives, as a reconstructed session, or sorted according to a user defined field ordering criteria. Coding details and examples of CCS processed network traffic are discussed.
2. "Review of Information Visualization Research in Networking"
Stefano Foresti
University of Utah
ABSTRACT
Information Visualization (InfoVis) is an emerging field addressing visual representations of abstract information. Because of the overabundance of data in every corner of our society, information visualization is researched in many fields, but the projects tend to be scattered and lack synergy from one application to another.
This presentation will distinguish two different objectives of information visualization:
- visual design of data structures, for improved decision making
- visual data exploration, to search for insight in unstructured data
and will overview some general techniques, trends and needs in information visualization as well as some relevant projects in visualization of networking and intrusion detection.
3. "Multiplicative Cascades for Non-Stationary Computer Network Traffic"
Dr. Pat Carter
NSWC
ABSTRACT
Network traffic analysis is the study of the flow of packets across a network. Two measurements of the aggregate flow at a choke point are the interarrival process (the times between the successive arrivals of packets) and the packet rate process (the number of packets arriving per unit time). One objective of analysis is to characterize the state of network traffic by modeling the aggregate interarrival or packet rate processes. A second is to produce a visualization of that state that adds to the understanding of the traffic flow.
The packet rate process is naturally thought of as a (coarse-grained) probability density or measure. Its observed high degree of burstiness across many (time) scales suggests a multifractal model. The multiplicative cascade is one method of generating a multifractal measure. The use of two explicit cascade models for stationary network traffic, the semi-random multiplicative cascade model (Gilbert, Willinger and Feldman) and the multifractal wavelet model (Riedi, Crouse, Ribeiro and Baraniuk) will be explored. The computation of both analysis and synthesis steps will be described, and the modeling results on a set of real network traffic data analyzed. The parameters computed from data can be incorporated into a graphical visualization - giving a picture of the scaling behavior over time. The stationarity of the cascade model is determined by the symmetry required of the distributions of the model parameters. Distributions not having this symmetry can be used. The results of the application of the cascade models with these distributions to non-stationary network traffic will be evaluated with respect to the enhancement of information in a visualization using the parameters computed from real network traffic data.
---------------------------------------------------------------------
Visualization of intrusion data
E. Wegman, GMU, chair
1. "Distance Metrics in the Internet"
Brad Huffacker
CAIDA
ABSTRACT
We consider and compare four Internet distance metrics and analyze the predictive power of these metrics in selecting, from a given source, the lowest latency destination from among a candidate set. The four metrics are: IP path length; autonomous system (AS) path length; great circle geographic distance; and previously measured round trip time (RTT). We describe general properties of these four metrics and, using an unprecedented volume of real Internet macroscopic topology and RTT data, compare their correlation with actual RTT to the destination. The new methodology we propose for testing different metrics is suitable for evaluating new distance estimation techniques as they become available.
2. "Applications of Statistical Visualization to Computer Security"
Jeff Solka
NSWC
ABSTRACT
This talk will examine the application of statistical visualization to computer security. Numerous examples are provided that illustrate the use of standard statistical visualization tools for the analysis of computer network data. It is the intent of the talk to suggest ideas that might prove fruitful upon additional investigation. Application areas discussed will include network utilization profiling and backscatter analysis. Statistical graphics used will include dendrograms, parallel coordinate plots, scatter plots, and other "hand crafted" examples.
3. "Visualization Techniques for Intrusion Detection"
Steve Johnston,
Bill Wright
Communications Security Establishment
ABSTRACT
This paper reports on the experiences of using interactive animated 2D and 3D graphics in an Intrusion Detection (ID) Analysts Workbench prototype. Visualization techniques allow people to see and comprehend large amounts of complex data. Graphics are used to assist with the ID investigation and reporting process by helping the analyst identify significant incidents and reduce false conditions (positives, negatives and alarms).
Visualization is then used in reporting incidents to a broader senior level audience. Complex patterns are clearly displayed over time in an easy to understand and compelling manner. Initial evaluations of the prototype have been positive, and a second development stage has been initiated.
---------------------------------------------------------------------
T. Goldring, NSA, chair
1. "User Modeling Through Symbolic Learning: The LUS Method and Initial Results"
Guido Cervone, Ken Kaufman, and Ryszard S. Michalski
GMU
ABSTRACT
A method, called LUS ("Learning User Signatures"), is presented that learns user models from n-grams characterizing streams of data from computer users using a machine learning program. The learning process employs AQ-type learning to generate user descriptions in the form of attributional rules.
An important advantage of the LUS method is that created models can be easily interpreted by human experts. This feature makes it possible to get an insight into the user behavior and to verify and modify the models manually.
Datasets used in the experiments were obtained from Tom Goldring's group, and characterize users' activities captured in system process tables. The datasets were transformed into n-grams of the "mode" attribute, and supplied as inputs to the learning program. Initial experiments have shown that the learning process is quite efficient despite large volumes of data (in some experiments there were about 4 million training examples), and produced user models that had high predictive accuracy and were easy to interpret.
2. "Recent Experiences with User Profiling for Windows NT"
Tom Goldring
NSA
ABSTRACT
Since January 2001, we have been running a User Profiling experiment on a Windows NT testbed. About 22 users are monitored on a daily basis, and the results are periodically sent back for analysis. The basic problem is to automatically learn user models from things like what applications the person uses (order important) and the associated timing information, then compare a new session with these models to identify and authenticate the user. At least in theory, whatever methods work for this problem could be used to learn "hacker profiles" as well.
A previous experiment with four Solaris users produced outstanding results, however in the present experiment we saw misclassification rates of 20-30%. It's obvious that with 22 users instead of four there will be a higher probability of two people looking alike, nevertheless we think there is more going on. In this talk we'll give a live demo of data collection, explain what's in the raw data, then discuss data reduction, scoring algorithms, and plans for future work.
3. "Integrated Approach to User Profiling"
Alfonso Valdes
SRI International
ABSTRACT
Masquerader attacks, concern of the insider threat, and exfiltration attacks motivate a renewed interest in user profiling. While many concepts and techniques from earlier profiling approaches are applicable, a new integrated approach is required. User profiling has long been used to detect masquerader attacks and insider abuse, but with modest success. Profiling attempts to learn normal activity for users with respect to key observed or derived features, such as resource usage and temporal patterns. More generally, profiling can be applied to any process under observation, such as the system call stream from programs, and invites analogy to process control. The basic paradigm is to alert when the process under observation exhibits behavior that is extremely unusual with respect to learned norms.
In order to avoid excessive false alarms, such systems consider a moving window of event sequences or some time-decayed anomaly score of recent events, and do not alarm on single events. Both of these approaches can be considered forms of signal integration. A fundamental question is the degree to which pure anomaly detection is adequate to detecting attacks and intrusions. The optimistic view is that attacks manifest as some highly anomalous set of events. Continuing with the signal processing analogy, pure anomaly detection assumes some signal will stand out in such cases with appropriate signal integration, even though minimal assumptions are made about the signal itself. This contrasts with signature based systems, which search for well-known signals. Anomaly detection is attractive because of its potential to detect novel attacks, but this has been demonstrated in practice only to a limited extent. Critics of anomaly detection argue that anomalies are not necessarily intrusions, and intrusions are not necessarily anomalous.
We feel the masquerader and insider abuse pose fundamentally different problems. The masquerader may be detected by stylistic differences, while the insider can train his profile so that the eventual exploit appears normal. The difficulty is exacerbated by the problem of a hit and run attack, where the exploit is one event in an otherwise normal stream.
Validation of profiling systems is problematic, and usually relies on some variant of cross profiling, wherein data for one subject is played through the trained profile of another. Typical measures of effectiveness include time to detection and probability of detection for, say, a window of commands. Unfortunately, this approach cannot be used to make strong claims about effectiveness against malicious use, but rather about discrimination between examples of use that are, to the best of the analyst's knowledge, legitimate.
Reporting extremely unusual activity is important, but it is not enough. In addition, one promising approach is to describe classes of misuse probabilistically, so that much of the generalization potential of anomaly detection is retained but with improved sensitivity and specificity. Finally, signature detection is required for attacks manifest in single events or buried in a mostly normal stream (so that signal integration will not make it stand out sufficiently). We propose an innovative approach based on hybrid systems integrating anomaly detection (model-free inference), Bayes (probabilistic, model based) and policy-based signature systems. We further present a framework where such an integrated system is implemented as a Bayes network with special nodes.
---------------------------------------------------------------------
J. Wierman, JHU, chair
1. "Probabilistic Analysis of a Computer Virus Epidemic Model"
John Wierman
JHU
ABSTRACT
We discuss a stochastic epidemic model for the spread of computer viruses. The classical susceptible-infected-susceptible (SIS) model is modified to include a reintroduction or reinfection parameter, which models the re-release of a computer virus or the introduction of a new virus. We analyze the resulting birth-and-death process and find approximations to the limiting distribution. The results are compared to previous research and simulations.
2. "Fluid Dynamics in Porous Media as a Model for Propagation of Viruses"
Hongjoong Kim & Boris Rozovskii
USC
ABSTRACT
A novel approach to the analysis of new viruses will be presented. Our technology allows us to analyze certain characteristics of viruses, e.g. the propagation speed, patterns of propagation, etc. The approach is based on methodologies developed in the modeling of porous media fluid flows and Bayesian analysis. We will discuss both the theoretical framework and the experimental results.
3. "Dynamics of Email Worms and Guidelines for Worm Defenses"
Stephan Bohacek
USC
ABSTRACT
The dynamics of email worms spreading over computer networks are investigated. It will be shown that the behavior of the worm growth is strongly dependent on the graph over which the worm spreads. Typically, the end-users' email address books define this graph. It will be shown that a critical characteristic of the graph is the distribution of the degree of the nodes. Specifically, if the tail of the distribution of the degree decays slowly (i.e., heavy-tailed degree), the spread of the worm is quite different from the spread over a graph that does not have heavy-tailed degree. The reason for this behavior is that graphs with heavy-tailed degree have a peculiar clustering property. Examples of heavy-tailed degree graphs found in nature include the world-wide-web graph (web pages are nodes and hot links are arcs) and the graph of routers in the Internet (routers are nodes and links are arcs). Heavy-tailed degree graphs have also been found in some social networks. It is believed that the degree of the email graph is heavy tailed. In this case, graph models such as "small world" graphs are not appropriate for investigating email worms.
Using extensive simulations on several heavy-tailed degree graphs, three classes of worm defenses are investigated. The first class only relies on local information. An example of such a local defense is a technique that relies on the relationship between the receiver of the email and the sender. Another example is a defense that counts the number of similar emails received. Semi-local defenses are also investigated. Specifically, defenses that use information available to a mail server are discussed. The third class investigated is global defenses that reside solely on a set of "critical" nodes. Of these defenses, it is shown that the third is most promising. One interesting conclusion from this work is that it may be possible to defend a large network by fortifying just a small fraction of the nodes. Another conclusion is that mail server based defenses are far harder to make effective than is commonly believed. Specifically, our study indicates that a mail server defense with an acceptable false alarm rate will not stop the spread of a worm.
------------------------------------------------------------------------------------------------
D. Marchette, NSWC, chair
Judy Novak, Vern Stark, David Heinbuch
Johns Hopkins University Applied Physics Laboratory
ABSTRACT
This paper analyzes some recent traffic that was received on a sensor residing outside our site's perimeter firewall. This sensor is running the network intrusion detection software Shadow. The activity drew attention because of the volume involved and the uniqueness compared to previous activity witnessed. Upon initial cursory examination, it was not obvious whether the activity was some kind of flood with the purpose of denial of service, a scan, or something else. The methodical analysis presented demonstrates how and why the incident was determined to be a concurrent scan by several hundred suspected zombie hosts.
Records from tcpdump were extracted and parsed using Perl programs to examine datagram fields that would assist in determination of the activity. Some pertinent discoveries from this were: 1) over 90% of the source IPs had hostname resolution, indicating actual live hosts scanning rather than anonymous hosts flooding; 2) source hosts were assigned a range of destination IPs to scan; 3) maximum scanning rates were 2.4 Mbps; 4) peak scanning rates occurred 21 seconds after the beginning of the scan; 5) peak scanning rates were due to a "confluence" of retries of waves of SYN traffic spread 12 seconds apart; 6) passive OS fingerprinting indicated most source hosts were Windows, though approximately 5% fit a Unix profile; 7) arriving TTL values clustered closely to estimated initial values. Using these findings and others, this was deemed to be a very efficient scan using timing parameters, conducted by zombies that were mostly, but not exclusively, Windows hosts.
2. "Modeling Network Attacks: Extending the Attack Tree Paradigm"
J. Dawkins, C. Campbell and J. Hale
Center for Information Security, Keplinger Hall
University of Tulsa, Tulsa, Oklahoma 74104
ABSTRACT
Intrusion and vulnerability analysis are crucial to mitigating the effects of cyber attacks. Conventional techniques cannot effectively cope with distributed and coordinated assaults; state of the art intrusion detection and attack management systems struggle to effectively represent composite and aggregate attacks. A comprehensive attack model must encapsulate objectives, impact, preconditions, subgoals and behavior. Moreover, the model must engage a mathematical rigor that is conducive to practical applications of formal methods for attack prediction and analysis. This paper describes a network security model that superimposes attack specifications over formal system specifications, allowing for the representation of multistage attacks and the integrated analysis of host/network vulnerabilities. In it, the attack tree paradigm has been extended to facilitate the parameterization of attack templates and the definition of a class hierarchy for network elements.
3. "Backscatter from denial of service attacks"
David Marchette,
NSWC
ABSTRACT
We describe some exploratory data analysis performed on backscatter from distributed denial of service attacks. Backscatter occurs when a denial of service attack spoofs the IP address of the monitoring network. By collecting unsolicited packets to one's network, it is possible to get an estimate of the number and types of such attacks on the Internet.
The data was collected on a network of 2^16 IP addresses. We discuss some of the estimates that can be made from data of this type, and present some interesting patterns. This is very preliminary work.
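As an added illustration of the kind of estimate the abstract mentions (not Marchette's code or data): the script below groups unsolicited TCP replies arriving at an unused address block by the host that sent them, since each such reply was provoked by an attack packet carrying one of the block's addresses as a spoofed source, and so points back at a victim. The packet records are constructed. The scale-up factor assumes, as a labelled modelling assumption, that the attacker's spoofed source addresses are uniform over the 2^32 IPv4 addresses and that the monitored block holds 2^16 addresses, so the block observes roughly 2^16/2^32 of the victim's replies.

```python
# Added example (not Marchette's code): summarizing backscatter packets seen
# at an unused address block. A victim of a flood that carries spoofed source
# addresses drawn from our block answers those addresses, so each unsolicited
# SYN/ACK or RST we receive points back at a victim. The records below are
# constructed; the scale-up assumes spoofed sources are uniform over the
# 2^32 IPv4 addresses and that the monitored block is 2^16 addresses.
from collections import defaultdict

MONITORED = 2 ** 16
IPV4_SPACE = 2 ** 32

# (timestamp_s, source_ip, destination_ip, tcp_flags); constructed sample.
PACKETS = [
    (0.0, "203.0.113.10", "198.51.100.7",  "SA"),
    (0.5, "203.0.113.10", "198.51.100.99", "SA"),
    (1.0, "203.0.113.10", "198.51.100.3",  "SA"),
    (1.5, "203.0.113.10", "198.51.100.42", "SA"),
    (2.0, "203.0.113.10", "198.51.100.8",  "SA"),
    (2.5, "203.0.113.10", "198.51.100.77", "SA"),
    (3.0, "192.0.2.55",   "198.51.100.11", "R"),
    (4.0, "192.0.2.55",   "198.51.100.12", "R"),
    (5.0, "192.0.2.55",   "198.51.100.13", "R"),
]

# What a given reply type says about the attack that provoked it.
KIND = {
    "SA": "SYN/ACK: SYN flood against an open port",
    "R": "RST: flood against a closed port or a non-SYN TCP flood",
}


def summarize_backscatter(packets, window_s):
    """Group unsolicited packets by the host that sent them (the victim).

    Returns {victim: {"packets": n, "kind": str, "est_pps": float}} where
    est_pps scales the observed reply rate up by IPV4_SPACE / MONITORED,
    i.e. the estimated rate of spoofed attack packets reaching the victim.
    """
    by_victim = defaultdict(lambda: {"packets": 0, "flags": set()})
    for _, src, _, flags in packets:
        by_victim[src]["packets"] += 1
        by_victim[src]["flags"].add(flags)
    out = {}
    for victim, d in by_victim.items():
        kinds = sorted(KIND.get(f, "other (" + f + ")") for f in d["flags"])
        est = d["packets"] / window_s * (IPV4_SPACE / MONITORED)
        out[victim] = {"packets": d["packets"], "kind": "; ".join(kinds), "est_pps": est}
    return out


def attack_count(packets):
    """Number of distinct victims in the sample, i.e. distinct attacks observed."""
    return len({src for _, src, _, _ in packets})


if __name__ == "__main__":
    print("attacks seen:", attack_count(PACKETS))
    for victim, info in summarize_backscatter(PACKETS, window_s=10.0).items():
        print(victim, info)
```

With a 10 second observation window the six SYN/ACKs from 203.0.113.10 correspond to an estimated 39,321.6 attack packets per second at that victim; the estimate is only as good as the uniform-spoofing assumption, which is why the abstract treats such figures as preliminary.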
---------------------------------------------------------------------
Machine Learning
D. Marchette, NSWC, chair
1. "Comparison of Neural Networks and Support Vector Machines in Intrusion Detection"
Srinivas Mukkamala and Andrew Sung
Department of Computer Science
New Mexico Tech
Socorro, NM 87801
{srinivas, sung}@cs.nmt.edu
ABSTRACT
In this paper, we describe intrusion detection techniques using neural networks, as well as using SVMs (support vector machines), and compare their performance. Since most computer system attacks and misuses can be recognized through examination of log files and analysis of patterns therein, our intrusion detection techniques are based on neural networks or SVMs that utilize established attack and misuse patterns. We describe both methods that carry out the detection of specific exploitations by comparing user activity (such as recorded in command logs) against (real and synthetic) attack patterns belonging to different categories of intrusion. Testing results based on real-world intrusion data are presented.
2. "Improved Detection of Low-Profile Probe and Novel Denial-of-Service Attacks"
William W. Streilein, Robert K. Cunningham, Seth E. Webster
MIT Lincoln Laboratory
ABSTRACT
As more people make use of the Internet, their computers and the valuable data they contain become exposed to attackers lying in wait in cyberspace. Attackers are constantly scanning the Internet for victim machines that can be broken into and commandeered in order to suit their malicious purposes, such as, the enlistment of new zombies for distributed denial-of-service attacks, the unauthorized use of network storage resources or the defacement of corporate or government web-pages. In order to protect computer systems, network-based intrusion detection systems (IDSs) have been developed to analyze Internet traffic and recognize when attackers are at work probing a network or attacking a machine.
State-of-the-art network-based intrusion detection systems detect attackers by comparing network traffic with signatures of known attacks. Knowledgeable attackers can alter the details of many attacks to avoid using the short signatures detected by these systems. In this paper, we present enhancements to our network-based intrusion detection system, which makes use of multiple neural network classifiers to accurately detect several classes of attacks including stealthy probes and novel denial-of-service attacks. An intrinsic representation of the local network and detection features derived from network traffic enable the system to detect entire attack classes. Improvements to our system include enhanced robust TCP session reconstruction, handling simplex and duplex traffic modes, an expanded feature vector that includes measures of inter-packet delays and counts of anomalous TCP sessions, and binary tree-based internal data structures which are faster and less vulnerable to attack. Our system achieves a detection rate of 100% with a false alarm rate of 0.1% when tested against stealthy attacks in the DARPA 1999 IDS Evaluation. It also performs well on a moderately loaded research network.
3. "Passive Operating System Identification: What can be inferred from TCP SYN packet headers?"
Patricia Carter and Alan Berger
NSWC
ABSTRACT
How well can operating systems of computers on a network be determined passively? Here we evaluate the efficacy of certain features and clustering/classification algorithms by analyzing a particular set of packet header data. Features were computed using multiple TCP SYN packet headers from each host. We use a statistical methodology rather than the more usual signature matching. True operating system class for each host was determined from a database of 'actual' operating system types. The types used in our data analysis were Windows/DOS, Irix, Linux, Solaris, and Mac/Apple. The hosts of each operating system were randomly split into training and test data at the beginning of the analysis. The superparamagnetic clustering (SPC) method of Domany et al. was extended to include use of training data. The SPC method attained 85% accuracy while a specifically designed Bayesian classifier achieved 95% accuracy.
---------------------------------------------------------------------
D Naiman, JHU, chair
1. "A Formal Model of the Lookahead Pair Model of System-call N-grams"
Paul Helman and Stephanie Forrest
UNM
ABSTRACT
We have had good success in the past using very simple data modeling methods for anomaly intrusion detection. An example is the n-gram approach (Forrest et al., 1995) in which normal behavior of an executing program is defined in terms of short n-grams of symbols (system calls in the original work, but the method could be applied to other data streams). Conceptually, we define a small fixed-size window and "slide" it over each trace, recording which calls precede the current call within the sliding window. The current call and a call at a fixed preceding window position form a "pair," with the contents of a window of length x being represented by x-1 pairs. The collection of unique pairs over all the traces for a single program constitutes our model of normal behavior for the program. Profiles of n-grams can be stored in constant (and compact) space, for given n, and are consequently amenable to implementation in hardware. Although we have performed some empirical comparisons between this method and other more traditional data modeling methods, such as Hidden Markov models (HMMs), what is lacking is a mathematical characterization of how and when this simple approach can compete with more powerful statistical methods.
The paper will compare the mathematics of the lookahead-pair method to the obvious alternative models based on statistics, such as HMMs or Bayesian methods.
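The lookahead-pair construction described above, as an added worked example (not the authors' code): a model is learned as the set of (offset, earlier call, current call) triples over training traces, and a new trace is scored by how many of its pairs the model has never seen. The system-call traces are constructed for a hypothetical program; the mismatch count and the mismatch fraction are the scoring rules assumed here for illustration.

```python
# Added example (not the authors' code): the lookahead-pair model described
# above, built over system-call traces and used to score a new trace by the
# number of pairs it contains that the model never saw. Traces are constructed.


def build_lookahead_pairs(traces, window):
    """Learn normal behaviour as the set of (offset, earlier_call, current_call).

    For a window of length `window`, each position contributes window-1 pairs:
    the current call paired with the call 1, 2, ..., window-1 positions back.
    The model is a plain set, so its size is bounded by (window-1) * |calls|^2
    no matter how many traces are used for training (the "constant space" point).
    """
    pairs = set()
    for trace in traces:
        for i, cur in enumerate(trace):
            for off in range(1, window):
                if i - off >= 0:
                    pairs.add((off, trace[i - off], cur))
    return pairs


def mismatch_count(trace, model, window):
    """Number of pairs in `trace` that are absent from `model`."""
    misses = 0
    for i, cur in enumerate(trace):
        for off in range(1, window):
            if i - off >= 0 and (off, trace[i - off], cur) not in model:
                misses += 1
    return misses


def anomaly_score(trace, model, window):
    """Fraction of the pairs in `trace` that mismatch; 0.0 means fully normal."""
    total = sum(min(i, window - 1) for i in range(len(trace)))
    return mismatch_count(trace, model, window) / total if total else 0.0


# Constructed training traces for a hypothetical program.
TRAIN = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
]
WINDOW = 3

if __name__ == "__main__":
    model = build_lookahead_pairs(TRAIN, WINDOW)
    normal = ["open", "read", "write", "close"]
    odd = ["open", "execve", "close"]
    print(len(model), "pairs learned")
    print("normal trace mismatches:", mismatch_count(normal, model, WINDOW))
    print("odd trace score:", anomaly_score(odd, model, WINDOW))
```

With a window of 3 the two training traces yield eight distinct pairs; a trace seen during training scores zero, a trace that skips a call scores partially (two of three pairs missing), and a trace with a call the program never made scores 1.0. In deployment the count is normally accumulated over a sliding region of the trace rather than over the whole trace, as the abstract's "signal integration" discussion elsewhere on this page also notes.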
2. "Challenges and Opportunities for Application-Based Anomaly Detection"
Anup Ghosh
DARPA
ABSTRACT
Application-based anomaly detection work has been effective at detecting novel threats against Internet servers. The premise of application-based anomaly detection has proven to be useful: Internet servers tend to be used in fairly regular ways, but their complexity has provided holes which hackers exploit to gain greater privileges. Exploiting bugs in software tends to change the behavioral profile of the software, e.g., overflowing buffers, executing shells, abrupt terminations, and accessing privileged files. Anomaly detection approaches detect changes in the normal behavioral profile of the process and flag warnings of possibly corrupted processes.
The approach is the antithesis of a signature-based approach for detecting known threats, and allows detection of previously unknown attacks. The challenges for anomaly detection approaches have been robust training, calibration with each environment/installation, reducing false positive rates to acceptable levels, and response. This talk explores these challenges as well as opportunities for application-based anomaly detection approaches to address next generation threats against networked systems.
3. "Automata models for Learning Program Behaviors"
R. Sekar
SUNY
ABSTRACT
Anomaly detection based on program behavior models has become one of the most successful ways for detecting novel intrusions. Since the original work of Forrest et al. on using fixed-length sequences of system calls for program behavior modelling, several new approaches have emerged. In this talk, we present results on using finite-state and push-down automata models of program behavior. As compared to fixed-length sequences, automata models compactly represent common program structures such as branches, joins, loops and function calls (in the case of PDA models). This enables our approach to generalize and predict future behaviors from past behaviors, e.g., if a program executed a loop once in an execution, our method will learn that the program may iterate through the loop zero or more times in the next execution. As a result, the training periods needed for our FSA based approach are short, and the false positives are reduced.
Our approach can use static analysis of source code, runtime monitoring, or a combination to construct these models. This talk will describe our techniques for constructing such automata models and present an experimental evaluation of these techniques.
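The following is an added example rather than Sekar's implementation: a finite-state automaton learned from runtime traces in which each event is a (call site, system call) pair. Taking the call site as the automaton state is this example's own assumption, as is the constructed server loop; the site labels are hypothetical return addresses. It shows the generalization described above (a loop body seen twice in training accepts any number of iterations, and a run that skipped the loop accepts zero) and why the state matters for the behavioral-profile changes Ghosh's abstract lists: a trace that issues exactly the system-call names of a normal run, but with one call made from foreign code, is still rejected.

```python
from typing import List, Set, Tuple

# Added example, not Sekar's implementation. An event is (call_site, syscall); the
# call site stands for the program counter at the system call (constructed hex
# labels here). The automaton state is the site of the most recent system call,
# and a transition is the triple (previous_site, syscall, site).
Event = Tuple[str, str]
Transition = Tuple[str, str, str]
START = "START"

def learn_fsa(traces: List[List[Event]]) -> Set[Transition]:
    """Record every transition observed in the training traces."""
    fsa: Set[Transition] = set()
    for trace in traces:
        prev = START
        for site, call in trace:
            fsa.add((prev, call, site))
            prev = site
    return fsa

def check_trace(fsa: Set[Transition], trace: List[Event]) -> List[Transition]:
    """Walk the trace through the automaton; return the transitions it lacks."""
    unknown: List[Transition] = []
    prev = START
    for site, call in trace:
        t = (prev, call, site)
        if t not in fsa:
            unknown.append(t)
        prev = site
    return unknown

def names_only(trace: List[Event]) -> List[str]:
    """What a model keyed on system-call names alone would see."""
    return [call for _, call in trace]

# Constructed server: accept, then one (read, write) pair per request, then close.
A, B, C, D = "0x4010", "0x4020", "0x4030", "0x4040"   # hypothetical return addresses

def server_run(requests: int) -> List[Event]:
    trace: List[Event] = [(A, "accept")]
    for _ in range(requests):
        trace += [(B, "read"), (C, "write")]
    return trace + [(D, "close")]

# Training saw the loop body twice and once skipped it entirely: the learned back
# edge (C -> B on read) accepts any number of iterations, the A -> D edge accepts zero.
TRAINING = [server_run(2), server_run(0)]

# Same system-call names as server_run(2), but the first write is issued from a
# site outside the program text (foreign code): invisible to a name-only model.
INJECTED: List[Event] = [(A, "accept"), (B, "read"), ("0x7ffe", "write"),
                         (B, "read"), (C, "write"), (D, "close")]

if __name__ == "__main__":
    fsa = learn_fsa(TRAINING)
    print(len(fsa), "transitions learned")
    for name, tr in [("5 requests", server_run(5)), ("1 request", server_run(1)),
                     ("injected", INJECTED)]:
        print(name, "->", check_trace(fsa, tr) or "accepted")
```

Two training runs produce six transitions; runs with one or five requests are accepted without any retraining, and the injected trace fails on the two transitions that touch the foreign site even though its system-call names match a normal run exactly.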
---------------------------------------------------------------------
Anomaly Detection
D Marchette, NSWC, chair
1. "Analyzing LYSIS: Template Matching, Permutation Masks, and Limited Lifetimes"
Fernando Esponda and Stephanie Forrest
UNM
ABSTRACT
In this paper we analyze some properties of an anomaly detection system called LYSIS, modeled after some features of the vertebrate immune system. First, we study the behavior of a matching rule (matching between detectors and activity patterns in a computer network) loosely based on the binding of lymphocytes to antigens. We present some of its statistical properties, such as the number of detectors and the number of distinct patterns it is able to detect at a specific instant in time. We further assess two distinctive properties of LYSIS, namely its distributed nature and the adaptation provided by the constant turnover of detectors. The second part of the paper deals with the (statistical) mechanisms used to differentiate between false and true positives in order to determine a true positive, although the nature of the specified response is not covered by the present work.
2. "Tracking Congestion in the Internet"
Stephan Bohacek and Boris Rozovski
USC
ABSTRACT
A one-dimensional, mean-reverting diffusion model for roundtrip time is presented. This model accurately reflects the roundtrip time experienced by packets on the Internet. However, the parameters of this model vary as the congestion varies. To account for this variation, the parameters are modeled as a finite state-space Markov process. This paper has two objectives. First, the transition probabilities and invariant distributions are estimated from data. Next, a recursive method for estimating the posterior probability distributions of parameters is developed. This method utilizes the diurnal nature of network congestion so as to more accurately estimate the model parameters. The results presented have been collected from a large number of "live" network experiments. This data indicates that, to some degree, the variation of the model parameters is consistent over large parts of the Internet. While this paper focuses on modeling and monitoring, one application of this work is the detection of anomalies. Specifically, change point detection methods could detect sudden changes in the behavior of the parameters. Such a variation could indicate the presence of an anomaly.
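As an added worked example (not the authors' model or code), the parameter-estimation step sketched above with the mean-reverting diffusion taken to be an Ornstein-Uhlenbeck process, an assumption the abstract does not spell out. The Euler discretization of that process is an AR(1) recursion, so theta, mu and sigma follow from a least-squares regression of each roundtrip time on its predecessor; fitting consecutive windows of a constructed two-regime series shows the jump in mu that a change-point detector would be asked to catch. All parameter values and the regime switch are constructed for the example.

```python
import math
import random
from typing import List, Optional, Tuple

# Added example, not the Bohacek/Rozovskii model or code. The mean-reverting
# diffusion is taken to be an Ornstein-Uhlenbeck (OU) process, an assumption the
# abstract does not spell out:
#     dX = theta * (mu - X) dt + sigma dW
# Its Euler step over dt is the AR(1) recursion
#     X[t+1] = a + b*X[t] + e,   b = 1 - theta*dt,   a = theta*mu*dt,
#     e ~ N(0, sigma^2 * dt)
# so (theta, mu, sigma) follow from ordinary least squares of X[t+1] on X[t].

def simulate_ou(mu: float, theta: float, sigma: float, dt: float,
                n: int, x0: float, rng: random.Random) -> List[float]:
    """Euler-Maruyama path of length n starting at x0."""
    xs = [x0]
    for _ in range(n - 1):
        x = xs[-1]
        xs.append(x + theta * (mu - x) * dt + sigma * math.sqrt(dt) * rng.gauss(0.0, 1.0))
    return xs

def fit_ou(xs: List[float], dt: float) -> Optional[Tuple[float, float, float]]:
    """Least-squares estimate of (theta, mu, sigma); None if the window is degenerate."""
    x, y = xs[:-1], xs[1:]
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    if sxx == 0.0:
        return None                     # constant series: nothing to regress on
    b = sxy / sxx
    a = my - b * mx
    if abs(1.0 - b) < 1e-12:
        return None                     # no mean reversion: mu is unidentifiable
    theta = (1.0 - b) / dt
    mu = a / (1.0 - b)
    resid = [yi - (a + b * xi) for xi, yi in zip(x, y)]
    sigma = math.sqrt(sum(r * r for r in resid) / n / dt)
    return theta, mu, sigma

def windowed_mu(xs: List[float], dt: float, window: int) -> List[Optional[float]]:
    """mu-hat on consecutive non-overlapping windows; a jump between windows is the
    parameter change a change-point detector would be asked to flag."""
    out: List[Optional[float]] = []
    for start in range(0, len(xs) - window + 1, window):
        fit = fit_ou(xs[start:start + window], dt)
        out.append(None if fit is None else fit[1])
    return out

def noise_free_path(n: int = 50, dt: float = 0.1) -> List[float]:
    """Deterministic path (sigma = 0): the fit must recover theta=2, mu=40 exactly."""
    return simulate_ou(40.0, 2.0, 0.0, dt, n, 100.0, random.Random(0))

def calm_path(seed: int = 1, n: int = 5000, dt: float = 0.1) -> List[float]:
    """Constructed stationary RTT series (ms) for a single congestion regime."""
    return simulate_ou(40.0, 2.0, 5.0, dt, n, 40.0, random.Random(seed))

def two_regime_rtt(seed: int = 7, dt: float = 0.1, n_each: int = 2500) -> List[float]:
    """Constructed RTT series (ms): an uncongested regime (mu=40) followed by a
    congested one (mu=120). In the paper's setting such switches are governed by
    a finite-state Markov process; here a single hard switch suffices."""
    rng = random.Random(seed)
    calm = simulate_ou(40.0, 2.0, 5.0, dt, n_each, 40.0, rng)
    busy = simulate_ou(120.0, 2.0, 5.0, dt, n_each, calm[-1], rng)
    return calm + busy

if __name__ == "__main__":
    print("noise-free fit (theta, mu, sigma):", fit_ou(noise_free_path(), 0.1))
    print("noisy fit      (theta, mu, sigma):", fit_ou(calm_path(), 0.1))
    print("windowed mu-hat across a regime change:",
          [None if m is None else round(m, 1) for m in windowed_mu(two_regime_rtt(), 0.1, 500)])
```

On the noise-free path the regression recovers theta and mu to floating-point precision, which is the sanity check for the algebra; on the noisy path the estimates scatter around the true values at the rate expected for 5000 samples, and the windowed mu-hat steps from about 40 ms to about 120 ms at the constructed regime change.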
3. "Learning Process Behaviors through Sequences of System Calls"
Jiang Hu,
JHU
ABSTRACT
Anomaly intrusion detection has proved to be a necessary method for defending against novel attacks. How to characterize the normal behavior of a process is critical for the success of an anomaly detection model. In this talk we discuss how to characterize a Linux daemon's activity through its sequence of system calls with extra help from other log files. We will present some rules extracted from the system call trace of httpd and its child processes. Given a request queue, our model can predict the system call sequences of httpd in some way. Instead of a single process, we develop our models based on a group of processes, their classifications and their correlations. In other words, we study not only the local structure of sequences, but also the global structure of all sequences. We will extend our approach to other privileged processes so that a malicious application of privileged processes could be detected.
---------------------------------------------------------------------
Steganography/Watermarking
N. Johnson, GMU, chair
1. "Audio Steganography and Steganalysis"
Stephen P. Mahoney
GMU
ABSTRACT
Steganography is the process of hiding information within information, thereby concealing the very existence of a message. Though used throughout history, recent advances in computer technology have opened vast new venues for transmitting these covert messages. Every medium (hardware and software) within the field of information technology is currently capable of being utilized as a communications channel, including image, audio and video files, as well as the controlling Internet transmission protocols themselves. While much is known regarding the use of graphical images for steganography (graphical images are most commonly used due to their large "carrying capacity"), the use of audio files for this purpose is relatively unexplored. This study addresses the application of steganographic techniques to embed information in audio files, and considers which existing steganalysis techniques could be applied to detect the hidden messages. There are currently no known tools that will adequately detect audio steganography.
Several techniques applicable to image steganography are also applicable to hiding information in audio files, and current approaches to developing audio steganography are mirroring those used in image steganography (least significant bit, statistical embedding, transformations, encryption, etc.). As expected, similar limitations and restrictions are being found when applying these techniques to audio. However, due to the nature of audio and the human auditory system, a few techniques show considerable promise for audio steganography (direct sequence spread spectrum, autocorrelation, controlled embedding, etc.).
At least three open-market freeware/shareware tools advertise their audio steganographic capability. These tools employ specific techniques to hide information, and also leave specific "footprints" when they are installed and used on a computer. Using a commercially available tool called Snapshot, these footprints were recorded. Specific techniques used by these tools were also analyzed to determine which approaches might be applicable to steganalysis of audio files.
The work performed under this effort will be integrated with other ongoing efforts being performed at George Mason University to develop a broad-based steganalysis tool. Interest in this tool exists within the intelligence, law enforcement, and commerce communities, several U.S. and foreign universities, and corporate businesses.
2. "Securing Networks Against Malicious Insiders"
Gina Fisk
Los Alamos National Laboratory
ABSTRACT
Recently, there has been a disproportionate emphasis on securing sites from outside attackers rather than malicious insiders. While security personnel spend huge amounts of time installing and maintaining firewalls and intrusion detection systems, the potentially high-bandwidth threat of the undisclosed dissemination of sensitive data through covert channels such as steganography remains unchecked. In an effort to begin addressing this deficiency, I will discuss our work on the concept of Minimal Requisite Fidelity (MRF), which is a preventative paradigm for proactively stifling steganography, covert channels, and other network attacks before they happen. Because these types of communication are designed to be nearly impossible to detect, I will introduce a model in which all network traffic is routed through active wardens which modify communications as to preserve the overt communications, yet prevent the propagation of extraneous or ambiguous information that can be used to exploit covert channels, subliminal channels, and certain forms of intrusion and intrusion detection evasion. I will argue that a security perimeter is not complete unless it includes not only firewalls and intrusion detection, but also active warden technology to prevent the covert exfiltration of data through the security perimeter.
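An added example in Python (not from the Mahoney or Fisk talks) tying the two abstracts together on constructed 8-bit PCM audio: least-significant-bit replacement to create a stego file, the chi-square pairs-of-values statistic as the steganalysis check, and an active warden in the Minimal Requisite Fidelity spirit that re-randomizes every LSB so the overt audio is preserved to within one quantization step while the covert channel is destroyed. The cover signal, its LSB bias, the payload and the warden's behaviour are all this example's assumptions; the statistic is only informative when the sample histogram is dense, which is why 8-bit samples are used.

```python
import math
import random
from typing import List, Sequence

# Added example, not from the Mahoney or Fisk talks. Unsigned 8-bit PCM is used so
# the sample-value histogram is dense enough for the pairs-of-values statistic.

def make_cover(n: int, seed: int) -> List[int]:
    """Constructed cover: a tone plus dither whose least significant bit is biased
    (P(LSB=1)=0.2), as happens when audio is up-converted from a lower bit depth.
    That bias is what plain LSB replacement erases, and what the detector keys on."""
    rng = random.Random(seed)
    out: List[int] = []
    for i in range(n):
        v = 128 + 90 * math.sin(2 * math.pi * i / 37) + rng.gauss(0, 6)
        v = max(0, min(255, int(round(v))))
        out.append((v & ~1) | (1 if rng.random() < 0.2 else 0))
    return out

def embed_lsb(cover: Sequence[int], payload: bytes) -> List[int]:
    """Sequential LSB replacement, MSB-first within each payload byte."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego

def extract_lsb(samples: Sequence[int], nbytes: int) -> bytes:
    """Inverse of embed_lsb: reassemble nbytes from the leading sample LSBs."""
    out = bytearray()
    for j in range(nbytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (samples[8 * j + k] & 1)
        out.append(byte)
    return bytes(out)

def pov_chi_square(samples: Sequence[int]) -> float:
    """Chi-square pairs-of-values statistic: for each value pair (2k, 2k+1) compare
    the two counts with their common mean. LSB replacement drives the counts toward
    equality, so the statistic collapses on a fully embedded file; on a cover whose
    LSBs are biased it stays large."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return stat

def warden_scrub(samples: Sequence[int], seed: int) -> List[int]:
    """Active warden in the Minimal Requisite Fidelity spirit (this example's
    interpretation, not Fisk's implementation): overwrite every LSB with a fresh
    random bit. The overt audio moves by at most one quantization step, but any
    channel riding in the LSBs is destroyed whether or not it was detected."""
    rng = random.Random(seed)
    return [(s & ~1) | rng.getrandbits(1) for s in samples]

# Constructed inputs: a 4096-sample cover and a 512-byte payload modelled as random
# bytes (an encrypted payload looks like this), filling every sample's LSB.
COVER = make_cover(4096, seed=1)
PAYLOAD = bytes(random.Random(3).getrandbits(8) for _ in range(512))

def demo() -> dict:
    stego = embed_lsb(COVER, PAYLOAD)
    scrubbed = warden_scrub(stego, seed=9)
    return {
        "chi2_cover": pov_chi_square(COVER),
        "chi2_stego": pov_chi_square(stego),
        "payload_recovered": extract_lsb(stego, len(PAYLOAD)) == PAYLOAD,
        "payload_survives_warden": extract_lsb(scrubbed, len(PAYLOAD)) == PAYLOAD,
        "max_sample_change": max(abs(a - b) for a, b in zip(stego, scrubbed)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cover's statistic is dominated by its LSB bias and stays in the thousands, while the fully embedded file drops to roughly the number of occupied value pairs; the warden's output is within one step of the stego file sample for sample, yet the extracted bytes no longer match the payload. The detection side fails in the other direction when the cover's LSBs are already unbiased or the histogram is sparse, which is the practical reason the abstract reports no adequate audio steganalysis tool.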
3. "Stego Watch: Discovering Evidence Hidden in Plain Sight"
Chet Hosmer
WetStone Technologies
ABSTRACT
WetStone Technologies has been working to advance steganography detection by developing "blind" stego detection algorithms since 1999, with the U.S. Air Force Research Laboratory as a sponsor of the core research. Since that early research, the best-of-breed blind stego detectors have been integrated into a forensic toolkit called Stego Watch. We have combined the core algorithms into an integrated tool that can be expanded, integrated and adapted into other environments. This talk will focus on two areas of our work. First, we'll describe the core concepts behind our algorithm development, experimentation and results; and second, we'll present a detailed definition of the internal architecture of Stego Watch. Stego Watch has been specifically designed to easily integrate new stego-detection algorithms, and provide for easy embedding into other information technologies.
---------------------------------------------------------------------