Intrusion detection based on evasion-resistant network modeling by imitation techniques

Authors

  • Jorge Maestre-Vidal Universidad Complutense Madrid, España
  • Marco Antonio Sotelo-Monge Universidad Complutense Madrid, España

DOI:

https://doi.org/10.26439/ciis2019.5504

Keywords:

anomalies, evasion attacks, intrusion detection, communication networks

Abstract

Emerging network systems have brought new threats whose modes of operation have grown more sophisticated in order to pass unnoticed by security systems, which has driven the development of more effective intrusion detection systems capable of recognizing anomalous behaviour. Despite the effectiveness of these systems, research in this field identifies their constant adaptation to changes in the operating environment as the main challenge to face. This adaptation entails greater analytical difficulty, particularly when dealing with evasion threats based on imitation (mimicry) methods. These threats attempt to hide malicious actions under a statistical pattern that simulates normal use of the network, thereby increasing their probability of evading defensive systems. To contribute to their mitigation, this article presents an imitation-resistant intrusion detection strategy built on PAYL sensors. The proposal builds models of network usage and, from them, analyzes the binary contents of packet payloads in search of atypical patterns that may reveal malicious content. Unlike previous proposals, this research moves beyond the traditional hardening through randomization, instead exploiting the similarity of suspicious packets to previously constructed legitimate and evasion models. Its effectiveness was evaluated on the 1999 DARPA and 2011 UCM traffic samples, where it proved effective in recognizing imitation-based evasion attacks.

References

Ariu, D., Tronci, R., and Giacinto, G. (2011). HMMPayl: An intrusion detection system based on hidden Markov models. Computers & Security, 30(4), 221-241.

Bolzoni, D., Etalle, S., Hartel, P., and Zambon, E. (2006). Poseidon: A 2-tier anomaly-based network intrusion detection system. Proceedings of the 4th IEEE International Workshop on Information Assurance (IWIA), 144-156.

Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., and Lee, W. (2006). Polymorphic blending attacks. Proceedings of the 15th USENIX Security Symposium, 241-256.

García-Teodoro, P., Díaz-Verdejo, J. E., Tapiador, J. E., and Salazar-Hernández, R. (2015). Automatic generation of HTTP intrusion signatures by selective identification of anomalies. Computers & Security, 55, 159-174.

Green, R., Staffell, I., and Vasilakos, N. (2014). Divide and conquer? k-Means clustering of demand data allows rapid and accurate simulations of the British electricity system. IEEE Transactions on Engineering Management, 61(2), 251-260.

Hadziosmanovic, D., Simionato, L., Bolzoni, D., Zambon, E., and Etalle, S. (2012). N-gram against the machine: On the feasibility of the n-gram network analysis for binary protocols. Proceedings of the 15th International Symposium on Recent Advances in Intrusion Detection (RAID), 59-81.

Jamdagni, A., Tan, Z., He, X., Nanda, P., and Liu, R. P. (2013). RePIDS: A multi tier real-time payload-based intrusion detection system. Computer Networks, 57(3), 811-824.

Giffin, J. T., Jha, S., and Miller, B. P. (2006). Automated discovery of mimicry attacks. Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection (RAID), 41-60.

Karami, A. (2018). An anomaly-based intrusion detection system in presence of benign outliers with visualization capabilities. Expert Systems with Applications, 108, 36-60.

Lippmann, R., Haines, J. W., Fried, D. J., Korba, J., and Das, K. (2000). The 1999 DARPA off-line intrusion detection evaluation. Computer Networks, 34(4), 579-595.

Maestre Vidal, J., Sandoval Orozco, A. L., and García Villalba, L. J. (2016). Online masquerade detection resistant to mimicry. Expert Systems with Applications, 61, 162-180.

Maestre Vidal, J., Sandoval Orozco, A. L., and García Villalba, L. J. (2017a). Advanced payload analyzer preprocessor. Future Generation Computer Systems, 76, 474-485.

Maestre Vidal, J., Sandoval Orozco, A. L., and García Villalba, L. J. (2017b). Alert correlation framework for malware detection by anomaly-based packet payload analysis. Journal of Network and Computer Applications, 97, 11-22.

Pastrana, S., Orfila, A., Tapiador, J. E., and Peris-López, P. (2014). Randomized anagram revisited. Journal of Network and Computer Applications, 21, 182-186.

Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., and Lee, W. (2009). McPAD: A multiple classifier system for accurate payload-based anomaly detection. Computer Networks, 53(6), 864-881.

Rottenstreich, O., and Keslassy, I. (2015). The Bloom paradox: When not to use a Bloom filter. IEEE/ACM Transactions on Networking, 23(3), 703-716.

Shana, J., and Venkatachalam, T. (2014). An improved method for counting frequent itemsets using Bloom filter. Procedia Computer Science, 47, 84-91.

Sidorov, G., Castillo, F., Stamatatos, E., Gelbukh, A., and Chanona-Hernández, L. (2014). Syntactic n-grams as machine learning features for natural language processing. Expert Systems with Applications, 41, 853-860.

Swarnkar, M., and Hubballi, N. (2016). OCPAD: One class Naive Bayes classifier for payload based anomaly detection. Expert Systems with Applications, 64, 330-339.

Tapiador, J. E., and Clark, J. A. (2010). Information-theoretic detection of masquerade mimicry attacks. Proceedings of the 4th International Conference on Network and System Security (NSS), 183-190.

Thorat, S. A., Khandelwal, A. K., Bruhadeshwar, B., and Kishore, K. (2009). Anomalous packet detection using partitioned payload. Journal of Information Assurance and Security, 3(3), 195-220.

Viswanathan, A., Tan, K., and Neuman, C. (2013). Deconstructing the assessment of anomaly-based intrusion detectors. Proceedings of the 16th International Symposium on Recent Advances in Intrusion Detection (RAID), 286-306.

Wang, K., Cretu, G., and Stolfo, S. J. (2005). Anomalous payload-based worm detection and signature generation. Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), 227-246.

Wang, K., Parekh, J. J., and Stolfo, S. J. (2006). Anagram: A content anomaly detector resistant to mimicry attack. Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection (RAID), 226-248.

Wang, K., and Stolfo, S. J. (2004). Anomalous payload-based network intrusion detection. Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), 203-222.

Published

2020-07-15

How to Cite

Intrusion detection based on evasion-resistant network modeling by imitation techniques. (2020). Actas Del Congreso Internacional De Ingeniería De Sistemas, 91-105. https://doi.org/10.26439/ciis2019.5504