An autonomic approach to anomaly detection
In the last decade the international research community has devoted considerable effort to designing robust integrated systems able both to detect anomalies and to react to them effectively by adopting suitable countermeasures [11][21]. Although many steps forward have been taken in this field and interesting results have been achieved, the technologies and algorithms developed so far have not proven adequate against generic anomalies: as soon as suitable approaches are identified to detect and mitigate them, new and more advanced kinds of cyber attack appear, which change very rapidly in both the temporal and the spatial domain [52][59]. On the other hand, driven by ever-increasing security requirements, network providers have started equipping their infrastructures with hardware and software technologies which locally detect specific anomalies and mitigate their impact by implementing defence strategies at edge networks. Although this approach may be effective against single-source and uncoordinated cyber attacks, it has limited value against more complex ones. As a consequence, the main issue researchers are dealing with today is the class of consumption attacks performed by orchestrating several compromised systems in a distributed fashion [53]. Containing distributed attacks is therefore a crucial problem which has not been adequately addressed so far. The main reason why such attacks are difficult to counter is that, as previously mentioned, defences are typically deployed at edge networks [54].
When dealing with distributed attacks, two main aspects have to be taken into account. The first concerns the detection process: although the edge-based approach makes attack detection easy to implement, since one simply needs to monitor the incoming traffic volume for an unusually large burst, the definition of an “unusually” large burst is not immediate, because it depends on the traffic metrics and detection algorithms used to analyse traffic and detect anomalies. Although many approaches to anomaly detection have been proposed, no “universal” techniques or technologies are available to detect generic and unknown forms of cyber attack, especially distributed ones. The second aspect is that containing and mitigating such attacks from the edge is ineffective: even if accurate filtering is performed at the edge, it cannot prevent malicious users from consuming the victim’s bandwidth and denying service to legitimate users.
Defending against distributed attacks in the core network may therefore overcome some of the limitations of the edge-based solution. The main reason is that backbone networks are well suited to mitigating distributed attacks before they cause harm to the victim at the edge. However, distributed attacks are challenging to detect in the backbone because they do not cause a visible, easily detectable change in traffic volume on individual backbone links. Consequently, monitoring systems are required to strongly support the anomaly detection process by providing accurate measurements of traffic metrics and network usage. This approach implies a non-negligible overhead, due to the huge number of traffic flows to be monitored. Therefore, to effectively detect distributed attacks in the backbone, an innovative and scalable way of simultaneously and efficiently analysing all traffic flows across the network has to be designed.
The INTERSECTION project aims at designing and developing a novel distributed ADS (Anomaly Detection System) for backbone networks based on the Autonomic Communication paradigm [24]. More precisely, such a system consists of a self-organizing cooperative anomaly detection overlay network which can be dynamically created and autonomously adapted in order to face potential distributed cyber attacks while, at the same time, reducing monitoring overhead. In fact, due to the distributed nature of novel kinds of cyber attack, mechanisms to dynamically orchestrate the available resources for distributed anomaly detection have to be designed by taking into account the strict interdependency between traffic and user behaviour in different network domains and the individual backbone links which might be involved in distributed threats [25].
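The two points made above (that the notion of an “unusually” large burst depends on the metric and algorithm chosen, and that a distributed attack leaves no visible change on any single backbone link) can be shown on a handful of flow records. The following is an added illustration, not code from the INTERSECTION project: all link names, addresses and byte counts are constructed sample data, and the two detectors (a per-link threshold on mean plus k standard deviations, and a backbone-wide aggregation by destination with a fan-in count) are the author's own choices of metric.

```python
"""Added example (not code from the INTERSECTION project): why a distributed
attack can be invisible on each backbone link yet visible in the aggregate.
All link names, addresses and byte counts below are constructed sample data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: per-link volume (bytes/s) sampled over earlier intervals.
BASELINE = {
    "link-A": [1000, 1050, 980, 1020, 990],
    "link-B": [2000, 2100, 1950, 2050, 2000],
    "link-C": [1500, 1450, 1550, 1500, 1480],
    "link-D": [800, 820, 790, 810, 805],
}

# Constructed current-interval flow records: (ingress link, destination, bytes/s).
# Four small flows towards 10.0.0.5 enter the backbone on four different links.
CURRENT = [
    ("link-A", "10.0.0.5", 120), ("link-A", "10.0.0.9", 900),
    ("link-B", "10.0.0.5", 150), ("link-B", "10.0.0.7", 1900),
    ("link-C", "10.0.0.5", 130), ("link-C", "10.0.0.2", 1400),
    ("link-D", "10.0.0.5", 100), ("link-D", "10.0.0.3", 720),
]

def per_link_alerts(baseline, records, k=3.0):
    """Edge-style detector: flag a link whose total volume in this interval
    exceeds its baseline mean plus k standard deviations."""
    totals = defaultdict(int)
    for link, _dst, nbytes in records:
        totals[link] += nbytes
    alerts = []
    for link, history in baseline.items():
        threshold = mean(history) + k * pstdev(history)
        if totals[link] > threshold:
            alerts.append(link)
    return sorted(alerts)

def aggregate_alerts(records, min_links=3, volume_threshold=400):
    """Backbone-wide detector: aggregate all flows by destination across every
    monitored link and flag destinations receiving more than volume_threshold
    bytes/s from at least min_links distinct ingress links."""
    volume = defaultdict(int)
    fan_in = defaultdict(set)
    for link, dst, nbytes in records:
        volume[dst] += nbytes
        fan_in[dst].add(link)
    return {
        dst: (volume[dst], len(fan_in[dst]))
        for dst in volume
        if len(fan_in[dst]) >= min_links and volume[dst] > volume_threshold
    }

if __name__ == "__main__":
    print("per-link alerts:", per_link_alerts(BASELINE, CURRENT))    # []
    print("aggregate alerts:", aggregate_alerts(CURRENT))            # {'10.0.0.5': (500, 4)}
```

Every link stays inside three standard deviations of its own baseline, so the per-link check raises nothing; only the cross-link aggregation sees that 10.0.0.5 is receiving from four ingress points at once. The price is exactly the overhead the text mentions: the aggregate check needs every link's flow records in one place, which is what motivates the sampling and overlay work described later.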
Currently, intrusion detection techniques rely on hardware and software tools which are pre-configured to analyse specific traffic features in accordance with the capabilities of the underlying monitoring and networking infrastructure.
However, we believe that, in order to detect unknown kinds of cyber attack, in-advance network planning is not effective: which traffic metrics should be analysed, which accuracy should be requested, and which kind of countermeasure has to be applied depend only on the dynamic situation with which the anomaly detection system finds itself having to cope.
To this aim, a self-managed distributed anomaly detection infrastructure will be developed, characterised by self-* properties in order to support in-network decision-making processes for security purposes. More precisely, cooperative overlay networks will be endowed with mechanisms for self-awareness, to increase reaction capabilities, as well as with self-adaptation characteristics enabling the available peers to (re-)configure the underlying monitoring infrastructure so as to optimize the detection process while minimizing management overhead.
In order to achieve its objectives, the INTERSECTION project has identified the following areas of work:
– on-line traffic monitoring and adaptive sampling/classification techniques as an input for cooperative anomaly detection overlay networks;
– analysis of available methodologies and existing technological solutions for anomaly detection (statistical approaches, mathematical methods such as spectral analysis, learning and knowledge based approaches, data mining and automated pattern recognition) in order to identify formal approaches for capabilities representation;
– analysis of existing capabilities and alert information exchange protocols and formats;
– information fusion methodologies for cooperative anomaly detection [55][56];
– self-management approaches based on reputability and trustworthiness concepts [57][58].
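The work areas on information fusion [55][56] and on reputability and trustworthiness [57][58] meet in one concrete operation: combining the confidence of alerts raised by several cooperating peers while discounting peers that are less trusted. The block below is an added example, not code from the INTERSECTION project or from [56] (which uses an extended form of the theory); it implements the plain Dempster-Shafer rule of combination over the two-hypothesis frame {attack, normal}, with a reliability factor standing in for a peer's reputation score. Detector confidences and reliability values are constructed.

```python
"""Added example (not from the INTERSECTION project or [56]): fusing the
confidence of alerts from several cooperating detectors with Dempster's rule
of combination, the basic operation of Dempster-Shafer evidence theory.
Confidence and reliability values used below are constructed."""
from itertools import product

ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL          # frame of discernment: the two hypotheses

def combine(m1, m2):
    """Dempster's rule: m(C) = sum over A∩B=C of m1(A)*m2(B), divided by (1 - K),
    where K is the mass that lands on conflicting (disjoint) pairs."""
    combined = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            combined[common] = combined.get(common, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: the sources cannot be combined")
    return {s: v / (1.0 - conflict) for s, v in combined.items()}

def alert_mass(confidence, reliability=1.0):
    """Mass function for a detector claiming 'attack' with a given confidence.
    The reliability (e.g. a reputation score for the peer) discounts the claim;
    whatever is not committed to 'attack' stays on the whole frame (ignorance)."""
    c = confidence * reliability
    return {ATTACK: c, THETA: 1.0 - c}

def normal_mass(confidence, reliability=1.0):
    """Mass function for a detector claiming the traffic is normal."""
    c = confidence * reliability
    return {NORMAL: c, THETA: 1.0 - c}

def fuse(masses):
    """Combine any number of mass functions, starting from total ignorance."""
    fused = {THETA: 1.0}
    for m in masses:
        fused = combine(fused, m)
    return fused

def belief(m, hypothesis):
    """Bel(H): total mass on subsets that imply H."""
    return sum(v for s, v in m.items() if s <= hypothesis)

def plausibility(m, hypothesis):
    """Pl(H): total mass on subsets compatible with H."""
    return sum(v for s, v in m.items() if s & hypothesis)

if __name__ == "__main__":
    # Two peers agree on an attack with moderate confidence: belief rises to 0.8.
    m = fuse([alert_mass(0.6), alert_mass(0.5)])
    print(belief(m, ATTACK), plausibility(m, ATTACK))        # 0.8 1.0
    # A less trusted third peer reports normal traffic; the conflict is renormalised away.
    m = fuse([alert_mass(0.6), normal_mass(0.7, reliability=0.5)])
    print(round(belief(m, ATTACK), 4))                       # 0.4937
```

Two independent peers each 60% and 50% confident together yield a belief of 0.8 in the attack hypothesis, because the only way both are wrong is the 0.4 × 0.5 mass left on ignorance. When a dissenting peer is discounted to half its reliability, its 0.7 "normal" claim shrinks to 0.35, and the disagreement with the first peer (0.21 of mass) is removed by the normalisation step; the belief in an attack drops to about 0.49 rather than being cancelled. The interval between belief and plausibility is what remains undecided, which is the quantity an overlay peer would use to decide whether to request more measurements before reacting.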
According to the above-mentioned objectives and work areas, the INTERSECTION project will also be able to contribute to standardization efforts. More precisely, we believe that our research activities will provide a valuable contribution to the following IETF working groups:
– IPFIX (IP Flow Information Export) by proposing potential extensions in both the information model, which describes IP flows, and the IPFIX protocol which supports transport of aggregated monitoring statistics. Furthermore, a configuration data model will be proposed for the design of an extensible policy-based framework for monitoring adaptation enforcement.
– PSAMP (Packet Sampling) by proposing solutions for adaptive packet sampling, filtering and classification.
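The adaptive sampling mentioned for PSAMP can be illustrated as a closed loop in which the exporter keeps a count-based 1-in-N selection (one of the PSAMP selection schemes) and re-computes N every interval so that the number of selected packets stays within a processing budget. The block below is an added example by the editor, not code or an algorithm from the INTERSECTION project or from the PSAMP/IPFIX specifications; the packet traces and the budget are constructed, and the volume estimate is simply the sampled byte count scaled by N.

```python
"""Added example (not from the INTERSECTION project or the PSAMP/IPFIX
specifications): a closed-loop adaptive count-based sampler. Packet traces
and the processing budget are constructed."""
from math import ceil

def next_rate(observed_packets, budget, max_n=1024):
    """Choose N for the next interval: sample everything while the load fits
    the budget, otherwise the smallest N that brings the selection under it."""
    if observed_packets <= budget:
        return 1
    return min(max_n, ceil(observed_packets / budget))

def select(packets, n):
    """Count-based 1-in-N systematic selection: the first packet of every run of n."""
    return packets[::n]

def estimate_bytes(selected, n):
    """Estimate of the interval's volume from the selected packets (scaled by N)."""
    return n * sum(size for _ts, size in selected)

def run(intervals, budget):
    """Run the loop over consecutive intervals of (timestamp, size) packets.
    Returns one tuple per interval: (N used, packets selected, estimated bytes,
    true bytes)."""
    n = 1
    report = []
    for packets in intervals:
        chosen = select(packets, n)
        report.append((n, len(chosen), estimate_bytes(chosen, n),
                       sum(size for _ts, size in packets)))
        n = next_rate(len(packets), budget)   # adapt for the next interval
    return report

# Constructed traces: quiet, burst, sustained burst, quiet again (100-byte packets).
INTERVALS = [
    [(i, 100) for i in range(100)],
    [(i, 100) for i in range(10000)],
    [(i, 100) for i in range(20000)],
    [(i, 100) for i in range(300)],
]

if __name__ == "__main__":
    for row in run(INTERVALS, budget=500):
        print(row)
```

The report shows the two costs of adapting from past load. The burst in the second interval is processed in full because N was still 1 when it arrived, and in the fourth interval the rate is still 1-in-40 while only 300 packets pass, so the estimate (32 000 bytes) is coarse against a true 30 000. Control driven by the overlay, as the text proposes, would let the requested accuracy rather than a fixed budget decide N.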
Furthermore, to meet the interoperability requirement, the alerting process will be carried out using a well-defined and standardised message format. To this purpose, the IDMEF (Intrusion Detection Message Exchange Format) message format, proposed by the IETF working group on intrusion detection, will be used. All messages exchanged among the components of the distributed system will comply with the IDMEF format, thus ensuring both interoperability and ease of extension of the system.
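To make the IDMEF choice concrete, the following added example (the editor's, not code from the INTERSECTION project) builds and parses a minimal IDMEF alert with the Python standard library. IDMEF is specified in RFC 4765; the namespace, the ntpstamp format and the element order follow that document, while the particular subset of elements used (Analyzer, CreateTime, Source, Target, Classification, Assessment/Impact) is the editor's choice, and all identifiers and addresses are constructed.

```python
"""Added example (not from the INTERSECTION project): building and parsing a
minimal IDMEF alert (RFC 4765) with xml.etree. Identifiers, addresses and
the timestamp are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"      # namespace defined by RFC 4765
ET.register_namespace("idmef", IDMEF_NS)
NTP_EPOCH_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01

def _q(tag):
    """Qualify a tag name with the IDMEF namespace."""
    return f"{{{IDMEF_NS}}}{tag}"

def _address_block(parent, kind, ip):
    """Append a Source or Target element carrying one IPv4 address."""
    node = ET.SubElement(ET.SubElement(parent, _q(kind)), _q("Node"))
    addr = ET.SubElement(node, _q("Address"), category="ipv4-addr")
    ET.SubElement(addr, _q("address")).text = ip

def build_alert(analyzer_id, message_id, sources, targets, classification,
                severity, when):
    """Serialise one IDMEF-Message carrying a single Alert."""
    root = ET.Element(_q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, _q("Alert"), messageid=message_id)
    ET.SubElement(alert, _q("Analyzer"), analyzerid=analyzer_id)
    ntp = int(when.timestamp()) + NTP_EPOCH_OFFSET
    create = ET.SubElement(alert, _q("CreateTime"),
                           ntpstamp=f"0x{ntp:08x}.0x00000000")
    create.text = when.isoformat()
    for ip in sources:
        _address_block(alert, "Source", ip)
    for ip in targets:
        _address_block(alert, "Target", ip)
    ET.SubElement(alert, _q("Classification"), text=classification)
    ET.SubElement(ET.SubElement(alert, _q("Assessment")), _q("Impact"),
                  severity=severity, type="dos")
    return ET.tostring(root, encoding="unicode")

def parse_alert(xml_text):
    """Extract the fields a correlation component would consume."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("IDMEF-Message"):
        raise ValueError("not an IDMEF message")
    alert = root.find(_q("Alert"))

    def addresses(kind):
        return [a.text for blk in alert.findall(_q(kind))
                for a in blk.iter(_q("address"))]

    impact = alert.find(f"{_q('Assessment')}/{_q('Impact')}")
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": alert.find(_q("Analyzer")).get("analyzerid"),
        "created": alert.find(_q("CreateTime")).text,
        "sources": addresses("Source"),
        "targets": addresses("Target"),
        "classification": alert.find(_q("Classification")).get("text"),
        "severity": impact.get("severity") if impact is not None else None,
    }

def example_message():
    """A constructed alert from a hypothetical overlay peer (sample values only)."""
    return build_alert("overlay-peer-3", "msg-0001",
                       ["192.0.2.10", "192.0.2.11"], ["203.0.113.5"],
                       "distributed volumetric anomaly", "high",
                       datetime(2008, 6, 1, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    xml_text = example_message()
    print(xml_text)
    print(parse_alert(xml_text))
```

Keeping the namespace check in the parser is the practical part: a receiver in a heterogeneous overlay should reject messages that are not IDMEF before trusting any of their fields, and the `ntpstamp` attribute gives correlators a timestamp that does not depend on the sender's local time zone formatting.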
References
[11] K. Sequeira and M. Zaki, “ADMIT: Anomaly-based Data Mining for Intrusions”, Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Edmonton, July 2002.
[21] S. C. Lee and D. V. Heinbuch, “Training a Neural-Network Based Intrusion Detector to Recognize Novel Attacks”, IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, Vol. 31, No. 4, July 2001.
[24] M. Smirnov, “Autonomic Communication: Research Agenda for a New Communication Paradigm”, White Paper, November 2004.
[25] C. Mazzariello and F. Oliviero, “An Autonomic Intrusion Detection System based on Behavioral Network Engineering”, Proceedings of the 2nd IEEE INFOCOM Student Workshop, 2006.
[52] J. R. Binkley and S. Singh, “An Algorithm for Anomaly-based Botnet Detection”, Computer Science, PSU, USENIX SRUTI ’06: 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet, July 2006.
[53] K. Houle and G. Weaver, “Trends in Denial of Service Attack Technology”, CERT® Coordination Center, 2001.
[54] J. Mirkovic, G. Prier and P. Reiher, “Attacking DDoS at the Source”, Proceedings of ICNP 2002, pp. 312-321, Paris, France, November 2002.
[55] N. Ye and M. Xu, “Information Fusion for Intrusion Detection”, Proceedings of the Third International Conference on Information Fusion (FUSION 2000), Vol. 2, pp. 17-20, July 2000.
[56] D. Yu and D. Frincke, “Alert Confidence Fusion in Intrusion Detection Systems with Extended Dempster-Shafer Theory”, Proceedings of the 43rd Annual Southeast Regional Conference, ACM Press, pp. 142-147, New York, NY, USA, March 2005.
[57] A. Garg, R. Battiti and C. R., “Reputation Management: Experiments on the Robustness of ROCQ”, Technical Report DIT-05-087.
[58] F. Cuppens and A. Miège, “Alert Correlation in a Cooperative Intrusion Detection Framework”, Proceedings of the IEEE Symposium on Security and Privacy, pp. 202-215, 2002.
[59] J. Mirkovic, J. Martin and P. Reiher, “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms”, UCLA Computer Science Department, Technical Report #020018.




