Abstract
Content-based Anomaly Detection (AD) techniques are regarded as a promising mechanism to detect ‘zero-day’ attacks. AD sensors have also been shown to perform better than signature-based systems in detecting polymorphic attacks. However, the False Positive Rates (FPRs) produced by current AD sensors have been a cause of concern. In this paper, we introduce and evaluate transAD, a system of network traffic inspection AD sensors that are based on Transductive Confidence Machines (TCM). Existing TCM-based implementations have very high FPRs when used as NIDS.
Our approach leverages an unsupervised machine-learning algorithm to identify anomalous packets and thus, unlike most AD sensors, transAD does not require manually labeled data. Moreover, transAD uses an ensemble of TCM sensors to achieve better detection rates and lower FPRs than single sensor implementations. Therefore, transAD presents a hardened defense against poisoning attacks.
We evaluated our prototype implementation using two real-world data sets collected from a public university’s network. TransAD processed approximately 1.1 million packets containing real attacks. To compute the ground truth, we manually labeled 18,500 alerts. In the course of scanning millions of packets, our sensor’s low FPR would significantly reduce the number of false alerts that need to be inspected by an operator, while maintaining a high detection rate.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Barbará, D., Domeniconi, C., Rogers, J.P.: Detecting outliers using transduction and statistical testing. In: ACM SIGKDD, KDD 2006, pp. 55–64 (2006)
Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970), http://doi.acm.org/10.1145/362686.362692
Boggs, N., Hiremagalore, S., Stavrou, A., Stolfo, S.J.: Cross-domain collaborative anomaly detection: So far yet so close. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 142–160. Springer, Heidelberg (2011)
Cisco: Cisco security products (July 2012), http://www.cisco.com/en/US/products/hw/vpndevc/products.html
Cretu, G., Stavrou, A., Locasto, M., Stolfo, S., Keromytis, A.: Casting out demons: Sanitizing training data for anomaly sensors. In: IEEE S&P, pp. 81–95 (May 2008)
Denning, D.: An intrusion-detection model. IEEE Transactions on Software Engineering SE-13(2), 222–232 (1987)
Fowler, G., Noll, L.C., Vo, P.: Fowler/Noll/Vo (FNV) Hash (1991)
Gammerman, A., Vovk, V.: Prediction algorithms and confidence measures based onalgorithmic randomness theory. Theoretical Computer Science 287 (2002)
Juniper: Juniper network security products (July 2012), http://www.juniper.net/us/en/products-services/security/
Kuang, L.: Dnids: A dependable network intrusion detection system using the csi-knn algorithm. Queen’s University (2007)
Levenshtein, V.I.: Binary codes capable of correcting deletions, insertions, and reversals. Tech. Rep. 8 (1966)
McAfee: McAfee Threats Report: First Quarter 2012 (2012), http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2012.pdf
McAfee: Network intrusion prevention (July 2012), http://www.mcafee.com/us/products/network-security-platform.aspx
Patcha, A., Park, J.M.: An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks 51(12) (2007)
Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23-24), 2435–2463 (1999)
Sommer, R., Paxson, V.: Outside the closed world: On using machine learning for network intrusion detection. In: IEEE S&P (May 2010)
Sourcefire: Snort intrusion detection system (July 2012), http://www.snort.org/
Suricata: Suricata intrusion detection (July 2012), http://www.openinfosecfoundation.org/
Symantec: Internet Security Threat Report, vol. 17 (2012), http://www.symantec.com/threatreport/
Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.: A detailed analysis of the kdd cup 99 data set. In: CISDA 2009, pp. 1–6 (July 2009)
Vovk, V., Gammerman, A., Saunders, C.: Machine-learning applications of algorithmic randomness. In: ICML 1999, pp. 444–453 (1999)
Wang, K., Cretu, G., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227–246. Springer, Heidelberg (2006)
Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: A content anomaly detector resistant to mimicry attack. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)
Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)
Wasserman, L.: All of Statistics: A Concise Course in Statistical Inference. Springer
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Hiremagalore, S., Barbará, D., Fleck, D., Powell, W., Stavrou, A. (2014). transAD: An Anomaly Detection Network Intrusion Sensor for the Web. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_30
Download citation
DOI: https://doi.org/10.1007/978-3-319-13257-0_30
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13256-3
Online ISBN: 978-3-319-13257-0
eBook Packages: Computer ScienceComputer Science (R0)