detection and classification of ddos attacks

DETECTION AND CLASSIFICATION OF DDOS ATTACKS USING FUZZY INFERENCE SYSTEM

T. Subbulakshmi 1, Dr. S. Mercy Shalinie 2, C. Suneel Reddy 3, A. Ramamoorthi 4

1 Senior Grade Lecturer, Department of Computer Science and Engineering, Thiagarajar College of Engineering, Madurai, [email protected]
2 HOD CSE, Department of Computer Science and Engineering, Thiagarajar College of Engineering, Madurai, [email protected]
3 II ME CSE, Department of Computer Science and Engineering, Thiagarajar College of Engineering, Madurai, [email protected]
4 I ME CSE, Department of Computer Science and Engineering, Thiagarajar College of Engineering, Madurai, [email protected]

ABSTRACT
DDoS attacks saturate a network by overwhelming its resources with an immense volume of traffic, preventing normal users from accessing those resources. When Intrusion Detection Systems are used, a huge number of alerts is generated, consisting of both False Positives and True Positives. Because of the huge volume of attack traffic, more False Positives than True Positives may occur, which makes it difficult for the network analyst to identify the original attack and take remedial action. This paper focuses on the development of an alert classification system that separates False Positives from True Positives related to DDoS attacks. It consists of five phases: Attack Generation, Alert Collection, Alert Fusion, Alert Generalization and Alert Classification. In Attack Generation, DDoS attacks are generated in an experimental testbed. In Alert Collection, the Snort IDS is used to generate alerts for the traffic generated in the testbed, and the alerts are collected. In Alert Fusion, repeated alerts are fused together to form meta-alerts. In Alert Generalization, the alerts indicating traffic towards the servers are taken for further analysis. In Alert Classification, a fuzzy inference system classifies the alerts as True Positives and False Positives. This reduces the burden on the network analyst by eliminating the false positives. The system is tested using an experimental testbed.

KEYWORDS
Alert Classification, Alert Generalization, Alert Fusion, DDoS, False Positives, Intrusion Detection, Fuzzy Inference System.

1. INTRODUCTION
One of the major problems faced by IDSs is the huge number of false positive alerts, i.e. alerts in which normal traffic is mistakenly classified as a security violation. A perfect IDS does not generate false or irrelevant alarms. In practice, signature-based IDSs are found to produce more false alarms than expected, because of overly general signatures and the lack of a built-in verification tool to validate the success of the attack. The huge number of false positives in the alert log makes the process of taking remedial action for the true positives, i.e. successful attacks, delayed and labor intensive. The same intrusion event can trigger hundreds of similar alerts. For example, a single network scan may generate several alerts that differ only by a small amount of time. These alerts can be fused together before being passed to the human analyst. Also, different types of alert may have the same underlying event as their root cause. Each attribute of all alerts can be generalized to find the correlated alerts. This helps in root cause analysis and hence eliminates more false positives. Alert generalization also sometimes helps to speed up alert verification. For example, suppose a large number of IIS exploit attacks arrive at port 80 of a particular machine which is running an Apache web server on Linux; obviously all of these can be marked as irrelevant since they are not successful. In intrusion detection, machine learning has so far been used primarily to build systems that classify network connections or system call sequences into one of several predefined classes. This task proved to be very difficult because it aimed at building IDSs only from training examples. Lee [6] developed a methodology to construct additional features using data mining. He also showed the importance of domain-specific knowledge in constructing such IDSs. The key advantage of this work is that it employs real-time data and classifies the alerts generated by IDSs, whereas other conventional methods use existing data to build the IDS. So the recognition of new attacks can be easily accomplished by this research work.

2. Review of Literature
Alert aggregation and verification are often part of alert correlation [3], but correlation has a different goal: to reconstruct incidents from alerts and to find attack scenarios. Kruegel, Robertson and Vigna [3] proposed a method for alert verification using both active and passive verification methods. In their implementation they use active alert verification extensively, while only passive alert verification is used in this work. Pietraszek and Tanner [1] propose a two-stage alert classification mechanism for reducing false positives. Alert correlation [7] tries to solve a different, though related, goal of alert processing, namely reconstructing attacks and incidents from alerts. Attacks most often occur in distinctive groups, which are called incidents or multi-staged attacks [8]. In the general case, it is not possible to reconstruct incidents from alerts. Helmer et al. [4] applied RIPPER [10] to system calls to generate a small and concise set of rules to classify intrusions for host-based IDS. They investigated incremental learning algorithms and their application to intrusion detection. They underline the significance of the symbolic representation language and of human understanding of background knowledge and learned concepts, and criticize a neural network approach. Human understanding is important because, should the system act in a way that is harmful to humans, the concepts responsible for this behaviour can be inspected and modified. An approach for evolving fuzzy classifiers using genetic algorithms has been proposed [11]. A genetic algorithm with special operations (gene addition and gene deletion) is used to create fuzzy rules for normal and abnormal classes. The KDD Cup '99 data set with 42 attributes and 4,94,021 records is used for the experiments. Several statistical methods have been applied to reduce the dimensionality of the problem. Our work differs from this work by solving the issues related to real-time attack and alert generation schemes. A method is proposed [12] using ANFIS as a classifier to detect intrusions. The system evaluates the performance of ANFIS as both a binary and a multiclass classifier. The KDD Cup '99 dataset with 42 attributes and 48840 training and 4884 testing records has been used for the detection task. Since in this research there are more records and more types of attack classes, the system developed can be readily used online.

A real-valued negative selection algorithm is proposed [13] and improved using deterministic crowding to generate fuzzy detector rules in the non-self space that can determine whether a new sample is normal or abnormal. A genetic algorithm is used with deterministic crowding as the niching technique, since it was better than sequential crowding. In evolving fuzzy detector rules, first the condition part of the rules is represented using a chromosome, then the fitness of the rules is calculated, and the Hamming distance is used to perform the deterministic crowding. The experiments were carried out with three different datasets (Mackey-Glass, DARPA 99 and KDD Cup '99) and two algorithms, Efficient Rule Detectors and Parallel Hill Climbing of fuzzy rule detectors, which are found to be better than the other algorithms.

3. System Architecture
In this paper a five-phase alert classification system is described. Fig. 1 gives an overview of this architecture.

[Fig. 1 (block diagram): components are DDoS Attack Generation in Testbed, Snort IDS, Alert Preprocessing, Preprocessed alerts, Background knowledge, Rule Learners / Machine Learning, Rule base, Selected Rules, Human Analyst, FIS based Alert Classifier, and Classification (TP or FP).]

Fig. 1. DDoS Attack Detection / Classification System Architecture

3.1. Anomaly Detection Dataset
The DDoS attacks are generated in an experimental testbed using the 'packit' network packet injection tool. In the testbed, the number of test nodes is first selected based on the attack scenario. In the case of a Denial of Service (DoS) attack only one Source node and one Sink node are selected, and in the case of Distributed Denial of Service (DDoS) attacks two or more Source nodes and one Sink node are selected. The user has to upload the Source and Sink programs to the Server and specify the corresponding Source and Sink nodes on which the programs are to be executed. The user should also specify the time interval in which the programs should be executed. In the specified time interval the programs are transferred from the Server to the corresponding Source and Sink nodes and executed. The Source program uses IP spoofing with the IP addresses of the available testbed nodes and generates ICMP, TCP and SYN requests towards the Sink node. During the execution of the programs the specified Source programs generate traffic towards the Sink nodes. The Sink program is a traffic recording program. During the time interval the traffic arriving at the Sink nodes is recorded using the tshark traffic/protocol analyzer and dumped into a file. The dumped traffic contains both the generated traffic and the normal network traffic. When the time interval expires the dump file is transferred to the Server.

3.2 Alert Generation
The dump file is taken from the Server and given as input to the open source lightweight intrusion detection system 'Snort'. The default Snort rule base contains rules for detecting all types of attacks, such as DDoS, Remote to Local, User to Root and Probing. By default all the rules are enabled for detecting all the types of attacks. The Snort rules have been modified to detect the DDoS attacks: the rules for detecting DDoS attacks and the ICMP and TCP rules have been changed for the environment in which the test is conducted. When the dump file is given as input to Snort, it generates the alerts. The alerts are recorded in Comma Separated Value (CSV) files for further processing. Each alert generated by Snort is a six-tuple ("msg", "proto", "srcip", "srcport", "dstip", "dstport").

3.3 Alert Preprocessing
Alerts generated by one or more IDSs can be set to log into a centralized database. If different types of IDS are used (application, network and host based), the attack messages will also be in different formats, so a preprocessing step has to be run, preferably in batch mode, before the alerts are passed to the clustering component. While preprocessing the alerts, best-effort values are supplied for the missing attributes. Also, the timestamp is converted into seconds for the purpose of comparison. Since different IDSs may use different naming conventions for the same event, there is a need to standardize the messages. For example, the messages 'scanning', 'nmap scan' and 'port scan' all belong to the category 'port scan'. The standard names are chosen either from CVE or Bugtraq, and in some cases the name from one of the IDSs is taken as the standard. In addition, a unique id is added to every alert for the purpose of tracking the alerts.

3.3.1 Alert Fusion
First, alerts with the same attributes are fused together for the purpose of alert reduction. This is possible because multiple IDSs may be present in the network, producing redundant alerts, and the same event may trigger hundreds of similar alerts. Alert fusion also makes the generalization process fast. Alerts with the same attributes are fused together to form meta-alerts, and the number of alerts fused is appended as the seventh tuple element 'count'. The format of the meta-alerts is ("msg", "proto", "srcip", "srcport", "dstip", "dstport", "count").

3.3.2 Alert Generalization
For the purpose of generalizing alerts, hierarchical background knowledge has to be incorporated for each attribute. A sample hierarchy is shown in Fig. 2. Human-understandable descriptions of alert clusters are preferred, since human intervention may be required for advanced analysis. Generalization is carried out as a step-by-step process. On every iteration, one of the selected attributes is generalized to the next higher level of the hierarchy, and those alerts which have become identical through this generalization are grouped together. This process is repeated until one of the generalized alerts reaches a threshold count. The selection of this threshold is left as a design choice. Since the attacks are assumed to originate from outside sources, the unique internal destination IPs are extracted from the previous step.

[Fig. 2 (tree): IP splits into Source and Destination; each of Source and Destination splits into Internal and External.]

Fig. 2. Sample Hierarchy
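The fusion step of 3.3.1 and the iterative generalization of 3.3.2 worked through on constructed Snort-style six-tuples, as an added example that is not the paper's Java implementation; the sample alerts, the internal address block, the order in which attributes are generalized and the threshold are assumptions.

```python
"""Alert fusion (3.3.1) and hierarchical generalization (3.3.2) over Snort-style alerts.

Added example, not the paper's Java implementation. The sample alerts, the internal
address range, the generalization order and the threshold are constructed assumptions.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of Snort six-tuples (msg, proto, srcip, srcport, dstip, dstport).
# The repeats mimic one flood triggering the same signature over and over.
SAMPLE_ALERTS = [
    ("ICMP Flood", "ICMP", "203.0.113.7", "0", "10.1.1.10", "0"),
    ("ICMP Flood", "ICMP", "203.0.113.7", "0", "10.1.1.10", "0"),
    ("ICMP Flood", "ICMP", "203.0.113.9", "0", "10.1.1.10", "0"),
    ("SYN Flood", "TCP", "198.51.100.4", "40001", "10.1.1.10", "80"),
    ("SYN Flood", "TCP", "198.51.100.4", "40001", "10.1.1.10", "80"),
    ("SYN Flood", "TCP", "198.51.100.5", "40002", "10.1.1.10", "80"),
    ("SYN Flood", "TCP", "10.1.2.20", "51000", "10.1.1.11", "80"),
]

# Constructed background knowledge: the address block regarded as "Internal" in Fig. 2.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def fuse(alerts):
    """Merge alerts with identical attributes into meta-alerts; 'count' is appended as the 7th field."""
    return [attrs + (n,) for attrs, n in Counter(alerts).items()]


def ip_level(ip):
    """One level up the Fig. 2 hierarchy: concrete address -> 'Internal' or 'External'.
    Idempotent, so an attribute that is already generalized is left alone."""
    if ip in ("Internal", "External"):
        return ip
    return "Internal" if any(ip_address(ip) in net for net in INTERNAL_NETS) else "External"


# Attributes generalized on successive iterations: (field index, generalizer).
GENERALIZERS = [
    (2, ip_level),            # srcip   -> Internal / External
    (3, lambda port: "ANY"),  # srcport -> wildcard (ephemeral ports carry little meaning)
    (4, ip_level),            # dstip   -> Internal / External
]


def regroup(meta_alerts):
    """Re-fuse meta-alerts whose six attributes became equal, summing their counts."""
    merged = Counter()
    for *attrs, count in meta_alerts:
        merged[tuple(attrs)] += count
    return [attrs + (n,) for attrs, n in merged.items()]


def generalize(meta_alerts, threshold):
    """Generalize one attribute per iteration until some meta-alert's count reaches the
    threshold (a design choice in the paper). Returns (meta-alerts, iterations performed)."""
    current = list(meta_alerts)
    for done, (idx, fn) in enumerate(GENERALIZERS):
        if any(a[-1] >= threshold for a in current):
            return current, done
        current = regroup(a[:idx] + (fn(a[idx]),) + a[idx + 1:] for a in current)
    return current, len(GENERALIZERS)


def internal_destinations(meta_alerts):
    """Unique internal destination IPs of alerts whose source is external, the set the
    paper carries forward (attacks are assumed to come from outside)."""
    return sorted({a[4] for a in meta_alerts
                   if ip_level(a[2]) == "External" and ip_level(a[4]) == "Internal"})


if __name__ == "__main__":
    fused = fuse(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(fused)} meta-alerts")
    generalized, steps = generalize(fused, threshold=3)
    print(f"generalization stopped after {steps} step(s):")
    for meta in generalized:
        print("  ", meta)
    print("internal targets of external sources:", internal_destinations(fused))
```

With threshold 3 the run stops after generalizing source IPs, because the two ICMP sources collapse into one "External" meta-alert of count 3; raising the threshold forces further levels of the hierarchy.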

3.3.3 Alert Verification
Alert verification is done based on the static asset information collected about the machines inside the network. The process of collecting service and vulnerability information is done with the Nessus [9] client. The false positives and irrelevant alerts are marked separately for further analysis. Alert verification is of two types, active and passive. In active verification, whenever an alert is received an information gathering process is initiated to verify the correctness of the alert. This method requires more resources and may slow down the whole alert management process. As an alternative, a passive alert verification system is employed, which depends on a priori gathered information about the hosts and the network. A drawback of passive alert verification is that the information may be redundant. But still, for real-time environments, the performance of passive verification suits well. The human analyst can optionally examine the output of this step for advanced root cause analysis and for updating firewall and IDS rules to avoid irrelevant and false positive alerts. The labeled alerts are passed to the next phase.

3.4 Alert Classification using Fuzzy Inference System
Unfortunately, alerts generated by an IDS have to be reviewed by a mentor, since no rule can assure hundred percent true positive or true negative rates. In this phase, the labeled alerts from the first phase are used for training the automatic classifier, which uses the RIPPER algorithm for learning the classification rules. The main aim of this phase is to build an automatic alert classifier that reduces the workload of the human analyst.

[Fig. 3 (block diagram): the inputs Source IP, Destination IP, Source Port, Destination Port and Count feed the Fuzzy Inference System, which produces the Fuzzy Output.]

Fig. 3. Fuzzy Alert Classification System

The analyst examines the rules formed by the classifier and modifies them if required. The qualified rules are loaded into an alert filter which classifies the alerts as true and false positives. Some algorithms can give a confidence level for the classification; in this case, the alerts classified with a high level of confidence can be safely removed as false positives. The alerts which have been classified as false positives by the human analyst can be used for training. In addition to training examples, background knowledge is used to learn improved classification rules. These rules are then used by the classifier to classify alerts, and the analyst can inspect the rules to make sure they are correct. Fuzzy logic is used to identify the alerts as either true positive or false positive. A Fuzzy Inference System with five input variables and one output variable is used. The input and output variables and their membership functions are given in Table 1.

Table 1. Fuzzy Input/Output Membership Functions

Sl. No | Input/Output | Name of the Input or Output | Membership functions
1 | Input | Source IP | int_server, int_client, ext_host
2 | Input | Destination IP | int_server, int_client, ext_host
3 | Input | Source port | legal, illegal, unknown
4 | Input | Destination port | legal, illegal, unknown
5 | Input | Count | low, medium, high
6 | Output | Classification | TP, FP, unknown

Fuzzy logic offers the flexibility of classifying the alerts into any of the three output categories, unlike the binary classification of the other machine learning based methods. If an alert is classified as true positive, it is a serious attack to be considered immediately. If an alert is classified as false positive, it is wrong information given by the Snort intrusion detection system. If an alert is classified as unknown, it needs further investigation. The unknown alerts are taken out and investigated further.

4. Implementation Details
Snort, an open source lightweight intrusion detection system, is used to detect attacks and generate alerts. The default rule set of Snort is used because there is no intention to evaluate the performance of Snort as an IDS. Separate IDSs are placed for the wireless and wired networks inside the campus. The alerts generated are logged into a file. Each alert is represented as a seven-field record containing the following attributes: timestamp, signature ID, source and destination IP addresses, message name and protocol. The alerts generated over a period of 24 hours have been collected for the purpose of analysis. Alerts from multiple IDSs are combined and considered for preprocessing. The preprocessed alerts are then normalized with the standard naming conventions discussed earlier. After normalizing, similar alerts are fused together to eliminate redundancy. The alerts are then generalized for root cause analysis and alert verification. The background knowledge for generalization is represented as a tree structure. The whole system was developed in Java. For the fuzzy logic based alert classification system the alerts are classified into attacks based on the rules. The rules are written to classify the alerts into the three output categories. Some example rules are:

• If source IP is ext_host and destination IP is int_server and source port is unknown and destination port is illegal and count is high then output is TP
• If source IP is ext_host and destination IP is int_client and source port is unknown and destination port is illegal and count is high then output is TP
• If source IP is ext_host and destination IP is ext_host and source port is unknown and destination port is legal and count is high then output is unknown
• If source IP is int_host and destination IP is int_server and source port is unknown and destination port is illegal and count is low then output is FP
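The four rules above run through a small Mamdani-style fuzzy inference system over the Table 1 variables, as an added example that is not the authors' implementation; the membership function breakpoints for count, the output set shapes, the decision thresholds and the reading of 'int_host' as either internal class are assumptions.

```python
"""Mamdani-style fuzzy inference over the paper's Table 1 variables and the four
example rules above. Added example, not the authors' implementation. The count
breakpoints, output set shapes, decision thresholds and the reading of 'int_host'
as either internal class are constructed assumptions."""

def tri(x, a, b, c):
    """Triangular membership: 0 at a, peak 1 at b, 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

def shoulder_left(x, a, b):
    """1 up to a, falling linearly to 0 at b."""
    return 1.0 if x <= a else 0.0 if x >= b else (b - x) / (b - a)

def shoulder_right(x, a, b):
    """0 up to a, rising linearly to 1 at b."""
    return 0.0 if x <= a else 1.0 if x >= b else (x - a) / (b - a)

# Constructed membership functions for the 'count' input (Table 1: low, medium, high).
COUNT_MF = {
    "low": lambda n: shoulder_left(n, 5, 50),
    "medium": lambda n: tri(n, 5, 50, 200),
    "high": lambda n: shoulder_right(n, 50, 200),
}

# Output sets on the severity axis [0, 1]: FP near 0, unknown around 0.5, TP near 1.
OUTPUT_MF = {
    "FP": lambda x: shoulder_left(x, 0.0, 0.5),
    "unknown": lambda x: tri(x, 0.0, 0.5, 1.0),
    "TP": lambda x: shoulder_right(x, 0.5, 1.0),
}

INT_HOST = {"int_server", "int_client"}  # assumption: 'int_host' in rule 4 means either class

# The paper's four example rules; categorical terms are sets of accepted labels.
RULES = [
    ({"srcip": {"ext_host"}, "dstip": {"int_server"}, "srcport": {"unknown"},
      "dstport": {"illegal"}, "count": "high"}, "TP"),
    ({"srcip": {"ext_host"}, "dstip": {"int_client"}, "srcport": {"unknown"},
      "dstport": {"illegal"}, "count": "high"}, "TP"),
    ({"srcip": {"ext_host"}, "dstip": {"ext_host"}, "srcport": {"unknown"},
      "dstport": {"legal"}, "count": "high"}, "unknown"),
    ({"srcip": INT_HOST, "dstip": {"int_server"}, "srcport": {"unknown"},
      "dstport": {"illegal"}, "count": "low"}, "FP"),
]

def membership(var, term, value):
    """Degree to which an alert attribute satisfies a rule term (crisp for categorical inputs)."""
    if var == "count":
        return COUNT_MF[term](value)
    return 1.0 if value in term else 0.0

def label_of(severity):
    """Map the defuzzified severity to the three output classes (thresholds are constructed)."""
    return "TP" if severity >= 0.65 else "FP" if severity <= 0.35 else "unknown"

def classify(alert):
    """AND = min, implication = clip, aggregation = max, centroid defuzzification.
    Returns (severity in [0, 1], label); an alert no rule covers is left as unknown."""
    strength = {label: 0.0 for label in OUTPUT_MF}
    for conditions, out in RULES:
        w = min(membership(var, term, alert[var]) for var, term in conditions.items())
        strength[out] = max(strength[out], w)
    if max(strength.values()) == 0.0:
        return 0.5, "unknown"  # assumption: uncovered alerts go to the analyst
    xs = [i / 100 for i in range(101)]
    agg = [max(min(strength[lab], OUTPUT_MF[lab](x)) for lab in OUTPUT_MF) for x in xs]
    severity = sum(x * m for x, m in zip(xs, agg)) / sum(agg)
    return severity, label_of(severity)

if __name__ == "__main__":
    # Constructed meta-alerts already mapped onto Table 1 categories by background knowledge.
    samples = [
        {"srcip": "ext_host", "dstip": "int_server", "srcport": "unknown", "dstport": "illegal", "count": 350},
        {"srcip": "ext_host", "dstip": "int_server", "srcport": "unknown", "dstport": "illegal", "count": 120},
        {"srcip": "int_client", "dstip": "int_server", "srcport": "unknown", "dstport": "illegal", "count": 3},
        {"srcip": "ext_host", "dstip": "ext_host", "srcport": "unknown", "dstport": "legal", "count": 500},
        {"srcip": "ext_host", "dstip": "int_server", "srcport": "legal", "dstport": "legal", "count": 40},
    ]
    for s in samples:
        severity, label = classify(s)
        print(f"{label:8s} severity={severity:.2f}  {s}")
```

A count of 120 only partially satisfies 'high', so the TP rule fires at reduced strength and the centroid lands lower than for a count of 350, which is the graded severity the Key Findings describe.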

Some more information is added as background knowledge for the purpose of learning. An attribute-value representation of background knowledge [1], which is most suitable for machine learning algorithms, is used in this experiment. Eight more attributes have been added to the alerts generated by Snort. The background knowledge sets used are: the IP address classification and operating system for the source and destination IP addresses; Aggregate 1, containing the number of alerts in a time window of one minute with the same source or destination IP address and the total number of alerts in the same time window; and Aggregate 2, containing the same fields as Aggregate 1 but within a time window of 5 minutes. The WEKA implementation of the RIPPER algorithm is used in the experiments.

5. Results and Discussion
The result of the alert correlation steps is shown in Table 2. It shows that about 81% of the false positives were successfully identified by the system. This may not always be the case: the alerts collected were mostly repeated and redundant.

Table 2. Results of Alert Classification

Name of Alert Correlation Step | Number of alerts after each step
Alert Detection | 63592
Alert Preprocessing – Fusion | 3207
Alert Preprocessing – Generalization | 2515
Alert Classification – threshold based method | 679
Alert Classification – Fuzzy method | 400

Table 3. Results of RIPPER algorithm using Background Knowledge

Background Knowledge | Full | Partial
Precision | 0.972 | 0.954
Recall | 0.954 | 0.996
F-measure | 0.962 | 0.975

The labeled alerts after verification have been fed to the experiments in WEKA with two sets of background knowledge. The results, as shown in Table 3, indicate that RIPPER performs well with the full background knowledge set.

Table 4. Results obtained with machine learning classifiers

ALGORITHM | RandomForest | DecisionStump | RIPPER | NNge | OneR | PART | FIS based AC
Precision | 0.958 | 0.954 | 0.954 | 0.959 | 0.954 | 0.955 | 0.999
Recall | 0.965 | 0.996 | 0.996 | 0.954 | 0.993 | 0.985 | 0.963
F-Measure | 0.961 | 0.975 | 0.975 | 0.956 | 0.973 | 0.970 | 0.971
ROC | 0.625 | 0.473 | 0.580 | 0.554 | 0.496 | 0.668 | 0.552

[Fig. 4 (bar chart): False Positive Rate (FPR), y-axis from 0 to 0.1, plotted against classification scheme for RF, DS, JRip, NNge, OneR, PART and Fuzzy.]

The result of 10-fold cross validation is given in Table 4. Cross validation results indicate the suitability of a classifier for future instances. In algorithms like RIPPER, the classifier with no background knowledge performs worse, in terms of false positives, than the classifier with simple classifications of IP addresses and of the operating systems running on the machines. Using the background knowledge consisting of the classifications above and the aggregates significantly reduces the false positive rate and increases the true positive rate. Full background knowledge performs much better than the reduced one, so all attributes of the background knowledge were used in this research.

Fig. 4. Graph showing False Positive Rates (FPR) for different classification schemes

A good measure of the fitness of algorithms is to take the ones with area under the ROC (Receiver Operating Characteristics) curve greater than 0.5. Table 4 provides a comparison of all the six algorithms used on the basis of ROC curve area. The PART and Random Forest algorithms perform well in this respect, but compared to FIS based AC the false negative ratio is higher for these algorithms (Figure 4). FIS based AC has only a minimum false negative rate, which is tolerable. Also, it supports incremental learning for batch classification of alerts and provides a classification confidence for each rule produced. Fuzzy Inference System based Alert Classification gives better classification results. This can be very useful in a system which processes alerts autonomously: the outputs with high classification confidence can be passed without verification by the analyst. Putting it all together, FIS based Alert Classification comes out to be the most suitable algorithm for false positive reduction.

5.1 Key Findings of the Research

• Fuzzy Inference System based Alert Classification produces three classes of output, true positive, false positive and unknown alerts, which differs from the other machine learning methods, which produce a binary classification. Even where machine learning methods produce a multi-class classification, the output classes are the types of attack or the normal class.

• The Fuzzy Inference System produces output based on the nature of the attacks, and the output value of the alerts in [0,1] specifies the severity of the attack.
  o If the value is nearer to '1', the attack should be considered highly severe and it is classified as True Positive.
  o If the value is '0.5', the attack should be considered moderately severe and it is classified as unknown.
  o If the value is nearer to '0', the attack should be considered less severe and it is classified as false positive.

• The False Positive Rate (FPR) of the FIS based Alert Classification is found to be lower than that of the other machine learning algorithms: Random Forest, Decision Stump, JRipper, NeuralNetworks Generalization, OneR and PART. The FIS based Alert Classification produces fewer false positives and is more effective since it produces the classes of alerts along with their severity ratings. The alerts which have high severity can be attended to immediately, and low severity alerts are removed from the system, which helps in building an effective classifier.

6. Conclusion
The Alert Classification System is implemented using Fuzzy Inference System based Alert Classification and machine learning techniques. Alert preprocessing helped in eliminating about 63% of the false positives. After the process of passive verification, 18% of the alerts were marked as irrelevant. So a total reduction of 81% is achieved through Fuzzy Inference System based Alert Classification, which is actually really impressive. The result may vary slightly from organization to organization, since in our network most of the attack types and alerts were repeated. Most of the attacks originated from inside the network, which also helped in generalization. The classification accuracy can be further improved by classifying using machine learning algorithms with feature selection and online classification.

7. Acknowledgement
This work was supported by grants from the National Technical Research Organization of the Government of India, as a part of "Smart and Secure Environment". The authors sincerely thank the Management and Principal of Thiagarajar College of Engineering, Madurai, India for their support and encouragement.

8. References
[1] Tadeusz Pietraszek and Axel Tanner, "Data mining and machine learning: Towards reducing false positives in intrusion detection", Information Security Technical Report, 10:169–183, 2005.
[2] Tadeusz Pietraszek, "Using adaptive alert classification to reduce false positives in intrusion detection", in Recent Advances in Intrusion Detection (RAID 2004), volume 3324 of Lecture Notes in Computer Science, pages 102–124, Sophia Antipolis, France, 2004. Springer-Verlag.
[3] Christopher Kruegel, W. Robertson and Giovanni Vigna, "Using alert verification to identify successful intrusion attempts", K.G. Saur Verlag, München, 2004.
[4] Guy Helmer, Johnny S.K. Wong, Vasant Honavar, Les Miller, "Automated discovery of concise predictive rules for intrusion detection", The Journal of Systems and Software, 60(2):165–175, 2002.
[5] Hervé Debar, Andreas Wespi, "Aggregation and correlation of intrusion detection alerts", in Recent Advances in Intrusion Detection (RAID 2001), volume 2212 of Lecture Notes in Computer Science, pages 85–103. Springer-Verlag, 2001.
[6] Wenke Lee, "A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems", PhD thesis, Columbia University, 1999.
[7] William W. Cohen, "Fast effective rule induction", in Armand Prieditis and Stuart Russell, editors, Proceedings of the 12th International Conference on Machine Learning, pages 115–123, Tahoe City, CA, 1995. Morgan Kaufmann Publishers.
[8] John D. Howard, Thomas A. Longstaff, "A common language for computer security incidents", Technical report, CERT, 1998.
[9] William W. Cohen, "Fast effective rule induction", in Armand Prieditis and Stuart Russell, editors, Proceedings of the 12th International Conference on Machine Learning, pages 115–123, Tahoe City, CA, 1995. Morgan Kaufmann Publishers.
[10] Guy Helmer, Johnny S.K. Wong, Vasant Honavar, Les Miller, "Automated discovery of concise predictive rules for intrusion detection", The Journal of Systems and Software, 60(2):165–175, 2002.
[11] Jonatan Gomez, Dipankar Dasgupta, "Evolving Fuzzy Classifiers for Intrusion Detection", Proceedings of the 2002 IEEE Workshop on Information Assurance, 2002.
[12] Adel Nadjaran Toosi, Mohsen Kahani, Reza Monsefi, "Network Intrusion Detection Based on Neuro-Fuzzy Classification", Proceedings of IEEE International Conference on Computing and Informatics, IEEE, 2006.
[13] Jonatan Gomez, Fabio Gonzalez, Dipankar Dasgupta, "An Immuno-Fuzzy Approach to Anomaly