Traffic Monitoring and Diagnosis with Multivariate Statistical Network Monitoring: A Case Study

José Camacho (josecamacho@ugr.es)
Pedro García-Teodoro (pgteodor@ugr.es)
Gabriel Maciá-Fernández (gmacia@ugr.es)

Network Engineering and Security Group, University of Granada
José Camacho, Ph.D.

Motivation - I

Anomaly detection from traffic data

Approach                                     Variate sources         Accuracy
Software for CyberSec                        Pivoting (specific)     High false anomalies (correlation)
CyberSec research (ML)                       Data fusion (general)   High detection but semantic gap
Multivariate Statistical Network Monitoring  Data fusion (general)   High detection & diagnosis

Seguridad en Redes Corporativas: Detectando al Intruso
Motivation - II

Multivariate approach: in a data set with many measured variables, the interesting information is contained in a (much lower) number of latent variables.

Multivariate Statistical Control (PCA)

[Figure: left panel, scatter plot of V1 against V2 (both axes from -4 to 4); right panel, plot with x-axis 1 to 10 and y-axis 0 to 40. Only the axis ticks survived extraction.]
MSNM - I

Multivariate Network Security Monitoring (MSNM)
MSNM - II

MSNM: 5 steps from the hay to the needle
MSNM - III

Combine any sources: from low-level sensors (e.g. NetFlow) to high-level info (e.g. correlation rules at the SIEM).
MSNM - IV

[Figure: two data matrices with observations O1..ON as rows and variables V1..VM as columns.]

MSNM creates a normality model for detection (which answers when an anomaly takes place) and diagnosis (in which source/s of info it is detected).
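The PCA normality model behind the Motivation - II and MSNM - IV slides (many measured variables, few latent variables; one model that answers "when" and "in which source"), as an added, self-contained example in Python with NumPy. It is not the authors' code or the MSNM implementation. The calibration data are constructed: twelve counters from three hypothetical information sources, each source driven by one latent activity level plus noise. Detection uses the squared residual of a new observation against the fitted principal-component subspace (the Q-statistic) with an empirical 99% control limit; diagnosis attributes that residual to individual variables and to the source they belong to. The Q-statistic, its empirical limit and the squared-residual contributions are assumptions borrowed from standard PCA-based multivariate statistical process control, not statements from the slides, and all variable and source names are hypothetical.

```python
"""Toy MSNM-style monitor: PCA normality model, Q-statistic detection and
per-variable / per-source diagnosis.  Added example, not the authors' code.
The Q-statistic, its empirical control limit and the squared-residual
contributions are assumptions taken from standard PCA-based multivariate
statistical process control; the slides only state that a normality model
answers "when" (detection) and "in which source" (diagnosis)."""
import numpy as np

# Constructed feature layout: three information sources, four counters each.
# Names are hypothetical; the slides mention NetFlow and SIEM rules as sources.
SOURCES = {
    "netflow": ["smtp_conn", "smtp_short_conn", "dns_queries", "bytes_out"],
    "ids":     ["ids_alerts", "ids_scan_sigs", "ids_mail_sigs", "ids_other"],
    "siem":    ["siem_rule_a", "siem_rule_b", "siem_rule_c", "siem_rule_d"],
}
VARS = [v for vs in SOURCES.values() for v in vs]
# Fixed (constructed) weights linking each source's latent level to its counters.
WEIGHTS = np.array([[0.8, 1.2, 1.0, 0.6],
                    [1.1, 0.7, 0.9, 1.3],
                    [0.9, 1.0, 1.4, 0.5]])


def make_traffic(n=500, seed=0):
    """Constructed 'normal' traffic windows: each source's four counters follow
    one latent activity level plus noise, so 12 variables ~ 3 latent variables
    (the Motivation - II point)."""
    rng = np.random.default_rng(seed)
    latent = rng.normal(size=(n, len(SOURCES)))
    blocks = [latent[:, [s]] * WEIGHTS[s] + 0.3 * rng.normal(size=(n, 4))
              for s in range(len(SOURCES))]
    return np.hstack(blocks) + 10.0   # shift so the counters look like counts


class MSNMModel:
    """Normality model: autoscale with calibration statistics, keep n_comp
    principal components, and set a control limit on the residual."""

    def __init__(self, x_cal, n_comp=3, alpha=0.99):
        self.mean = x_cal.mean(axis=0)
        self.std = x_cal.std(axis=0, ddof=1)
        z = self._scale(x_cal)
        _, _, vt = np.linalg.svd(z, full_matrices=False)
        self.loadings = vt[:n_comp].T                    # M x A loading matrix P
        q_cal = np.array([self.q_stat(row) for row in x_cal])
        self.q_limit = float(np.quantile(q_cal, alpha))  # empirical limit (assumption)

    def _scale(self, x):
        return (np.asarray(x, dtype=float) - self.mean) / self.std

    def residual(self, x):
        """Part of the observation the latent subspace cannot explain."""
        z = self._scale(x)
        return z - self.loadings @ (self.loadings.T @ z)

    def q_stat(self, x):
        e = self.residual(x)
        return float(e @ e)

    def detect(self, x):
        """Detection: answers *when* an anomaly takes place."""
        return self.q_stat(x) > self.q_limit

    def diagnose(self, x):
        """Diagnosis: answers *in which source* (and variable) it shows up."""
        per_var = dict(zip(VARS, (self.residual(x) ** 2).tolist()))
        per_src = {s: sum(per_var[v] for v in vs) for s, vs in SOURCES.items()}
        return (max(per_var, key=per_var.get),
                max(per_src, key=per_src.get), per_src)


def demo():
    x_cal = make_traffic()
    model = MSNMModel(x_cal)
    # Constructed anomalous window: a burst of short SMTP connections, the
    # pattern the Results - III slide names as the diagnosed cause.
    j = VARS.index("smtp_short_conn")
    burst = model.mean.copy()
    burst[j] += 10 * model.std[j]
    top_var, top_src, _ = model.diagnose(burst)
    fresh = make_traffic(n=200, seed=1)       # new normal windows, same process
    false_rate = float(np.mean([model.detect(row) for row in fresh]))
    return {"anomaly_flagged": model.detect(burst), "top_var": top_var,
            "top_src": top_src, "false_alarm_rate": false_rate,
            "baseline_flagged": model.detect(model.mean)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The burst lands almost entirely in the residual because a single counter jumping while its three sibling counters stay put is exactly what the three-latent-variable model cannot explain; its squared residual is far above the 99% limit, while windows generated by the same normal process exceed the limit at roughly the 1% rate the limit was set for. The per-source sum is what a SIEM operator would look at first, then the per-variable split points at which logs to pull, which is the manual step the MSNM - V slide describes.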
MSNM - V

Logs with detailed info of the anomaly are manually identified from the information provided by MSNM.
Case Study - I

Case Study - II

Synthetic attacks: DoS, scan, exfiltration (3 types)
Case Study - III

Features (138, no fusion)

Case Study - V

One-class SVM

B. Schölkopf, A. J. Smola, R. C. Williamson, and P. L. Bartlett, "New Support Vector Algorithms", Neural Computation, vol. 12, no. 5, pp. 1207-1245, 2000.
B. Schölkopf, J. C. Platt, J. Shawe-Taylor, A. J. Smola, and R. C. Williamson, "Estimating the Support of a High-Dimensional Distribution", Neural Computation, vol. 13, no. 7, pp. 1443-1471, 2001.
Results - I

Synthetic attacks

Results - II

Real attacks: detection scores
[Figure legend: 20 top detections; Top & Synth.; Least agreement]

Results - III

Real attacks: diagnosis
Many SMTP short connections
Advantage over ML
Diagnosis is useful, but too complicated!

Results - IV

Real attacks: de-parsing example
[Figure: "Normal" versus "SPAM campaign" log examples]
Results - V

Conclusion - I

MSNM ~ OCSVM in detection.
Good detection performance when including real attacks.
MSNM has diagnosis support, which reduces the time from detection to response.
Unlike other methods, MSNM takes advantage of a large number of features, which improves diagnosis.

Future work: other sources (host), dynamic features, MSNM-SIEM, privacy & scalability.
This work is partly supported by the Spanish Ministry of Economy and Competitiveness and FEDER funds through project TIN2014-60346-R.