Title: Network-based mimicry anomaly detection using divergence measures
Authors: S. Pukkawanna, Y. Kadobayashi, S. Yamaguchi
DOI: 10.1109/ISNCC.2015.7238570 (https://doi.org/10.1109/ISNCC.2015.7238570)
Venue: 2015 International Symposium on Networks, Computers and Communications (ISNCC)
Publication date: 2015-05-13
Citations: 5
Abstract
To evade detection by network-based anomaly detectors, sophisticated attackers try to make their malicious traffic resemble legitimate traffic by running attacks over ports that are used on a daily basis (e.g., port 80 for HTTP). Such mimicry traffic is liable to be overlooked by detectors. In this paper, we propose a Kullback-Leibler (KL) divergence-based method for detecting anomalous traffic that mimics legitimate traffic. Our method first observes the port pair distribution of traffic flows, a novel statistical traffic feature proposed in this work. Second, it computes the KL divergence between the port pair distributions of the current and previous time intervals. Our method begins searching for anomalous flows when the KL divergence deviates beyond a specified threshold. We tested the performance of our method on traffic that mixed four synthetic mimicry anomalies with real-world backbone traffic. The results indicate that our method precisely detected all synthetic anomalies. Furthermore, our method additionally revealed six real-world anomalies that were hidden in the backbone traffic used for testing.