Classification of Internet Traffic
Alok Shriram
  1. Need for Classification
  • Classification is required
    – To isolate traffic of interest
    – To treat special types of traffic in a different manner
  • Some types of classification have already been seen in AI learning systems
  • Some types of classification have been seen in data mining

  Three Techniques
  • Identification of Repeated Attacks Using Network Traffic Forensics
  • A Framework for Classifying Denial of Service Attacks (single or multiple source attacks)
  • Class of Service Mapping for QoS

  Identification of Repeated Attacks Using Network Traffic Forensics
  • Goal: identify repeated attacks
  • Forensic evidence is used to investigate and establish facts
  • The attacker's punishment depends on intent

  Objective
  • Build an attack fingerprinting system
    – Figure out whether an attack has occurred previously
    – A fingerprint is any characteristic feature of an attack which can uniquely identify it
  • Make the creation of fingerprints automatic
  • Automatic matching system

  Methodology in a Nutshell
  • Given an attack scenario, filter out the attack traffic
  • Create the attack fingerprint
  • Compare the attack to previously fingerprinted attacks
  • Identify repeated attacks

  2. Creating Attack Fingerprint (1)
  • Convert the packet trace into a time series
  • Consider an interval of time p
    – Count packet arrivals in [t, t + p)
  • A T second trace gives T/p samples
  • The maximum resolvable frequency is 1/(2p) Hz (Nyquist)
  • Use p = 1 ms (so frequencies up to 500 Hz) and an attack segment length of 2 s

  Creating Attack Fingerprint (2)
  • Thus we have a time series x(t)
  • Compute the autocorrelation function (ACF) of the time series
  • Compute the ACF for different lags L to get r_k(L)
  • Compute the FFT of r_k(L)
    – Periodicity shows up as a dominant frequency

  Creating the Fingerprint (3)
  • Ideally an exact match would use the complete spectrum
  • However, that
    – Adds complexity
    – Needs more samples
  • Thus we keep only the twenty dominant frequencies of each segment

  Creating the Fingerprints (Finally)
  • F_a consists of all segment fingerprints X_k
  • F_a is a 20 by 200 matrix (20 frequencies per segment, 200 segments)
  • Use F_a to compute a digest
    – M_a = mean of the X_k, a vector of size 20
    – C_a = covariance of the X_k, a 20 by 20 matrix
  • Require N_a / dim(X_k) >= 10, i.e. at least ten segments per fingerprint dimension; with 20 dimensions this gives N_a = 200

  3. Comparing Fingerprints (1)
  • Use a comparator to measure similarity
  • Bayes maximum-likelihood (ML) classifier
    – Assumptions
      • Spectral profiles are normally distributed around the dominant frequency
      • Each scenario is equally likely (equal priors)
      • Attacks are independent

  Comparing Fingerprints (2)
  • For each attack we only need enough information to compare each segment against the signature
  • Quantify the separation between the current attack and the stored signatures

  Analyzing the Results
  • A low 5% quantile of the comparison score (CA) indicates that at least 5% of the segments match the signature very accurately
  • A small 95%-5% range indicates precision

  Experimental Results (1)
  (results figure)
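The fingerprinting pipeline of the last two slide groups (1 ms time series, ACF, FFT of the ACF, dominant frequencies, per-attack digest, Bayes ML matching), written out as an added example in pure Python. This is illustration code, not the authors' implementation: the packet traces are constructed synthetic periodic floods, the fingerprint keeps K = 4 frequencies instead of 20 so it stays readable, C_a is reduced to a per-feature variance (diagonal covariance) with an assumed 1 Hz^2 floor, and segments are 2048 bins (about 2 s) so a radix-2 FFT applies.

```python
import cmath
import math
import random

P = 0.001   # bin width p = 1 ms, as on the slides
N = 2048    # samples per segment (about 2 s; a power of two for the FFT)
K = 4       # dominant frequencies kept per segment (the slides keep 20)


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def ifft(X):
    n = len(X)
    return [v.conjugate() / n for v in fft([u.conjugate() for u in X])]


def time_series(timestamps, start):
    """Packet arrivals counted per bin [start + i*P, start + (i+1)*P)."""
    counts = [0] * N
    for t in timestamps:
        i = math.floor((t - start) / P)
        if 0 <= i < N:
            counts[i] += 1
    return counts


def acf(counts):
    """Autocorrelation r(L) for lags L = 0..N-1, via Wiener-Khinchin on the
    mean-removed, zero-padded series (linear, not circular, correlation)."""
    mean = sum(counts) / N
    x = [c - mean for c in counts] + [0.0] * N
    power = [abs(v) ** 2 for v in fft(x)]
    return [v.real / N for v in ifft(power)[:N]]


def spectrum(counts):
    """(frequency in Hz, magnitude) of the FFT of the ACF, positive bins only."""
    R = fft(acf(counts))
    return [(k / (N * P), abs(R[k])) for k in range(1, N // 2)]


def dominant_frequency(counts):
    return max(spectrum(counts), key=lambda fm: fm[1])[0]


def segment_fingerprint(counts):
    """X_k: the K strongest frequencies of one segment, sorted ascending."""
    top = sorted(spectrum(counts), key=lambda fm: fm[1], reverse=True)[:K]
    return sorted(f for f, _ in top)


def digest(segments):
    """(M_a, C_a) for one attack: per-feature mean and variance over its
    segments. Diagonal C_a and the 1 Hz^2 floor are simplifications."""
    fps = [segment_fingerprint(s) for s in segments]
    cols = list(zip(*fps))
    m = [sum(c) / len(fps) for c in cols]
    v = [max(sum((x - mi) ** 2 for x in c) / len(fps), 1.0) for c, mi in zip(cols, m)]
    return m, v


def log_likelihood(fp, dig):
    m, v = dig
    return -0.5 * sum((x - mi) ** 2 / vi + math.log(2 * math.pi * vi)
                      for x, mi, vi in zip(fp, m, v))


def match(counts, digests):
    """Bayes ML comparator: equal priors and independent attacks, so the best
    match is the attack whose digest gives the highest likelihood."""
    fp = segment_fingerprint(counts)
    return max(digests, key=lambda name: log_likelihood(fp, digests[name]))


def synthetic_attack(period, n_segments, rng, jitter=0.0005):
    """Constructed flood: one packet every `period` s with Gaussian timing
    jitter, cut into segments of N bins. Returns a list of time series."""
    segs = []
    for s in range(n_segments):
        start = s * N * P
        stamps = [start + i * period + rng.gauss(0, jitter)
                  for i in range(int(N * P / period))]
        segs.append(time_series(stamps, start))
    return segs


def demo(seed=7):
    """Digests from six constructed segments per attack, plus two fresh
    segments of each to match. Returns (digests, probes)."""
    rng = random.Random(seed)
    digests = {"A": digest(synthetic_attack(0.004, 6, rng)),    # 250 Hz flood
               "B": digest(synthetic_attack(0.010, 6, rng))}    # 100 Hz flood
    probes = {"A": synthetic_attack(0.004, 2, rng), "B": synthetic_attack(0.010, 2, rng)}
    return digests, probes


if __name__ == "__main__":
    digests, probes = demo()
    for truth, segs in probes.items():
        for s in segs:
            print(truth, "dominant %.1f Hz ->" % dominant_frequency(s), match(s, digests))
```

The ACF is estimated through the FFT rather than by a direct O(N^2) lag loop, and the ACF is then transformed again exactly as the slides describe, so the periodic flood shows up as a peak at its packet rate (250 Hz and 100 Hz here) and the digest separates the two attacks even though the training and probe segments carry independent jitter.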

  4. Experiments and Results (2)
  (results figure)

  A Framework for Classifying Denial of Service Attacks
  • Denial of service attacks are of two types
    – Single source
    – Multiple source
  • Identifying the number of sources helps choose mitigation strategies

  Objective
  • Develop a framework to classify attacks as single or multiple source using
    – Packet header content
    – Ramp-up behavior
    – Spectral characteristics of the attack traffic
  • Spectral content cannot be spoofed
  • Could be used in DoS detection and response systems

  Two Types of Attacks
  • Software attacks
  • Flooding attacks
    – Single source
    – Multiple source
    – Reflector attacks

  Classifying Attacks
  • Three methods are used for classification
    – Header content
    – Ramp-up behavior
    – Spectral characteristics

  Header Content
  • Use the IP fragment ID field and the TTL field
    – A single host produces one monotonically increasing ID sequence
    – Multiple hosts produce many ID sequences
  • Two sequences are considered distinct if they have an ID gap > 16
  • The ID gap tolerates moderate packet reordering

  5. Ramp-up Behavior
  • A single source does not exhibit ramp-up behaviour
  • Multiple sources (a large number of attacking hosts)
    – Exhibit ramp-up behavior
    – Clock and RTT skews between the sources cause a gradual buildup of the aggregate rate
    – By observing the ramp-up we can estimate the number of sources

  Experiments: Packet Header Analysis
  (figure)

  Spectral Analysis
  • Spectral analysis as described on the previous slides (ACF, then FFT of the ACF)

  Experiments: Ramp-Up Behavior
  (figure)

  Experiments: Arrival Rate Analysis
  (figure)
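Two of the three cues from this framework, header content (IP ID and TTL sequences with the > 16 gap rule) and ramp-up behaviour, as an added example that is not the authors' code. The packet traces are constructed here: one host with a wrapping ID counter and mild reordering, and five staggered zombies. The minimum sequence length, the 100 ms windows and the "first window below half the steady rate" ramp-up threshold are assumptions for the demo, not values from the paper.

```python
import random

ID_GAP = 16         # slides: a new sequence starts when the ID gap exceeds 16
ID_SPACE = 1 << 16  # the IP ID field is 16 bits wide, so counters wrap


def id_sequences(packets, gap=ID_GAP):
    """Group packets into monotonically increasing IP ID sequences.
    packets: iterable of (time, ip_id, ttl). A packet joins a sequence with the
    same TTL whose last ID is within `gap` of it (forward, or backward for a
    mildly reordered packet; both mod 2^16); otherwise it starts a new one.
    Sources sharing a TTL and overlapping ID ranges would merge: a limitation
    of the header-content method itself."""
    seqs = []
    for _, ip_id, ttl in sorted(packets):
        for s in seqs:
            if s["ttl"] != ttl:
                continue
            forward = (ip_id - s["last"]) % ID_SPACE
            backward = (s["last"] - ip_id) % ID_SPACE
            if forward <= gap or backward <= gap:
                s["ids"].append(ip_id)
                if forward <= gap:          # only advance on a forward step
                    s["last"] = ip_id
                break
        else:
            seqs.append({"ttl": ttl, "last": ip_id, "ids": [ip_id]})
    return seqs


def classify_by_header(packets, min_len=3):
    """'single' if every packet falls into one ID sequence, else 'multiple'.
    Sequences shorter than min_len (assumed threshold) are ignored as noise."""
    seqs = [s for s in id_sequences(packets) if len(s["ids"]) >= min_len]
    return ("single" if len(seqs) == 1 else "multiple"), len(seqs)


def rate_profile(timestamps, window=0.1, n_windows=10):
    """Packets per second in consecutive windows starting at the first packet."""
    t0 = min(timestamps)
    counts = [0] * n_windows
    for t in timestamps:
        i = int((t - t0) / window)
        if i < n_windows:
            counts[i] += 1
    return [c / window for c in counts]


def has_ramp_up(timestamps, window=0.1, n_windows=10, frac=0.5):
    """Ramp-up if the first window's rate is below `frac` of the steady rate,
    taken as the median of the second half of the profile (assumed rule)."""
    prof = rate_profile(timestamps, window, n_windows)
    later = sorted(prof[n_windows // 2:])
    return prof[0] < frac * later[len(later) // 2]


def classify_attack(packets):
    verdict, n_seq = classify_by_header(packets)
    return {"header": verdict, "id_sequences": n_seq,
            "ramp_up": has_ramp_up([p[0] for p in packets])}


def single_source(rng, rate=1000, duration=1.0, ttl=57, start_id=65000):
    """Constructed trace: one host, one TTL, IDs +1 per packet (wrapping past
    65535), full rate from the start, up to 3 ms of reordering jitter."""
    return [(i / rate + rng.uniform(0, 0.003), (start_id + i) % ID_SPACE, ttl)
            for i in range(int(rate * duration))]


def multi_source(rng, n_hosts=5, rate=200, duration=1.0, stagger=0.08):
    """Constructed trace: n_hosts zombies, each with its own ID counter and
    TTL, joining `stagger` s apart (clock/RTT skew), so the aggregate rate
    builds up gradually."""
    pkts = []
    for h in range(n_hosts):
        t_start, ttl, base = h * stagger, 50 + 3 * h, rng.randrange(ID_SPACE)
        pkts += [(t_start + i / rate + rng.uniform(0, 0.002), (base + i) % ID_SPACE, ttl)
                 for i in range(int(rate * (duration - t_start)))]
    return pkts


def demo(seed=1):
    rng = random.Random(seed)
    return single_source(rng), multi_source(rng)


if __name__ == "__main__":
    single, multi = demo()
    print("single-source trace:", classify_attack(single))
    print("multi-source trace: ", classify_attack(multi))
```

On the single-host trace the reordered packets still land inside the 16-ID gap, so one sequence survives the counter wrap and the rate is flat from the first window; on the five-zombie trace each host's distinct TTL and ID counter yields its own sequence, and the staggered start shows up as a first-window rate well below the steady state.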

  6. Experiments: Spectral Content Analysis
  (figure)

  Experiment: Explanation
  • Single-source attacks: dominant high frequencies
  • Multi-source attacks: dominant low frequencies
  • How do two sources combine to form a lower frequency?

  Class of Service Mapping for QoS
  • Support different applications
  • With different quality demands
  • The concept has been around for some time
    – What ails QoS? The ability to identify types of traffic

  Objective
  • Develop a signature based classification framework
  • The Class of Service to traffic mapping problem
  • How to choose statistics that accurately represent traffic behavior

  Traffic Classification (In the Dark Ages)
  • Based on port numbers
  • These techniques had several limitations
    – More than one application using the same port
    – P2P does not use any standardized ports
    – Some applications tunnel through other applications' ports
    – Different ports are used to circumvent control

  7. Implementing CoS Mapping
  • Three stage process
    – Statistics collection
    – Classification
    – Rule creation

  Statistics Collection
  • Place monitors and collect network statistics
  • Need to collect aggregate statistics
  • Form a vector of statistics per aggregate
  • Ideally the statistics should be updatable recursively or in an online manner
  (figure: instance of a recursive classification)

  Classification
  • Now we have a collection of statistics indexed by aggregate
  • Use a classification algorithm to classify the traffic
  • This classification can have a direct quality mapping

  What type of traffic can there be?
  • Interactive -> real-time interaction
  • Streaming -> multimedia with real-time constraints
  • Bulk data transfers -> large volumes of data over the Internet
  • Transactional -> small volumes of traffic

  What statistics can we collect
  • Packet level features
    – Mean packet size
    – RMS packet size
  • Flow summaries
    – Mean flow duration
    – Mean data volume

  8. What statistics can we collect (continued)
  • Connection level
    – Track connection level characteristics
    – Symmetry of the connection
    – Advertised window size
  • Intra-flow
    – Inter-arrival time (IAT) between packets
  • Multi-flow
    – Features across different flows

  Classification Methods
  • Two methods of classification
    – Linear Discriminant Analysis (LDA)
    – Nearest Neighbor (NN)
  • Given k classes, m features and n training data points
    – Can we classify traffic into characteristic types?

  Simple Classification Results
  (figure)

  Streaming vs. Data
  (figure)

  Temporal Difference
  (figure)

  What does this have to do with NIDS?
  • If we can classify traffic as DoS-type traffic
  • Provide a QoS of zero to it
    – Basically this means denying service to that traffic
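The three CoS mapping stages from the preceding slides, as an added example that is not the authors' code: online (recursive) collection of packet-level and flow-summary statistics per aggregate, then classification into the four traffic types with the two methods named above, nearest neighbour and LDA. The twelve labelled training flows, the three probe packet streams and the class-to-CoS table are constructed for the demo, and the LDA here is the diagonal form (pooled per-feature variance instead of the full shared covariance matrix); duration and volume are log-scaled so the byte count does not swamp the distance.

```python
import math

CLASS_TO_COS = {  # assumed mapping from traffic class to class of service
    "interactive": "low latency",
    "transactional": "low latency",
    "streaming": "bounded delay and jitter",
    "bulk": "best effort, high throughput",
}


class AggregateStats:
    """Running statistics for one traffic aggregate (a flow, a prefix, ...),
    updated packet by packet so collection can run online."""

    def __init__(self):
        self.n = self.total = self.total_sq = 0
        self.first = self.last = None

    def update(self, t, size):
        self.n += 1
        self.total += size
        self.total_sq += size * size
        self.first = t if self.first is None else self.first
        self.last = t

    def vector(self):
        """(mean packet size, RMS packet size, flow duration, data volume)."""
        return (self.total / self.n, math.sqrt(self.total_sq / self.n),
                self.last - self.first, self.total)


# Constructed training flows: (mean size B, RMS size B, duration s, bytes).
TRAINING = [
    ("interactive", (72, 96, 420, 31000)), ("interactive", (88, 130, 1800, 150000)),
    ("interactive", (66, 84, 95, 9000)),
    ("streaming", (1040, 1100, 300, 39e6)), ("streaming", (1180, 1220, 1400, 210e6)),
    ("streaming", (980, 1010, 120, 14e6)),
    ("bulk", (1420, 1440, 45, 64e6)), ("bulk", (1380, 1410, 300, 410e6)),
    ("bulk", (1460, 1470, 12, 17e6)),
    ("transactional", (310, 420, 0.4, 4200)), ("transactional", (260, 350, 0.9, 6100)),
    ("transactional", (480, 560, 1.2, 12000)),
]


def featurize(vec):
    mean, rms, dur, vol = vec
    return [mean, rms, math.log10(dur), math.log10(vol)]


def _mean(xs):
    return sum(xs) / len(xs)


def fit(training):
    """Global mean/std per feature (for z-scoring), the z-scored training set,
    per-class means and the pooled within-class variance per feature."""
    feats = [(label, featurize(v)) for label, v in training]
    cols = list(zip(*[f for _, f in feats]))
    mu = [_mean(c) for c in cols]
    sd = [math.sqrt(_mean([(x - m) ** 2 for x in c])) or 1.0 for c, m in zip(cols, mu)]
    z = [(label, [(x - m) / s for x, m, s in zip(f, mu, sd)]) for label, f in feats]
    classes = sorted({label for label, _ in z})
    means, pooled = {}, [0.0] * len(mu)
    for c in classes:
        rows = [f for label, f in z if label == c]
        means[c] = [_mean(col) for col in zip(*rows)]
        for j, col in enumerate(zip(*rows)):
            pooled[j] += _mean([(x - means[c][j]) ** 2 for x in col]) / len(classes)
    return {"mu": mu, "sd": sd, "z": z, "means": means, "var": pooled}


def _z(model, vec):
    return [(x - m) / s for x, m, s in zip(featurize(vec), model["mu"], model["sd"])]


def nearest_neighbour(model, vec, k=3):
    """k-NN: majority label among the k closest z-scored training flows."""
    q = _z(model, vec)
    votes = {}
    for _, label in sorted((math.dist(q, f), label) for label, f in model["z"])[:k]:
        votes[label] = votes.get(label, 0) + 1
    return max(votes, key=votes.get)


def lda(model, vec):
    """Diagonal LDA with equal priors: the class whose mean is closest in
    pooled-variance Mahalanobis distance."""
    q = _z(model, vec)
    return min(model["means"], key=lambda c: sum(
        (x - m) ** 2 / v for x, m, v in zip(q, model["means"][c], model["var"])))


def class_of_service(model, stats):
    label = lda(model, stats.vector())
    return label, CLASS_TO_COS[label]


def demo_probes():
    """Three constructed packet streams fed through AggregateStats."""
    ssh = AggregateStats()                       # small packets, long lived
    for i in range(200):
        ssh.update(i * 0.5, 60 + (i % 5) * 8)
    download = AggregateStats()                  # MTU-sized packets, heavy
    for i in range(4000):
        download.update(i * 0.005, 1448)
    web = AggregateStats()                       # a few packets, sub-second
    for i, size in enumerate((120, 1200, 80, 900, 60, 70)):
        web.update(i * 0.06, size)
    return {"ssh": ssh, "download": download, "web": web}


if __name__ == "__main__":
    model = fit(TRAINING)
    for name, stats in demo_probes().items():
        print(name, stats.vector(), nearest_neighbour(model, stats.vector()),
              class_of_service(model, stats))
```

The statistics object keeps only sums, counts and two timestamps, so a monitor can update it per packet without storing the flow, which is what the "recursive or online" requirement on the collection stage asks for; the classifier then maps each aggregate's vector to a traffic type and from there to a class of service.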

  9. The END
