Servicios Personalizados
Revista
Articulo
Indicadores
- Citado por SciELO
- Accesos
Links relacionados
- Similares en SciELO
Compartir
Journal of applied research and technology
versión On-line ISSN 2448-6736versión impresa ISSN 1665-6423
J. appl. res. technol vol.8 no.2 Ciudad de México ago. 2010
An Architecture for Intrusion Detection Based on an Extension of the Method of Remaining Elements
P. VelardeAlvarado*1, C. VargasRosales 2, D. TorresRoman 3, A. MartinezHerrera 2
1 Universidad Autónoma de Nayarit, Ciudad de la Cultura Amado Nervo Tepic, Nayarit. Mexico *Email: pvelarde@nayar.uan.mx
2 Department of Electrical and Computer Engineering, ITESMMonterrey Eugenio Garza Sada 2501 Sur, Monterrey, Nuevo Leon. Mexico.
3 Center for Investigation and Advanced Studies (CINVESTAVIPN), Av. Cientifica 1145, C.P. 44019, Zapopan, Jalisco, Mexico.
ABSTRACT
This paper introduces an Anomalybased Intrusion Detection architecture based on behavioral traffic profiles created by using our enhanced version of the Method of Remaining Elements (MRE). This enhanced version includes: a redefinition of the exposure threshold through the entropy and cardinality of residual sequences, a dual characterization for two types of traffic slots, the introduction of the Anomaly Level Exposure (ALE) that gives a better quantification of anomalies for a given traffic slot and rfeature, an alternative support that extends its detection capabilities, and a new procedure to obtain the exposure threshold through an analysis of outliers on the training dataset. Regarding the original MRE, we incorporate the refinements outlined resulting in a reliable method, which gives an improved sensitivity to the detection of a broader range of attacks. The experiments were conducted on the MITDARPA dataset and also on an academic LAN by implementing real attacks. The results show that the proposed architecture is effective in early detection of intrusions, as well as some kind of attacks designed to bypass detection measures.
Keywords: Anomalybased Intrusion Detection, Method of Remaining Elements (MRE), traffic profiling, entropy.
RESUMEN
Este artículo presenta una arquitectura para la detección de intrusiones basado en anomalías cuya base referencial son perfiles de comportamiento del tráfico creados con nuestra versión mejorada del Método de los Elementos Remanentes (MRE). Esta versión de MRE incluye lo siguiente: una redefinición del umbral de exposición a través de la entropía y remanencia de las secuencias residuales, una caracterización simultanea para dos tipos de ranura de tráfico, la introducción del nivel de exposición de anomalías (ALE) brinda una mejor cuantificación de las anomalías para un rasgo y ranura de tráfico determinado, un soporte alternativo que extiende las capacidades de detección, y un nuevo procedimiento para obtener el umbral de exposición a través de un análisis de valores atípicos del conjunto de datos de entrenamiento. La incorporación de las mejoras señaladas proporciona un método confiable con mayor sensibilidad en la detección de un rango más amplio de ataques. Los experimentos se realizaron empleando la traza de red MITDARPA y en una LAN académica usando ataques reales. Los resultados muestran que la arquitectura propuesta es efectiva en la detección temprana de intrusiones, así como de algunos ataques diseñados para evadir la detección.
DESCARGAR ARTÍCULO EN FORMATO PDF
References
[I] FLUKE NETWORKS. Security ROI A financial view of network security. Application Note. 2005 [ Links ]
[2] CounterStorm. White paper. Targeted Attack Technical Brief http://www.counterstorm.com/ [ Links ]
[3] 2008 CSI Computer Crime and Security Survey; http://www.gocsi.com/ [ Links ]
[4] Sana Security. http://www.sanasecurity.com/support/enterprise/pr/faq.php [ Links ]
[5] Nucci A., and Bannerman S., Controlled Chaos. IEEE Spectrum. Vol.44. No.12. Dec. 2007, pp. 4248. [ Links ]
[6] Vacca J. R., Computer and Information Security Handbook. The Morgan Kaufmann Series in Computer Security by Elsevier Inc., 2009, pp. 4142, 64 [ Links ]
[7] Xu K., Zhang Z., and Bhattacharyya S., Internet Traffic Behavior Profiling for Network Security Monitoring, Transactions on Networking, IEEE/ACM . Vol. 16, No. 6, Dec. 2008, pp. 1241 1252. [ Links ]
[8] Ziviani A., Gomes A., and Monsores M., Network Anomaly Detection Using Nonextensive Entropy, IEEE Communications Letters, IEEE. Vol. 11, No.12, Dec. 2007, pp. 10341036. [ Links ]
[9] Wagner A., and Plattner B., Entropy Based Worm and Anomaly Detection in Fast IP Networks, Proc. of the 14th IEEE International WorksShop on Enabling Tech.: Infrastructure for Collaborative Enterprise, 2005, pp. 172 177, Linköping, Sweden, June. [ Links ]
[10] Lee W., and Xiang D, Informationtheoretic Measures for Anomaly Detection, In Proc. of IEEE Symposium on Security and Privacy, 2001, pp. 130143, Oakland, CA, USA, May. [ Links ]
[11] VelardeAlvarado P., VargasRosales C., TorresRomán D., and MuñozRodríguez D., Entropy Based Analysis of Worm Attacks in a Local Network, Research in Computing Science, Vol. 34. May 2008, pp. 225235. [ Links ]
[12] VelardeAlvarado P., VargasRosales C., TorresRomán D., and MartinezHerrera A, EntropyBased Profiles for Intrusion Detection in LAN Traffic, Advances in Artificial Intelligence: Algorithms and Applications, Research in Computing Science, Vol. 40, 2008, pp. 119-130. [ Links ]
[13] Nychis G., Sekas V., Andersen D., Kim H., and Zhhang H., An Empirical Evaluation of Entropybased Traffic Anomaly Detection. Internet Measurement Conference, ACMSIGCOMM, 2008, pp. 151156, Vouliagmeni, Greece, October. [ Links ]
[14] VelardeAlvarado P., VargasRosales C., TorresRoman D., and MartinezHerrera A, Detecting Anomalies in Network Traffic Using the Method of Remaining Elements. IEEE Communications Letters, Vol.13, No.6, June 2009, pp. 462464 [ Links ]
[15] Wang Y. Statistical Techniques for Network Security: Modern StatisticallyBased Intrusion Detection and Protection .Igi Global. 2009, pp. 70 [ Links ]
[16] ] Jajodia S., Intrusion Detection Systems, Advances in Information Security. Springer Science+Business Media, LLC., 2008. [ Links ]
[17] Roesch M., Snort Lightweight Intrusion Detection for Networks. In: LISA '99: Proc., 13th USENIX Conference on System Administration, 1999, pp. 229-238 [ Links ]
[18] Wang K., and Stolfo S., Anomalous PayloadBased Network Intrusion Detection, in Recent Advances in Intrusion Detection, Springer Editors, 2004, pp. 203222. [ Links ]
[19] Bonachela J. A., Hinrichsen H., and Muñoz M. A., Entropy Estimates of Small Data Sets, Journal of Physics A: Mathematical and Theoretical. No. 41. April, 2008. [ Links ]
[20] Conway J. H., and Guy R. K., The Book of Numbers, New York: SpringerVerlag, 1996, pp. 143 and 258262. [ Links ]
[21] Tukey J.W., Exploratory Data Analysis, AddisonWesley Series in Behavioral Science, 1977. [ Links ]
[22] Jacobson V., Leres C., and McCanne S., Tcpdump/libpcap. http://www.tcpdump.org/ [ Links ]
[23] Peppo A., plab. Tool for traffic traces. http://www.grid.unina.it/software/Plab/ [ Links ]
[24] Trac Project. Libtrace. http://www.wand.net.nz/trac/libtrace [ Links ]
[25] Kohler E., ipsumdump. Traffic tool. http://www.cs.ucla.edu/~kohler/ipsumdump [ Links ]
[26] Lincoln Laboratory, MIT. DARPA Intrusion Detection Data. [ Links ]