Detecting Unknown Network Attacks using Language Models
Konrad Rieck and Pavel Laskov
DIMVA 2006, July 13/14
Berlin, Germany
The zero-day problem
‣ How to distinguish normal from unknown?
GET /scripts/..%%35c../..%%35c../..%%35c../..%%35c %%35c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Host: www
Connection: close
‣ Cast intrusion detection as a linguistic problem
‣ Apply machine learning methods
GET /dimva06/john/martin.html
Accept: */*
Accept-Language: en
Host: www
Connection: keep-alive
N-gram models
Connection payload: get▯/index.html
Bytes: g e t ▯ / i n ⋯
2-grams: ge et t▯ ▯/ /i in nd ⋯
3-grams: get et▯ t▯/ ▯/i ind nde /in ⋯
n-grams ⋯
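As a sketch of this construction, byte n-grams and their relative frequencies can be extracted with a sliding window (illustrative Python; function names are mine, not the authors' implementation):

```python
from collections import Counter

def ngram_freqs(payload: bytes, n: int) -> Counter:
    """Relative frequencies of all byte n-grams in a connection payload."""
    grams = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    total = sum(grams.values())
    return Counter({g: c / total for g, c in grams.items()})

freqs = ngram_freqs(b"get /index.html", 2)  # 2-grams: b"ge", b"et", b"t ", ...
```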
N-grams in attacks
[Figure: comparison of the Nimda IIS attack and normal HTTP traffic; y-axis: frequency difference of 4-grams, roughly −0.02 to 0.05]
GET /scripts/..%%35c../..%%35c../..%%35c../..%%35c %%35c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Frequency differences to 4-grams in normal HTTP: attack-specific 4-grams such as %%35, 35c., 5c.. and c../ are over-represented, while normal 4-grams such as Acce and cept are under-represented.
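The frequency differences shown above can be reproduced in spirit by subtracting n-gram frequency maps (hypothetical sketch; the payloads below are abbreviated stand-ins, not the evaluation data):

```python
from collections import Counter

def ngram_freqs(payload: bytes, n: int = 4) -> Counter:
    """Relative frequencies of byte n-grams in a payload."""
    grams = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    total = sum(grams.values())
    return Counter({g: c / total for g, c in grams.items()})

attack = b"GET /scripts/..%%35c../..%%35c../winnt/system32/cmd.exe HTTP/1.0"
normal = b"GET /dimva06/john/martin.html HTTP/1.0"
fa, fn = ngram_freqs(attack), ngram_freqs(normal)
diff = {g: fa[g] - fn[g] for g in fa.keys() | fn.keys()}
# attack-typical 4-grams such as b"%%35" receive a positive difference
```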
Geometric representation
‣ A simple example
[Figure: two 3-D scatter plots over the 4-gram dimensions Acce, GET▯ and %%35, labelled "HTTP pipelining" and "Similarity of connections"]
‣ Huge feature space
‣ 256^n dimensions
‣ Geometric representation of connections
Similarity measures
‣ Distances, kernel functions, ... e.g.
‣ Minkowski: $d_k(x, y) = \sqrt[k]{\sum_{w \in L} |\phi_w(x) - \phi_w(y)|^k}$
‣ Manhattan: $d(x, y) = \sum_{w \in L} |\phi_w(x) - \phi_w(y)|$
‣ Efficient computation not trivial
‣ Sparse representation of n-gram frequencies
‣ Linear-time algorithms (cf. DIMVA 2006 paper)
with $x, y \in \{0, \ldots, 255\}^*$, $L = \{0, \ldots, 255\}^n$ and $\phi_w(x)$ = frequency of $w$ in sequence $x$
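With a sparse representation, the Manhattan distance needs only one pass over the non-zero entries of both connections, which is the idea behind the linear-time algorithms (minimal sketch, not the paper's implementation):

```python
def manhattan(phi_x: dict, phi_y: dict) -> float:
    """Manhattan distance between two sparse n-gram frequency maps.
    Time is linear in the number of non-zero entries."""
    dist = 0.0
    for w in phi_x.keys() | phi_y.keys():
        dist += abs(phi_x.get(w, 0.0) - phi_y.get(w, 0.0))
    return dist

d = manhattan({"ge": 0.5, "et": 0.5}, {"ge": 0.5, "t/": 0.5})
```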
Anomaly detection
‣ Detection of outliers in feature space
‣ Exploration of geometry between connections
‣ No training phase - no labels required
‣ Anomaly detection (AD) methods
‣ e.g. Spherical AD, Cluster AD, Neighborhood AD
[Figure: toy data in [0,1]² with outliers, shown four times: raw, and scored by spherical, cluster and neighborhood anomaly detection]
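As a toy illustration of the spherical idea (a hypothetical centroid-distance stand-in, much simpler than the quarter-sphere SVM used in the talk):

```python
import math

def centroid_scores(points):
    """Score each point by its Euclidean distance to the centroid of all
    points; large scores flag outliers (naive spherical anomaly detection)."""
    dim = len(points[0])
    centroid = [sum(p[i] for p in points) / len(points) for i in range(dim)]
    return [math.dist(p, centroid) for p in points]

scores = centroid_scores([(0.1, 0.1), (0.15, 0.12), (0.2, 0.1), (0.9, 0.9)])
# the last point is the clear outlier
```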
Experiments
‣ Open questions
‣ Do n-gram models capture semantics sufficient for detection of unknown attacks?
‣ Can anomaly detection reliably operate at low false-positive rates?
‣ How does this approach compare to classical signature-based intrusion detection?
Evaluation data
‣ PESIM 2005 data set
‣ Real network traffic to servers at our laboratory
‣ HTTP: reverse proxies of web sites
‣ FTP: local file sharing, e.g. photos, media
‣ SMTP: retransmission flavored with spam
‣ Attacks injected by a penetration-testing expert (e.g. using Metasploit)
‣ DARPA 1999 data set as reference
‣ Statistical preprocessing
‣ Extraction of 30 independent samples comprising 1000 incoming connection payloads per protocol
Method comparison
‣ Comparison of anomaly detection methods
‣ Criterion: AUC0.01 - area under the ROC curve within [0, 0.01]
‣ Results averaged over n-gram lengths [1,7]
Protocol Best method AUC0.01
HTTP Spherical (qsSVM) 0.781
FTP Neighborhood (Zeta) 0.746
SMTP Cluster (Single-linkage) 0.756
Bottom line: Different protocols require different anomaly detection methods
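The AUC0.01 criterion above can be sketched as a trapezoidal area under the ROC curve, clipped to false-positive rates below 0.01 and normalised by that limit (illustrative; the ROC points below are made up, not the evaluation results):

```python
def auc_limited(fpr, tpr, limit=0.01):
    """Area under an ROC curve restricted to fpr <= limit,
    normalised so that a perfect detector scores 1.0."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(zip(fpr, tpr), zip(fpr[1:], tpr[1:])):
        if x0 >= limit:
            break
        x1c = min(x1, limit)
        # linearly interpolate the true-positive rate at the clipped edge
        y1c = y0 + (y1 - y0) * (x1c - x0) / (x1 - x0) if x1 > x0 else y1
        area += (x1c - x0) * (y0 + y1c) / 2.0
    return area / limit

score = auc_limited([0.0, 0.005, 0.01, 1.0], [0.0, 0.6, 0.8, 1.0])
```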
N-gram lengths
‣ How does one choose the optimal n-gram length?
[Figure: distribution of the optimal n-gram length per attack (n = 1-7, y-axis 0-40%) for HTTP, FTP and SMTP]
‣ No single n fits all: variable-length models required
Variable-length models
Connection payload: get▯/index.html
Words (delimiters: CR LF TAB ▯ , . : / &): get index html
Combined n-grams, n = {1,2,3,...}:
1-grams: g e t ▯ / i n ⋯
2-grams: ge et t▯ ▯/ /i in nd ⋯
3-grams: get et▯ t▯/ ▯/i ind nde /in ⋯
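Extracting the word model from a payload amounts to splitting at the delimiter set shown above (Python sketch; the delimiter string mirrors the slide):

```python
import re

# Delimiters from the slide: CR LF TAB space , . : / &
DELIMITERS = "\r\n\t ,.:/&"

def word_model(payload: str) -> list:
    """Split a connection payload into words at protocol delimiters."""
    return [w for w in re.split("[" + re.escape(DELIMITERS) + "]+", payload) if w]

word_model("get /index.html")  # ["get", "index", "html"]
```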
Comparison with Snort
‣ Language models vs. Snort
‣ Combined n-gram (1-7) and word models
‣ Snort: Version 2.4.2 with default rules
[Figure: ROC curves (false-positive rate 0-0.01 vs. true-positive rate 0-1) for HTTP, FTP and SMTP traffic, each comparing the best combined n-gram model, the word model and Snort]
Conclusions and outlook
‣ Language models for intrusion detection
‣ Characteristic patterns in normal traffic and attacks
‣ Unsupervised anomaly detection with high accuracy
‣ Detection of ~80% of unknown network attacks
‣ Future perspective
‣ From in vitro to in vivo: real-time application
‣ Language models as prototypes for signatures?
Outwit language models
‣ Approaches
‣ Red herring: denial-of-service with random traffic patterns
‣ Creeping poisoning: careful subversion of the normal traffic model
‣ Mimicry attacks: adaptation of attacks to mimic normal traffic
‣ Conclusions
‣ (1) Worse for signature-based intrusion detection
‣ (2,3) Require profound insider knowledge
Questions?