
Context-aware security framework based on Traffic Anomaly Detection Indicator

Telecommunication Systems

Abstract

Context-aware security utilizes external data, such as the time of day or user information, to improve its capability of detecting a security breach. In this paper we present a context-aware security framework based on a Traffic Anomaly Detection Indicator (TADI), which indicates when a threat can occur. The main novelty of our approach is that we use as context the time-based information derived from the profile analysis of a typical day, to determine more accurately the presence of an anomaly according to the time of day at which it occurs. This 24-h typical-day analysis lets us take into account the time interval (night-time, working hours, etc.) in which a potential threat occurs, in contrast to the traditional detection of sudden peak changes. First, a preliminary analysis based on historical data shows how traffic typically behaves in each period of the day. We then calibrate our procedure by checking the effectiveness of different algorithms, so that we know which one performs best in each period of the day. Finally, the TADI is calculated from the time-based contextual information. We also present results based on actual traffic traces collected from a university campus that show the effectiveness of the proposed method.


References

  1. Gartner, IT Glossary, Gartner, Inc. (2015). http://www.gartner.com/it-glossary/context-aware-security.

  2. Davis, A. (2014). Security Think Tank: Context-aware security is about more than buying technology, Computerweekly.com.

  3. Garcia-Teodoro, P., Diaz-Verdejo, J., Maciá-Fernández, G., & Vázquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28, 18–28.

  4. Cuadra, A., & Ramos, A. J. J. (2014). Proposal of a new information-theory based technique and analysis of traffic anomaly detection. In IEEE International Conference on Smart Communications in Network Technologies (SaCoNeT) (Vol. 1, pp. 1–6).

  5. Cuppens, F., & Cuppens-Boulahia, N. (2008). Modeling contextual security policies. International Journal of Information Security, Springer, 7, 285–305.


  6. Gartner, Hype Cycle for Application Security, Gartner, Inc. (2014). https://www.gartner.com/doc/2809417/hype-cycle-application-security.

  7. Miettinen, M., Asokan, N., Nguyen, T. D., Sadeghi, A. R., & Sobhani, M. (2014). Context-based zero-interaction pairing and key evolution for advanced personal devices. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, ACM (pp. 880–891).

  8. Ouedraogo, W. F., Biennier, F., & Ghodous, P. (2012). Adaptive security policy model to deploy business process in cloud infrastructure. In International Conference on Cloud Computing and Services Science (CLOSER) (pp. 287–290).

  9. Sliman, L., Biennier, F., & Badr, Y. (2009). A security policy framework for context-aware and user preferences in e-services. Journal of Systems Architecture, 55, 275–288.


  10. Kalam, A. A. E., Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miege, A., Saurel, C., & Trouessin, G. (2003). Organization based access control. In IEEE 4th International Workshop on Policies for Distributed Systems and Networks. Proceedings. POLICY 2003, IEEE (pp. 120–131).

  11. Debar, H., Thomas, Y., Boulahia-Cuppens, N., & Cuppens, F. (2006). Using contextual security policies for threat response. In Detection of intrusions and malware & vulnerability assessment (pp. 109–128). New York: Springer.

  12. Debar, H., Thomas, Y., Cuppens, F., & Cuppens-Boulahia, N. (2007). Enabling automated threat response through the use of a dynamic security policy. Journal in Computer Virology, 3, 195–210.


  13. Preda, S., Cuppens-Boulahia, N., Cuppens, F., & Toutain, L. (2010). Architecture-aware adaptive deployment of contextual security policies. In ARES’10 International Conference on Availability, Reliability, and Security, IEEE (pp. 87–95).

  14. Preda, S., Cuppens, F., Cuppens-Boulahia, N., Garcia-Alfaro, J., & Toutain, L. (2011). Dynamic deployment of context-aware access control policies for constrained security devices. Journal of Systems and Software, 84, 1144–1159.


  15. Kim, Y., Lau, W. C., Chuah, M. C., & Chao, H. J. (2004). Packetscore: Statistics-based overload control against distributed denial-of-service attacks. In INFOCOM 2004. Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies, IEEE (Vol. 4, pp. 2594–2604).

  16. Kim, Y., Lau, W. C., Chuah, M. C., & Chao, H. J. (2006). Packetscore: A statistics-based packet filtering scheme against distributed denial-of-service attacks. IEEE Transactions on Dependable and Secure Computing, 3, 141–155.


  17. Croarkin, C., & Guthrie, W. (2012). NIST/SEMATECH e-Handbook of statistical methods. National Institute of Standards and Technology (NIST).

  18. Shannon, C. E. (2001). A mathematical theory of communication. ACM SIGMOBILE Mobile Computing and Communications Review, 5, 3–55.


  19. Montgomery, D. (2004). Introduction to statistical quality control. New York: Wiley.


  20. Cuadra-Sánchez, A., & Aracil, J. (2015). Traffic anomaly detection. Amsterdam: Elsevier Ltd.


  21. Maria, A., Matias, R., Macedo, A., Maciel, P. R. M., & Araujo, L. B. (2011). Performance analysis of control charts techniques applied to IP traffic forecasts. In IEEE 12th International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT) (pp. 109–115).

  22. Matias, R., Carvalho, A. M., Araujo, L. B., & Maciel, P. R. M. (2011). Comparison analysis of statistical control charts for quality monitoring of network traffic forecasts. In IEEE International Conference on Systems, Man, and Cybernetics (SMC) (pp. 404–409).

  23. Oprea, R., & Emile, A. (2013). Traffic anomaly detection using a distributed measurement network. Amsterdam: University of Amsterdam.


  24. Bulunga, M. L. (2012). Change-point detection in dynamical systems using auto-associative neural networks. Doctoral dissertation, Stellenbosch University.

  25. Carvalho, A. M. M. (2012). Controle estatístico de processos de predição de tráfego de redes de computadores [Statistical process control of computer network traffic prediction]. Master’s Thesis, University of Uberlândia.

  26. Callegari, C., Giordano, S., Pagano, M., & Pepe, T. (2012). Wave-cusum: Improving cusum performance in network anomaly detection by means of wavelet analysis. Computers and Security, 31, 727–735.


  27. Arnold, T. B., & Emerson, J. W. (2011). Nonparametric goodness-of-fit tests for discrete null distributions. The R Journal, 3, 34–39.


  28. Gagunashvili, N. (2010). Chi-square tests for comparing weighted histograms. Nuclear Instruments and Methods in Physics Research Section A: Accelerators, Spectrometers, Detectors and Associated Equipment, 614, 287–296.


  29. Higgins, J. J. (2003). Introduction to modern nonparametric statistics (1st ed.). Florence: Duxbury Press.


  30. Tartakovsky, A. G., Rozovskii, B. L., Blazek, R. B., & Kim, H. (2006). A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods. IEEE Transactions on Signal Processing, 54, 3372–3382.


  31. Marinescu, D. C., & Marinescu, G. M. (2012). Classical and quantum information. New York: Academic Press.


  32. Verron, S., Tiplica, T., & Kobi, A. (2008). Fault detection and identification with a new feature selection based on mutual information. Journal of Process Control, 18, 479–490.


  33. Amiri, F., Yousefi, M. R., Lucas, C., Shakery, A., & Yazdani, N. (2011). Mutual information-based feature selection for intrusion detection systems. Journal of Network and Computer Applications, 34, 1184–1199.


  34. Drugman, T. (2014). Using mutual information in supervised temporal event detection: Application to cough detection. Biomedical Signal Processing and Control, 10, 50–57.

  35. Shah, K., Jonckheere, E., & Bohacek, S. (2006). Dynamic modeling of internet traffic for intrusion detection. EURASIP Journal on Advances in Signal Processing, 2004, 1.



Corresponding author

Correspondence to Antonio Cuadra.

Appendices

Appendix: Overview of the change point detection algorithms used in this work

Appendix 1: Cumulative sum control charts (CUSUM)

Statistical Control Charts (SCC) monitor a process by expressing each measurement as its deviation from the expected value, in units of the standard deviation. In particular CUSUM (CUMulative SUM) is a sequential analysis algorithm that detects sudden changes in a continuous process, such as changes in traffic.

The state of the art shows that no single SCC algorithm stands out from the others; the performance of an SCC depends on the underlying traffic characteristics [21–24]. So, in order to simplify this study, we have focused on the best known one, the CUSUM chart, as implementing other control chart methods (e.g. EWMA) would lead to equivalent results.

The CUSUM chart plots the cumulative sums of the deviations of the sample values from a target value [19]. It consists of a cumulative sum whose value \(C{_{i}}\) determines whether the process is under control. When the CUSUM exceeds a certain threshold value, it is considered that a change has occurred.

If \(\mu _{0}\) is the target for the process mean, then the cumulative sum control chart is built by plotting the quantity \(C{_{i}}\) against the order number i of the sample \(\widetilde{x_{j}}\), according to the following equation.

$$\begin{aligned} C{_{i}}=\sum _{j=1}^{i} (\widetilde{x_{j}} - \mu _{0}) \end{aligned}$$
(5)

This way, if the process mean shifts upward, the charted CUSUM points will eventually drift upwards, and vice versa if the process mean decreases.

In order to determine whether the CUSUM values are under control, two one-sided statistics, \(C^{+}\) and \(C^{-}\) (called the upper and lower CUSUMs respectively), are accumulated, and an out-of-control signal is raised when either of them exceeds a decision interval H [19]:

$$\begin{aligned}&C_{i}^{+} = \max \left[ 0,\; x_{i}-(\mu _{0}+K)+C_{i-1}^{+} \right] \end{aligned}$$
(6)
$$\begin{aligned}&C_{i}^{-} = \max \left[ 0,\; (\mu _{0}-K)- x_{i} +C_{i-1}^{-} \right] \end{aligned}$$
(7)

where

  • the starting values are \(C_{0}^{+} = C_{0}^{-} = 0\)

  • K is a reference value that is usually chosen about halfway between the target \(\mu _{0}\) and the out-of-control value of the mean \(\mu _{1}\) that we are interested in detecting quickly.

If the shift is expressed in standard deviation units as \(\mu _{1}=\mu _{0}+\delta \sigma \) then K is one-half the magnitude of the shift:

$$\begin{aligned} K = \frac{\delta }{2} \sigma = \frac{\left| \mu _{1}-\mu _{0} \right| }{2} \end{aligned}$$
(8)

The SCC are graphs that show whether a sample of data falls within the normal range of variation. In CUSUM (also known as CSUM), as measurements are taken, the difference between each measurement and the benchmark value is calculated and cumulatively summed. When there is an anomaly in the traffic, the CUSUM value progressively departs from the benchmark. For our purpose all the values from a period are compared to those of the immediately preceding period.

Statistical Control Charts, and CUSUM in particular, have been widely used to identify abrupt changes. In [21, 22] the authors compared SCC applied to IP traffic forecasts. These papers empirically describe the performance of CUSUM on traffic trends, using a longitudinal traffic analysis of 8 weeks to detect sudden peak changes. Other authors have also established the suitability of CUSUM for detecting sudden peak changes, such as [23, 25]. In [24] we find SCC applied to change-point detection on spectrum analysis rather than on raw traffic. The spectrum analysis is applied in scenarios where the traffic is evaluated sequentially to detect sudden peak changes with higher accuracy. The author concludes, again, that as with most data-driven approaches there is no single change-point detection technique that works on all types of data; different techniques perform better on different types of data. Yet that work does not study typical-day analysis, is based only on SCC, and uses simulated time series data. In the same research line, [26] proposes combining CUSUM with wavelet-based signal processing, again to detect sudden peak changes. The experimental tests demonstrate the efficiency of the proposed solution for different traffic anomalies.

All in all, we selected this method in the first place because CUSUM has traditionally been considered the reference algorithm for detecting abrupt changes in traffic.

Appendix 2: Tests of goodness-of-fit

Tests of goodness-of-fit [17] are used here to decide whether a given time interval of the day shows a traffic distribution independent from the rest of the intervals (i.e. how similar two consecutive periods are), which can then be used to detect changes.

In this work the two main tests of goodness-of-fit have been applied. They are described in the following sections: Pearson’s chi-square test [17] and the Kolmogorov–Smirnov test [27].

Appendix 2.1: Pearson’s Chi-squared test (\(\chi ^2\))

This test measures the discrepancies between the expected number of times each outcome occurs (assuming that the model is true) and the observed number of times each outcome occurs [28].

The goodness of fit is determined by comparing the observed values with the expected ones [28]. In this study the observed and expected values correspond to a time interval and the preceding one; specifically, the values of the previous hour are compared with those of the current one as follows.

$$\begin{aligned} \chi ^2_j = \sum _{i=1}^k{\frac{(H_i^{j-1}-H_i^j)^2}{H_i^j}} \end{aligned}$$
(9)

where

  • j is the time interval (i.e. the hour)

  • k is the number of days

  • \(H_i^j\) is the aggregate traffic value of interval j (the current time period or hour) on day i

  • \(H_i^{j-1}\) is the aggregate traffic value of the previous interval (j−1) (the preceding time period or hour) on day i

The decision rule is the usual one: the null hypothesis \(H_0\) (both intervals follow the same distribution) is rejected if the calculated statistic is greater than or equal to the critical value read from the table of the Chi-square distribution with k−1 degrees of freedom.

  • If \(\chi ^2_{calc} \ge \chi ^2_\alpha \) then reject the null hypothesis

  • If \(\chi ^2_{calc} < \chi ^2_\alpha \) then do not reject the null hypothesis

where \(\chi ^2_{calc}\) is the statistic obtained and \(\chi ^2_\alpha \) is the critical value for a given significance level \(\alpha \).

In this work the observed values correspond to the current aggregate time period and the expected values to the preceding one. To calculate the statistic for each interval, we build a histogram with the value observed on each of the different days.

The intervals obtained this way have a similar probability distribution within the period and one that is independent of, and well differentiated from, the adjacent periods. This is what allows us to detect changes in network behaviour in these time slots.
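Eq. (9) and its decision rule, as an added Python example that is not the paper's code. The per-day aggregates are constructed; the statistic is computed exactly as eq. (9) prints it, i.e. divided by the current interval's value (the textbook Pearson form divides by the expected count, which under the appendix's assignment of expected = preceding interval would put \(H_i^{j-1}\) in the denominator, so keep that in mind if you swap in a library implementation). Instead of a table lookup for \(\chi^2_\alpha\), an exact chi-squared survival function for integer degrees of freedom gives a p-value, and rejection at level \(\alpha\) is p ≤ α, which is equivalent to \(\chi^2_{calc} \ge \chi^2_\alpha\).

```python
"""Pearson's chi-squared comparison of two consecutive intervals (eq. 9).

Added example, not the paper's code. h_prev[i] and h_cur[i] are the aggregate
traffic values of the preceding and current interval on day i (k days, hence
k - 1 degrees of freedom). The statistic follows eq. (9) as printed: the
denominator is the current interval's value.
"""
import math
from typing import List, Tuple


def chi2_sf(x: float, df: int) -> float:
    """P(chi2_df > x) for integer df, exact up to floating point.

    Uses the recurrence Q_{v+2}(x) = Q_v(x) + (x/2)^(v/2) e^(-x/2) / Gamma(v/2 + 1)
    started from Q_1(x) = erfc(sqrt(x/2)) and Q_2(x) = exp(-x/2).
    """
    if df < 1:
        raise ValueError("df must be >= 1")
    if x <= 0:
        return 1.0
    if df % 2 == 1:
        q, v = math.erfc(math.sqrt(x / 2.0)), 1
    else:
        q, v = math.exp(-x / 2.0), 2
    while v < df:
        # log-space to avoid overflow of (x/2)^(v/2) for large statistics
        q += math.exp((v / 2.0) * math.log(x / 2.0) - x / 2.0 - math.lgamma(v / 2.0 + 1))
        v += 2
    return min(1.0, q)


def chi2_interval_test(h_prev: List[float], h_cur: List[float],
                       alpha: float = 0.05) -> Tuple[float, float, bool]:
    """Return (chi2_calc, p_value, reject_H0) for eq. (9)."""
    if len(h_prev) != len(h_cur) or len(h_prev) < 2:
        raise ValueError("need the same number of days (>= 2) for both intervals")
    if any(c <= 0 for c in h_cur):
        raise ValueError("eq. (9) divides by the current interval's values; they must be > 0")
    stat = sum((p - c) ** 2 / c for p, c in zip(h_prev, h_cur))   # eq. (9)
    df = len(h_cur) - 1
    p = chi2_sf(stat, df)
    return stat, p, p <= alpha


# Constructed per-day aggregates (GB transferred in one hour slot over k = 5
# days; not real campus data). The "anomalous" current hour is ~4x the
# preceding one on every day.
PREV_HOUR = [10, 12, 11, 9, 13]
CUR_HOUR_NORMAL = [11, 12, 10, 10, 12]
CUR_HOUR_ANOMALOUS = [40, 45, 42, 38, 41]

if __name__ == "__main__":
    for label, cur in (("normal", CUR_HOUR_NORMAL), ("anomalous", CUR_HOUR_ANOMALOUS)):
        stat, p, reject = chi2_interval_test(PREV_HOUR, cur)
        print(f"{label}: chi2={stat:.3f} p={p:.4f} reject_H0={reject}")
```

Note the guard on zero values in the current interval: an hour with no traffic at all makes eq. (9) undefined, which is exactly the kind of night-time slot the typical-day analysis has to handle separately.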

Appendix 2.2: Kolmogorov–Smirnov test (K–S)

This test [27] checks whether the distribution of a set of samples conforms to a reference distribution; in its two-sample form, which is the one used here, it checks whether two samples come from the same distribution.

The test measures the maximum distance D between two Cumulative Distribution Functions (CDF) [27].

In our environment the CDF of each period is compared with that of the previous one.

$$\begin{aligned} D_j = \max_{x} \left| F_{j-1}(x) - F_j(x) \right| \end{aligned}$$
(10)

where

  • j is the time interval (i.e. hour)

  • \(F_j (x)\) is the CDF of j interval (current time period or hour)

  • \(F_{j-1} (x)\) is the CDF of the previous interval (\(j-1\)) (preceding time period or hour)

First of all we determine the threshold above which the statistic is considered not to meet expectations, that is, the null hypothesis is rejected at significance level \(\alpha \) if:

$$\begin{aligned} \sqrt{\frac{nn'}{n+n'}} D_{n, n'} > K_\alpha \end{aligned}$$
(11)

where \(D_{n, n'}\) is the K–S statistic and \(n, n'\) are the two sample sizes (here \(n=n'=\) number of days) [15].

The \(K_\alpha \) values depend on \(\alpha \) and are tabulated in the literature; in particular [29] includes a table of \(K_\alpha \) for different values of \(\alpha \).

In the one-sample form of the test the empirical CDF is compared against a theoretical one. Here both CDFs are empirical: the observed CDF is that of one period and the expected CDF that of the immediately preceding one. Once both distributions are computed, the K–S statistic is the largest difference between the two functions, that is, the maximum distance between two consecutive CDFs.
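The two-sample test of eqs. (10) and (11) on the same kind of per-day aggregates, as an added Python example that is not the paper's code. The data are constructed. \(K_\alpha\) is taken from the asymptotic Kolmogorov distribution, \(K_\alpha = \sqrt{-\tfrac{1}{2}\ln(\alpha/2)}\) (1.36 for α = 0.05, the value the usual tables give); for very small n the exact tabulated value in [29] differs slightly, so treat this as an assumption rather than the paper's table.

```python
"""Two-sample Kolmogorov-Smirnov comparison of consecutive intervals (eqs. 10-11).

Added example, not the paper's code. prev and cur hold one aggregate traffic
value per day for the preceding and the current interval (n = n' = k days).
K_alpha uses the asymptotic Kolmogorov distribution (an assumption).
"""
import math
from typing import List, Tuple


def ecdf(sample: List[float], x: float) -> float:
    """Empirical CDF F(x): fraction of sample values <= x."""
    return sum(1 for v in sample if v <= x) / len(sample)


def ks_distance(prev: List[float], cur: List[float]) -> float:
    """D_j = max_x |F_{j-1}(x) - F_j(x)| (eq. 10).

    Both ECDFs are step functions that only change at observed values, so
    evaluating at the union of the two samples finds the true maximum.
    """
    points = sorted(set(prev) | set(cur))
    return max(abs(ecdf(prev, x) - ecdf(cur, x)) for x in points)


def k_alpha(alpha: float) -> float:
    """Asymptotic critical value of the Kolmogorov distribution (~1.36 at 0.05)."""
    return math.sqrt(-0.5 * math.log(alpha / 2.0))


def ks_interval_test(prev: List[float], cur: List[float],
                     alpha: float = 0.05) -> Tuple[float, float, bool]:
    """Return (D, sqrt(n n' / (n + n')) * D, reject_H0) per eq. (11)."""
    n, m = len(prev), len(cur)
    if n == 0 or m == 0:
        raise ValueError("both intervals need at least one day")
    d = ks_distance(prev, cur)
    scaled = math.sqrt(n * m / (n + m)) * d
    return d, scaled, scaled > k_alpha(alpha)


# Constructed per-day aggregates for one hour slot over k = 5 days (not real data).
PREV_HOUR = [10, 12, 11, 9, 13]
CUR_HOUR_NORMAL = [11, 12, 10, 10, 12]
CUR_HOUR_ANOMALOUS = [40, 45, 42, 38, 41]

if __name__ == "__main__":
    for label, cur in (("normal", CUR_HOUR_NORMAL), ("anomalous", CUR_HOUR_ANOMALOUS)):
        d, scaled, reject = ks_interval_test(PREV_HOUR, cur)
        print(f"{label}: D={d:.2f} scaled={scaled:.3f} "
              f"K_0.05={k_alpha(0.05):.3f} reject_H0={reject}")
```

With only five days the scaled statistic cannot exceed \(\sqrt{5\cdot5/10}\approx1.58\) even when the two CDFs do not overlap at all, so at α = 0.01 (K ≈ 1.63) the test can never reject; the number of days in the historical profile bounds the sensitivity of this test far more than it does the chi-squared one.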

Both tests of goodness-of-fit (Kolmogorov–Smirnov and Pearson’s Chi-squared) have also been used for change-point detection. In [30] the authors compare SCC against tests of goodness-of-fit, presenting a benchmark of both methods for detecting intrusions in the network; in particular they compare the CUSUM algorithm with the Chi-squared test of goodness-of-fit. Their experiments show that CUSUM detects the attack better than the other algorithms. However, once again a longitudinal traffic analysis (detecting sudden peak changes) rather than a typical-day study is made, and in addition the authors rely on detailed protocol-type information (e.g. TCP SYN, UDP and ICMP packets) at a resolution of seconds or finer, as most of the state of the art does, which is often not available or accessible.

We have used the tests of goodness-of-fit in addition to CUSUM because they rely on the statistical characteristics of the traffic and provide better accuracy when the traffic changes are not so abrupt, as shown in Sect. 3.

Appendix 3: Mutual information (MI)

The Mutual Information is a measure of the amount of information that one random variable contains about another one. That means that if both random variables are independent, the Mutual Information is zero.

The mutual information of two random variables is a quantity that determines the mutual dependence of the two random variables [18] and measures the reduction in uncertainty of a random variable, X, due to another variable, Y [31].

The mutual information of two random variables, X and Y, with joint probability distribution p(x, y) is defined as:

$$\begin{aligned} I(X;Y)=\sum _{x\in X} \sum _{y\in Y} p(x,y) \log \frac{p(x,y)}{p(x)\,p(y)} \end{aligned}$$
(12)

The former equation can be also expressed in terms of entropy. The information that a period has about the other, or the mutual information, can be defined by the following equation:

$$\begin{aligned} I(X;Y)=H(X) + H(Y) - H(X,Y) \end{aligned}$$
(13)

Since the mutual information has no reference scale beyond its minimum of zero for independent variables, a normalized Mutual Information (MIn), relative to the highest value it takes over a traffic series, is typically used.

Different authors have used Mutual Information in the change-point detection field, although for purposes other than detecting sudden changes. In [32] the authors use mutual information to improve feature selection for fault detection: they present a fault diagnosis procedure based on discriminant analysis and mutual information, in which the important features are selected with a newly developed algorithm based on the mutual information between variables. Nevertheless, they do not use mutual information as the criterion for fault detection itself. Likewise, in [33] the authors present mutual information-based feature selection for intrusion detection systems. The usefulness of mutual information for selecting the most relevant features in a given classification task has been proven in other fields as well [34]. In [35] the authors use mutual information for dynamic modeling of Internet traffic for intrusion detection; their results show that mutual information is especially useful in detecting flooding attacks such as CBR (Constant Bit Rate) attacks.

In this work Mutual Information is used as a measure of the similarity between the traffic of two consecutive intervals. This way the Mutual Information measures the amount of information that one period of traffic contains about the previous one and therefore constitutes an algorithm to detect changes in traffic.
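Eqs. (12) and (13) applied to consecutive intervals and normalised into MIn, as an added Python example that is not the paper's code. The appendix does not say how p(x, y) is estimated from continuous traffic values, so this example discretises them into equal-width bins (the bin count is an assumption), takes X as the binned series of interval j−1 and Y as that of interval j, paired day by day, and checks that the entropy form of eq. (13) agrees with eq. (12). The day-by-interval matrix is constructed.

```python
"""Mutual information between consecutive intervals (eqs. 12-13), normalised.

Added example, not the paper's code. day_matrix[d][j] is the aggregate
traffic of interval j on day d. Values are binned (equal width, an
assumption), MI is computed in bits, and the profile is divided by its
maximum to give MIn as the appendix describes.
"""
import math
from collections import Counter
from typing import List, Sequence


def entropy(symbols: Sequence) -> float:
    """H(X) in bits from the empirical distribution of a symbol sequence."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def mutual_information(xs: Sequence, ys: Sequence) -> float:
    """I(X;Y) = sum_{x,y} p(x,y) log2 p(x,y) / (p(x) p(y))   (eq. 12)."""
    if len(xs) != len(ys) or not xs:
        raise ValueError("need two equally long, non-empty sequences")
    n = len(xs)
    px, py, pxy = Counter(xs), Counter(ys), Counter(zip(xs, ys))
    return sum(c / n * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in pxy.items())


def mutual_information_entropy_form(xs: Sequence, ys: Sequence) -> float:
    """I(X;Y) = H(X) + H(Y) - H(X,Y)   (eq. 13); must equal eq. (12)."""
    return entropy(xs) + entropy(ys) - entropy(list(zip(xs, ys)))


def discretise(values: Sequence[float], lo: float, hi: float, n_bins: int) -> List[int]:
    """Equal-width binning of traffic values into symbols 0..n_bins-1."""
    width = (hi - lo) / n_bins if hi > lo else 1.0
    return [min(int((v - lo) / width), n_bins - 1) for v in values]


def mi_profile(day_matrix: List[List[float]], n_bins: int = 4) -> List[float]:
    """MIn between each interval j >= 1 and its predecessor j-1, across days.

    One bin grid (min..max of the whole matrix) is shared by all intervals so
    that the symbols are comparable; the result is scaled by the largest MI.
    """
    n_int = len(day_matrix[0])
    lo = min(min(r) for r in day_matrix)
    hi = max(max(r) for r in day_matrix)
    mis = []
    for j in range(1, n_int):
        xs = discretise([r[j - 1] for r in day_matrix], lo, hi, n_bins)
        ys = discretise([r[j] for r in day_matrix], lo, hi, n_bins)
        mis.append(mutual_information(xs, ys))
    top = max(mis)
    return [m / top if top > 0 else 0.0 for m in mis]


# Constructed 4-day x 6-interval matrix (aggregate GB per interval, not real data):
# low night traffic, a ramp-up, a busy plateau and a wind-down.
DAY_MATRIX = [
    [2, 3, 9, 10, 9, 4],
    [1, 2, 8, 11, 10, 3],
    [3, 4, 10, 12, 11, 5],
    [2, 3, 9, 11, 9, 3],
]

if __name__ == "__main__":
    print("MIn profile:", [round(v, 3) for v in mi_profile(DAY_MATRIX)])
```

Because MI is estimated from a handful of days, a pair of intervals whose binned values are constant across days scores exactly zero even though the traffic is perfectly regular; the measure rewards day-to-day co-variation, not similarity of level, which is why the appendix pairs it with CUSUM and the goodness-of-fit tests rather than using it alone.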


Cite this article

Cuadra, A., Aracil, J. Context-aware security framework based on Traffic Anomaly Detection Indicator. Telecommun Syst 65, 319–330 (2017). https://doi.org/10.1007/s11235-016-0233-8
