
Proactive Intrusion Detection and Distributed Denial of Service Attacks—A Case Study in Security Management

Journal of Network and Systems Management

Abstract

Little or no integration exists today between Intrusion Detection Systems (IDSs) and SNMP-based Network Management Systems (NMSs), in spite of the extensive monitoring and alarming capabilities offered by commercial NMSs. This difficulty is mainly associated with the distinct data sources used by the two systems: packet traffic and audit records for IDSs and SNMP MIB variables for NMSs. In this paper we propose and evaluate a methodology for utilizing NMSs for the early detection of Distributed Denial of Service attacks (DDoS). A principled approach is described for discovering precursors to DDoS attacks in databases formed by MIB variables recorded from multiple domains in networked information systems. The approach is rooted in time series quantization, and in the application of the Granger Causality Test of classical statistics for selecting variables that are likely to contain precursors. A methodology is proposed for discovering precursor rules from databases containing time series related to different regimes of a system. These precursor rules relate precursor events extracted from input time series with phenomenon events extracted from output time series. Using MIB datasets collected from real experiments involving Distributed Denial of Service Attacks, it is shown that precursor rules relating activities at attacking machines with traffic floods at target machines can be extracted by the methodology. The technology has extensive applications for security management: it enables security analysts to better understand the evolution of complex computer attacks, it can be used to trigger alarms indicating that an attack is imminent, or it can be used to reduce the false alarm rates of conventional IDSs.
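The abstract describes a pipeline: sample MIB counters as time series, use the Granger Causality Test to select the variables whose past improves the prediction of the target-side traffic (the candidates that may carry precursors), quantize the selected series into levels, and mine precursor rules of the form "precursor event at the attacking host, followed within a window by the phenomenon event at the target". The block below is an added, self-contained Python illustration of that pipeline written for this page; it is not the paper's code or data. It assumes MIB-II counters sampled as per-interval deltas (attacker-side ipOutRequests, target-side ipInReceives, plus an unrelated host's counter that should be rejected), a lag order of 3, a level threshold of 50 packets per interval, and a constructed data set in which the target's inbound counter follows the attacker's outbound counter three intervals later. The Granger test is implemented as the classical F test on restricted versus unrestricted autoregressions; the critical value used for screening is an approximation the reader should replace with the F-table entry for their own lag order and sample size.

```python
"""Added example: Granger-causality screening of SNMP MIB counters for DDoS
precursors, then precursor-rule mining on the quantized series.  All data is
constructed; the counter names are MIB-II names used as labels only."""
import random
from typing import Dict, List, Sequence, Tuple


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def ols_rss(rows: List[List[float]], y: List[float]) -> float:
    """Residual sum of squares of the least-squares fit of y on the row vectors."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * v for r, v in zip(rows, y)) for i in range(k)]
    beta = solve_linear(xtx, xty)
    return sum((v - sum(b * c for b, c in zip(beta, r))) ** 2 for r, v in zip(rows, y))


def granger_f(cause: Sequence[float], effect: Sequence[float], lags: int) -> float:
    """Granger F statistic: do `lags` past values of `cause` improve the one-step
    prediction of `effect` beyond `effect`'s own past?
      restricted:   effect_t ~ 1 + effect_{t-1..t-p}
      unrestricted: effect_t ~ 1 + effect_{t-1..t-p} + cause_{t-1..t-p}
    Compare the result with the F(p, T-2p-1) critical value at the chosen level."""
    ts = range(lags, len(effect))
    y = [effect[t] for t in ts]
    restricted = [[1.0] + [effect[t - i] for i in range(1, lags + 1)] for t in ts]
    unrestricted = [row + [cause[t - i] for i in range(1, lags + 1)]
                    for row, t in zip(restricted, ts)]
    rss_r, rss_u = ols_rss(restricted, y), ols_rss(unrestricted, y)
    df_u = len(y) - (2 * lags + 1)
    return ((rss_r - rss_u) / lags) / (rss_u / df_u)


def screen_precursors(candidates: Dict[str, Sequence[float]], target: Sequence[float],
                      lags: int, f_crit: float) -> List[str]:
    """Candidate MIB variables whose F statistic against the target exceeds f_crit,
    i.e. the variables likely to contain precursors of the target phenomenon."""
    return [name for name, s in candidates.items() if granger_f(s, target, lags) > f_crit]


def quantize(series: Sequence[float], thresholds: Sequence[float]) -> List[int]:
    """Level of each sample: the number of thresholds it exceeds (0 = quiet)."""
    return [sum(v > th for th in thresholds) for v in series]


def precursor_rule(precursor: Sequence[int], phenomenon: Sequence[int],
                   level: int, window: int) -> Tuple[int, float]:
    """Support and confidence of the rule
    'precursor rises to `level` => phenomenon reaches `level` within `window` samples'."""
    events = [t for t in range(1, len(precursor)) if precursor[t] >= level > precursor[t - 1]]
    hits = sum(1 for t in events
               if any(phenomenon[u] >= level
                      for u in range(t + 1, min(t + 1 + window, len(phenomenon)))))
    return len(events), (hits / len(events) if events else 0.0)


def simulate_mib_deltas(n: int = 400, delay: int = 3, seed: int = 7
                        ) -> Tuple[List[float], List[float], List[float]]:
    """Constructed per-interval counter deltas (hypothetical, not measured data).
    The attacker's ipOutRequests is autocorrelated background plus eight flood
    bursts at fixed intervals; the target's ipInReceives follows it `delay`
    intervals later; a counter on an unrelated host is pure background."""
    rng = random.Random(seed)
    bursts = {60, 95, 140, 170, 230, 265, 310, 350}
    attacker_out, target_in, unrelated = [0.0] * n, [0.0] * n, [0.0] * n
    for t in range(1, n):
        attacker_out[t] = (0.6 * attacker_out[t - 1]
                           + (80.0 if t in bursts else 0.0) + rng.gauss(0, 2))
        upstream = attacker_out[t - delay] if t >= delay else 0.0
        target_in[t] = 0.4 * target_in[t - 1] + 0.9 * upstream + rng.gauss(0, 2)
        unrelated[t] = 0.5 * unrelated[t - 1] + rng.gauss(0, 3)
    return attacker_out, target_in, unrelated


def run_case_study(lags: int = 3, f_crit: float = 5.5) -> Dict[str, object]:
    """Screen candidates with the Granger test, then mine the precursor rule on the
    quantized series.  f_crit = 5.5 approximates the 0.1% point of F(3, 390); take
    the exact value from an F table for your own lag order and sample size."""
    attacker_out, target_in, unrelated = simulate_mib_deltas()
    candidates = {"attacker.ipOutRequests": attacker_out, "other.ipOutRequests": unrelated}
    support, confidence = precursor_rule(quantize(attacker_out, [50.0]),
                                         quantize(target_in, [50.0]), level=1, window=5)
    return {"selected": screen_precursors(candidates, target_in, lags, f_crit),
            "f_forward": granger_f(attacker_out, target_in, lags),
            "f_reverse": granger_f(target_in, attacker_out, lags),
            "rule_support": support, "rule_confidence": confidence}


if __name__ == "__main__":
    for key, value in run_case_study().items():
        print(f"{key}: {value}")
```

Running the block prints the screening result and the rule statistics: only the attacker-side counter is selected, the forward F statistic (attacker outbound predicting target inbound) is very large while the reverse direction stays small, and the rule "attacker ipOutRequests rises to HIGH, then target ipInReceives reaches HIGH within 5 intervals" holds for every burst. The same functions apply unchanged to real counter samples; what changes in practice is the choice of lag order, the level thresholds (which the paper derives from the data rather than fixing at 50), and the critical value, and the rule's support and confidence are what an analyst would inspect before wiring the precursor into an early-warning alarm.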



Corresponding author

Correspondence to João B. D. Cabrera.

Cite this article

Cabrera, J.B.D., Lewis, L., Qin, X. et al. Proactive Intrusion Detection and Distributed Denial of Service Attacks—A Case Study in Security Management. Journal of Network and Systems Management 10, 225–254 (2002). https://doi.org/10.1023/A:1015910917349
