
Page 1: Using Bayesian Networks for Detecting Network Anomalies
Lane Thames
ECE 8833 Intelligent Systems

Page 2: Goals for this Project

To see how well a Bayesian learning network performs at predicting attacks within a computer network

How do the predictions change when using pure network data versus a combination of network and host data

Page 3: Common Types of Attacks

Buffer Overflow Attacks
Redirects program control flow, which causes the computer to execute carefully injected malicious code
Code can be crafted to elevate the privileges of a user by obtaining super user (root) privileges

Page 4: Common Types of Attacks

Denial of Service
Exhaust a computer's resources: TCP SYN Flooding Attack
Consume a computer's available networking bandwidth: ICMP Smurf Attack

Page 5: Data Sets

UCI Knowledge Discovery in Databases (KDD) archive

KDD Cup 1999 for Intrusion Detection Database

A subset of data generated by MIT Lincoln Labs that simulated a military networking environment (4 weeks @ 22 hrs/day of data)

Page 6: Data Sets

Contained data for training and separate, labeled data for testing

The test data contained noise because it contained attack data that was not included in the training data

Page 7: Data Sets

22 total attack types were generated and were interlaced with normal traffic flows

Types of Attacks within the data:
Denial of Service
Unauthorized remote access
Local user to super user access
Probing: Reconnaissance and network mapping

Page 8: Data Sets

41 Features that could be used as Random Variables within a Bayesian Network
Host Based Features
Network Based Features

Page 9: Feature Set Snippet

protocol  service  flag  srcB  dstB  cnt  srvcnt  serrrate  rerrrate  typeAtck
tcp       http     SF     235  1337    8       8         0         0  normal.
tcp       http     SF     219  1337    6       6         0         0  normal.
icmp      ecr_i    SF    1032     0  511     511         0         0  smurf.
icmp      ecr_i    SF    1032     0  511     511         0         0  smurf.
tcp       private  S0       0     0  103       1         1         0  neptune.
tcp       private  S0       0     0  112      10         1         0  neptune.

Page 10: Tool Boxes Used for the Project

BN Power Constructor
Developed by J. Cheng at the University of Alberta in Canada
Tool for generating possible network structures given a set of training data
Exports the structure in DNE Bayesian network file format

Page 11: Tool Boxes Used for the Project

NeticaJ by Norsys
Java based development library
Used to build the Bayesian network codebase for this project
Imports structure in DNE file format
Contains functions for doing inference and learning CPTs given a set of training data

Page 12: Implementation

2 types of structures used:
Combination of network and host based features
Only network based features

Page 13: Host/Network Structure

Page 14: Host/Network Test Results

Using the Noisy Test Data

65,505 Total Test Cases

65,019 Correctly Classified

99.26% Classification Accuracy

Page 15: Probabilities for a Single Flow

[Chart: Attack Probabilities for a Normal Flow; x-axis: Attack Type; y-axis: Probability, log scale from 1.00E-13 to 1.00E+01]

Page 16: Probabilities for a Smurf Flow

[Chart: Attack Probability during a SMURF attack; x-axis: Attack Type; y-axis: Probability, log scale from 1.00E-18 to 1.00E+01]

Page 17: Time Series of Normal Probabilities

[Chart: Time Series Normal Classifications; x-axis: Time Epoch, 0 to 450; y-axis: Probability, 0 to 1.2]

Page 18: Network Features Structure

Page 19: Network Variables Test Results

62,047 Total Noisy Test Cases

59,734 Correctly Classified

96.27% Classification Accuracy
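The workflow the slides describe (learn CPTs from labelled flows, run inference to get a per-attack-type probability for one flow, score a full-feature and a network-only structure on noisy test data) can be shown end to end with a small Bayesian network in Python. The code below is an added example, not the project's NeticaJ or BN Power Constructor code. Its assumptions: the network structure is the naive-Bayes form (the attack-type node is the only parent of every feature node) rather than a structure learned by BN Power Constructor; numeric columns are discretised with thresholds chosen here; CPTs are smoothed counts; the training and test records are constructed in the layout of the "Feature Set Snippet" and are not rows from the KDD set; and the "network only" structure simply drops the srcB/dstB byte counters, which is this example's split, not the slides'. The test set contains an attack type absent from training, mirroring the noise in the KDD test data.

```python
# Added example: naive-Bayes-structured Bayesian network over KDD-style flows.
import math
from collections import Counter, defaultdict

# Column layout of the slides' "Feature Set Snippet" (label column excluded).
COLUMNS = ("protocol", "service", "flag", "srcB", "dstB",
           "cnt", "srvcnt", "serrrate", "rerrrate")
# Reduced structure: drops the byte counters. Which columns are "host based"
# is an assumption of this example, not the slides' split.
NETWORK_ONLY = tuple(c for c in COLUMNS if c not in ("srcB", "dstB"))


def bucket(name, value):
    """Discretise numeric columns so every node is a discrete random variable."""
    if name in ("srcB", "dstB"):
        v = int(value)
        return "zero" if v == 0 else "small" if v < 500 else "large"
    if name in ("cnt", "srvcnt"):
        v = int(value)
        return "low" if v < 20 else "mid" if v < 200 else "high"
    if name in ("serrrate", "rerrrate"):
        return "hi" if float(value) >= 0.5 else "lo"
    return value  # protocol/service/flag are already categorical


def parse(line):
    """One whitespace-separated record with a trailing 'normal.'-style label."""
    parts = line.split()
    feats = {n: bucket(n, v) for n, v in zip(COLUMNS, parts[:-1])}
    return feats, parts[-1].rstrip(".")


# Constructed records (illustrative values, not rows from the KDD set). The
# test set deliberately includes an attack type unseen in training.
TRAIN = [parse(l) for l in """
tcp http SF 235 1337 8 8 0 0 normal.
tcp http SF 219 1337 6 6 0 0 normal.
tcp smtp SF 1200 400 3 3 0 0 normal.
udp domain_u SF 45 90 2 2 0 0 normal.
icmp ecr_i SF 1032 0 511 511 0 0 smurf.
icmp ecr_i SF 1032 0 511 511 0 0 smurf.
icmp ecr_i SF 1032 0 480 480 0 0 smurf.
tcp private S0 0 0 103 1 1 0 neptune.
tcp private S0 0 0 112 10 1 0 neptune.
tcp private S0 0 0 150 12 1 0 neptune.
""".splitlines() if l.strip()]
TEST = [parse(l) for l in """
tcp http SF 300 2000 10 10 0 0 normal.
icmp ecr_i SF 1032 0 500 500 0 0 smurf.
tcp private S0 0 0 120 8 1 0 neptune.
tcp private SF 0 0 30 3 0 0 neptune.
udp private SF 28 0 50 50 0 0 teardrop.
""".splitlines() if l.strip()]


class NaiveBayesNet:
    """Attack-type node parents every feature node. CPTs are Laplace-smoothed
    counts, so a value never seen with a class keeps non-zero mass instead of
    zeroing the whole posterior (the noisy test data contains unseen traffic)."""

    def __init__(self, features, alpha=1.0):
        self.features = tuple(features)
        self.alpha = alpha
        self.prior = Counter()             # label -> count
        self.cpt = defaultdict(Counter)    # (feature, label) -> value counts
        self.values = defaultdict(set)     # feature -> values seen in training

    def fit(self, rows):
        for feats, label in rows:
            self.prior[label] += 1
            for f in self.features:
                self.cpt[(f, label)][feats[f]] += 1
                self.values[f].add(feats[f])
        return self

    def posterior(self, feats):
        """P(attack type | evidence), computed in log space then normalised."""
        total = sum(self.prior.values())
        logp = {}
        for label, n in self.prior.items():
            lp = math.log(n / total)
            for f in self.features:
                k = len(self.values[f]) + 1    # +1 reserves mass for unseen values
                c = self.cpt[(f, label)][feats[f]]
                lp += math.log((c + self.alpha) / (n + self.alpha * k))
            logp[label] = lp
        top = max(logp.values())
        z = sum(math.exp(v - top) for v in logp.values())
        return {lab: math.exp(v - top) / z for lab, v in logp.items()}

    def predict(self, feats):
        post = self.posterior(feats)
        return max(post, key=post.get)


def accuracy(model, rows):
    """Fraction correctly classified, as reported on the results slides."""
    return sum(model.predict(f) == lab for f, lab in rows) / len(rows)


FULL_MODEL = NaiveBayesNet(COLUMNS).fit(TRAIN)      # host + network columns
NET_MODEL = NaiveBayesNet(NETWORK_ONLY).fit(TRAIN)  # network columns only

if __name__ == "__main__":
    print({k: f"{p:.2E}" for k, p in FULL_MODEL.posterior(TEST[1][0]).items()})
    print(accuracy(FULL_MODEL, TEST), accuracy(NET_MODEL, TEST))
```

On these constructed rows the full structure classifies 4 of 5 test flows and the network-only structure 3 of 5: the flow with an unseen attack type is missed by both, and dropping the byte counters also loses one neptune flow whose flag is SF, a small reduction of the same shape the two results slides report. The posterior dictionary printed for the smurf flow is what the per-flow probability charts plot, one bar per attack type on a log scale.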

Page 20: Conclusion

The Bayesian Network produced very impressive results

The reduced structure only relied on network data, and only suffered from a small decrease in accuracy

Term project will extend this to incorporate a SOM variable