End-to-end approach for using machine learning in IDS – The case of stateless detection of TCP Scan

  • Gustavo de Carvalho Bertoli (ITA)
  • Lourenço A. Pereira (ITA)
  • Filipe Verri (ITA)
  • Cesar Marcondes (ITA)
  • Aldri L. Santos (UFPR)
  • Osamu Saotome (ITA)

Abstract

The recent evolution of networks has driven an increase in cyber attacks. Considering the chain of an attack, it starts from the reconnaissance phase, in which hosts are probed for active services through scans, with TCP still being the most used transport protocol. This work proposes an approach to identify attacks in this initial phase, and thus stop or compromise their accomplishment. The approach uses isolated (stateless) inspection of packets against a set of deterministic rules obtained by machine learning. It works as an intrusion detection system (IDS) that achieved an f1-score of 0.96 for detection of TCP scans when treated as a data-analysis problem alone, and 82% accuracy when assessed in an end-to-end approach.
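As an added illustration of the approach the abstract describes (this is not the paper's code or dataset): a tiny decision-tree learner extracts a deterministic rule from constructed, labelled TCP header features; the rule is then applied to each packet in isolation, with no connection state, and scored with the f1 metric the abstract reports. The feature set, the sample packets and the tree depth are assumptions made for the example.

```python
import math
from collections import Counter
# Constructed labelled packet headers (not the paper's dataset); every feature is
# stateless, i.e. readable from one TCP header without tracking the connection.
FEATURES = ["syn", "ack", "fin", "psh", "urg", "has_payload"]
TRAIN = [  # (feature vector, label): 1 = scan probe, 0 = benign
    ((1, 0, 0, 0, 0, 0), 1), ((1, 0, 0, 0, 0, 0), 1), ((0, 0, 1, 0, 0, 0), 1),
    ((0, 0, 0, 0, 0, 0), 1), ((0, 0, 1, 1, 1, 0), 1), ((1, 0, 0, 0, 0, 0), 1),
    ((1, 0, 0, 0, 0, 0), 0), ((1, 1, 0, 0, 0, 0), 0), ((0, 1, 0, 0, 0, 0), 0),
    ((0, 1, 0, 1, 0, 1), 0), ((0, 1, 0, 1, 0, 1), 0), ((0, 1, 1, 0, 0, 0), 0),
    ((0, 1, 0, 0, 0, 0), 0), ((0, 1, 0, 1, 0, 1), 0), ((1, 1, 0, 0, 0, 0), 0),
]

def entropy(rows):
    n = len(rows)
    return -sum(c / n * math.log2(c / n) for c in Counter(y for _, y in rows).values())

def partition(rows, i):  # rows with feature i == 0, rows with feature i == 1
    return [[r for r in rows if r[0][i] == v] for v in (0, 1)]

def split_cost(rows, i):  # weighted entropy after the split; lower is better
    return sum(len(p) / len(rows) * entropy(p) for p in partition(rows, i) if p)

def learn_tree(rows, depth=2):
    """Tiny ID3-style learner: ('leaf', label) or ('split', i, subtree_if_0, subtree_if_1)."""
    majority = Counter(y for _, y in rows).most_common(1)[0][0]
    if depth == 0 or entropy(rows) == 0:
        return ("leaf", majority)
    best = min(range(len(FEATURES)), key=lambda i: split_cost(rows, i))
    zero, one = partition(rows, best)
    if not zero or not one:
        return ("leaf", majority)
    left, right = learn_tree(zero, depth - 1), learn_tree(one, depth - 1)
    return left if left == right else ("split", best, left, right)  # prune useless splits

def rules(tree, path=()):  # flatten the tree into deterministic if/then rules
    if tree[0] == "leaf":
        return [(path, tree[1])]
    _, i, zero, one = tree
    return rules(zero, path + ((FEATURES[i], 0),)) + rules(one, path + ((FEATURES[i], 1),))

def classify(tree, x):  # stateless verdict: only this packet's own header bits are used
    while tree[0] == "split":
        tree = tree[3] if x[tree[1]] else tree[2]
    return tree[1]

def f1_score(tree, rows):
    tp = sum(1 for x, y in rows if y == 1 and classify(tree, x) == 1)
    fp = sum(1 for x, y in rows if y == 0 and classify(tree, x) == 1)
    fn = sum(1 for x, y in rows if y == 1 and classify(tree, x) == 0)
    return 2 * tp / (2 * tp + fp + fn)
```

On this constructed sample the learned rule is simply "ACK clear means probe", and the one benign SYN that looks identical to a scan SYN is the false positive that caps the f1 below 1; this is the kind of ambiguity a stateless rule cannot resolve, which is why per-packet scores differ from end-to-end ones.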

Published

2020-10-13

BERTOLI, Gustavo de Carvalho; PEREIRA, Lourenço A.; VERRI, Filipe; MARCONDES, Cesar; SANTOS, Aldri L.; SAOTOME, Osamu. Abordagem fim-a-fim para uso de aprendizado de máquina em IDS – Caso de detecção stateless para TCP Scan. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 20., 2020, Petrópolis. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 271-284. DOI: https://doi.org/10.5753/sbseg.2020.19243.
