Intrusion Detection Using Time Series Analysis with ARMAX/GARCH Models

  • Igor Forain IPT
  • Adilson E. Guelfi IPT / USP
  • Elvis Pontes USP
  • Anderson Silva USP

Abstract

The aim of this work is to propose a method for anomaly-based intrusion detection in network packet traffic, applying autoregressive moving-average models with exogenous inputs (Autoregressive Moving Average Exogenous - ARMAX) and generalized autoregressive conditional heteroskedasticity (GARCH) models. Experimentally, using the traffic datasets made available by DARPA (1999), in the analysis of synflood denial-of-service attacks and network-scanning behaviour carried out with TCP SYN packets, the method proposed in this work achieved an intrusion detection probability close to 100% and a false-positive rate below 5%.
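As an added illustration (not code from the paper), the Python sketch below shows the residual-based detection idea the abstract describes: an AR(1) mean equation fitted by least squares stands in for the ARMAX model (the exogenous and moving-average terms are omitted), and a GARCH(1,1) recursion with assumed fixed coefficients alpha and beta supplies the time-varying threshold. The per-second SYN-count series, the flood interval and the training split are all constructed here, not taken from the DARPA data.

```python
# Added example, not the paper's code: AR(1) mean equation + GARCH(1,1) variance
# recursion (alpha, beta assumed fixed) over a constructed per-second SYN count series.
import math
import random

def fit_ar1(train):
    """Least-squares fit of x_t = c + phi*x_{t-1} on attack-free training data."""
    xs, ys = train[:-1], train[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    phi = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    c = my - phi * mx
    return c, phi, sum((y - c - phi * x) ** 2 for x, y in zip(xs, ys)) / n

def detect(series, train_len, k=3.0, alpha=0.1, beta=0.8):
    """Flag second t when |e_t| > k*sigma_t, with e_t the one-step AR(1) residual and
    sigma_t^2 = omega + alpha*e_{t-1}^2 + beta*sigma_{t-1}^2. A flagged observation is
    replaced by its forecast as the next lag and kept out of the variance recursion."""
    c, phi, var0 = fit_ar1(series[:train_len])
    omega = var0 * (1 - alpha - beta)  # unconditional variance equals training variance
    flags, sigma2, prev_e, lag = [False] * len(series), var0, 0.0, series[train_len - 1]
    for t in range(train_len, len(series)):
        pred = c + phi * lag
        sigma2 = omega + alpha * prev_e ** 2 + beta * sigma2
        e = series[t] - pred
        if abs(e) > k * math.sqrt(sigma2):
            flags[t] = True
            lag, prev_e = pred, 0.0  # do not let a sustained flood become the new normal
        else:
            lag, prev_e = series[t], e
    return flags

def evaluate(flags, attack, start):
    """Detection probability over attack seconds; false-positive rate over normal ones."""
    idx = range(start, len(flags))
    hits = sum(1 for t in idx if attack[t] and flags[t])
    fps = sum(1 for t in idx if not attack[t] and flags[t])
    n_att = sum(1 for t in idx if attack[t])
    return hits / n_att, fps / (len(idx) - n_att)

def constructed_syn_counts(seed=7, n=600, flood=(400, 460), rate=150):
    """Constructed data: AR(1) background around 20 SYN/s plus a synflood burst."""
    rng, xs, attack, x = random.Random(seed), [], [], 20.0
    for t in range(n):
        x = 20 + 0.6 * (x - 20) + rng.gauss(0, 3)
        in_flood = flood[0] <= t < flood[1]
        xs.append(max(0.0, x + (rate if in_flood else 0)))
        attack.append(in_flood)
    return xs, attack
```

Calling `evaluate(detect(xs, 300), attack, 300)` on the constructed series trains on the first 300 attack-free seconds and scores the remaining 300, reporting detection probability and false-positive rate in the same terms the abstract uses.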

References

Anstee, D., Bussiere, D. and Sockride, G. (2012) “Worldwide Infrastructure Security Report”, Volume VII, Arbor Networks, 2012.

Axelsson, S. (2000) “Intrusion Detection Systems: A Survey and Taxonomy”. Dept. of Computer Engineering, Chalmers University of Technology, Sweden, 2000. 27p.

DARPA (1999) “1999 DARPA Intrusion Detection Evaluation Data Set”. MIT Lincoln Laboratory, 1999.

Divakaran, D., Murthy, H. and Gonsalves, T. (2006) “Detection of SYN flooding attacks using linear prediction analysis”. In: IEEE International Conference on Networks, 14., 2006, Singapore, p. 1-6.

Enders, W. (2009) “Applied Econometric Time Series”. 3. ed. [S.l.]: Wiley, 2009. 544p.

Erickson, T. J. (2008) “Digital Signal Processing Leveraged for Intrusion Detection”. Master's thesis, Air Force Institute of Technology, Air University, Ohio, USA, 2008. 91p.

He, D., Sun, Z. and Zhou, B. (2005) “An ARMAX/GARCH time series model for IP Traffic Trace”. In: ITC 19, Beijing, China, August 2005.

James, C. and Murthy, H. (2011) “Time Series Models and its Relevance to Modeling TCP SYN Based DoS Attacks”. In: Conference on Next Generation Internet, 7., 2011, Kaiserslautern, Germany, p. 1-8.

Kabiri, P. and Ghorbani, A. A. (2005) “Research on Intrusion Detection and Response: A Survey”. International Journal of Network Security, v. 1, n. 2, p. 84-102, 2005.

Kai, H., Zhengwei, Q. and Bo, L. (2009) “Network Anomaly Detection Based on Statistical Approach and Time Series Analysis”. In: IEEE International Conference on Advanced Information Networking and Applications Workshops, 23., 2009, Bradford, United Kingdom, p. 205-211.

Kirchgässner, G. and Wolters, J. (2008) “Introduction to Modern Time Series Analysis”. [S.l.]: Springer, 2008. 284p.

Lu, W. and Ghorbani, A. A. (2009) “Network Anomaly Detection Based on Wavelet Analysis”. EURASIP Journal on Advances in Signal Processing, NY, USA, v. 1, n. 4, p. 1-16, 2009.

McHugh, J. (2000) “Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory”. ACM Transactions on Information and System Security, v. 3, n. 4, p. 262-294, November 2000.

Moore, D., Shannon, C., Brown, D. J., Voelker, G. M. and Savage, S. (2006) “Inferring Internet Denial-of-Service Activity”. ACM Transactions on Computer Systems, v. 24, n. 2, p. 115-139, 2006.

Morettin, P. A. and Toloi, C. M. C. (2006) “Análise de Séries Temporais”. 2. ed. [S.l.]: Blucher, 2006. 544p.

Nazario, J. (2009) “Politically motivated denial of service attacks”. In: The Virtual Battlefield: Perspectives on Cyber Warfare, p. 163-181.

Ranjan, N., Murthy, H. A. and Gonsalves, T. A. (2010) “Detection of SYN flooding attacks using generalized autoregressive conditional heteroskedasticity (GARCH) modeling technique”. In: National Conference on Communications, 16., 2010, IIT Madras, India, p. 1-5.

Saleem, M. and Hassan, J. (2009) “Cyber warfare, the truth in a real case”. Project Report for Information Security Course, Linköping Universitetet, Sweden, 2009. 7p.

Shiravi, A., Shiravi, H., Tavallaee, M. and Ghorbani, A. A. (2012) “Toward developing a systematic approach to generate benchmark datasets for intrusion detection”. Computers & Security, v. 31, n. 3, p. 357-374, May 2012. ISSN 0167-4048. DOI: 10.1016/j.cose.2011.12.012.

Siris, V. and Papagalou, F. (2006) “Application of anomaly detection algorithms for detecting SYN flooding attacks”. Computer Communications, Amsterdam, v. 29, n. 6, p. 1433-1442, May 2006.

Sperotto, A., Sadre, R., Boer, P.-T. and Pras, A. (2009) “Hidden Markov Model Modeling of SSH Brute-force Attacks”. In: International Workshop on Distributed Systems: Operations and Management, 9., 2009, Venice, Italy, LNCS v. 5841, p. 164-176.

Sperotto, A., Sadre, R. and Pras, A. (2008) “Anomaly Characterization in Flow-Based Traffic Time Series”. In: IEEE International Workshop on IP Operations and Management, 8., 2008, Samos, Greece, p. 15-27.

Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A. and Stiller, B. (2010) “An Overview of IP Flow-based Intrusion Detection”. IEEE Communications Surveys & Tutorials, v. 12, n. 3, p. 343-356, 2010.

Thomas, C., Sharma, V. and Balakrishnan, N. (2008) “Usefulness of DARPA dataset for intrusion detection system evaluation”. In: SPIE Defense and Security Symposium, 2008, p. 69730G. International Society for Optics and Photonics.

Thottan, M., Liu, G. and Ji, C. (2010) “Anomaly Detection Approaches for Communication Networks”. In: Algorithms for Next Generation Networks. [S.l.]: Springer, 2010. p. 239-261.

Zhou, B., He, D. and Sun, Z. (2006) “Traffic modeling and prediction using ARIMA/GARCH model”. In: Modeling and Simulation Tools for Emerging Telecommunication Networks. [S.l.]: Springer, 2006. p. 101-121.

Zhou, M. and Lang, S.-D. (2003) “A Frequency-Based Approach to Intrusion Detection”. Systemics, Cybernetics and Informatics, v. 2, n. 3, p. 52-56, 2003.
Published

11/11/2013

How to cite

FORAIN, Igor; GUELFI, Adilson E.; PONTES, Elvis; SILVA, Anderson. Detecção de Intrusão Utilizando Análise de Séries Temporais com Modelos ARMAX/GARCH. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 13., 2013, Manaus. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2013. p. 100-113. DOI: https://doi.org/10.5753/sbseg.2013.19539.