Anomaly Alarm Filters Using Wavelets
Abstract
Different anomaly-based methodologies are used in Network Intrusion Detection Systems, and recently techniques based on signal analysis have been widely applied with good results. The remaining problem with these techniques is the large number of false positives. This work proposes an approach that uses the wavelet transform to reduce the false alarms generated by an intrusion detector. Attacks are detected by an intrusion detector based on time series, and the false alarms are corrected by filtering the alarm signal with wavelets. A set of network descriptors was selected from the raw traffic to form the network signals. The proposed approach was tested on the DARPA 99 data set and yielded an attack detection rate 22% better while reducing the number of false positives by 87%, thus making the detector's results more reliable.
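The filtering stage the abstract describes, as an added illustration that is not the paper's code: a Haar wavelet decomposition of a constructed anomaly-score series, soft thresholding of the detail coefficients (with the Donoho-Johnstone universal threshold available as a helper) and reconstruction, showing that an isolated one-sample alarm is attenuated below the decision threshold while a sustained burst survives. The Haar basis, two decomposition levels, the score series and both thresholds are assumptions of this example, not choices stated on the page.

```python
import math

SQRT2 = math.sqrt(2)

def haar_dwt(x):
    """One Haar level -> (approximation, detail); odd length is padded by repeating the last sample."""
    if len(x) % 2:
        x = x + [x[-1]]
    approx = [(x[i] + x[i + 1]) / SQRT2 for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) / SQRT2 for i in range(0, len(x), 2)]
    return approx, detail

def haar_idwt(approx, detail):
    """Inverse of haar_dwt; exact when the coefficients were not modified."""
    out = []
    for a, d in zip(approx, detail):
        out += [(a + d) / SQRT2, (a - d) / SQRT2]
    return out

def soft_threshold(coeffs, thr):
    """Donoho-Johnstone soft thresholding: shrink every coefficient toward zero by thr."""
    return [math.copysign(max(abs(c) - thr, 0.0), c) for c in coeffs]

def universal_threshold(signal):
    """sigma * sqrt(2 ln n), with sigma estimated as MAD of the finest detail coefficients / 0.6745."""
    _, detail = haar_dwt(list(signal))
    mad = sorted(abs(d) for d in detail)[len(detail) // 2]
    return (mad / 0.6745) * math.sqrt(2 * math.log(len(signal)))

def wavelet_filter(signal, thr=None, levels=2):
    """Decompose, soft-threshold every detail level, reconstruct. thr=None uses the universal threshold."""
    n = len(signal)
    if thr is None:
        thr = universal_threshold(signal)
    approx, details = list(signal), []
    for _ in range(levels):
        approx, d = haar_dwt(approx)
        details.append(soft_threshold(d, thr))
    for d in reversed(details):          # rebuild from the coarsest level up
        approx = haar_idwt(approx, d)
    return approx[:n]

def alarms(series, decision):
    """Indices the detector flags: anomaly score above the decision threshold."""
    return [i for i, v in enumerate(series) if v > decision]

# Constructed anomaly-score series (not DARPA 99 data): baseline 1, an isolated
# one-sample spike at index 5 and a sustained four-sample burst at indices 10..13.
SCORES = [1, 1, 1, 1, 1, 8, 1, 1, 1, 1, 8, 8, 8, 8, 1, 1]
DECISION = 4.0

if __name__ == "__main__":
    print("raw alarms:", alarms(SCORES, DECISION))
    # the constructed series has no background jitter, so the MAD estimate would be 0; a fixed thr is used
    print("after wavelet filter:", alarms(wavelet_filter(SCORES, thr=4.0), DECISION))
```

On the constructed series the raw detector flags indices 5 and 10..13; after filtering only the sustained burst remains above the decision threshold. On real traffic the threshold would normally come from `universal_threshold`, which needs background noise in the finest detail coefficients to estimate sigma.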
Published
28/09/2009
How to cite
DALMAZO, Bruno Lopes; PERLIN, Tiago; NUNES, Raul Ceretta; KOZAKEVICIUS, Alice de Jesus. Filtros de alarmes de anomalias através de Wavelets. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 9., 2009, Campinas. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2009. p. 85-98. DOI: https://doi.org/10.5753/sbseg.2009.20625.