Deep Network Defence
Network intrusion detection systems (NIDs), which detect malicious activities in networks, are considered a key layer of defence in modern network security infrastructures. Many techniques have been proposed and implemented to detect network intrusions; however, the number of alerts generated by current NIDs is overwhelmingly large. For example, NIDs employing a misuse detection technique cannot detect unknown attacks. On the other hand, those using an anomaly detection technique may miss intrusions by stealthy attacks. Both of these give rise to false negatives. In addition, many of the alerts do not correspond to real malicious activities, resulting in false positives. Together, these place unmanageable operational burdens on security analysts.
In this project, we adopt a three-layer approach to reducing alerts (Figure 1).
Figure 1: Three-layer approach to NID using flow and traffic pattern anomaly detection and alert correlation.
Firstly, we develop a more robust anomaly detection technique at the data layer. This includes analysing individual network traffic flows and flow patterns across a network. Secondly, we develop an alert correlation technique that filters out alerts which are false positives by considering the context in which they are detected.
In the first stage, normal network traffic flows are clustered by modelling them as a mixture of Gaussians. This enables us to develop a model of normal flows. Following training, the probability of each new flow under that model is estimated, and if the probability is below a threshold the flow is deemed to be anomalous. Figure 2 shows the model of the normal flows (in green) learnt by the clustering algorithm. Close inspection shows that the mixture components are required to model the normal distribution. In addition, you can see that the distribution is complicated and non-linear in shape. The distributions of the flow vectors associated with nine different attack types are shown in red. For some attack types, the features cluster in areas that do not overlap with the normal model. However, for other attack types, the clusters are not so well defined and there can be significant overlap between the attack distribution and the normal model.
Figure 2: Feature space showing ten component mixture model of the normal flows learnt by the clustering algorithm in green. Also, shown are the feature vector distributions of the nine different attack types (in red).
Figure 3 shows results obtained with all nine attacks and four of the attacks for which best performance was obtained. Analysis shows that the performance for the reduced set of four attacks is superior. This is to be expected as the overlap between these attack distributions and the normal model is reduced compared to the remaining five attacks.
Figure 3: Plots of accuracy, precision, recall and F1 score for all nine attacks and four attacks.
In the second stage (Figure 4), flows across a network during a time interval are used to construct a bipartite graph whose nodes are IP addresses and whose edges represent the total number of packets that have flowed between the hosts during that time interval. The adjacency matrix of that graph is then constructed, where each matrix element represents the total number of packets between hosts. The columns of the matrix are then used to train a deep learning autoencoder to learn a sparse representation of the matrix at the hidden layer of the autoencoder. This sparse representation is analogous in some ways to the SVD of the matrix. The hidden layer is then used to reconstruct the adjacency matrix. The error between the original and reconstructed matrices is then assumed to be an indication of how anomalous the flow was for that time period.
Figure 4: NIDs using autoencoder to learn graph representations for anomaly detection.
In the final stage, alerts generated by NIDs and other security sensors are correlated by evidential reasoning networks. These can be used to tackle the alert correlation problem based on the application of reasoning and fusion of evidence under uncertainty by Dempster-Shafer (DS) theory. Our proposed method treats security status detection in an IT system as an inference process. Relations between alerts, attack actions and security states are formally modelled by evidential networks on the basis of DS theory. Inference takes place in an evidential network through various evidential operations. In this way, our method models not only uncertain sensor evidence but also the relation heuristics of connecting alert observations to attack actions and security status.
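The following is an added illustration of two basic evidential operations from DS theory, reliability discounting and Dempster's rule of combination, applied to alerts about one host. It is not the project's evidential network: the frame of discernment, sensor names, mass values and reliabilities are all constructed assumptions.

```python
from fractions import Fraction as F
from itertools import product

# Constructed frame of discernment for one host's security state (assumption).
FRAME = frozenset({"scan", "exploit", "benign"})
ATTACK = frozenset({"scan", "exploit"})

def discount(m, reliability):
    """Shafer discounting: shift (1 - reliability) of the mass onto the whole frame."""
    out = {A: reliability * v for A, v in m.items() if A != FRAME}
    out[FRAME] = 1 - reliability + reliability * m.get(FRAME, 0)
    return out

def combine(m1, m2):
    """Dempster's rule: multiply masses, intersect focal sets, renormalise by 1 - conflict."""
    joint, conflict = {}, F(0)
    for (A, a), (B, b) in product(m1.items(), m2.items()):
        C = A & B
        if C:
            joint[C] = joint.get(C, 0) + a * b
        else:
            conflict += a * b          # mass assigned to contradictory hypotheses
    if conflict == 1:
        raise ValueError("totally conflicting evidence cannot be combined")
    return {C: v / (1 - conflict) for C, v in joint.items()}, conflict

def belief(m, H):
    """Mass that necessarily supports H (focal sets contained in H)."""
    return sum(v for A, v in m.items() if A <= H)

def plausibility(m, H):
    """Mass that does not contradict H (focal sets intersecting H)."""
    return sum(v for A, v in m.items() if A & H)

# Constructed alerts: (sensor, mass function, assumed sensor reliability).
ALERTS = [
    ("signature NIDS", {frozenset({"exploit"}): F(4, 5), FRAME: F(1, 5)}, F(1, 2)),
    ("flow anomaly", {ATTACK: F(3, 5), FRAME: F(2, 5)}, F(5, 6)),
    ("host log", {frozenset({"benign"}): F(1, 2), FRAME: F(1, 2)}, F(1)),
]

def fuse(alerts):
    """Discount each alert by its sensor's reliability, then combine them in order."""
    fused, conflicts = {FRAME: F(1)}, []   # start from the vacuous (no evidence) mass
    for _, m, r in alerts:
        fused, k = combine(fused, discount(m, r))
        conflicts.append(k)
    return fused, conflicts

if __name__ == "__main__":
    fused, conflicts = fuse(ALERTS)
    print("conflict per step:", conflicts)
    print("Bel(attack) =", belief(fused, ATTACK), "Pl(attack) =", plausibility(fused, ATTACK))
```

The gap between belief and plausibility is the uncertainty left after fusion, and a high conflict value at a step flags sensors that disagree and may warrant analyst review rather than automatic filtering.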
Papers
Jia, G., Miller, P., Kalutarage, H., Hong, X., Ban, T. Anomaly Detection in Network Traffic Using Dynamic Graph Mining with a Sparse Autoencoder. Proceedings of the 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom), 2019.