1. ANOMALY DETECTION
ANALYSIS AND EMULATION WITH
DETERLAB
MAJOR PROJECT 2013-14
SWATI JAIN - 10503851
PUJA AGRAWAL - 10503857
AKSHAY BANSAL - 10503878
BATCH - B11
2. PROBLEM STATEMENT
• This research-based project attempts to :
• analyze and emulate anomaly detection techniques.
• Use as Case study : low-rate (pulsating) TCP - targeted
Denial of Service attacks due to their ease of launch,
stealthy and damaging nature.
• Use DETER test-bed to emulate such attacks.
• Plans to design an extensive anomaly checkpoint detection
methodology for the same.
3. BACKGROUND STUDY
• DeterLab :
• Acronym for cyber Defense Technology Experimental
Research network lab.
• DeterLab provides an open, remotely accessible, shared
network research lab.
• Facilities include networking and computing resources, and
an expanding set of tools for using them to construct and
operate experiments.
• An emulation test-bed that allows researchers to evaluate
Internet security technologies.
4. BACKGROUND STUDY
• Changepoint Detection:
• Study of techniques to detect a change (“disorder”) in the
state of a time process, usually from “normal” to
“abnormal”.
• Time instance at which the state of the process changes is
referred to as the changepoint.
• Challenge : changepoint not known in advance.
5. NOVELTY
• This algorithm implemented on the DoS attacks (Feb, 2013), till
now, has not been tested on the case of Low - rate Denial of
Service attacks.
• We had to modify the algorithm in keeping with the case study
of the LDoS attack.
• The likelihood ratio based Shiryaev–Roberts procedure has
appealing optimality properties.
• DeterLab is used to simulate, analyze and emulate the whole
project, compared to network simulator – based analysis of
such attacks.
• This project has attempted to test the algorithm results in a real
- time scenario.
6. NEW TOOLS
• Deterlab:
• We use the resources and networking facilities provided by
DeterLab to simulate, analyze and emulate the attack. The
network topology is created in DeterLab, and the required
attack simulated on end - nodes.
• SEER :
• The SEER workbench contains a packet flooder module
which allows the user to manually introduce attack traffic
into a running experiment
7. NEW TOOLS
• PuTTY :
• PuTTY is a free and open-source terminal emulator, serial
console and network file transfer application.
• We use this software to ssh login to the users.isi.deterlab.net ,
so as to access the tcpdump (log) file of the victim's traffic.
• This way we analyze the ingress and egress traffic of the
target victim node.
• PSCP :
• PSCP is a freeware SCP (Secure CoPy) program for the
Windows command line processor.
• We use this software to secure copy from users.deterlab.net
to our local system.
8. NEW TOOLS
• Iperf :
• This tools is used to measure network performance. Iperf was
originally developed by NLANR/DAST as a modern alternative for
measuring TCP and UDP bandwidth performance.
• Iperf is a tool to measure maximum TCP bandwidth, allowing the
tuning of various parameters and UDP characteristics. Iperf
reports bandwidth and datagram loss.
• Cwnd_track :
• This tool is loosely based on tmeas(tool that records a number of
system level statistics). The purpose of the tool is pretty limited in
its current form. The main goal is to poll TCP congestion window
(Cwnd) values for a given IP. If there is no connection to the
provided IP address, the tool waits and logs nothing. Once the
connection appears, the tool logs the value along with the time
stamp.
9. NEW TOOLS
• TCPDump :
• Tcpdump, a powerful command-line packet analyzer; and
libpcap, a portable C/C++ library for network traffic
capture.
• Tcpdump prints out a description of the contents of packets
on a network interface that match the boolean expression.
It can also be run with the -w flag, which causes it to save
the packet data to a file for later analysis, and/or with the -r
flag, which causes it to read from a saved packet file rather
than to read packets from a network interface. It can also
be run with the -V flag, which causes it to read a list of
saved packet files. In all cases, only packets that match
expression will be processed by tcpdump.
10. PROPOSED ALGORITHM
• Divide traffic into groups of random observations
such that X1, X2,....., Xn, each distributed
according to a known probability density function
(pdf) f
• with pdf .
• : data changes statistical profile
at time instance v = k.
• : Null Hypothesis : No attack ever
occurs.
13. MODIFIED ALGORITHM
• There may be points, where the observed data
appears to be normal, but the detection statistic
shows it to be an anomaly, which surpasses the
threshold set for this test. This is an indication of a
false alarm, since no changepoint has been
detected in the observed data prior to this false
alarm.
• If the corresponding detection statistic graph shows
a peak after the checkpoint, which surpasses the
threshold, it confirms the presence of an anomaly in
the network flow. This time of detection, it calls as
the Detection Point.
26. CURRENT/OPEN PROBLEMS
• Detection delay time : To detect changes in the
statistical profile of network traffic as rapidly as
possible, while maintaining a tolerable level of the
risk of making a false detection.
• Our aim is to detect that the observations’ common
distribution has changed. The challenge is to do so
with as few observations as possible following the
changepoint.
27. CURRENT/OPEN PROBLEMS
• For a successful sequential analysis of anomalies in
a network traffic sample, we must :
• minimize the detection time given fixed false alarm and
misdetection rates
• balance the tradeoff between these three quantities (false
alarm, misdetection rate, detection time) effectively.
28. REFERENCES
1. Chertov ,R. Fahmy, S. Shroff, N. B. and Purdue University, Fidelity of Network
Simulation and Emulation: A Case Study of TCP - Targeted Denial of Service
Attacks, Journal ACM Transactions on Modeling and Computer Simulation
Volume 19 Issue 1 Article No. 4, December 2008.
2. Tartakovsky,A.G. Senior Member, IEEE, Polunchenko, A.S and Sokolov. G.
Efficient Computer Network Anomaly Detection by Changepoint Detection
Methods, IEEE journal of selected topics in signal processing, vol. 7, no. 1,
2013.
3. Chertov ,R. Fahmy, S. Shroff, N. B. High Fidelity Denial of Service (DoS)
Experimentation, Proceedings of the DETER Community Workshop on Cyber
Security Experimentation, 2006.
4. Tan, Z. Jamdagni, A. He, X. Nanda, P. and Liu, R.P. Triangle-Area-Based
Multivariate Correlation Analysis for Effective Denial-of-Service Attack
Detection, IEEE 11th International Conference on Trust, Security and Privacy
in Computing and Communications ISBN: 978-0-7695-4745-9, 2012.
5. Tamilarasan,A. Mukkamala, S. and Sung, A.H. Yendrapalli, K. Feature Ranking
and Selection for Intrusion Detection Using Artificial Neural Networks and
Statistical Methods, Proceeding CCNC'09 Proceedings of the 6th IEEE
Conference on Consumer Communications and Networking Conference
Pages 1066-1073 ISBN: 978-1-4244-2308-8, 2006.
29. REFERENCES
6. Mathew, R. and Katkar,V. Survey of Low Rate DoS Attack Detection
Mechanisms, ICWET '11 Proceedings of the International Conference &
Workshop on Emerging Trends in Technology Pages 955-958 ISBN: 978-1-4503-
0449-8, 2011.
7. Kuzmanovic, A. and Knightly, E.W. Senior Member, IEEE, Low-Rate TCP-
Targeted Denial of Service Attacks and Counter Strategies, IEEE/ACM
TRANSACTIONS ON NETWORKING, VOL. 14, NO. 4, 2006.
8. Ektefa, M. Memar, S. and Sidi, F. Affendey, L. S. Intrusion Detection Using
Data Mining Techniques , Information Retrieval & Knowledge Management,
(CAMP), 2010 International Conference on 17-18 March 2010 Page(s):200 –
203 Print ISBN: 978-1-4244-5650-5, 2010.
9. Liu, Z. and Guan, L. Attack simulation and signature extraction of low-rate
DoS , Intelligent Information Technology and Security Informatics (IITSI), 2010
Third International Symposium on 2-4 April 2010 Page(s):544 – 548 Print ISBN:
978-1-4244-6730-3, 2010.
10. Efstathopoulos, P. Practical Study of a Defense Against Low-Rate TCP-
Targeted DoS Attack, Internet Technology and Secured Transactions, 2009.
ICITST 2009. International Conference form 9-12 Nov. 2009 Page(s):1 – 6 Print
ISBN:978-1-4244-5647-5, 2009.
30. REFERENCES
11. Thatte, G. Mitra, U. and Heidemann, J. Detection of Low-Rate Attacks in
Computer Networks, INFOCOM Workshops 2008, IEEE from 13-18 April 2008
Page(s): 1 – 6 Print ISBN:978-1-4244-2219-7 , 2008.
12. TSUNODA, H. KARA, A. Waizumi, Y. Ansari N. and NEMOTO, Y. Detecting
Pulsing Denial-of-Service Attacks Based on the Bandwidth Usage Condition,
Communications, 2008. ICC '08. IEEE International Conference on 19-23 May
2008 Page(s):1670 – 1674 Print ISBN 978-1-4244-2075-9, 2008.
13. Yu, Y. A Survey of anomaly intrusion detection techniques, Journal of
Computing Sciences in Colleges archive Volume 28 Issue 1, October 2012
Pages 9-17, 2012.
14. Mathew, R. and Katkar, V. Survey of Low Rate DoS Attack Detection
Mechanisms, ICWET '11 Proceedings of the International Conference &
Workshop on Emerging Trends in Technology Pages 955-958 ISBN: 978-1-
4503-0449-8, 2011.
