Using Bayesian Networks for Detecting Network Anomalies - PowerPoint PPT Presentation
1
Using Bayesian Networks for Detecting Network
Anomalies
  • Lane Thames
  • ECE 8833 Intelligent Systems

2
Goals for this Project
  • To see how well a Bayesian Learning Network
    performs at predicting attacks within a computer
    network
  • How do the predictions change when using pure
    network data versus a combination of network and
    host data

3
Common Types of Attacks
  • Buffer Overflow Attacks
  • Redirect program control flow, causing the
    computer to execute carefully injected malicious
    code
  • The injected code can be crafted to elevate a
    user's privileges by obtaining super user (root)
    privileges

4
Common Types of Attacks
  • Denial of Service
  • Exhaust a computer's resources: TCP SYN Flooding
    Attack
  • Consume a computer's available networking
    bandwidth: ICMP Smurf Attack

5
Data Sets
  • UCI Knowledge Discovery in Databases (KDD)
    archive
  • KDD Cup 1999 for Intrusion Detection Database
  • A subset of data generated by MIT Lincoln Labs
    that simulated a military networking environment
    (4 weeks at 22 hrs/day of data)

6
Data Sets
  • Contained data for training and separate, labeled
    data for testing
  • The test data was noisy: it included attack
    types that were not present in the training data

7
Data Sets
  • 22 total attack types were generated and were
    interlaced with normal traffic flows
  • Types of Attacks within the data
  • Denial of Service
  • Unauthorized remote access
  • Local user to super user access
  • Probing: reconnaissance and network mapping

8
Data Sets
  • 41 Features that could be used as Random
    Variables within a Bayesian Network
  • Host Based Features
  • Network Based Features

9
Feature Set Snippet
10
Tool Boxes Used for the Project
  • BN Power Constructor
  • Developed by J. Cheng at the University of
    Alberta in Canada
  • Tool for generating possible network structures
    given a set of training data
  • Exports the structure in DNE Bayesian network
    file format

11
Tool Boxes Used for the Project
  • NeticaJ by Norsys
  • Java based development library
  • Used to build the Bayesian network codebase for
    this project
  • Imports structure in DNE file format
  • Contains functions for doing inference and
    learning CPTs given a set of training data

12
Implementation
  • 2 types of structures used
  • Combination of network and host based features
  • Only network based features

13
Host/Network Structure
14
Host/Network Test Results
  • Using the Noisy Test Data
  • 65,505 Total Test Cases
  • 65,019 Correctly Classified
  • 99.26% Classification Accuracy

15
Probabilities for a Single Flow
16
Probabilities for a Smurf Flow
17
Time Series of Normal Probabilities
18
Network Features Structure
19
Network Variables Test Results
  • 62,047 Total Noisy Test Cases
  • 59,734 Correctly Classified
  • 96.27% Classification Accuracy
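The two experiments above (slides 12 to 19) can be reproduced in miniature with a discrete Bayesian network whose CPTs are learned by counting and whose class node is queried per flow. The following is an added example written for this page; it is not the project's NeticaJ / BN PowerConstructor code. The structure is hand-written rather than learned, the training and test flows are constructed inline from KDD'99-style fields, and the split of KDD column names into "host" (content) and "network" (basic/traffic) features is an assumption. It shows the per-flow posterior of slides 15 and 16, the P(normal) time series of slide 17, and why dropping the host features costs accuracy on an attack that looks benign on the wire.

```python
"""Discrete Bayesian-network flow classifier over KDD Cup 1999-style records.

Added example, not the project's NeticaJ / BN PowerConstructor code.  The
structure is hand-written rather than learned, the flows are constructed
inline, and the host/network split of the KDD column names is an assumption.
"""
import math
from collections import Counter, defaultdict

LABEL = "label"
# Assumed split: KDD basic/traffic features as "network", content features as "host".
NETWORK_FEATURES = ["protocol_type", "service", "flag", "src_bytes", "count", "serror_rate"]
HOST_FEATURES = ["logged_in", "root_shell", "num_shells"]


def discretize(rec):
    """Bin the continuous KDD fields so every node is a discrete variable."""
    out = dict(rec)
    sb = rec["src_bytes"]
    out["src_bytes"] = "zero" if sb == 0 else ("small" if sb < 1000 else "large")
    out["count"] = "low" if rec["count"] < 100 else "high"
    out["serror_rate"] = "low" if rec["serror_rate"] < 0.5 else "high"
    return out


def build_structure(features):
    """label -> every feature, plus two hand-picked feature-to-feature edges
    (standing in for the structure BN PowerConstructor would learn)."""
    parents = {LABEL: []}
    for f in features:
        parents[f] = [LABEL]
    if {"count", "protocol_type"} <= set(features):
        parents["count"] = [LABEL, "protocol_type"]
    if {"serror_rate", "flag"} <= set(features):
        parents["serror_rate"] = [LABEL, "flag"]
    return parents


class DiscreteBN:
    """CPTs learned by counting with add-alpha smoothing; inference by
    enumerating the class node with every feature node observed."""

    def __init__(self, parents, alpha=1.0):
        self.parents, self.alpha = parents, alpha
        self.counts = {n: defaultdict(Counter) for n in parents}
        self.values = defaultdict(set)

    def fit(self, records):
        for r in records:
            for node, ps in self.parents.items():
                self.counts[node][tuple(r[p] for p in ps)][r[node]] += 1
                self.values[node].add(r[node])
        return self

    def cpt(self, node, parent_vals, value):
        """P(node=value | parents); an unseen parent combination or value gets
        a smoothed, non-zero probability so one novel field cannot zero a flow."""
        c = self.counts[node][parent_vals]
        return (c[value] + self.alpha) / (sum(c.values()) + self.alpha * len(self.values[node]))

    def posterior(self, rec):
        """P(label | all observed features), computed in log space."""
        logp = {}
        for lab in self.values[LABEL]:
            full = {**rec, LABEL: lab}
            logp[lab] = sum(math.log(self.cpt(n, tuple(full[p] for p in ps), full[n]))
                            for n, ps in self.parents.items())
        m = max(logp.values())
        z = sum(math.exp(v - m) for v in logp.values())
        return {lab: math.exp(v - m) / z for lab, v in logp.items()}


def flow(label, **fields):
    """Constructed KDD-style record; the defaults describe a benign HTTP session."""
    rec = dict(protocol_type="tcp", service="http", flag="SF", src_bytes=300, count=5,
               serror_rate=0.0, logged_in=1, root_shell=0, num_shells=0, label=label)
    rec.update(fields)
    return rec


# Constructed training data (not KDD records): benign sessions, two DoS types, one U2R type.
TRAIN = (
    [flow("normal", src_bytes=200 + 20 * i, count=1 + i % 10) for i in range(20)]
    + [flow("normal", service="smtp", src_bytes=500, count=2)] * 5
    + [flow("normal", service="telnet", src_bytes=400, count=2)] * 5
    # smurf: ICMP echo replies (ecr_i) from many hosts, count saturated at 511
    + [flow("smurf", protocol_type="icmp", service="ecr_i", src_bytes=1032, count=511, logged_in=0)] * 10
    # neptune: SYN flood, handshakes never complete (flag S0, serror_rate 1.0)
    + [flow("neptune", service="private", flag="S0", src_bytes=0, count=200, serror_rate=1.0, logged_in=0)] * 10
    # buffer_overflow: indistinguishable from a telnet session on the wire; only host fields differ
    + [flow("buffer_overflow", service="telnet", src_bytes=800, count=1, root_shell=1, num_shells=1)] * 3
)
# Constructed test data; "pod" never appears in TRAIN, mirroring the noisy KDD test set.
TEST = (
    [flow("normal", src_bytes=300, count=4)] * 5
    + [flow("smurf", protocol_type="icmp", service="ecr_i", src_bytes=1032, count=511, logged_in=0)] * 3
    + [flow("neptune", service="private", flag="S0", src_bytes=0, count=200, serror_rate=1.0, logged_in=0)] * 3
    + [flow("buffer_overflow", service="telnet", src_bytes=700, count=1, root_shell=1, num_shells=1)]
    + [flow("pod", protocol_type="icmp", service="ecr_i", src_bytes=1480, count=3, logged_in=0)] * 2
)


def train(features, records=TRAIN):
    return DiscreteBN(build_structure(features)).fit(discretize(r) for r in records)


def classify(bn, rec):
    """Most probable label; anything other than 'normal' is an alert."""
    post = bn.posterior(discretize(rec))
    return max(post, key=post.get)


def accuracy(bn, records=TEST):
    """Attack-vs-normal accuracy (assumed scoring): a novel attack type counts
    as correct as long as it is not classified as normal."""
    hits = sum((classify(bn, r) == "normal") == (r[LABEL] == "normal") for r in records)
    return hits / len(records)


def normal_series(bn, records=TEST):
    """P(normal) per flow in arrival order, the series plotted on slide 17."""
    return [bn.posterior(discretize(r))["normal"] for r in records]


if __name__ == "__main__":
    both, net_only = train(NETWORK_FEATURES + HOST_FEATURES), train(NETWORK_FEATURES)
    print("host+network accuracy:", accuracy(both))
    print("network-only accuracy:", accuracy(net_only))
    print("smurf flow posterior:", both.posterior(discretize(TEST[5])))
    print("P(normal) series:", [round(p, 4) for p in normal_series(net_only)])
```

On this constructed data the host+network structure classifies every test flow correctly, including the unseen pod flows, which land on smurf (the closest ICMP echo-reply profile) and so are still flagged. The network-only structure loses exactly the buffer_overflow flow: its telnet session is benign on the wire, and only root_shell and num_shells separate it from the normal telnet traffic. That is the mechanism behind the accuracy gap between slides 14 and 19.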

20
Conclusion
  • The Bayesian Network produced very impressive
    results
  • The reduced structure only relied on network
    data, and only suffered from a small decrease in
    accuracy
  • Term project will extend this to incorporate a
    SOM (Self-Organizing Map) variable