Introduction
Under this project, we will research and develop an accurate, real-time enterprise intrusion detection and prevention solution for detecting zero-day network attacks. The solution will consist of two main components: an active anomaly detector and a passive anomaly detector. The active anomaly detector will preemptively and quickly detect Internet-scale and targeted threats and will also facilitate attack forensics. It will evaluate existing and new traffic features of incoming and outgoing traffic for real-time attack characterization; these features will drive attack detection in novel information-theoretic, statistical, and machine learning frameworks. The second component, the passive anomaly detector, will capture incoming traffic bound for inactive IP addresses and ports inside the enterprise network. Since no legitimate service listens at those addresses and ports, such traffic is normally the product of misconfiguration; the passive detector will build a baseline model of this misconfigured incoming traffic, and deviations from the baseline will be used to detect malicious traffic patterns. The final deliverable of this project will be an open source anomaly detector made available online.
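As an added illustration of the passive detector's approach (example code written for this page, not the project's software), the block below treats any flow addressed to an inactive address, or to a closed port on an active host, of a hypothetical enterprise inventory as dark-space traffic. From a set of training windows it learns the mean and deviation of two per-window features, the number of dark flows and the entropy of their destination addresses, and flags later windows whose z-score on either feature exceeds a threshold. The host inventory, the flow records, the window size and the threshold of 3 are all assumptions made for the example.

```python
"""Passive dark-space anomaly detector over constructed flow records.

Added example for this page (not the project's code). Assumptions: a
hypothetical host inventory, hand-made flow records in fixed time windows,
and a z-score threshold of 3; none of these come from the project.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress
import math
import statistics

# Hypothetical enterprise inventory: active hosts and the ports they serve.
# Every other address in the /24, and every other port on these hosts,
# is inactive ("dark") space that no legitimate client should contact.
ENTERPRISE_NET = ipaddress.ip_network("10.0.0.0/24")
ACTIVE_HOSTS = {
    "10.0.0.10": {22, 80, 443},
    "10.0.0.20": {25, 587},
    "10.0.0.30": {3389},
}


@dataclass(frozen=True)
class Flow:
    window: int   # time bucket index (e.g. one-minute bins)
    src: str
    dst: str
    dport: int


def is_dark(flow: Flow) -> bool:
    """True if the flow targets an inactive address or a closed port."""
    if ipaddress.ip_address(flow.dst) not in ENTERPRISE_NET:
        return False                 # not inbound to our space; sensor ignores it
    open_ports = ACTIVE_HOSTS.get(flow.dst)
    if open_ports is None:
        return True                  # inactive address
    return flow.dport not in open_ports   # active host, closed port


def entropy(counter: Counter) -> float:
    """Shannon entropy (bits) of a distribution given as a Counter."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values()) if total else 0.0


def window_features(flows):
    """Per window: (number of dark flows, entropy of their destination addresses)."""
    dark_dsts = defaultdict(Counter)
    for f in flows:
        if is_dark(f):
            dark_dsts[f.window][f.dst] += 1
    windows = {f.window for f in flows}
    return {w: (sum(dark_dsts[w].values()), entropy(dark_dsts[w])) for w in windows}


def baseline(features, train_windows):
    """Mean and population std-dev of each feature over the training windows."""
    columns = zip(*(features[w] for w in sorted(train_windows)))
    return [(statistics.mean(c), statistics.pstdev(c)) for c in columns]


def z_scores(vec, model):
    """Standardised deviation of each feature; a zero-variance feature only
    deviates if the observed value differs from the training constant."""
    out = []
    for x, (mu, sigma) in zip(vec, model):
        if sigma == 0:
            out.append(0.0 if x == mu else math.inf)
        else:
            out.append((x - mu) / sigma)
    return out


def detect(flows, train_windows, threshold=3.0):
    """Return {window: z-scores} for non-training windows where any feature
    rises more than `threshold` standard deviations above the baseline."""
    feats = window_features(flows)
    model = baseline(feats, train_windows)
    alerts = {}
    for w in sorted(feats):
        if w in train_windows:
            continue
        zs = z_scores(feats[w], model)
        if max(zs) > threshold:      # one-sided: less dark traffic is not an attack
            alerts[w] = zs
    return alerts


def constructed_flows():
    """Hand-made flow records (not captured data)."""
    flows = []
    for w in range(10):              # training windows: misconfiguration only
        flows.append(Flow(w, "192.0.2.5", "10.0.0.21", 25))    # stale relay entry
        flows.append(Flow(w, "192.0.2.8", "10.0.0.10", 80))    # legitimate, not dark
        if w % 2 == 0:
            flows.append(Flow(w, "192.0.2.9", "10.0.0.30", 22))  # closed port
    for i in range(100, 141):        # window 10: one source sweeps 41 dark addresses
        flows.append(Flow(10, "198.51.100.7", f"10.0.0.{i}", 445))
    flows.append(Flow(11, "192.0.2.5", "10.0.0.21", 25))       # window 11: background
    flows.append(Flow(11, "192.0.2.8", "10.0.0.10", 443))
    return flows


if __name__ == "__main__":
    for w, zs in detect(constructed_flows(), set(range(10))).items():
        print(f"window {w}: dark-count z={zs[0]:.1f}, dest-entropy z={zs[1]:.1f}")
```

On the constructed data only window 10 is flagged: the sweep raises the dark-flow count to 41 against a baseline of 1.5 and spreads it over 41 distinct inactive addresses, so both the count and the destination-entropy features deviate, while window 11 returns to the misconfiguration background and stays below threshold. A real deployment would need an accurate, maintained inventory of active addresses and ports; a stale inventory turns legitimate traffic into false dark-space alerts.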
Progress
Since its inception, the project has made significant progress: several milestones have been achieved ahead of the deadlines defined in the project proposal. Milestones achieved to date are described below:
1. Literature Survey and Review
Well-known existing attacks and malware were studied in depth, together with the existing network security solutions designed to detect them.
1.1 Taxonomy of Anomaly Detection Systems (ADSs)
On the basis of the ADSs reviewed, we proposed a taxonomy of ADSs; this work is being prepared for publication. International standards for security technologies were also surveyed.
1.2 Comparative Evaluation of Existing Security Techniques
After studying the existing techniques and standards, we carried out a comparative evaluation of the existing techniques, which was published at RAID 2008 (Download paper here). This evaluation helped us identify the shortcomings of current detectors and the new dimensions along which their performance can be improved.
1.3 Performance Improvement Techniques
Techniques for performance improvement have been devised and tested, with very promising results. Patent applications and publications covering these techniques are in preparation.
2. Software Design and Testing Document
Progress on software design and testing is described step by step below:
2.1 Analysis of Software Requirements
Software requirements were gathered from several sources, including network administrators of enterprise networks and Internet Service Providers (ISPs). These requirements are comprehensively described in the Software Requirement Specification (SRS) document. The first version of this document has been released and is under review for further enhancement. (Download SRS here)
2.2 Coding Guidelines
To develop the open source software, different coding conventions were studied. The objective of defining a coding convention is to keep code written by different programmers coherent. The resulting document describes in detail all the conventions to be followed, such as variable and function declaration, header file formats, and directory structure. The first version has been released and can be downloaded from this page (Download Coding Guidelines here).
2.3 Study of Existing Modeling and Testing Techniques
The review of existing modeling techniques is complete and will yield a suitable technique to be followed for this project. We have also started reviewing the available software testing techniques.
Publications
Journal Papers:
- Sardar Ali, Irfan Ul Haq, Sajjad Rizvi, Naurin Resheed, Unum Sarfraz, Syed Ali Khayam, and Fauzan Mirza, "On Mitigating Sampling-Induced Accuracy Loss in Traffic Anomaly Detection Systems," to appear in ACM SIGCOMM Computer Communication Review (CCR), vol. 40, no. 3, July 2010.
- Syed Ali Khayam, Ayesha Binte Ashfaq, and Hayder Radha, "Joint Network-Host based Malware Detection using Information-Theoretic Tools," to appear in Springer Journal in Computer Virology (JCV), January 2010.
- Ayesha Binte Ashfaq, Muhammad Qasim Ali, and Syed Ali Khayam, "Accuracy Improving Guidelines for Network Anomaly Detection Systems," Springer Journal in Computer Virology (JCV), DOI 10.1007/s11416-009-0133-5, September 2009.
Conference Papers:
- Irfan Ul Haq, Sardar Ali, Hassan Khan, and Syed Ali Khayam, "What is the Impact of P2P Traffic on Anomaly Detection?," Recent Advances in Intrusion Detection (RAID), 2010.
- Ayesha Binte Ashfaq, Mobin Javed, Syed Ali Khayam, and Hayder Radha, "An Information-Theoretic Combining Method for Multi-Classifier Anomaly Detection Systems," IEEE International Conference on Communications (ICC), May 2010.
- Muhammad Qasim Ali, Hassan Khan, Ali Sajjad, and Syed Ali Khayam, "On Achieving Good Operating Points on an ROC Plane using Stochastic Anomaly Score Prediction," ACM Conference on Computer and Communications Security (CCS), 2009.
- Hassan Khan, Mobin Javed, Fauzan Mirza, and Syed Ali Khayam, "Evading Disk Investigation and Forensics using a Cluster-Based Covert Channel," ACM Conference on Computer and Communications Security (CCS), 2009.
- Mobin Javed, Ayesha Binte Ashfaq, M. Zubair Shafiq, and Syed Ali Khayam, "On the Inefficient Use of Entropy for Anomaly Detection," Recent Advances in Intrusion Detection (RAID), September 2009.
- Ayesha Binte Ashfaq, Maria Joseph Robert, Asma Mumtaz, Muhammad Qasim Ali, Ali Sajjad, and Syed Ali Khayam, "A Comparative Evaluation of Anomaly Detectors under Portscan Attacks," Recent Advances in Intrusion Detection (RAID), 2008.
- Muhammad Zubair Shafiq, Muddassar Farooq, and Syed Ali Khayam, "A Comparative Study of Fuzzy Inference Systems, Neural Networks and Adaptive Neuro Fuzzy Inference Systems for Portscan Detection," European Workshop on the Application of Nature-inspired Techniques to Telecommunication Networks and other Connected Systems (EvoCOMNET), 2008. (Best paper nomination)
- Muhammad Zubair Shafiq, Syed Ali Khayam, and Muddassar Farooq, "Improving Accuracy of Immune-Inspired Malware Detectors using Intelligent Features," ACM Genetic and Evolutionary Computation Conference (GECCO), 2008.
- Muhammad Zubair Shafiq, Syed Ali Khayam, and Muddassar Farooq, "Embedded Malware Detection using Markov n-grams," Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2008.

