n-gram analysis

40
N-GRAM ANALYSIS INTRUSION DETECTION WITHIN NETWORKS AND ICS

TAGS:

description

n-gram analysis. Intrusion Detection Within Networks and ICS. Little review. SCADA (Supervisory Control and Data Acquisition) is a type of Industrial Control System(ICS) that is used to monitor and control various industrial processes that exist in the physical world Seen in our Smart Grids. - PowerPoint PPT Presentation

Transcript of n-gram analysis

Page 1: n-gram analysis

N-GRAM ANALYSISINTRUSION DETECTION WITHIN NETWORKS AND ICS

Page 2: n-gram analysis

LITTLE REVIEW

• SCADA (SUPERVISORY CONTROL AND DATA ACQUISITION) IS A TYPE OF INDUSTRIAL CONTROL SYSTEM(ICS) THAT IS USED TO MONITOR AND CONTROL VARIOUS INDUSTRIAL PROCESSES THAT EXIST IN THE PHYSICAL WORLD

• SEEN IN OUR SMART GRIDS

Page 3: n-gram analysis

ATTACKS ON SCADA NETWORKS

Page 4: n-gram analysis

INTRUSION DETECTION SYSTEMS

Page 5: n-gram analysis

LOG MINING APPROACH FOR PROCESS MONITORING IN SCADA

• ACCESSING USER RIGHTS TO DO ACTIONS THAT LOOK LEGITIMATE 

• PHEA - PREDICTIVE HUMAN ERROR ANALYSIS (TASK ANALYSIS TREE - POSSIBLE USER ACTIONS)

• HAZOP - HAZARD AND OPERABILITY STUDY

• MAIN ISSUE: DEALING WITH THE ATTACK AFTER THE FACT?

Page 6: n-gram analysis

SMART DEVICE PROFILING

• DEVICE FINGERPRINT• CONNECTIVITY PATTERN• PSEUDO-PROTOCOL PATTERN• PACKET CONTENT STATISTICS• FIRST LEVEL - NETWORK ACCESS

CONTROL MECHANISMS• SECOND LEVEL - INTRUSION

DETECTION SYSTEMS

Page 7: n-gram analysis

N-GRAM AGAINST THE MACHINEN-GRAM NETWORK ANALYSIS FOR BINARY PROTOCOL

Page 8: n-gram analysis

TERMS TO KNOW

• NETWORK INTRUSION DETECTION SYSTEMS (NIDS)

• SIGNATURE-BASED• ANOMALY-BASED• ZERO-DAY AND TARGETED

ATTACKS (STUXNET)

Page 9: n-gram analysis

ANOMALY-BASED NIDS/BINARY PROTOCOLS

• NETWORK-BASED APPROACH (MONITORING IN TRANSPARENT WAY)

• ANALYZE NETWORK FLOW• ANALYZE ACTUAL PAYLOAD• BINARY PROTOCOLS

(SMB/CIFS/RPC/MODBUS)

Page 10: n-gram analysis

N-GRAM ANALYSIS

• MONITORING SYSTEM CALLS• TEXT ANALYSIS• PACKET PAYLOAD ANALYSIS

Page 11: n-gram analysis

NETWORK PAYLOAD ANALYSIS

• USING N-GRAMS IN DIFFERENT WAYS

• TWO PARTICULAR ASPECTS:1. THE WAY N-GRAM BUILDS

FEATURE SPACES2. THE ACCURACY OF

PAYLOAD REPRESENTATION

Page 12: n-gram analysis

THE ALGORITHMSPAYL, POSEIDON, ANAGRAM, MCPAD

Page 13: n-gram analysis

THE ALGORITHMS

PAYL• 1-GRAM-BASED PAYLOAD ANOMALY

DETECTOR• USE OF MODELS1. MEAN BYTE FREQUENCY2. BYTE FREQUENCY STANDARD

DEVIATION• SAME VALUES COMPUTED FOR

INCOMING PACKETS --> COMPARED TO MODEL VALUES

POSEIDON• BUILT ON THE PAYL ARCHITECTURE• EMPLOYS A NEURAL NETWORK TO

CLASSIFY PACKETS• SELF-ORGANIZING MAPS

Page 14: n-gram analysis

THE ALGORITHMS

PAYL - FAIL• VULNERABLE TO MIMICRY ATTACKS

(ONLY MODELS 1-GRAM BYTE DISTRIBUTION)

• ADDITIONAL BYTES ADDED TO MATCH MODELS

POSEIDON - FAIL• MORE RESILIENT TO MIMICRY

ATTACKS (SOM AND PAYL TOGETHER)• ATTACK PORTION OF PAYLOAD SMALL

ENOUGH --> ASSIGNED TO A CLUSTER WITH MODELS OF REGULAR TRAFFIC (SIMILAR BYTE FREQUENCY)

Page 15: n-gram analysis

THE ALGORITHMS

ANAGRAM• HIGHER-ORDER N-GRAMS USED (N >

1)• BINARY-BASED N-GRAM ANALYSIS• USE OF BLOOM FILTERS• LESS MEMORY USED = USE OF HIGER-

ORDER N-GRAMS• MORE PRECISE THAN FREQUENCY-

BASED ANALYSIS (PAYL)

MCPAD• "MULTIPLE-CLASSIFIER PAYLOAD-

BASED ANOMALY DETECTOR"• 2-GRAM ANALYSIS• SUPPORT VECTOR MACHINE (SVM)

CLASSIFIERS

Page 16: n-gram analysis

THE ALGORITHMS

ANAGRAM - FAIL• BLOOM FILTER SATURATES DURING

TRAINING• ATTACK LEVERAGES SEQUENCE OF N-

GRAMS THAT HAVE BEEN OBSERVED DURING TESTING

MCPAD - FAIL• TRIES TO GIVE WIDE

REPRESENTATION OF THE PAYLOAD1. APPROXIMATE REPRESENTATION2. USE OF DIFFERENT CLASSIFIERS

Page 17: n-gram analysis

APPROACHVERIFYING THE EFFECTIVENESS OF THE DIFFERENT ALGORITHMS

Page 18: n-gram analysis

APPROACH

• COLLECT NETWORK DATA• COLLECT ATTACK DATA• OBTAIN WORKING IMPLEMENTATION

OF ALGORITHMS• RUN ALGORITHMS AND ANALYZE

RESULTS

Page 19: n-gram analysis

OBTAINING NETWORK DATA

• REAL-LIFE DATA FROM DIFFERENT NETWORK ENVIRONMENTS (CURRENTLY OPERATING)

• FOCUS ON ANALYSIS OF BINARY PROTOCOLS

1. TYPICAL LAN (WINDOWS-BASED NETWORK SERVICES)

2. PROTOCOLS FOUND IN ICS

Page 20: n-gram analysis

OBTAINING THE IMPLEMENTATIONS

• POSEIDON AND MCPAD OBTAINED FROM AUTHORS

• ANAGRAM AND PAYL --> IMPLEMENTATIONS WRITTEN FROM SCRATCH

Page 21: n-gram analysis

EVALUATION CRITERIA

• DETECTION RATE• FALSE POSITIVE RATE

Page 22: n-gram analysis

EVALUATION CRITERIA

DETECTION RATE• NUMBER OF CORRECTLY DETECTED

PACKETS WITHIN THE ATTACK SET• NUMBER OF DETECTED ATTACK

INSTANCES• ALARM = TRUE POSITIVE IF

ALGORITHM TRIGGERS AT LEAST ONE ALERT PACKET PER ATTACK INSTANCE

FALSE POSITIVE RATE• RELATE TO DETECTION RATE• INSTEAD OF PERCENTAGE, USE

NUMBER OF FALSE POSITIVES PER TIME UNIT

• TWO THRESHOLDS: 1. 10 FALSE POSITIVES PER DAY2. 1 FALSE POSITIVE PER MINUTE

Page 23: n-gram analysis

EVALUATION CRITERIA - SNORT

• SIGNATURE-BASED IDS • USED TO VERIFY ALERTS ARE FALSE

POSITIVES

Page 24: n-gram analysis

DATA SETS AND ATTACK SETS

Page 25: n-gram analysis

WEB DATA SET

DARPA (DS)• USED TO VERIFY IMPLEMENTATIONS• PAYL• ANAGRAM

HTTP (AS)• USED FOR BENCHMARKS WITH

MCPAD• 66 DIVERSE ATTACKS• 11 SHELLCODES

Page 26: n-gram analysis

LAN DATA SETS

SMB (DS)• NETWORK TRACES FROM UNIVERSITY

NETWORK• AVG. DATA RATE: ~40MBPS• FOCUS ON SMB/CIFS PROTOCOL

MESSAGES WHICH ENCAPSULATE RPC MESSAGES

• AVG. PACKET RATE: ~22/SEC

SMB (AS)• SEVEN ATTACK INSTANCES• EXPLOIT 4 DIFFERENT

VULNERABILITIES:1. MS04-0112. MS06-0403. MS08-0674. MS10-061

Page 27: n-gram analysis

ICS DATA SET

MODBUS (DS)• DATA SET TRACES FROM ICS OF REAL-

WORLD PLANT: 30 DAYS OF OBSERVATION• AVG. THROUGHPUT ON NET: ~800KBPS• MAX SIZE OF MODBUS/TCP MESSAGE:

256BYTES• AVG. SIZE OF MODBUS/TCP MESSAGE:

12.02BYTES• AVG. PACKET RATE: ~96/SEC

MODBUS (AS)• 163 ATTACK INSTANCES• EXPLOIT A MULTITUDE OF

VULNERABILITIES OF THE MODBUS/TCP IMPLEMENTATION

• TWO FAMILIES OF EXPLOITED VULNERABILITIES:

1. UNAUTHORIZED USE2. PROTOCOL ERRORS

Page 28: n-gram analysis

IMPLEMENTATION VERIFICATION

Page 29: n-gram analysis

IMPLEMENTATION VERIFICATION

• DARPA (DS) USED FOR INITIAL TESTS• HTTP (AS) USED FOR OTHER TESTS1. ORIGINAL ATTACK SET OF DARPA

DOES NOT REFLECT SOME MODERN ATTACKS

2. NOT ALL ALGORITHMS BENCHMARKED AGAINST THE DARPA (AS)

Page 30: n-gram analysis

TESTS WITH LAN DATA SET

• FIRST TESTS PERFORMED ON SMB (DS) • ALL SMB/CIFS PACKETS DIRECTED TO TCP PORTS 139 OR 445• POOR PERFORMANCE BY ALL ALGORITHMS• HIGH VARIABILITY OF THE ANALYZED PAYLOAD• FILTERED DATA SET USED • SMB/CIFS MESSAGES THAT CARRY RPC DATA

Page 31: n-gram analysis

RESULTS: TESTS WITH LAN DATA SETS

• ANAGRAM - 0.00% FALSE POSITIVE RATE AND LOWEST FALSE POSITIVE RATE OF ALL TESTED ALGORITHMS

• MCPAD - HIGHEST FALSE POSITIVE RATE AND IS IMPOSSIBLE TO LOWER

• ALL FALSE POSITIVES VERIFIED THROUGH SNORT (NONE ARE TRUE POSITIVES)

Page 32: n-gram analysis

ANALYSIS (DETECTED AND UNDETECTED ATTACKS): TESTS WITH LAN DATASETS

• ALL ALGORITHMS DETECT ATTACK INSTANCE EXPLOITING THE MS04-011 VULNERABILITY

• NEVER A SEQUENCE OF 3 BYTES WITH 0X90 --> ANAGRAM

• ANOMALOUS BYTE FREQUENCY DISTRIBUTION ABOVE ALL OTHERS --> PAYL AND POSEIDON

• PEAK IN FREQUENCY OF 2-GRAMS --> MCPAD

Page 33: n-gram analysis

ANALYSIS (DETECTED AND UNDETECTED ATTACKS): TESTS WITH LAN DATASETS

• PAYL AND POSEIDON FAIL TO DETECT ATTACK THAT EXPLOITS MS06-040 

• WHEN FALSE POSITIVE BELOW 2%

Page 34: n-gram analysis

TESTS WITH ICS DATA SET

• NO ISSUES WITH INITIAL TESTS (AS SUPPOSED TO LAN TESTS WITH SMB)

• ANAGRAM HAS OUTSTANDING RESULTS

• MCPAD PERFORMS WELL W.R.T. FALSE POSITIVE

• PAYL BETTER PACKET-RATE DETECTION THAN POSEIDON

Page 35: n-gram analysis

VERIFICATION PROCESS: ICS DATA SET

• NO RAISED ALERT TURNED OUT TO BE A TRUE POSITIVE WHEN PROCCESSED WITH SNORT

1. SIGNATURES FOR THE MODBUS PROTOCOL2. HIGHLY ISOLATED ICS

Page 36: n-gram analysis

ANALYSIS (DETECTED AND UNDETECTED ATTACKS): TESTS WITH ICS DATA SETS

• WHY ANAGRAM WORKS SO WELL?1. VALID READ REQUEST2. ATTACK INSTANCE3. SMALLEST POSSIBLE MODBUS

MESSAGE ALLOWED BY PROTOCOL SPECIFICATION

Page 37: n-gram analysis

CONCLUSION

Page 38: n-gram analysis

CONCLUSION

SMB/CIFS• ATTACKS CORRECTLY DETECTED• HIGH RATE OF FALSE POSITIVES• HIGH COST TO INDEPENDENTLY

DEPLOY ON REAL ENVIRONMENT

MODBUS• ANAGRAM INDEPENDENTLY DETECTS

ALMOST EVERY ATTACK INSTANCE• FALSE POSITIVE RATE LOWER THAN

THE 10 ALERTS PER DAY THRESHOLD • CAN BE DEPLOYED IN REAL

ENVIRONMENT

Page 39: n-gram analysis

CONCLUSION ON ALGORITHMS

• NO ABSOLUTE BEST ALGORITHM • ANAGRAM WORKING BETTER THAN

MOST ON SMB/CIFS WHEN FILTERED• MOST WORK WELL WITH MODBUS• PROBLEM ALLEVIATED WITH

DETECTION SYSTEM AND SENSOR TO VERIFY ALERTS

• ONE OTHER OPEN ISSUE: HOW TO MEASURE TRAFFIC VARIABILITY

Page 40: n-gram analysis

THANK YOU. QUESTIONS?


n Gram Models

n Gram Models

Speech & NLP (Fall 2014): Spellchecking: N-Gram Analysis, Error Detection, Word Boundary Problem, Error Correction in Isolated Words

Speech & NLP (Fall 2014): Spellchecking: N-Gram Analysis, Error Detection, Word Boundary Problem, Error Correction in Isolated Words

n-Gram/2L: A Space and Time Efficient Two-Level n-Gram Inverted Index Structure€¦ ·  · 2017-05-04n-Gram/2L: A Space and Time Efficient Two-Level n-Gram Inverted Index Structure

n-Gram/2L: A Space and Time Efficient Two-Level n-Gram Inverted Index Structure€¦ ·  · 2017-05-04n-Gram/2L: A Space and Time Efficient Two-Level n-Gram Inverted Index Structure

PREDIKSI KUNJUNGAN HALAMAN WEBSITE DENGAN N-GRAM …

PREDIKSI KUNJUNGAN HALAMAN WEBSITE DENGAN N-GRAM …

language modeling: n-gram models - people.cs.umass.edu

language modeling: n-gram models - people.cs.umass.edu

Computing n-Gram Statistics in MapReduce

Computing n-Gram Statistics in MapReduce

Value Chain Analysis Green Gram

Value Chain Analysis Green Gram

Nlp_pos and N-gram Models

Nlp_pos and N-gram Models

Automatic N-Gram Analysis on the Basis of Biber et al.’s (1999) … · 2017. 12. 1. · ICAME 35, Nottingham, 01/05/2014 Automatic N-Gram Analysis on the Basis of Biber et al.’s

Automatic N-Gram Analysis on the Basis of Biber et al.’s (1999) … · 2017. 12. 1. · ICAME 35, Nottingham, 01/05/2014 Automatic N-Gram Analysis on the Basis of Biber et al.’s

VARIATIONAL GRAM FUNCTIONS: CONVEX ANALYSIS AND …VARIATIONAL GRAM FUNCTIONS: CONVEX ANALYSIS AND OPTIMIZATION AMIN JALALIy, MARYAM FAZELz, AND LIN XIAOx Abstract. We introduce a

VARIATIONAL GRAM FUNCTIONS: CONVEX ANALYSIS AND …VARIATIONAL GRAM FUNCTIONS: CONVEX ANALYSIS AND OPTIMIZATION AMIN JALALIy, MARYAM FAZELz, AND LIN XIAOx Abstract. We introduce a

Estimating N-gram Probabilities Language Modeling.

Estimating N-gram Probabilities Language Modeling.

Polyphonic Music Retrieval: The N-gram Approachpeople.kmi.open.ac.uk › stefan › › s.doraisamy-phd.pdf · Polyphonic Music Retrieval: The N-gram Approach Shyamala Doraisamy Department

Polyphonic Music Retrieval: The N-gram Approachpeople.kmi.open.ac.uk › stefan › › s.doraisamy-phd.pdf · Polyphonic Music Retrieval: The N-gram Approach Shyamala Doraisamy Department

Kana-Kanji Conversion using N-gram

Kana-Kanji Conversion using N-gram

Lecture 5: N-gram Context, List Comprehensionnaraehan/ling1330/Lecture5.pdfObjectives Context-aware spell checkers n-gram as context Character-level n-grams Word-level n-grams Frequent

Lecture 5: N-gram Context, List Comprehensionnaraehan/ling1330/Lecture5.pdfObjectives Context-aware spell checkers n-gram as context Character-level n-grams Word-level n-grams Frequent

Unsupervised of Lexical Knowledge from N‐Grams Motivation Deliverables N‐gram data sets Tasks Lexical resources N‐gram search tools Distributional clustering Applications Timeline

Unsupervised of Lexical Knowledge from N‐Grams Motivation Deliverables N‐gram data sets Tasks Lexical resources N‐gram search tools Distributional clustering Applications Timeline

CHAPTER N-gram Language Models - Stanford University

CHAPTER N-gram Language Models - Stanford University

N-gram Graph: Simple Unsupervised Representation for ...pages.cs.wisc.edu/~yliang/ngram_graph_presentation.pdf · N-gram Approach in NLP •𝑛-gram is a consecutive sequence of

N-gram Graph: Simple Unsupervised Representation for ...pages.cs.wisc.edu/~yliang/ngram_graph_presentation.pdf · N-gram Approach in NLP •𝑛-gram is a consecutive sequence of

Universitatea Politehnica Bucuresti Anul universitar 2010-2011andrei.clubcisco.ro/cursuri/4ia1/cursuri/v2/IA_Lect_10_Limbaj_Natural.pdf · Modele N-gram Model N-gram de caractere

Universitatea Politehnica Bucuresti Anul universitar 2010-2011andrei.clubcisco.ro/cursuri/4ia1/cursuri/v2/IA_Lect_10_Limbaj_Natural.pdf · Modele N-gram Model N-gram de caractere

NEr using N-Gram techniqueppt

NEr using N-Gram techniqueppt

Value Chain Analysis Green Gram - agriculture.rajasthan.gov.in · SWOT analysis of the indicative Value Chain of Green Gram 59 8.3. Key constraints in Green Gram crop 60 8.4. PIESTEC

Value Chain Analysis Green Gram - agriculture.rajasthan.gov.in · SWOT analysis of the indicative Value Chain of Green Gram 59 8.3. Key constraints in Green Gram crop 60 8.4. PIESTEC