Professional Documents
Culture Documents
Proceedings of the Third International Conference on Information Technology: New Generations (ITNG'06)
0-7695-2497-4/06 $20.00 © 2006 IEEE
The remainder of this paper is organized as follows. server’s normal behavior. However, unlike the
The section 2 shows the related works of network traditional network intrusion detection system that
anomaly detection. In section 3 we discuss the leaky detects the anomaly directly by the deviation of current
integrate-and-fire model based SMTP traffic anomaly behavior from the profiled normal history behavior,
detection method. In section 4, we evaluate our our method cumulates the deviation in a period to
anomaly detection method and compare our method detect the anomaly according to the method of
with a non-parametric Cumulative Sum method. Integrate-and-fire model described. Compared with the
Finally, section 5 presents our conclusions. CUSUM-type algorithms, the detection algorithm
based on Integrate-and-fire model is more sensitive to
2. Related Works current network status.
Our method uses SMTP server’s log to detect the
It is possible to continuously track the behavior of anomaly. SMTP server log provides a mail server’s
the network by online learning and statistical receiving and sending information including failure
approaches. Statistical analysis has been used to detect message such as mail with invalid account. The log
both anomalies corresponding to network failure, as also includes delivery time of each mail. Since our
well as network intrusions [6]. work is detecting SMTP traffic anomalies, this data
A predictive detection method [7] was used in web source is sufficient.
server anomaly detection, by analyzing time series
measurements of the number of http operations per 3.1. The SMTP Behavior Deviation Evaluation
second. The statistical model considered both seasonal
and trend components, which were modeled using a Let {xn, n=0,1,…} be the serial of mail numbers that
Holt-Winters algorithm. Time correlations were a mail server received within one sampling period, and
modeled using a second order auto-regressive model. let {yn, n=0,1,…} be the corresponding sent mail
After removing the non-stationarities from the time numbers in the same sampling period. We define {Δn,
series measurements, anomalies were detected using a n=0,1,…} be the number of received mails minus that
generalized likelihood ratio algorithm. This method of the corresponding sent mails collected within one
need store history profile for future using. sampling period.
A wavelet approach was proposed and implemented In general, the mean of {Δn} is dependent on the
by Paul and others [8], they used wavelet filter to accounts number of SMTP server, and it may also
process four classes of network traffic anomalies: depend on the access patterns, for example, varying
outages, flash crowds, attacks and measurement with time of the day and week. To make our detecting
failures. Their results showed that wavelet filters were algorithm more general, we should eliminate these
quite effective at exposing the details of both ambient dependencies. Thus, {Δn} is normalized by the average
and anomalous traffic. However, the authors also number Yn of {yn}. Yn can be computed by using an
mentioned that their signal analysis method could not
detect anomalies in real time. exponentially weighted moving average (EWMA) of
The authors of [6] proposed approaches for previous measurements.
detecting SYN flooding attacks using CUSUM-type Yn = β Yn −1 + (1 − β ) yn (1)
algorithm, and this case made use of the standard Where β is the EWMA factor that represents the
sequential change point detection approach. The memory in the estimation. Define Xn=Δn/ Yn , and { Xn }
approach of [6] applied the time series measurements
is no longer dependent on the network size or time-of-
of the difference of the number of SYN packets and the
day.
corresponding FIN packets in a time interval. The
So we can define the deviation of SMTP behavior
simulation results have shown that SYN flooding
for a given interval n as:
attacks can be detected with high accuracy by
CUSUM-type algorithms. Dn = X n − X n−1 (2)
Where X n is the mean rate of Xn and estimated from
3. SMTP Anomaly Detection measurements prior to n-1. The mean X n is also
computed by EWMA method. The deviation of SMTP
In this section, a real time statistical analysis behavior Dn is used as input data of our anomaly
method we developed using the theory of Leaky detection method.
Integrate-and-fire model is discussed. Like most
statistical anomaly detection systems, we compare the 3.2. The Leaky Integrate-and-fire Model
observed sequence with the profile in representing the
Proceedings of the Third International Conference on Information Technology: New Generations (ITNG'06)
0-7695-2497-4/06 $20.00 © 2006 IEEE
Leaky integrate-and-fire model have been proposed Therefore:
as model of neurons for a long time. It can be used for L '( n) = exp( −
1
)( L '( n − 1) + Dn ) (8)
processing time-varying signals [9] and also can be K
used in powerful computing systems [10]. The simplest As the negative SMTP behavior deviation means no
form of integrate-and-fire model consists of a resistor anomaly in our detection, according (8), here we let
R in parallel to a capacitor C driven by an external ⎧ 1 +
current I(t). The voltage V(t) across the capacitor C is ⎪ L (n) = exp(− )( L(n − 1) + Dn ) (9)
⎨ K
compared to a threshold δ. If V(t)=δ at time t an output ⎪⎩ L (0) = 0
spike φ(t) is generated and V(t) is reset to an initial be our network status function. Where n>0 and x+ is
voltage Ur. Between spikes, the voltage of a leaky equal to x if x > 0 and x+ is equal to 0 otherwise. We
integrate-and-fire model is governed by: will use L(n) in making detection decisions. Here we
dV (t ) V (t ) I (t ) (3) call K as cumulating factor.
=− +
dt RC C Let H represents the anomaly threshold. At interval
Suppose that a spike has occurred at ti. For t>ti the n, if L(n)>H, an alarm will be signaled at time n,
stimulating current is I(t). The V(t) can be expressed otherwise the network status is normal. If the alarm is
as: signaled at time n, L(n) will be reset to 0.
t − ti 1 t −t s (4)
C ∫0
V (t ) = U exp(− )+ exp(−
i
r )I (t ) ds
RC RC 3.4. Parameter Specification
When leaky integrate-and-fire model is used to
detect SMTP anomaly, the deviations of SMTP The tuning parameters of above algorithm are the
behavior in each interval of t>ti are inputted, and the cumulating factor K for computing the network health
V(t) are tested as alarm condition. The detail of status, the alarm threshold H, and the EWMA factor β.
detection algorithm will be described in Section 3.3. In general, the EWMA factor β is chosen as 0.98[6],
here we also chose β=0.98 as our EWMA factor in
3.3. Anomaly Detection Approach experiments. To implement our leaky integrate-and-
fire anomaly detection algorithm, we still need to
In our SMTP traffic anomaly detection approach, specify two tunable parameters: K and H. The
the SMTP health status is obtained by the output of cumulating factor K decides how we cumulate the
leaky integrate-and-fire model. In the process of SMTP status deviation to detect the anomaly, and the
capacitor recharging, when the input current is alarm threshold H depends on K. Dn has different
constant, the earlier input current will raise voltage contribution to L(n) with different K. Fig.1 shows the
faster. Therefore, in our detection method, the percentage of (exp(-n/K) Dn) in L(50), where we set Dn
deviation of SMTP behavior Dn will be inputted into =1, n=1,2,…,50.
leaky integrate-and-fire model from the current interval 65
current Dn first, and than the one just before current, 50 K=2
K=3
and so on. In this way, the current SMTP delivery 45
40
K=4
K=5
status will play a more important role in the detection 35 K=6
K=7
result. Because Dn is the discrete value, suppose that a 30
25
K=8
K=9
spike has occurred at interval nk, the output of leaky 20 K=10
15 K=11
integrate-and-fire model at interval n can be gotten 10
∑ (5) 1 6 11 16 21 26 31 36 41 46
V '( n) = U exp(−
r )+ exp( − )D nk + i n
RC C i =1 RC
Fig. 1. Results of exp(-n/K) with different K
Let Ur=0, L’(n) = CV’(n) and K=RC, from (5) we
We can see clearly from Fig.1 that the smaller K,
get:
n−n
the more contribution exp(-1/K) does, and the shorter
k
n − nk − i + 1
L '( n) = ∑
exp( −
i =1
)D (6)
K
nk + i
history profile is referred. When K=1, exp(-1/5)
contributes 63.21% to L(50), and about 8 intervals are
So we have: evidently referred in L(50); when K=15, exp(-1/15)
n − nk n − nk + 1 contributes 8.79% to L(50), and all 50 intervals are
L '(n − 1) = exp( − ) Dnk +1 + exp( − ) Dnk + 2 (7)
K K referred in L(50). Here we can see when K=5,
1 3
+... + exp(− ) Dn −1
K ∑ exp(− n / 5) contributes about 45% of integrate result,
n =1
Proceedings of the Third International Conference on Information Technology: New Generations (ITNG'06)
0-7695-2497-4/06 $20.00 © 2006 IEEE
10
mean duration 10 time intervals. The inter-arrival time
and
∑ exp(−n / 5) contributes about 91% of result. This
n =1
between consecutive attacks is random distributed in
means when we chose K=5, the calculating result not 60-180 time intervals with mean values 120 intervals.
only emphasizes the first three inputs, but also refers Our detection method is not sensitive to the attacking
enough history information. So in our detection pattern: it can detect the attacks with both constant and
algorithm, we chose K=5 as our cumulating factor. burst intensity attacks.
Suppose we should raise an alarm when xn increases
to 1.6 times of normal value. When we decide 4.1. Parameter Selection
cumulating factor K=5, we can calculate H by the
following algorithm: According to the directions described in section 3.4
Function GetThreshold(K) and [6], we chose K=5 and H=2.4 for leaky Integrate-
FOR I = 1 to TO 10 DO and-fire anomaly detection method and chose a=1.1
e = e + exp(-i/K) and threshold TH=2.2 for CUSUM is our test set. In
RETURN e*0.6 order to evaluate the parameters we select, we
EndFunction enumerate each possible combination of parameters of
When we set K=5, we can get H=2.4 following the two anomaly detection methods.
above algorithm. For leaky integrate-and-fire method, we test
threshold H from 2 to 4 increased by 0.1 and test
4. Performance Evaluation cumulating factor K from 1 to 15 increased by 1. For
CUSUM method, we test a from 0.6 to 1.6 with step
In this section, we firstly chose parameters of our 0.05 and test threshold TH from 0.6 to 6 with step 0.1.
method. In order to compare our method with the We reserve the parameter pairs those can archive
CUSUM-type algorithm described in [6], we also average 100% detection probability in 10 round tests.
chose parameters for algorithm in [6]. The algorithm of The test set is generated by overlapping constant
[6] is given by intensity attacks with the duration of 10 intervals (10
minutes). The intensity of attacks is 60% of mean
g n = [ g n −1 + ( X n − a)]+ (10)
actual receiving mails rate.
In addition to parameters choice, we evaluate how For CUSUM algorithm described in [6], we select
the parameters of our detection algorithm affect the parameter pair with a=1.1 and threshold TH=2.2, in
detecting performance. our test set, CUCUM method gets FAR=0.0077 and
Secondly, we investigate the performance of our DD=2.00. For our method, we select K=5 and H=2.4.
leaky integrate-and-fire method presented in the In the test set, our method gets FAR=0.0043 and
previous section for detecting SMTP traffic anomaly. DD=0.7. Our select parameters have smaller false
The performance metrics considered include the alarm ratio and lower detection delay in all reserved
detection probability, the false alarm rate, and the parameter pairs. Considering the tradeoff between false
detection delay. The detection probability (DP) is the alarm ratio and detection delay, the parameter pairs we
percentage of attacks for which an alarm is raised, the select for performance evaluation are suitable.
false alarm ratio (FAR) is the percentage of alarms that
did not correspond to an actual attack, and the 4.2. Evaluation of Cumulating Factor
detection delay (DD) is the detection delay after the
attack starts. Fig.2 shows the how the accumulating factor K
Our experiments use actual SMTP server delivery affects the false alarm ratio and detection delay, where
logs taken from our campus mail server as background the threshold H is adjusted by the algorithm described
data. We use mail server’s log during 2.5 days and in Section 3.4. The Fig.2 is obtained by taking the
measure the SMTP deliveries in one minute. Our test average of 10 runs.
set includes 120412 receiving mails information and Fig.2 shows the effect of cumulating factor K on
80358 sending mails information with average detection delay and false alarm ratio. As the
receiving speed 33.45 mails per minutes and sending cumulating factor K decides the length of history that
speed 22.32 mails per minutes. the detection method uses. The bigger K, the longer
The attacks were generated synthetically, and this history is referred in making decision, and at the same
allowed us to control the characteristics of the attacks, time, the bigger K, the lower weight of current
hence to investigate the performance of the detection delivering status are considered in detection result.
algorithms for different attack intensity. The typical This means the current delivering status influents
attacking duration observed in the Internet is 10 results less. The longer history may lead to long
minutes [11], therefore the attacks are generated with
Proceedings of the Third International Conference on Information Technology: New Generations (ITNG'06)
0-7695-2497-4/06 $20.00 © 2006 IEEE
detection time because current delivery status is not 120
Received
Sent
Mails
80
sensitive to the final detection result. The smaller K, 40
0
the shorter history is considered and the bigger weight 0 720 1440 2160
Amplitude
27
CUSUM
delivering status, it will make more false alarm. 0
3.5
0 720 1440 2160
Detection Delay
3.0 1
LIF
2.5
2.0
1.5 0
0 720 1440 2160
1.0
0.5 Time Intervals
b. Detection results of high intensity attacks
0.0
1 3 5 7 9 11 13
0.04 Fig.3. Detection Results
0.03 Fig.3a and Fig.3b show the results for leaky
FAR
Sent
50 interval.
0 0.008
0 720 1440 2160
Amplitude
17.0 0.006
FAR
8.5 0.004
0.0 0.002
0 720 1440 2160 15 17 19 21 23 25 27 29
1
CUSUM
2.5
2.0
1.5
DD
0 1.0
0 720 1440 2160 0.5
1
15 17 19 21 23 25 27 29
LIF
1.0
0.9
DP
0 CUSUM
0 720 1440 2160 LIF
0.8
Time Intervals
0.7
a. Detection results of low intensity attacks
15 17 19 21 23 25 27 29
Attack Amplitude
Proceedings of the Third International Conference on Information Technology: New Generations (ITNG'06)
0-7695-2497-4/06 $20.00 © 2006 IEEE
detection probability. But our method gets 100% much higher and the false alarm ratio is lower than
detection probability when the attacks are larger than CUSUM method.
50% of mean rate of normal SMTP receiving speed (17
attack mails per interval). 6. References
The detection delay of our method is similar with
CUSUM algorithm, in low intensity attacks with 15 [1] J. Postel, Simple Mail Transfer Protocol, RFC 821,1982
external attack mails injected, the detection delay of
both methods are about 2.5 intervals, and in high [2] R.Caceres, P.Danzig, S.Jamin, and D. Mitzel,
intensity attacks with 29 attacks mails are injected per ”Characteristics of widearea TCP/IP conversations”,
interval, two methods only need about 1 interval to Computer Communication Review,SIGCOMM, ACM Press,
raise alarms. New York, NY,USA, 1991, pp.101–112.
Our method has better false alarm ratio than [3] B. Harris, R. Hunt, “TCP/IP security threats and attack
CUSUM algorithm in all scenarios. The average false methods”, Computer Communications, Elsevier, 1999,
alarm ratio of our method is about 0.4% and 0.7% for pp.885-897
CUSUM algorithm.
The difference in the performance of our detecting [4] N.Yamai, K.Okayama, T.Miyashita, S.Maruyama, and
method and CUSUM method is our method uses M.Nakamura, “A Protection Method against Massive Error
weighted sum method to cumulate the behavior Mails Caused by Sender Spoofed Spam Mails”, Proceeding
deviation and CUSUM method treats all deviation of the 2005 Symposium on Application and the Internet,
fairly, therefore, our method is more sensitive to 2005, IEEE Computer Society, Italy, pp.384-390
current network status than CUSUM method, therefore [5] Brian McWilliams, “Wired News: Time-Travel Spammer
our method has better detection probability and lower Strikes Back”, Lycos, Inc., http://www.wired.
false alarm ratio than CUSUM algorithm, especially in com/news/technology/0,1282,61026,00.html, 2003.10.
low intensity attacks. Detection of low intensity attacks
is important because early detection of anomaly with [6] H. Wang, D. Zhang, and K. G. Shin, “Detecting syn
increasing intensity attacks will enable defensive flooding attacks”, IEEE INFOCOM, New York City, NY,
action to be taken earlier. 2002. pp. 1530-1539
Proceedings of the Third International Conference on Information Technology: New Generations (ITNG'06)
0-7695-2497-4/06 $20.00 © 2006 IEEE