Elsevier

Computer Communications

Volume 32, Issue 6, 27 April 2009, Pages 1104-1110

Efficient deterministic method for detecting new U2R attacks

https://doi.org/10.1016/j.comcom.2008.12.037

Abstract

The purpose of this study is to describe an efficient deterministic intrusion detection approach that detects both old and new attacks. We focus in particular on detecting the user to root (U2R) attacks of the 1999 DARPA evaluation dataset. The main idea of our approach is to test whether an unknown behavior is close enough to a known behavior (attack or normal) that we can conclude it belongs to that behavior's class. To achieve this, we formulate the intrusion detection problem as a linear programming system (LPS). The objective function of this LPS minimizes the distance between an unknown behavior and one of the known behaviors, subject to some constraints. The solution of such a problem is a set of bivalent (0/1) variables x_ij. If x_ij = 1, then we can conclude that the unknown behavior i belongs to the class of behaviors j. Our experiments demonstrated the efficiency of our approach.

Introduction

An intrusion can be defined as a series of activities aiming at compromising the security of a computer network system [1]. Intrusions may take many forms: external attacks, internal misuse, network-based attacks, information gathering, denial of service, and so on. Intrusion detection is an important step in protecting the computer network system from intrusions. Intrusion detection systems (IDS) are used to detect, identify, and stop intruders. Administrators can rely on them to detect successful attacks and prevent future use of known exploits. IDS are also considered a complement to firewall technology, since they recognize attacks against the network that the firewall misses.

There are two basic types of intrusion detection: host-based and network-based. Each has a distinct approach to monitoring and securing data, and each has distinct advantages and disadvantages. In short, host-based IDSs examine data held on individual computers that serve as hosts, while network-based IDSs examine data exchanged between computers.

In addition, intrusion detection techniques can be divided into two classes: anomaly detection and misuse detection. Anomaly detection consists of establishing a normal behavior profile for user and system activity and observing significant deviations of actual user activity from the established habitual pattern. Misuse detection refers to intrusions that follow well-defined attack patterns exploiting weaknesses in system and application software.

In recent years many approaches have been proposed to detect both the known and the unknown attacks of the KDD datasets. The known attacks are those that appear in both the KDD training and testing sets. The unknown attacks, also called "new" attacks, are those appearing only in the KDD testing set. Although some enhanced learning techniques, especially those based on neural networks and decision trees, have been applied to detect these new attacks, they have not succeeded: these techniques suffer from a low detection rate on the new attacks and a high false alarm rate. This is why we propose here an original method based on an LPS for detecting both the old and the new attacks. We focus in particular on the user to root (U2R) attack category (see Section 3). First, we assume that each class of attacks (see Section 3) can be defined by a vector of features (see Table 2). The normal behavior is likewise represented by a features vector. The idea behind our approach is thus to test whether a new behavior, represented by its features vector, is close enough to a known attack class (a known attack vector) or to a new attack class (a new attack vector). This is done by minimizing an appropriate function subject to some constraints.

The rest of this paper is organized as follows. Section 2 presents a survey of some intrusion detection methods. Our approach is detailed in Section 3. An example is presented in Section 4. Section 5 describes some experiments and results. Section 6 concludes the paper.


State of the art

In this section, some mathematical intrusion detection models are presented.

Our approach

Our proposed approach aims to detect the new attacks of the U2R category [9] using an appropriate mathematical model. First, we suppose that all the behavior categories have already been learned by the system and are recorded in a database. We also suppose that each behavior (normal or attack) can be characterized by some known continuous features. These features are the fields describing a connection [9]. We assume that the features can help us to distinguish each known behavior category

Example

Let us now consider a computer system that is compromised by some attacks of the U2R category. Some of these attacks (three known U2R attacks) are assumed to be defined by the following features vectors (F_buffer_overflow, F_loadmodule, and F_rootkit), and the normal behavior is defined by F_normal. In addition, we define here a features vector F_New that represents the behavior of a new attack class. We suppose that five unknown behaviors enter the system, and we have to determine the class of each
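The classification step described in the abstract and illustrated by this example can be worked through on a toy instance. The following is an added example, not the paper's code: it builds the distance matrix between five constructed unknown behaviors and the five class vectors named above (F_buffer_overflow, F_loadmodule, F_rootkit, F_normal, F_New), then solves the 0/1 program "minimize the total distance, subject to each unknown behavior being assigned to exactly one class". Three things are assumptions of this example and not taken from the paper: the distance is Euclidean, the only constraint is the one-class-per-behavior constraint (the paper's actual constraints are not shown on this page), and the feature values are made up with four features rather than the paper's 11 attributes. The `max_distance` threshold is also an added device to express "close enough": an unknown behavior whose nearest class is still farther than the threshold is reported as unclassified instead of being forced into a class.

```python
"""Added example: nearest-class assignment expressed as a 0/1 program.

Not the paper's code. The distance metric, the constraint set and all
feature values below are assumptions constructed for illustration.
"""
from itertools import product
from math import sqrt

# Constructed prototype vectors for the classes named in the paper's example.
# Four made-up features per class; the paper's 11 attributes are not reproduced.
KNOWN_CLASSES = {
    "buffer_overflow": (0.9, 0.1, 0.8, 0.0),
    "loadmodule":      (0.2, 0.9, 0.7, 0.1),
    "rootkit":         (0.1, 0.3, 0.2, 0.9),
    "normal":          (0.0, 0.0, 0.1, 0.0),
    "New":             (0.8, 0.8, 0.0, 0.8),
}

# Five constructed unknown behaviours entering the system.
UNKNOWN = [
    (0.85, 0.15, 0.75, 0.05),
    (0.05, 0.05, 0.05, 0.05),
    (0.15, 0.35, 0.25, 0.85),
    (0.75, 0.85, 0.05, 0.75),
    (0.25, 0.85, 0.65, 0.15),
]


def euclidean(a, b):
    """Assumed distance between two features vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def distance_matrix(unknown, classes):
    """d[i][j] = distance from unknown behaviour i to class j."""
    names = list(classes)
    return [[euclidean(u, classes[n]) for n in names] for u in unknown], names


def solve_by_enumeration(d):
    """Minimise sum_ij d_ij * x_ij subject to sum_j x_ij = 1 for every i,
    x_ij in {0, 1}. Exhaustive search over every feasible x; only viable
    for tiny instances, but it is the literal definition of the optimum."""
    m, k = len(d), len(d[0])
    best_cost, best_choice = None, None
    for choice in product(range(k), repeat=m):
        cost = sum(d[i][choice[i]] for i in range(m))
        if best_cost is None or cost < best_cost:
            best_cost, best_choice = cost, choice
    x = [[1 if best_choice[i] == j else 0 for j in range(k)] for i in range(m)]
    return x, best_cost


def solve_by_argmin(d):
    """Same optimum in O(m*k): with only the one-class-per-row constraint the
    objective separates per row, so each row independently picks its nearest
    class. This is what makes the approach cheap in practice."""
    x = []
    for row in d:
        j = min(range(len(row)), key=row.__getitem__)
        x.append([1 if jj == j else 0 for jj in range(len(row))])
    return x, sum(min(row) for row in d)


def classify(unknown, classes, max_distance=None):
    """Return one label per unknown behaviour. max_distance (an assumption of
    this example) implements 'close enough': if even the nearest class is
    farther than the threshold, the behaviour is reported as unclassified
    rather than silently absorbed into the closest known class."""
    d, names = distance_matrix(unknown, classes)
    x, _ = solve_by_argmin(d)
    labels = []
    for i, row in enumerate(x):
        j = row.index(1)
        if max_distance is not None and d[i][j] > max_distance:
            labels.append("unclassified")
        else:
            labels.append(names[j])
    return labels


if __name__ == "__main__":
    d, names = distance_matrix(UNKNOWN, KNOWN_CLASSES)
    x_enum, cost_enum = solve_by_enumeration(d)
    x_fast, cost_fast = solve_by_argmin(d)
    assert x_enum == x_fast and abs(cost_enum - cost_fast) < 1e-9
    for i, label in enumerate(classify(UNKNOWN, KNOWN_CLASSES, max_distance=0.3)):
        print(f"unknown behaviour {i}: {label} (nearest distance {min(d[i]):.3f})")
```

The enumeration solver exists only to confirm that the per-row argmin really is the global optimum of this 0/1 program; with richer constraints (for instance, a cap on how many behaviors may be assigned to one class) the problem would no longer separate and a real LP or MILP solver would be needed. For detection use, the threshold matters more than the solver: without it, every unseen behavior is forced into some class, which is exactly how a genuinely new attack gets labelled "normal".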

Simulation parameters

Initially we tried to use the 14 variables (attributes) that we derived in [8], but unfortunately this produced some false negatives. We then found that eliminating three variables (E, AF, and AG of Table 2) led to better results. This is why we used only 11 variables in our experiments: A, J, L, M, N, P, Q, R, V, W, X (those described in Table 2).

The learning and the testing datasets used in our experiments are composed as follows.

Each features vector used in this

Conclusion

In this research we have investigated a new approach for detecting new U2R attacks and evaluated its performance through simulations. Although many methods have been proposed to solve the same problem, they suffer from some disadvantages: they lead to both a low detection rate and a high false alarm rate on the new U2R attacks. This is the main reason that led us to propose a new method. Our method is not only deterministic (based on an LPS) but consumes reasonable

References (10)

  • R. Beghdad, Modelling and solving the intrusion detection problem in computer networks, Computers & Security Journal (2004).
  • N. Ye, X. Li, A scalable clustering technique for intrusion signature recognition, in: Proceedings of the 2001 IEEE...
  • L. Mé, Audit de Sécurité par Algorithmes Génétique, Doctoral dissertation, University of Rennes 1, Rennes, France,...
  • Y. Bouzida, F. Cuppens, Neural networks vs. decision trees for intrusion detection, in: IEEE/IST Workshop on Monitoring,...
  • W. Lee et al., A framework for constructing features and models for intrusion detection systems, ACM Transactions on Information and System Security (2000).
There are more references available in the full text version of this article.

Cited by (17)

  • Network forensics based on fuzzy logic and expert system, 2009, Computer Communications.

    Citation excerpt: The well-known DARPA 2000 intrusion detection evaluation dataset from MIT Lincoln Labs has been used in numerous publications and can be considered a standard benchmark for evaluation of IDS. Even though the DARPA dataset is known to suffer from several flaws [39], especially the selection of attacks can be considered antiquated in comparison to modern security threats, it remains the only major dataset on which results can be reproduced, and it still has the capability to allow researchers to compare different techniques on a common dataset [40–43]. It consists of two datasets: LLDOS 1.0 and LLDOS 2.0.2, and contains data packets monitored in DMZ and Inside by Tcpdump.

  • Detecting Network Anomalies using Multilayer Feature Selection Techniques and Machine Learning Algorithms, 2021, 2021 2nd Global Conference for Advancement in Technology, GCAT 2021.
  • Intrusion Detection Based on the Game Theory, 2021, ACM International Conference Proceeding Series.