Elsevier

Computer Communications

Volume 34, Issue 15, 15 September 2011, Pages 1810-1821
Multi-stage change-point detection scheme for large-scale simultaneous events

https://doi.org/10.1016/j.comcom.2011.05.001

Abstract

Change-point detection schemes, one type of anomaly detection scheme, are a promising approach for detecting network anomalies such as attacks and epidemics of unknown viruses and worms. These events are detected as change-points. However, such schemes also detect false-positive change-points caused by other events, such as improper parameter settings of the detectors. A scheme that detects only the true-positive change-points caused by attacks and by epidemics of unknown viruses and worms is therefore required. True-positive change-points tend to occur simultaneously and intensively in very large numbers, whereas false-positive change-points tend to occur independently. We therefore expect that a multi-stage change-point detection scheme, which performs change-point detection in a distributed manner and takes account of the correlation among multiple change-points, can exclude false-positive change-points by neglecting those that occur independently. In this paper, we propose the multi-stage change-point detection scheme, in which local detectors (LDs) report change-points as alerts to a global detector (GD), and introduce a weighting function that gives smaller weight to LDs whose false-positive rate, as inferred by the GD, is higher, so that a set of false-positive alerts generated by low-accuracy detectors does not raise the false-positive rate of the scheme as a whole. We evaluate the performance of the scheme by simulation, using parameter values obtained in an experiment with real random scan worms. For the evaluation, we modify the AAWP (Analytical Active Worm Propagation) model so that it derives the number of infected hosts (i.e., attack hosts) more accurately by considering failed infection attempts by random scan worms.
The simulation results show that our scheme can achieve optimal performance (a detection rate of 1.0 and a false-positive rate of 0), whereas the stand-alone change-point detection scheme, which does not use the correlation among multiple change-points, cannot attain such optimal performance, and that our scheme with alert weighting always shows better detection performance than the scheme without alert weighting.

Introduction

With the development of the Internet into a widely used information exchange infrastructure, there has been a marked increase in malicious activity. In particular, large-scale simultaneous events, such as distributed denial of service (DDoS) attacks and worm epidemics, cause catastrophic damage. A detection scheme that is capable of detecting these events is required.

Depending on the type of large-scale simultaneous event, various detection schemes have been proposed: for example, MULTOPS [1] against Smurf and Fraggle attacks, SYN detection [2] against SYN flood attacks, flow-based detection at routers [3], [4] against low-rate TCP DoS attacks and RoQ (Reduction of Quality) attacks, and signature-based IDS [5], [6] against worm infection. Because these detection schemes are specific to their target attacks, they may not detect other types of attacks.

Change-point detection schemes [7], [8], [9], [10], [11], on the other hand, are expected to detect various attacks, viruses and worms, including unknown ones. They try to detect those events as a change-point in the time series of a monitored metric, such as the outgoing traffic rate of a subnet. However, they may also detect change-points caused by non-target events, such as improper parameter settings of the detectors. Such misdetection occurs because change-point detection schemes simply detect change-points in a monitored metric and do not take account of the causes of the change-points. Here, we consider change-points caused by non-target events to be false-positive change-points.

One way to reduce the number of false-positive change-points is to take account of the correlation among multiple change-points. True-positive change-points, which are caused by target events (i.e., DDoS attacks and worm epidemics), tend to occur simultaneously and intensively in very large numbers, while false-positive change-points tend to occur independently. Therefore, we expect that we can decrease false-positives by neglecting those that occur independently.

In this paper, we propose a multi-stage change-point detection scheme in order to detect large-scale simultaneous events with a decreased false-positive rate. The scheme combines a change-point detection scheme with a distributed intrusion detection system (distributed IDS) [12]. A distributed IDS can take account of the correlation among multiple events from the viewpoint of the whole network by collecting information from distributed sensor nodes. In our scheme, we use a change-point detector as a sensor node of a distributed IDS and take account of the correlation among multiple change-points. We further introduce a weighting function that gives smaller weight to LDs whose false-positive rate, as inferred by the GD, is higher, so that a set of false-positive alerts generated by low-accuracy detectors does not raise the false-positive rate of the scheme as a whole.

The role of the multi-stage change-point detection scheme is detection of a target event. In order to stop the event, we further need to identify the attackers with IP traceback [13], [14], [15], [16] and filter the attack traffic with filtering schemes such as network ingress filtering [17].

In this paper, as a case study, we evaluate the performance of the multi-stage change-point detection scheme against SYN flood attacks launched by hosts infected with a real random scan worm. SYN flood attacks are the most common form of DoS attack (about 90% of all DoS attacks [18]) because they can easily cause denial of service. They are difficult to detect with a low false-positive rate using a stand-alone change-point detector, but our scheme is likely to detect them with a low false-positive rate. In the evaluation, we modify the conventional worm propagation model, the AAWP (Analytical Active Worm Propagation) model, so that it derives the number of infected hosts (i.e., attack hosts) more accurately by considering failed infection attempts by random scan worms. We then investigate the influence of the scale of DDoS attacks (i.e., the number of subnets that contain attack hosts) and the simultaneity of DDoS attacks (i.e., the number of attack hosts that attack at the same time) on the detection performance. Finally, we evaluate the effectiveness of the weighting function in a situation where a small number of LDs have low accuracy.

We describe our multi-stage change-point detection scheme in Section 2. In Section 3, we describe the performance evaluation method with experiment and simulation by using a real worm, MSBLAST. In Section 4, we evaluate the performance of our scheme against realistic DDoS attacks. Section 5 concludes the paper.

Multi-stage change-point detection mechanism

We use a multi-stage change-point detection mechanism consisting of one global detector (GD) and many local detectors (LDs) to detect large-scale simultaneous events (Fig. 1). One local detector is deployed on each monitored subnet and performs change-point detection. Whenever a local detector detects a change-point, it informs the global detector by sending an alert. The global detector then judges whether large-scale simultaneous events are occurring based on the aggregated alerts.
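The following Python sketch is an added illustration of the two-stage mechanism just described; it is not the paper's code. It assumes a one-sided CUSUM as the LD detector (the paper's actual LD algorithm is not shown on this page), a GD that infers each LD's false-positive rate as the share of its alerts raised in slots where no other LD alerted, and a weight of 1 minus that inferred rate; the subnet traffic is constructed.

```python
from collections import Counter, defaultdict

SLOTS, BASE = 20, 5  # constructed: 20 time slots, baseline of 5 SYNs/slot per subnet

def cusum_alerts(series, mean, drift=2.0, threshold=10.0):
    """LD stage: one-sided CUSUM on a subnet's per-slot count (assumed detector;
    the paper's exact LD algorithm is not on this page). Returns the alert slots."""
    s, alerts = 0.0, []
    for t, x in enumerate(series):
        s = max(0.0, s + (x - mean - drift))
        if s > threshold:
            alerts.append(t)
            s = 0.0  # reset after reporting the change-point
    return alerts

def infer_fpr(alerts_by_ld):
    """GD stage: an LD's inferred false-positive rate is the share of its alerts
    raised in slots where no other LD alerted (isolated, i.e. uncorrelated)."""
    support = Counter(t for a in alerts_by_ld.values() for t in a)
    return {ld: (sum(1 for t in a if support[t] == 1) / len(a) if a else 0.0)
            for ld, a in alerts_by_ld.items()}

def global_detect(alerts_by_ld, gd_threshold, weighted=True):
    """GD decision: sum alert weights (1 - inferred FPR, or 1 when unweighted)
    per slot and report the slots whose weighted support reaches the threshold."""
    fpr = infer_fpr(alerts_by_ld) if weighted else {}
    score = defaultdict(float)
    for ld, alerts in alerts_by_ld.items():
        for t in alerts:
            score[t] += 1.0 - fpr.get(ld, 0.0)
    return sorted(t for t, s in score.items() if s >= gd_threshold)

def build_traffic():
    """Constructed sample: subnets 0-5 contain attack hosts that flood from slot 12;
    subnets 7-9 have mis-tuned LDs whose spurious spikes coincide only at slot 3."""
    traffic = {ld: [BASE] * SLOTS for ld in range(10)}
    for ld in range(6):
        for t in range(12, SLOTS):
            traffic[ld][t] = 40
    for ld, spikes in {7: (3, 8), 8: (3, 6, 10), 9: (1, 3, 5)}.items():
        for t in spikes:
            traffic[ld][t] = 30
    return traffic

def run(gd_threshold=3.0):
    """Returns (stand-alone LD alerts, unweighted GD events, weighted GD events)."""
    alerts = {ld: cusum_alerts(x, BASE) for ld, x in build_traffic().items()}
    return (alerts, global_detect(alerts, gd_threshold, weighted=False),
            global_detect(alerts, gd_threshold, weighted=True))
```

With these inputs a stand-alone LD would report every spike on its own subnet, the unweighted GD still reports the chance coincidence at slot 3, and only the weighted GD reports exactly the attack slots 12 to 19.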

Change-point detection at local detectors

For our

Performance evaluation method

We compare Detection Rate (DR) and False-Positive Rate (FPR) of our multi-stage change-point detection scheme with those of a detection scheme in which each LD independently determines the occurrence of events in the corresponding subnet. We call the latter scheme the stand-alone LD scheme. As a realistic large-scale simultaneous event, we use DDoS attacks by hosts infected with a random scan worm, MSBLAST.

Performance evaluation

We set the number (L) of subnets (i.e., LDs) to 100 because we assume that we protect an enterprise network and its scale will be on the order of tens or hundreds of subnets. Each LD monitors a subnet with 256 hosts (Class C network). We assume that the subnets with infectible hosts have 5 infectible hosts (2% [22] of all hosts on the subnet).

The detection performance of our scheme depends on the following parameters: the scale of a DDoS attack (i.e., the number of subnets that have attack

Conclusions

In this paper, we evaluated the performance of the multi-stage change-point detection scheme by a simulation using the parameter values obtained in an experiment using a real worm, MSBLAST. The scheme takes account of the correlation among multiple change-points and excludes false-positive change-points that occur independently. In addition, in order to avoid a set of false-positive alerts generated by low-accuracy detectors from causing performance degradation, the scheme with alert weighting

Acknowledgement

The authors gratefully acknowledge the contribution of Dr. Hideyuki Shimonishi of System Platforms Research Laboratories in NEC Corporation, Dr. Kenji Yamanishi and Mr. Takayuki Nakata of Common Platform Software Research Labs in NEC Corporation. The authors also would like to thank Dr. Shinsuke Miwa of National Institution of Information and Communications Technology in Japan for providing a virus sample.

References (24)

  • J. Takeuchi et al., A unifying framework for detecting outliers and change points from time series, IEEE Transactions on Knowledge and Data Engineering (2006)
  • K. Yamanishi et al., IPSJ Magazine (2005)