Anomaly Detection Scheme for Prevention of Collaborative Attacks - Dissertation Example

? Anomaly Detection Scheme for Prevention of Collaborative Attacks 23rd Feb, Anomaly Detection Scheme for Prevention of Collaborative Attacks According to Kumar (1995), computer systems are a very important part of day-to-day life. They offer support systems to the operations of humans. They need care and protection against both external and internal attacks. Collaborative attacks occur in a system where more than one running processes collaborate or synchronize their actions to disturb a system. These systems can be networks, ISP core or P2P systems. Some of the attackers that can collaborate to paralyze a system include, Denial of Messages attacks in which corrupt nodes interfere with radio signals of the genuine nodes thus preventing them from receiving messages. Secondly, Sybil attacks in which users acquire multiple fake identities, controls various nodes of the system, and eventually controls its decisions. Finally malicious flooding where a malicious node floods the system with messages. These attackers have various characteristics that lead to inefficiency of a system. They can cause disruptions at short intervals making the system very slow to respond to any action or they can concentrate at various nodes to cause confusion to the anomaly detection system that is in place. An anomaly is the unusual or unexpected behaviors in an information system .Anomalies violate the security policies of a system and they need early detection and counteraction else, they translate into real life negative situations. An anomaly detection scheme is a technical mechanism used to protect a computer infrastructure from attacks. Recently, there are several attack detection schemes. In order to benefit fully from, the anomaly detection concept, there should be additional security features like the authentication and access control protocols. An attack Detection System is a very important part of the entire system when developed with security in mind. The Anomaly Detection Schemes is not a new concept but it is in various applications with a promise of viable results. Lazarevic et al. (2003) compared various Anomaly Detection Schemes in a network to perform execution of data that was suspicious. Most of the organizations have adopted a system that suits them in detection and prevention of attacks .An example of such a system is the Intrusion Prevention System, which is very useful in preventing the Distributed Denial of Service attacks. Detection and prevention of the collaborative attacks depends on several factors. Another such system is the STAND system, which is an improved version of CAD sensors discussed later in the prose. Change in time domain: All detection schemes require enough time for discovery of the attack and reaction to it. The attacks can be automatic, manual or semi-automatic. Automatic attacks leave no communication duration to the machine that is about to take place. The time parameters that determine the effect of an attack are reaction time; detection time and the response time. Many of the attackers make use of slow time dynamics of transmission time out. Here the attacker sends short-term bursts. In order to overcome the attackers in good time, there should be a means for real-time attack classification and a defense mechanism. This means that data mining by the detection system should be real-time, putting into consideration efficiency, accuracy, and usability, (Axelsson, 1999). To ensure high accuracy in a short time, data mining process uses programs that analyze the data and at the same time distinguish between genuine actions and malicious attacks. To ensure high efficiency, the costs of the extracted features are calculated and the cost approach is useful in production of efficient detection model. Usability improvement is by adapting algorithms that that facilitate fast updating of the system to enhance quick attack detection (Barbara et al., 2001; Barbara et al., 2002). Audit data analysis and mining (ADAM) is the system that proposes use of data mining methods and detects abnormalities in the audit data. A good example is the program researched and documented by Barbara et al. (2001) which is used to check the data and store the packets that are transmitted and along the network. ADAM, can in a very flexible manner, represent known patterns in a network while detecting the unknown attack patterns which cannot be detected using others. Second in this line is the system level visualization. This is the integration of a system’s requirements like hardware and software with the appropriate technology to overcome collaborative attacks. Some systems are beyond protection by the traditional intrusions detection systems (SANS Institute, 1999). Therefore, the mitigation of the attacks is by analyzing visual patterns using several visualization tools that are in place for use in early detection of attacks. These tools include detectors, sensors and data warehouses to improve scalability and efficiency of the anomaly detection systems as well as to enhance sharing of data to update the system. When using sensors, exchange of information happens in real-time while ensuring that data structure is intact. The amount of data reduces by filtering the high entropies. When a sensor detects an attack, it tries to match the attacker’s packet with the signature database of the attack. The sensor reports a match of the two to the console and takes an action depending on its configuration. Some of the actions include sending an alert email to an administrator or resetting the connection of the TCP, (Chiang et al., 2004). A data warehouse in this case is useful for analysis, which is necessary for decision making about dealing with attacks and forecasting. Finally, the selection of heterogeneous threshold is very crucial. According to King et al. (2004), it is a set of discretized cut-off points used to model statistically someone’s response to certain issues. Detection and prevention of collaborative attacks in systems highly focuses on selection of heterogeneous threshold. This means that different systems need to have stability as a means of being able to handle large amounts of data and detect attacks at different levels. The heterogeneity ability of a system makes it able to share data with other systems and enable attack detection if the anomaly exceeds a certain selected threshold. One of the methods adopted to explain how heterogeneous threshold offers solution to the problem of collaborative attack, is the Computer Immunological Method. This method based on the ability of a heterogeneous system to differentiate self and non-self (Hofmeyr et al., 1998). In this case, self is a set of strings with a length k, and the same string is non-self if there is no match with any of the strings in the self. If there is a match, the newly generated string is useless; else, it becomes a detector for differentiating self and non-self. According to Forrest et al. (1998), this was a problem and he proposed a z-bits rule for differentiating self and non-self whereby two k-bit strings can only match if only they resemble in z positions. Hofmeyr et al. (1998) also came up with a proposal of using short system calls in differentiating the self and non-self. The immunological method uses a program to collect a database of all unique short calls in the sequence over a certain period (Manila et al., 1995). It then extracts the subsequences that are of length k and computes the distance p minimum (t) between each subsequence t and the database. This calculation is expressed as: p minimum (t) =minimum [p (t, s); where s represents all the sequences in the normal database and p (t, s) represents the distance between sequences [t, s]. If there is an anomaly in any of the elements of the system, this approach detects it and raises an alarm is the set score goes beyond the selected maximum threshold. This method has a high probability to detect system attacks and it has an advantage that it does not need pre-attacks knowledge. Conclusion Computer systems and their applications provide very essential functionalities but are very susceptible to collaborative attacks. The current manual signatures are ineffective in detecting and counteracting these attacks. To efficiently deal with these problems, use of Content Anomaly Detection alerts is the most applicable way (Ghosh et al., 1998). CAD decreases false positives and increases true positives as explained in the context. References Axelsson, S. (1999). Research in intrusion-detection systems: A survey. Technical report TR 98-17.Goteborg, Sweden: Department of Computer Engineering, Chalmers University of Technology. Barbara, D., Couto, J., Jajodia, S., & Wu, N. (2002).An architecture for anomaly detection. In D. Barbara & S. Jajodia (Eds.),Applications of Data Mining in Computer Security (pp. 63--76). Boston: Kluwer Academic. Ghosh, A., Wanken, J., & Charron, F. (1998).Detecting anomalous and unknown intrusions against programs. In K. Keus (Ed), Proceedings of the 14th annual computer security applications conference (pp. 259--267). Los Alamitos, CA: IEEE Computer Society, Hofmeyr, S., Forrest, S., & Somayaji, A. (1998). Intrusion detection using sequences of system calls. Journal of Computer Security, 6: 151--180. Kumar, S., (1995). Classification and detection of computer intrusions. Unpublished doctoral dissertation, Purdue University. King G., Murray C., Salomon A. & Tandon A. (2004).Enhancing the validity and cross-cultural comparability of measurement in survey research. American Political Science Review, 98: 191–207. Lazarevic, A., Ozgur, A., Ertoz, L., Srivastava, J., Kumar, V. (2003). A comparative study of anomaly detection schemes in network intrusion detection. Buenos Aires: SIAM International Conference on Data Mining. Chiang, M., Zilic, Z., Chenard, J. & Radecka, K. (2004). Architectures of Increased Availability Wireless Sensor Network Nodes. Anaheim, CA: International Test Conference, IEEE. Mannila, H., Toivonen, H., &Verkamo, A. (1995).Discovering frequent episodes in sequences. Menlo Park, CA: AAAI Press. SANS Institute. (1999). Intrusion Detection Systems: Definition, Need and Challenges. Retrieved from http://secinf.net/info/ids/nvh_ids/. Read More