Intrusion Detection by Combining and Clustering Diverse Monitor Data TSS/ACC Seminar April 05, 2016 Atul Bohara and Uttam Thakore PI: Bill Sanders 1
Intrusion Detection by Combining and Clustering
Diverse Monitor DataTSS/ACC Seminar
April 05, 2016
Atul Bohara and Uttam Thakore
PI: Bill Sanders
1
Outline
• Motivation
• Overview of the approach
• Feature extraction and selection
• Clustering
• Intrusion detection
• Results
• Future directions
2
Motivation
• Monitoring in enterprise systems is extremely diverse and verbose
Image: http://blog.bro.org/2012/01/monster-logs.html
Image: http://blog.wildpackets.com/2008/10/28/simplify_analysis_-
_packet-based_traffic_netflow_statistics_in_one_ui.html4
Motivation
• Monitoring in enterprise systems is extremely diverse and verbose
Image: http://blog.bro.org/2012/01/monster-logs.html
Image: http://blog.wildpackets.com/2008/10/28/simplify_analysis_-
_packet-based_traffic_netflow_statistics_in_one_ui.html
Problems:
• High false positive rate and verbosity
• Limited ability to combine and analyze
heterogeneous data together
• Require significant input from system
expert
5
Our Contributions
• We fuse data from the host-level and network-level context to perform anomaly detection
• We use unsupervised clustering to identify usage behavior patterns in the data and detect anomalous behavior
• We find attacks that are undetectable with individual monitors alone
6
Overview of Approach
System Logs
Firewall Logs
Feature
Extraction
Feature
Selection &
Fusion
Cluster
Analysis
Intrusion
Detection
Data
Sources
7
Dataset Description
• VAST Challenge 2011, Mini Challenge 2 dataset [link]
• Small enterprise network
• Types of logs• Network-level:
• Firewall logs
• Snort IDS logs
• Host-level• Operating system security event logs
(system logs)
• Attacks were injected into the logs
Snort IDSFirewall logs
OS security event
logs
9
Threat Model
Network flooding attacks• Distributed Denial of Service
(DDoS) from Internet
• Port scan from external host
• Port scan from workstations
Behavior-changing malware• Worm installed on workstations
10
Feature Extraction
Four types of features:• Identification – IP address and timestamp
• Network traffic-based – source/destination IP addresses and ports, TCP connections
• Service-based – connections to different types of servers, e.g., DNS, database, web
• Authentication-based – significant authentication events from system logs
Aggregated into one-minute time intervals
12
Features Extracted
Example System Log Features Example Firewall Log Features
13
Features in orange are identification features.
• IP address
• Timestamp
• # failed logon events from this host (4625)
• # special privileges assignment to new logon (4672)
• # target domain name = NT AUTHORITY
• # remote interactive logons (logon type = 10)
• # NTLM authentications/logons
• # distinct subject logon IDs
• IP address
• Timestamp
• # of unique destination IPs
• # of unique source ports
• # of connections built
• # of accesses to DNS server IPs
• # of accesses to database IPs
Feature Selection
• Not all features are equal!• Some are correlated
• E.g., number of NTLM authentications and number of authentication attempts with host name starting with “WS”
• Some are not useful for clustering• E.g., number of successful logon events
• High dimensionality problem
• Techniques for feature selection:• Pearson correlation coefficient to remove strongly
correlated features• Compare normalized average feature value across
clusters
System log feature distributions
Firewall log feature distributions
15
Features Extracted
System Log Features
Total number of features 36
Number of identification
features
2
Number of service-based
features
2
Number of authentication-
based features
32
Firewall Log Features
16
Total number of features 17
Number of identification
features
2
Number of network traffic-based
features
6
Number of service-based
features
9
Total number of features
after selection
20 Total number of features
after selection
12
Fusion
We fuse the logs using inner join on identification features
Identification Network traffic-basedService-based Authentication-based
Fused feature vector
Syslog feature vectorFirewall feature vector
17
Clustering Techniques
• Apply k-means and DBSCAN clustering algorithms
19
Algorithm Type Cluster shape Noise
handling
Parameter
selection
k-means Centroid based Spherical
clusters
No WCSD,
Silhouettes
DBSCAN Density based Arbitrary
shaped clusters
Yes k-dist graph
Cluster Analysis
20
0
0.2
1.5
0.4
0.6
PC
3
0.8
1
PC2
0.80.5 0.6
PC1
0.40.2
0 0
Outliers : 80
Cluster1 : 14876
Cluster2 : 11825
Cluster3 : 810
Cluster4 : 3009
Cluster5 : 20
Cluster6 : 53
Cluster7 : 84
DBSCAN Clustering on Firewall Logs
Cluster Analysis
0
0.2
1.5
0.4
0.6
PC
3
0.8
1
PC2
0.80.5 0.6
PC1
0.40.2
0 0
Outliers : 80
Cluster1 : 14876
Cluster2 : 11825
Cluster3 : 810
Cluster4 : 3009
Cluster5 : 20
Cluster6 : 53
Cluster7 : 84
DBSCAN Clustering on Firewall Logs Normalized Average Feature Values
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
Cluster Analysis
22
0
0.2
0.8
0.4
0.5
0.6
PC
3
0.6
PC1PC2
0.8
0.4 00.2
0 -0.5
Outliers : 80Cluster1 : 25342Cluster2 : 54Cluster3 : 37Cluster4 : 23
DBSCAN Clustering on Firewall + System Logs
Cluster Analysis
0
0.2
0.8
0.4
0.5
0.6
PC
3
0.6
PC1PC2
0.8
0.4 00.2
0 -0.5
Outliers : 80Cluster1 : 25342Cluster2 : 54Cluster3 : 37Cluster4 : 23
DBSCAN Clustering on Firewall + System Logs Normalized Average Feature Values
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
va
lue
Cluster 1
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
va
lue
Cluster 2
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
valu
e
Cluster 3
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
valu
e
Cluster 4
Intrusion Detection Approach
• More than 80% data points are captured with in 3 clusters
• These clusters contained more than 50% hosts
• Features have high probability mass at low values
25
Intrusion Detection Approach
• More than 80% data points are captured with in 3 clusters
• These clusters contained more than 50% hosts
• Features have high probability mass at low values
Our approach: Examine the size and distribution of hosts for each clusters
26
Intrusion Detection Approach (contd.)
29
Normal or Anomalous Feature Distributions
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lized
ave
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lized
ave
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1N
orm
aliz
ed a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1N
orm
aliz
ed
ave
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
Norm
aliz
ed
ave
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
Intrusion Detection Approach (contd.)
30
Normal or Anomalous Feature Distributions Distances
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lized
ave
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lized
ave
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1N
orm
aliz
ed a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1N
orm
aliz
ed
ave
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
Norm
aliz
ed
ave
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
Intrusion Detection Approach (contd.)
31
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lized
ave
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lized
ave
rag
e v
alu
e
Cluster 7
Normal or Anomalous Feature Distributions Distances Normalcy
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1N
orm
aliz
ed a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1N
orm
aliz
ed
ave
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
Norm
aliz
ed
ave
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
Intrusion Detection Results: Firewall Logs
0
0.2
1.5
0.4
0.6
PC
3
0.8
1
PC2
0.80.5 0.6
PC1
0.40.2
0 0
Outliers : 80
Cluster1 : 14876
Cluster2 : 11825
Cluster3 : 810
Cluster4 : 3009
Cluster5 : 20
Cluster6 : 53
Cluster7 : 84 Cluster 6: DoS by external hosts
Anomalous clusters: Clusters 6,5,3,4,7
32
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 1
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 2
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1N
orm
aliz
ed
ave
rag
e v
alu
eCluster 6
1 2 3 4 5 6 7 8 9 10
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
ve
rag
e v
alu
e
Cluster 7
Intrusion Detection Results: Firewall Logs
0
0.2
1.5
0.4
0.6
PC
3
0.8
1
PC2
0.80.5 0.6
PC1
0.40.2
0 0
Outliers : 80
Cluster1 : 14876
Cluster2 : 11825
Cluster3 : 810
Cluster4 : 3009
Cluster5 : 20
Cluster6 : 53
Cluster7 : 84
Cluster 5: Port scan by internal hosts
Cluster 6: DoS by external hosts
Cluster 3, 4, 7: Anomalous but not malicious
Anomalous clusters: Clusters 6,5,3,4,7
33
Intrusion Detection Results: Firewall + System Logs
0
0.2
0.8
0.4
0.5
0.6
PC
3
0.6
PC1PC2
0.8
0.4 00.2
0 -0.5
Outliers : 80Cluster1 : 25342Cluster2 : 54Cluster3 : 37Cluster4 : 23
Cluster 2: Worm infected host
Anomalous clusters: Clusters 2,4,3
34
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
va
lue
Cluster 1
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
va
lue
Cluster 2
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1N
orm
aliz
ed
avera
ge
valu
e
Cluster 3
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
valu
e
Cluster 4
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
va
lue
Cluster 1
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
va
lue
Cluster 2
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
valu
e
Cluster 3
1 3 5 7 9 11 13 15 17 19 21 23 25 27
Features
0
0.2
0.4
0.6
0.8
1
No
rma
lize
d a
vera
ge
valu
e
Cluster 4
Intrusion Detection Results: Firewall + System Logs
0
0.2
0.8
0.4
0.5
0.6
PC
3
0.6
PC1PC2
0.8
0.4 00.2
0 -0.5
Outliers : 80Cluster1 : 25342Cluster2 : 54Cluster3 : 37Cluster4 : 23
Cluster 2: Worm infected host
Cluster 3: Anomalous but not malicious
Cluster 4: Port scan by internal hosts
Anomalous clusters: Clusters 2,4,3
35
Intrusion Detection Summary
Cluster
ID
% Data
points
No. of Unique
hosts
Represented
Attack
Significant features
Firewall data
6 0.172 5 DoS # of unique source ports, # of connections
built, # of connections torn down
5 0.065 3 Port scan # of unique destination IPs
Firewall + System log data
4 0.090 2 Port scan # of connections built, # of connections torn
down
2 0.211 1 Worm # anonymous target user names, # NTLM
authentications, # session keys requested
36
Conclusion
• Intrusion detection using clustering techniques• Without labelling the data
• Without explicit profile for normal behavior
• Generic time-aware features to detect malicious behavior• Can be used for other attack types, e.g., brute-force attacks and data
exfiltration
• Allow data fusion across monitors
• Additional visibility into the system behavior• Average feature values analysis
• More holistic view
• Data reduction
37
Discussion
• Works well for the attacks that change the system behavior, including zero-days
• Complementary to rule-based intrusion detection approaches
• Might not work properly for the attacks that do not change the outward behavior of hosts, such as privilege escalation• However, a better choice of features might change this for some attacks
38
Future Directions
• Attack classes and features• Classify security attacks and respective features to detect them
• Data-driven feature selection
• Clustering algorithm choice• Hierarchical clustering
• Distribution-based clustering
• Online classification• Online clustering
• Train classifier using cluster labels
39