Anomaly Detection Method Using Entropy of Network Traffic Distributions

네트워크 트래픽 분포 엔트로피를 이용한 비정상행위 탐지 방법

  • 강구홍 (School of Computer, Information and Communication Engineering, Seowon University) ;
  • 오진태 (Network Security Group, Electronics and Telecommunications Research Institute (ETRI)) ;
  • 장종수 (Network Security Group, Electronics and Telecommunications Research Institute (ETRI))
  • Published: 2006.06.01

Abstract

Hostile network traffic often differs from normal traffic in ways that can be distinguished without knowing the exact nature of the attack. In this paper, we propose a new anomaly detection method based on the distributions of inbound network traffic. For this purpose, we first characterize the traffic of a real campus network by the distributions of IP protocol, packet length, destination IP address and port, TTL value, TCP SYN packets, and fragmented packets. We then apply entropy to condense each of the resulting baseline distributions into a single manageable value. Finally, anomalies are detected from the difference between the entropy of the current distribution and that of the baseline. In particular, we launch well-known denial-of-service attacks against the same campus network and present the experimental results.

Malicious network traffic can often be distinguished from normal traffic without knowing the specific nature of the attack. This paper presents a method for detecting anomalous behaviour in network traffic using the distributions of inbound traffic. To this end, we first examined the traffic characteristics of a real campus network through the distributions of protocol, packet length, destination IP address and port, TTL value, TCP SYN packets, and fragmented packets. From the various baseline traffic distributions obtained in this way we compute entropies, and we present a method that detects anomalous behaviour against these as a reference. In particular, we launched well-known denial-of-service attacks against a real campus network and, by presenting the results, validated the proposed technique.
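The detection loop the two abstracts describe (per-feature header distributions of an inbound window, Shannon entropy of each, alert on the entropy difference from a baseline window) is worked through below as an added example; it is not code from the paper or its authors. The `Packet` record, the `FEATURES` table, the 0.5-bit threshold, the alerting rule and the two synthetic traffic windows (a constructed campus-style baseline and a constructed SYN flood mixed into the same background) are all assumptions made here, since the abstracts fix neither the window size nor how the threshold is chosen.

```python
"""Entropy-based anomaly detection over inbound packet-header distributions.

Added example, not code from the paper. The packet windows are constructed
synthetic data and the 0.5-bit alert threshold is an assumption.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields the method looks at (simplified, hypothetical record)."""
    proto: str      # "tcp", "udp" or "icmp"
    length: int     # total IP length in bytes
    dst_ip: str
    dst_port: int   # -1 when the protocol has no port (ICMP)
    ttl: int
    syn: bool       # TCP segment with SYN set and ACK clear
    frag: bool      # IP fragment (MF flag set or non-zero offset)


# Each feature maps a packet to the symbol whose relative frequency is tracked.
FEATURES = {
    "proto":    lambda p: p.proto,
    "length":   lambda p: p.length,
    "dst_ip":   lambda p: p.dst_ip,
    "dst_port": lambda p: p.dst_port,
    "ttl":      lambda p: p.ttl,
    "syn":      lambda p: p.syn,   # two-symbol distribution: SYN vs. everything else
    "frag":     lambda p: p.frag,  # two-symbol distribution: fragment vs. not
}


def entropy(counts):
    """Shannon entropy in bits, H = -sum p_i log2 p_i, of an empirical distribution."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def feature_entropies(packets):
    """Collapse a traffic window into one entropy value per header feature."""
    return {name: entropy(Counter(f(p) for p in packets))
            for name, f in FEATURES.items()}


def detect(baseline, current, threshold=0.5):
    """Compare a window's entropies with the baseline's.

    Returns (alerted_features, deltas) with delta = H_current - H_baseline;
    a feature alerts when |delta| exceeds the threshold (assumed 0.5 bits).
    """
    deltas = {n: current[n] - baseline[n] for n in FEATURES}
    alerts = sorted(n for n, d in deltas.items() if abs(d) > threshold)
    return alerts, deltas


def normal_window(n=200):
    """Constructed baseline: 8 servers, 8 ports, mixed protocols, a few SYNs/fragments."""
    pkts = []
    for i in range(n):
        proto = ("tcp", "tcp", "tcp", "udp", "icmp")[i % 5]
        pkts.append(Packet(
            proto=proto,
            length=(64, 128, 512, 1500)[i % 4],
            dst_ip="10.1.0.%d" % (i % 8),
            dst_port=-1 if proto == "icmp"
                     else (80, 443, 53, 25, 22, 110, 143, 8080)[(i * 3) % 8],
            ttl=(64, 128, 255)[i % 3],
            syn=(proto == "tcp" and i % 7 == 0),
            frag=(i % 50 == 0),
        ))
    return pkts


def syn_flood(n=600):
    """Constructed attack: one host floods one server port with 40-byte SYNs."""
    return [Packet("tcp", 40, "10.1.0.3", 80, 64, True, False) for _ in range(n)]


def run_demo():
    """Baseline window vs. the same background traffic with a SYN flood mixed in."""
    baseline = feature_entropies(normal_window())
    current = feature_entropies(normal_window() + syn_flood())
    return detect(baseline, current)


if __name__ == "__main__":
    alerts, deltas = run_demo()
    for name, d in deltas.items():
        flag = "  <-- anomaly" if name in alerts else ""
        print(f"{name:9s} dH = {d:+.2f} bits{flag}")
```

Two things the abstracts leave open and this example merely assumes are the threshold and the sign of the change. A fixed 0.5 bits is a placeholder; in practice the threshold is derived per feature from the spread of entropy across many clean baseline windows of the same size, because the plug-in entropy estimate itself depends on how many packets a window holds. The sign matters for the two-symbol features: SYN and fragment distributions peak at a 50/50 split, so the flood here, which raises SYNs from about 9% to about 77% of packets, moves the SYN entropy by less than the threshold, while the destination address and port distributions collapse by more than 1.5 bits each. A practitioner therefore pairs the entropy delta of such binary features with their raw rate rather than relying on entropy alone.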
