
REALISTIC SIMULATION OF NETWORK BEHAVIOR FOR EVALUATION AND SELF-ADJUSTMENT OF INTRUSION DETECTION SYSTEM

IP.com Disclosure Number: IPCOM000238197D
Publication Date: 2014-Aug-07
Document File: 5 page(s) / 29K

Publishing Venue

The IP.com Prior Art Database

Related People

Jan Stiborek: AUTHOR

Abstract

A solution is provided that generates realistic training data for injection into network traffic to enable evaluation and automatic reconfiguration of a behavior-analysis-based Intrusion Detection System (IDS). The solution recognizes network states for a given network protocol and models the network behavior as sequences of states using Markov chains, to later enable statistically correct generation of malware-like test traffic.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 30% of the total text.

Page 01 of 5


AUTHOR:

Jan Stiborek

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

    In recent years, malicious activity on the Internet has grown rapidly. Malware such as Stuxnet, Flame, etc., forces network administrators to deploy much more advanced technologies to match the level of such threats. A promising example of such technology is the anomaly-based Intrusion Detection System (IDS). A problem with utilizing IDSs is the need to configure the system according to the current network properties and states, which also affects the estimation of system efficacy. Both problems can be addressed by using labeled evaluation data. However, to obtain data relevant for adjusting the system, malicious activity needs to be observed directly on the controlled network and its impact evaluated.

    Such an approach suffers from several drawbacks. The first issue is that malicious activity is usually forbidden by the company's security policy, since it can cause serious problems on the protected network (e.g., unavailability of critical servers). The second issue is the scalability of such an approach. There exist a number of different networks with different profiles of network traffic (e.g., a corporate network vs. a community network vs. the network of an Internet Service Provider (ISP)) and a number of different parameters of the malicious activity. The third issue is that the controlled network is never absolutely clean, and therefore the anomalous test run may have unexpected and misleading manifestations, biasing the measured results. Running true malware in-network for configuration purposes is thus not feasible. One possible workaround is the use of an absolutely controlled lab network. This does not in fact solve the problem, because such a network has a completely different profile and is consequently useless for precise system evaluation purposes.

Copyright 2014 Cisco Systems, Inc.

    The solution presented herein generalizes the approach by using advanced models of network traffic, and thus improves the self-adaptation and self-monitoring capabilities of the system.

    Current techniques utilize Markov chains for modeling network traffic, but the main issue is that the presented approach is strictly limited to Secure Shell (SSH) brute-force attacks and requires manual labelling of the input data (e.g., specification of the individual states). Such an approach is referenced with regard to: A. Sperotto, R. Sadre, P.-t. D. Boer...
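The state-sequence model described in the abstract, as an added example that is not part of the disclosure: a first-order Markov chain is fitted to recognized protocol states of observed sessions, synthetic sessions are then sampled from it, and the transition statistics of the synthetic set are compared with the observed ones before the data is used for IDS evaluation. The state labels and the observed sessions are constructed assumptions; the disclosure names no concrete states.

```python
import random
from collections import defaultdict

# Constructed sample: each observed session of a protocol as a sequence of
# recognized states (assumed labels; the disclosure names no concrete states).
OBSERVED_SESSIONS = [
    ["CONNECT", "AUTH_OK", "DATA", "DATA", "CLOSE"],
    ["CONNECT", "AUTH_FAIL", "AUTH_FAIL", "AUTH_OK", "DATA", "CLOSE"],
    ["CONNECT", "AUTH_FAIL", "AUTH_FAIL", "AUTH_FAIL", "CLOSE"],
    ["CONNECT", "AUTH_OK", "DATA", "CLOSE"],
]
START, END = "<START>", "<END>"  # virtual boundary states

def fit_markov_chain(sessions):
    """Estimate first-order transition probabilities P(next | current)."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sessions:
        path = [START] + list(seq) + [END]
        for cur, nxt in zip(path, path[1:]):
            counts[cur][nxt] += 1
    return {cur: {s: n / sum(nxts.values()) for s, n in nxts.items()}
            for cur, nxts in counts.items()}

def generate_sessions(chain, n, seed=7, max_len=50):
    """Sample n synthetic state sequences by walking the chain from START."""
    rng = random.Random(seed)  # seeded so the synthetic set is reproducible
    sessions = []
    for _ in range(n):
        state, seq = START, []
        while len(seq) < max_len:
            nxts = chain[state]
            state = rng.choices(list(nxts), weights=list(nxts.values()))[0]
            if state == END:
                break
            seq.append(state)
        sessions.append(seq)
    return sessions

def max_deviation(reference, estimated):
    """Largest |P_ref - P_est| over the reference chain's transitions: a check
    that the synthetic traffic keeps the statistics of the observed traffic."""
    return max(abs(p - estimated.get(cur, {}).get(nxt, 0.0))
               for cur, nxts in reference.items() for nxt, p in nxts.items())

if __name__ == "__main__":
    chain = fit_markov_chain(OBSERVED_SESSIONS)
    synthetic = generate_sessions(chain, 2000)
    print("max transition deviation:",
          max_deviation(chain, fit_markov_chain(synthetic)))
```

A large deviation flags a synthetic set that no longer matches the observed network profile and should not be injected for evaluation.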