Transcript Anomaly Detection Using Curious Agents: A Case Study in Network

Anomaly Detection using
Curious Agents
A Case Study in Network Intrusion
Detection
Kamran Shafi
Research Associate DSARC
Kathryn Merrick
Lecturer ITEE
Presentation Outline
• Anomaly Detection
• Curious Agents
• Intrusion detection using curious agents
• Metrics, results and analysis
• Future work
Anomaly Detection
• The process of finding patterns
that deviate from the known or
expected behaviour of a
monitored system.
• Assumptions:
– Normal is prevalent
– Anomalous is significantly different
• A word on novelty detection…
Anomaly Detection Challenges
• A burglar alarm detects anomalies…
– Computational models are faced with much more difficult task
• What is ‘normal’ anyway?
– Listing all possibilities is infeasible
– Concepts change over time
– Labelled data may be unavailable, noisy
• Anomalies can be very similar to normal
• Anomalies are domain dependent
Anomaly Detection Techniques
• Classification
• Nearest Neighbour (NN)
• Clustering
• Statistical
• Information Theoretic Approaches
• Spectral Analysis
Based on Varun et al., 2009
Research Questions in Anomaly
Detection
• Streaming data
• Concept drift
• Data labelling
• Contextual anomaly detection
Curious Agents
• Currently used in robotics
and character animation
• Online, single-pass,
unsupervised learners
• Programmed
to seek out
and focus on
‘curious’ stimuli
UNSW@ADFA
Sony CSL, Paris
Curiosity
• In humans and animals:
– A motivation to seek an ‘optimal’ level
of stimulation
– Stimuli that are similar-yet-different to
what we already know
• In artificial systems:
– A scalar value for
environmental stimuli based on:
• Similarity
• Frequency of similar stimuli
• Recency of similar stimuli
Curious Agent Models
Curious reinforcement
learning agents
Robotics and character
animation
Curious supervised
learning agents
Intelligent sensed
environments
(Merrick and Maher, 2009)
Curious reflex agents
Proposed for anomaly
detection in networks
Case Study
Network Intrusion Detection
• The two fundamental approaches to ID:
– Misuse detection
– Anomaly detection
• Anomaly detection for ID classified in two ways:
– How normal data is interpreted and modelled
• Host based, network based…
– How similarity is measured
• Statistical profiling, pattern matching, classification,
clustering…
Intrusion Detection Challenges
• Intrusions need to be detected in real time,
before they can damage the system
• Concepts change over time
– New (legitimate) users
– New applications
– Novel attacks
• Attacks are stealthy and disguised as normal
Advantages of Curious Agents for
Network Intrusion Detection
• Curious agents combine three measures to analyse
stimuli (network data):
– Similarity: clustering layer
– Recency: habituating layer
– Frequency: interest layer
• Online, single-pass learners:
– Potential for real-time operation
• Unsupervised learners:
– Potential to adapt to changes in network usage
– Don’t require labelled data
Curious Reflex Agents for
Intrusion Detection
• Approaches tested:
– Self-organising map
– K-means clustering
– Simplified ART
network
Experimental Data:
KDD Cup Dataset
• 1999 KDD Cup intrusion detection dataset:
– 38 attack categories (14 only in the test data) + normal data
– Approx. 40 features
– Used commonly to test algorithms for intrusion detection
• Critiques of KDD Cup data:
– Parent dataset contains simulation artefacts – affect to KDD Cup
data is not known
– Not suitable to evaluate supervised learning methods – curious
agents approach overcome this problem
– Labelling issues, outdated
Experimental Design
• Data pre-processing
– Mapping categorical features
– Normalisation (Formula ??)
•
•
•
•
Number of runs
Validation on training set
Validation on test set
Algorithm parameters
–?
Metrics
• True positive rate:
– A weighted measure
– Percent of first instances of an attack that trigger
agent curiosity above some threshold C
– Higher the better
• False positive rate:
– Percent of all normal data that triggers agent curiosity
above threshold C
– Lower the better
Results and Analysis: Overview
100
80
90.4
83.6
78.8
SOM
60
K-Means
40.1
ART
40
15.1
20
11.9
0
TRUE POSITIVE
FALSE POSITIVE
C = 0.7
SOM
K-Means
ART
sp
y.
te
ar
dr
op
wa
.
re
zc
lie
wa
nt
re
zm .
as
te
r.
po
po
d.
rts
we
ep
.
ro
ot
ki
t.
sa
ta
n.
sm
ur
f.
ph
f.
pe
rl.
la
lo
nd
ad
.
m
od
ul
e.
m
ul
tih
op
.
ne
pt
un
e.
nm
ap
.
bu
ba
ffe
ck
r_
.
ov
er
flo
w.
ftp
gu
_w
es
rit
s_
e.
pa
ss
wd
.
im
ap
.
ip
sw
ee
p.
Results in Detail
WEIGHTED DETECTION OF ATTACKS (%)
100
80
60
40
20
0
Aggregative Detection Rates
Attack Category
Probe
SOM
(%)
99.68
KMEANS
(%)
98.38
ART
(%)
88.47
DOS
82.49
72.77
70.98
U2R
97.73
91.67
91.67
R2L
88.09
80.21
73.96
Overall
91.99
85.76
81.27
FA Rate
40.1
15.1
11.9
Strengths and Limitations
• Strengths:
–
–
–
–
High detection rates for rare attack types
Potential for Real time intrusion detection
Allowance for alarm aggregation
Allowance for tuning detection – false alarm tradeoff
• Limitations:
– False positive rate is too high to be practical
– Parameter settings – can be made adaptive
Conclusions
• Curious agents show potential as an approach to ID:
– Online, single-pass, unsupervised learning
– High detection rate for attacks in KDD data set
• False positive detection rate needs to be decreased
before practical application possible
• Future Directions
–
–
–
–
Parameter adaptation
Semi-supervised feedback
Evaluation with other datasets
Real time implementation