125 Кібербезпека / 4 Курс / 3.1_3.2_4.1_Захист інформації в інформаційно-комунікаційних системах / Лiтература / [Sumeet_Dua,_Xian_Du]_Data_Mining_and_Machine_Lear(BookZZ.org)

218    Data Mining and Machine Learning in Cybersecurity

9.3 Emerging Challenges in Intrusion Detection

In this book, we have discussed a variety of data-mining and machine-learning techniques to improve intrusion detection and prevention. These techniques secure cyberinfrastructures ranging from specific applications to various scales of operating systems, such as host-based or network-based IDS. Researchers have formulated these systems in data-mining and machine-learning models, or in other mathematical forms, based on specific assumptions on the anomalous data and normal data. These assumptions have facilitated the formulation of intrusion detection problems with regard to the objective of detection and the constraints on the data description in the formulation.

Most commercial products contain signature-based detection techniques. These techniques work, because all malicious or misuse behaviors have been profiled in signatures in a set of features. Extracting or selecting the features among the given data set promotes signature matching. However, missing features or insufficient profiling can cause these techniques to miss unknown attacks. The likelihood of missing unknown attacks hampers the abilities of these techniques to combat the miscellaneous novelties of cyber attacks. Anomaly detection techniques, including hybrid systems involving signature-based techniques, have occupied the research domain of intrusion detection in the past years. These techniques assume that, given the profile of all normal behaviors in cyberinfrastructures, outlying behaviors are anomalous. Such profiling techniques statistically aggregate the normal data into feature subsets or data clusters, which enable the flexibility and adaptability of anomaly detection to novel attack paradigms. Unfortunately, such techniques depend on accurate and precise boundaries between normal and anomalous data points.

The current machine-learning classification and clustering methods result in a high false-alarm rate when applied in anomaly detection systems. The high falsepositive rate hampers the application of anomaly detection techniques in real-world data sets. The high false-alarm rate can make an anomaly detection system ineffective. When an IDS detects more false alarms than true attacks, the true attacks are easily lost. In worst-case scenarios, the detected alarms are all false instead of true attacks. Axelsson recommended the upper boundary of the effective false-alarm rate should be around 0.001% (Axelsson, 2000). The low requirement makes the task of reducing false alarms more challenging, especially with the large number of streaming traffic data.

Researchers have discovered a number of anomaly detection techniques in ubiquitous applications that reduce false alarms while maintaining acceptable true positive rates. Most of these techniques focus on specific applications and are restricted in preliminary studies. We attribute their limitations to several challenges emerging in cyberinfrastructures and the underlining restriction of the current researches, such as the lack of a theoretical framework for anomaly detection, the lack of sufficient evaluation data sets, and incomplete evaluation techniques. We will discuss these challenges in the IDS, especially in anomaly detection systems.

Emerging Challenges in Cybersecurity    219

9.3.1 Unifying the Current Anomaly Detection Systems

Since anomaly detection techniques were motivated by various normal and anomalous characteristics in an unstructured way, researchers have not provided a unified framework of anomaly detection systems. Without a structured understanding of the normal and anomalous data sets, the detection problems can be biased, or the formulation may describe the given data set insufficiently. For example, the patterns of network traffic data have been described in traffic flow volume, entropy, traffic matrix, connection frequencies between the hosts of interest, etc. Each description presents an opportunity to discover various parts of the data characteristics, but no researcher has determined a unified description that is invariantly stable in face of a variety of anomalous data sets. The limitation of the ordinary intrusion detection or analysis systems lays in the lack of fundamental comprehension of the nature of the given cyberinfrastructures and of the data obtained in these systems.

This limitation also leads to the disordered theoretical framework in anomaly detection systems. Due to this limitation, few researchers have tried to combine the strengths of data-mining and machine-learning techniques into IDS. This theoretical framework also requires the fundamental discovery and analysis of the correlation between various data-mining and machine-learning techniques, so that an efficient hybrid method is explored. We have discussed similar issues in hybrid detection systems. We also categorized the existing hybrid detection techniques into serial, parallel, and mixture models. From the application studies, we know that no hybrid detection system can guarantee a better detection result than a single misuse-based detection system or anomaly detection system. An accurate hybrid detection system originates from the comprehensive understanding and combination of the proposed framework and the given data set. The statistical and combinatorial study of the designed workflow needs the investigation of data characteristics in depth. Thus, future research should include finding the optimal hybrid of various data mining, machine learning, or detection techniques, correlating machine-learning techniques for different detection objectives, and designing and analyzing intrusion detection evaluation data sets.

9.3.2 Network Traffic Anomaly Detection

As described in Section 9.2, cyber crimes and other malicious uses have emerged as a major concern in cyberspace. To help prevent these uses, researchers monitor networks using techniques such as network anomaly detection, as a part of IDSs to combat cyber attacks. Successfully updating network traffic techniques requires that the network profiling algorithms to be fast and highly scalable. The same requirements apply to the emerging network traffic anomaly detection systems and the solutions to suppressing the false-alarm rate. The wireless networks, VoIP, and mobile communications pose a variety of novel challenges

Emerging Challenges in Cybersecurity    221

quantification. We attribute the cause of such failures to three perspectives: imbalanced data, inappropriate machine-learning methods, and bad evaluation metrics.

Each data-mining and machine-learning method has its special cost function, which measures the learning error differently such that its evaluation should be a respective metric. We discussed the classic machine-learning classification methods in Chapter 2, and noted that most of the machine-learning algorithms perform well when data are balanced. Anomalous data cover a small part of the audit log records or network traffic flows. The imbalanced learning has the respective solutions, such as one-class learning, cost-effective machine learning, sampling methods, and feature selection filters (Stolfo et al., 2000; He and Garcia, 2009). Cost-effective machine learning relies on the assignment of costs to the four detected types: TP, FP, TN, and FN, to obtain the balanced objective function.

The challenge in using this technique is to determine how to find the appropriate cost parameters, and the assignments are strongly application dependent. Sampling methods attempted to provide balanced validation data such that normal machine-learning methods can be effective. The result implies overfitting or smaller coverage due to the repetition of minor samples or the reduction of major samples. We investigated several one-class anomaly classification methods, such as one-class SVM in Chapter 4, and showed these methods can reduce the false-alarm rates fairly, but lead to a low detection rate. Compared to the other proposed imbalanced learning algorithms, the one-class method has no significant advantages.

To address imbalanced learning, many researchers employed ROC and AUC to consider both the false-alarm rate and the true positive detection rate in one curve. However, both of methods may be misleading and incomplete, as we discussed in Chapter 2. A more accurate methodology is needed to evaluate the intrusion systems, especially in imbalanced learning.

9.3.4 Reliable Evaluation Data Sets or Data Generation Tools

To evaluate an IDS or compare the performances of IDSs, we need trusted data sets or data generation tools. Few public available data sets exist for examining IDS application studies. Furthermore, the generation of these data sets has not been reliable in the past. For example, MIT DARPA 1998 and 1999 are the most employed among them. The evaluation has showed that the DARPA data sets are not appropriate to simulate actual network systems or the data set generation tools (McHugh, 2000). The lack of proper evaluation data sets hampers the fair evaluation of IDS detection ability. The design of appropriate evaluation data sets and data generation tools should consider both the normal network traffic conditions and the anomalous traffic flows stealth in the traffic traces.

222    Data Mining and Machine Learning in Cybersecurity

9.3.5 Privacy Issues in Network Anomaly Detection

As discussed in Section 9.2, privacy issues in network anomaly detection can be approached from two methodologies: the identification of useful encrypted traffic packets and/or the privacy preservation problems in distributed anomaly detection.

Cryptography techniques have been applied in networks to solve privacy preservation problems, as well as randomization, permutation, and other data protection methods. Privacy protection processed data, such as encrypted traffic packets, prevent malicious users from accessing private information. The traditional anomaly detection techniques lack the ability to decrypt the encrypted packets. Since the traditional anomaly detection techniques cannot read these valuable encrypted packets, they will remove them and reduce the useful traffic information for anomaly detection. A desired solution would be to maintain these data without compromising the detection ability of IDS.

As discussed in Chapter 8 and in Section 9.2, especially related to MPC and SMC, we can regard privacy preservation as a particular topic in SMC. The distributed sensor networks and collection of data across the network for anomaly detection motivated the development of the privacy-preservation network distributed anomaly detection (Valdya and Clifton, 2004; Zimmermann and Mohay, 2006). Although PPDM and anomaly detection appear as isolated topics in this book, these issues are not separate. Such a privacy-preservation issue originates in the centralized data requirement for the traditional anomaly redetection algorithms. The adaptation of PPDM methods, especially in SMC, to network traffic flows, can potentially solve the privacy-preservation problem in distributed anomaly detection. In the PRISM project (Bianchi et al., 2007, 2008; PRIvacy-aware Secure Monitoring, 2010) (see Section 9.2), this issue was solved in a privacy-preservation network traffic monitoring system. In Pokrajec et al. (2007), techniques have been proposed to assign anomaly scores to test data points and update the anomaly detection system. Practical testing and evaluation are needed for the above-recommended methods.

9.4 Summary

With the unprecedented advances in cyber data collection and utilization, humans face unprecedented challenges in cybersecurity and privacy protection. These challenges extend throughout cyberspace because of the continuous advancements in information techniques. As we present in the book, researchers have proposed a number of cybersecurity solutions using data-mining and machine-learning techniques. These techniques have to be improved to incorporate the emerging challenges in the years ahead. We also found that we must consider cybersecurity and privacy-protection issues when we design and promote innovative tools in cyberspace. We believe that, in the near future, new tools and legislation for privacy protection will significantly enhance the challenges and opportunities for data-mining and machine-learning techniques for cybersecurity.

Emerging Challenges in Cybersecurity    223

References

Axelsson, S. The base-rate fallacy and its implications for the difficulty of intrusion detection.

ACM Transactions on Information and System Security 3 (2000): 186–205.

Bianchi, G. et al. Towards privacy-preserving network monitoring: Issues and challenges. In: The 18th Annual IEEE International Symposium on Personal, Indoor and Mobile Radio Communications, Athens, Greece, 2007.

Bianchi, G., S. Teofili, and M. Pomposini. New directions in privacy-preserving anomaly detection for network traffic. In: Proceedings of the First ACM Workshop on Network Data Anonymization, Alexandria, VA, 2008, pp. 11–18.

Data Loss Prevention Best Practices: Managing Sensitive Data in the Enterprise. A report from IronPort Systems, San Bruno, CA, 2007.

He, H. and E.A. Garcia. Learning from imbalanced data. IEEE Transactions on Knowledge and Data Engineering 21 (9) (2009): 1263–1284.

McHugh, J. Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection. ACM Transactions on Information and System Security 3 (2000): 262–294.

Messmer, E. America’s 10 most wanted botnets. Damballa, Atlanta, GA, 2009.

Mustaque, A., A. Dave et al. Emerging cyber threats report for 2009. Georgia Tech Information Security Center, 2008 GTISC security summit—Emerging cybersecurity threats.

Pokrajec, D., A. LAzarevic, and L.J. Latecki. Incremental local outlier detection for data streams. In: Proceedings of the IEEE Symposium on Computational Intelligence and Data Mining, Honolulu, HI, 2007.

PRIvacy-Aware Secure Monitoring. http://fp7-prism.eu/index.php?option=com_content&task= view&id=20&Itemid=29 (accessed 2010).

Stolfo, S.J., W. Fan, and W. Lee. Cost-based modeling for fraud and intrusion detectors: results from the JAM project. In: DARPA Information Survivability Conference & Exposition, Hilton Head, SC, 2000, pp. 120–144.

Tikk, E., K. Kaska, K. Rünnimeri, M. Kert, A.M. Talihärm, and L. Vihul. Cyber Attacks against Georgia: Legal Lessons Identified. NATO, 2008.

Valdya, J. and C. Clifton. Privacy-preserving outlier detection. In: Proceedings of the Fourth IEEE International Conference on Data Mining, Brighton, U.K., 2004, pp. 233–240.

Virtual Criminology Report 2009: Virtually Here: The Age of Cyber Warfare. McAfee, Santa Clara, CA, 2009.

Zhu, Z., G. Lu, Y. Chen, Z. Fu, P. Roberts, and K. Han. Botnet research survey. In: Annual IEEE International Computer Software and Application Conference, Turku, Finland, 2008, pp. 967–973.

Zimmermann, J. and G. Mohay. Distributed intrusion detection in clusters based on noninterference. In: Proceedings of the Australasian Workshops on Grid Computing and E-Research, Hobart, Tasmania, Australia, 2006, pp. 89–95.