Network, Security and Multimedia Department (Département Réseau, Sécurité et Multimédia), Activity Report 2008


Dependable Anomaly Detection with Diagnosis

Research Staff: Frédéric Cuppens, Sylvain Gombault, Jean-Pierre Le Narzul
Post-Doc: Wei Wang
Keywords: Dependability, Agreement Services, Intrusion detection, Anomaly detection
Applications: Dependable Web Servers, Anomaly Detection System
Partners & Funding: partially funded by ANR in the framework of the ACI DADDi (Action Concertée Incitative)

Introduction

Most current intrusion detection systems are signature-based. The major limitation of this technique is its inability to detect new attacks, which by definition cannot be in the database of signatures. Facing this problem, anomaly detection is particularly interesting. The main principle of anomaly detection is to build a reference model of the behavior of a given entity (user, machine, service, or application). A deviation from this model is considered an attack attempt.

DADDi (Dependable Anomaly Detection with Diagnosis) is an ACI project funded by the ANR (2004-2007) that deals with intrusion detection techniques. The project consortium includes four academic institutes (Supélec, CRIL, TELECOM Bretagne, IRISA) and one industrial partner (Orange Labs).

The first objective of this ACI is to propose new explicit anomaly detection approaches. Such an approach exhibits several problems. First, it is difficult to define what is explicitly significant in the modeled behavior. Then, it is necessary to take into account the normal evolution of the observed behavior. Enhancing the explicit approach is thus a first objective of this project.

As a second objective, DADDi suggests introducing an implicit approach based on a classical approach of the dependability domain: design diversity. The goal is to forward any request to several modules implementing the same functionality, but through diverse designs (diversified COTS servers). Any difference between the results obtained can be interpreted as a possible corruption of one or several modules. In both cases (explicit and implicit), the dependability properties of the Intrusion Detection System (IDS) are also a main concern. Studying these properties is the third objective of this project, in order to bring intrusion tolerance properties to the anomaly detector.

Realization

[Fig 1: New attack detection with explicit approach]

A first part of our work focused on anomaly detection with an explicit reference model. We have investigated new methods and tested them over the DARPA 98 traffic database. We have proven their efficiency, and their application exceeded the winning entry of the KDD 99 intrusion detection contest. Our contribution in this project is threefold. The first is the necessity to improve machine learning methods by adding a new class: new instances should be assigned to it, since they should not be classified as any of the known classes present in the learning data set [2]. The second contribution consists in introducing some necessary conditions that should be verified by a rich transformation function. This last point was not taken into account during the transformation of the DARPA98 into KDD99 data sets. As a result, much attack traffic became identical to normal traffic after transformation. We have shown that SNMP attacks were classified as normal traffic for this reason [2]. We have then modified the transformation function to detect attacks on SNMP traffic, to match the necessary conditions for this service. By modifying only the method of calculation of two attributes, we improved considerably the detection rate of attacks on this service. But in spite of these good results the transformation

Pracom's Annual Report 2008, page 45
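The necessary condition on the transformation function described above, as an added Python illustration (not the DADDi project's code): it checks whether a feature transformation maps attack and normal records onto identical feature vectors, and shows that recomputing two attributes removes the collisions. The SNMP-like records, their field names and both transformation functions are constructed and hypothetical, not DARPA98 or KDD99 attributes.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

Record = Dict[str, int]
Transform = Callable[[Record], Tuple]

# Constructed UDP/161 (SNMP-like) records, (label, raw fields); the "attack"
# rows mimic probes that get no reply. Values are made up for the illustration.
RAW_RECORDS: List[Tuple[str, Record]] = [
    ("normal", {"src_bytes": 80, "dst_bytes": 120, "pkts": 2, "replies": 1}),
    ("normal", {"src_bytes": 90, "dst_bytes": 140, "pkts": 2, "replies": 1}),
    ("normal", {"src_bytes": 75, "dst_bytes": 110, "pkts": 2, "replies": 1}),
    ("attack", {"src_bytes": 85, "dst_bytes": 0, "pkts": 2, "replies": 0}),
    ("attack", {"src_bytes": 95, "dst_bytes": 0, "pkts": 2, "replies": 0}),
]

def coarse_transform(r: Record) -> Tuple:
    """Hypothetical coarse attributes: request-size bucket and packet count.
    The reply side is dropped, so probes and normal polls become identical."""
    return ("udp", 161, r["src_bytes"] // 50, r["pkts"])

def rich_transform(r: Record) -> Tuple:
    """Same attributes plus two recomputed ones (bytes returned per packet and
    whether the service answered), which keep the attack rows separable."""
    return coarse_transform(r) + (r["dst_bytes"] // max(r["pkts"], 1), r["replies"] > 0)

def label_collisions(transform: Transform,
                     records: List[Tuple[str, Record]]) -> Dict[Tuple, Set[str]]:
    """Feature vectors produced by records of more than one label. Any entry
    here violates the necessary condition: no classifier trained on the
    transformed data can separate those records afterwards."""
    labels_by_vector: Dict[Tuple, Set[str]] = defaultdict(set)
    for label, rec in records:
        labels_by_vector[transform(rec)].add(label)
    return {v: ls for v, ls in labels_by_vector.items() if len(ls) > 1}

def preserves_labels(transform: Transform, records: List[Tuple[str, Record]]) -> bool:
    return not label_collisions(transform, records)

def masked_attack_fraction(transform: Transform,
                           records: List[Tuple[str, Record]]) -> float:
    """Share of attack records that the transformation makes indistinguishable
    from normal traffic (the effect the report describes for SNMP attacks)."""
    collided = label_collisions(transform, records)
    attacks = [rec for label, rec in records if label == "attack"]
    masked = sum(1 for rec in attacks if transform(rec) in collided)
    return masked / len(attacks) if attacks else 0.0
```

On the constructed records, `coarse_transform` masks every attack row (fraction 1.0) while `rich_transform` masks none; running the same check over a real labelled capture before training is the practical use.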
