Nasser S. Abouzakhar, Gordon Manson
Centre for Mobile Communications Research
University of Sheffield
The growing dependence of modern society on telecommunication and information networks has become inevitable. The increase in the number of networks interconnected through the Internet has led to an increase in security threats and cyber-crimes such as Distributed Denial of Service (DDoS) attacks. Any Internet-based attack is typically preceded by a reconnaissance probing process, which might take just a few minutes, hours, days, or even months before the attack itself takes place.

The work presented here describes the use of BayesiaLab for learning Bayesian networks in order to detect distributed network attacks as early as possible. It shows how a Bayesian network probabilistically detects communication network attacks, allowing Network Intrusion Detection Systems (NIDSs) to generalize. It describes the major results achieved from experiments based on a real-time dataset, as well as the observations that explain those results. Learning agents that deploy the Bayesian network approach are considered a promising and useful tool for identifying suspicious early events of Internet threats and consequently relating them to the activities that follow.
Figure 1 shows the Bayesian network that was automatically constructed by the learning algorithms of BayesiaLab. The target variable, activity_type, is directly connected to the variables that contribute most to knowledge of it, such as service and protocol_type.

Figure 1 - The developed Bayesian Detector Model

Observation 1: As shown in Figure 2, the most probable activity corresponds to a smurf attack (52.90%), an ecr_i (ECHO_REPLY) service (52.96%) and an icmp protocol (53.21%).

Figure 2 - A priori probability distributions
Observation 2: What would happen if the probability of receiving ICMP protocol packets were increased? Would the probability of a smurf attack increase? As illustrated in Figure 3, setting the protocol to its ICMP value increases the probability of a smurf attack from 52.90% to 99.37%.

Figure 3 - Probability distributions given ICMP protocol

Observation 3: Let's look at the problem from the opposite direction. If we set the probability of a portsweep attack, which represents a reconnaissance process, to 100%, then the state values of some associated variables inevitably vary. We note from Figure 4 that the probabilities of the TCP protocol and the private service have increased from 38.10% in Figure 2 to 97.49% and from 24.71% in Figure 2 to 71.45% respectively. We can also notice an increase in the REJ and RSTR flags.

Figure 4 - Probability distributions given portsweep attack
In conclusion, the main advantage of having probabilistic figures as the output of an IDS is the ability to adjust the IDS's sensitivity. This allows a trade-off between accuracy and sensitivity simply by adjusting the probability threshold figures. Furthermore, the automatic detection of telecommunication network anomalies by learning allows the normal activities to be distinguished from the abnormal ones. Lastly, this type of analysis allows network security analysts to see the amount of information contributed by each variable in the detection model to the knowledge of the target node.
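The three observations and the conclusion all rest on the same mechanism: inference over a learned network, run in either direction (evidence on a feature to update the attack posterior, or evidence on the attack class to update the feature distributions), a probability threshold that sets sensitivity, and a per-variable measure of how much each feature tells the target node. The following is an added worked example, not code from the paper or from BayesiaLab, that implements that mechanism over a constructed toy network. It assumes a simplified naive-Bayes shape (activity_type is the root and each feature depends only on it) and uses made-up conditional probability tables chosen to resemble the paper's qualitative findings; the numbers are illustrative, not the paper's learned parameters.

```python
import itertools
import math

# Constructed toy model (assumption): activity_type is the target/root node and
# protocol_type, service and flag each depend only on it. All numbers are
# illustrative and do not come from the paper's learned network.
ACTIVITIES = ("normal", "smurf", "portsweep")
PRIOR = {"normal": 0.40, "smurf": 0.45, "portsweep": 0.15}

# CPT[feature][activity][value] = P(feature = value | activity_type = activity)
CPT = {
    "protocol_type": {
        "normal":    {"tcp": 0.80, "udp": 0.15, "icmp": 0.05},
        "smurf":     {"tcp": 0.01, "udp": 0.01, "icmp": 0.98},
        "portsweep": {"tcp": 0.95, "udp": 0.03, "icmp": 0.02},
    },
    "service": {
        "normal":    {"http": 0.70, "private": 0.20, "ecr_i": 0.10},
        "smurf":     {"http": 0.01, "private": 0.01, "ecr_i": 0.98},
        "portsweep": {"http": 0.20, "private": 0.75, "ecr_i": 0.05},
    },
    "flag": {
        "normal":    {"SF": 0.90, "REJ": 0.07, "RSTR": 0.03},
        "smurf":     {"SF": 0.98, "REJ": 0.01, "RSTR": 0.01},
        "portsweep": {"SF": 0.20, "REJ": 0.45, "RSTR": 0.35},
    },
}


def _variables():
    """Name -> tuple of states, for every node in the network."""
    states = {"activity_type": ACTIVITIES}
    for feature, table in CPT.items():
        states[feature] = tuple(next(iter(table.values())).keys())
    return states


def joint_probability(assignment):
    """P(full assignment) = P(activity) * prod P(feature | activity)."""
    act = assignment["activity_type"]
    p = PRIOR[act]
    for feature, table in CPT.items():
        p *= table[act][assignment[feature]]
    return p


def infer(query, evidence=None):
    """Posterior P(query | evidence) by exhaustive enumeration.

    Works in both directions: evidence on a feature updates the belief about
    activity_type (Observation 2), and evidence on activity_type updates the
    feature distributions (Observation 3). With no evidence it returns the
    a priori distribution (Observation 1).
    """
    evidence = evidence or {}
    variables = _variables()
    names = list(variables)
    dist = {state: 0.0 for state in variables[query]}
    for combo in itertools.product(*(variables[n] for n in names)):
        assignment = dict(zip(names, combo))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue  # inconsistent with the observed evidence
        dist[assignment[query]] += joint_probability(assignment)
    total = sum(dist.values())
    return {state: p / total for state, p in dist.items()}


def attack_probability(evidence):
    """P(activity_type is any attack class | evidence)."""
    return 1.0 - infer("activity_type", evidence)["normal"]


def classify(evidence, threshold):
    """Raise an alert when the attack posterior reaches the threshold.

    Lowering the threshold makes the detector more sensitive (more alerts,
    more false positives); raising it trades sensitivity for precision.
    """
    p = attack_probability(evidence)
    return ("attack" if p >= threshold else "normal", p)


def mutual_information(feature):
    """I(activity_type; feature) in bits: the information the feature
    contributes to the knowledge of the target node."""
    marginal = infer(feature)
    mi = 0.0
    for act in ACTIVITIES:
        for value, p_cond in CPT[feature][act].items():
            p_joint = PRIOR[act] * p_cond
            if p_joint > 0:
                mi += p_joint * math.log2(p_joint / (PRIOR[act] * marginal[value]))
    return mi


def rank_variables():
    """Features ordered by how much information they carry about the target."""
    return sorted(((f, mutual_information(f)) for f in CPT),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("a priori:", infer("activity_type"))
    print("given icmp:", infer("activity_type", {"protocol_type": "icmp"}))
    print("protocol given portsweep:", infer("protocol_type", {"activity_type": "portsweep"}))
    ambiguous = {"protocol_type": "tcp", "service": "private", "flag": "SF"}
    for t in (0.5, 0.2):
        print(f"threshold {t}:", classify(ambiguous, t))
    print("information per variable:", rank_variables())
```

The `ambiguous` connection in the usage block (tcp, private, SF) is the interesting case: its attack posterior sits between 0.2 and 0.5, so it is reported as normal at a 0.5 threshold and as an attack at 0.2, which is exactly the sensitivity knob the conclusion describes. Enumeration is exponential in the number of nodes and is used here only because the toy network is tiny; a real detector would rely on a proper inference engine.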
For more details regarding this work, please contact
Nasser S. Abouzakhar