
Cyber-crimes detection

Modern society's growing dependence on telecommunication and information networks has become inevitable. The increase in the number of networks connected to the Internet has led to an increase in security threats and cyber-crimes such as Distributed Denial of Service (DDoS) attacks. Any Internet-based attack is typically prefaced by a reconnaissance probe process, which might take just a few minutes, hours, days, or even months before the attack takes place.

The work presented here describes the use of BayesiaLab to learn Bayesian networks in order to detect distributed network attacks as early as possible. It shows how a Bayesian network detects communication network attacks probabilistically, allowing for generalization of Network Intrusion Detection Systems (NIDSs). It describes the major results achieved from experiments based on a real time dataset, as well as the observations that explain those results. Learning agents that deploy the Bayesian network approach are considered a promising and useful tool for identifying suspicious early events of Internet threats and relating them to the activities that follow.

The Bayesian network below has been constructed automatically by the learning algorithms of BayesiaLab. The target variable, activity_type, is directly connected to the variables that contribute most to knowledge of it, such as service and protocol_type.

The developed Bayesian Detector Model

A priori probability distributions


Observation 1: As shown in the figure, the most probable activity corresponds to a smurf attack (52.90%), an ecr_i (ECHO_REPLY) service (52.96%) and an icmp protocol (53.21%).

Probability distributions given ICMP protocol


Observation 2: What would happen if the probability of receiving ICMP protocol packets is increased? Would the probability of having a smurf attack increase? As illustrated in the figure, setting the protocol to its ICMP value increases the probability of having a smurf attack from 52.90% to 99.37%.

Probability distributions given portsweep attack


Observation 3: Let's look at the problem from the opposite direction. If we set the probability of a portsweep attack, which represents a reconnaissance process, to 100%, then the state values of some associated variables inevitably change. We note from Figure 4 that the probabilities of the TCP protocol and the private service have increased from 38.10% in figure 2 to 97.49% and from 24.71% in figure 2 to 71.45% respectively. We can also notice an increase in the REJ and RSTR flags.

In conclusion, the main advantage of having probabilistic figures as an output in IDSs is the ability to adjust our IDS's sensitivity. This would allow us to trade off between accuracy and sensitivity, simply by adjusting the probability threshold figures. Furthermore, the automatic detection of telecommunication network anomalies by learning allows distinguishing the normal activities from the abnormal ones. Lastly, this type of analysis would allow network security analysts to see the amount of information being contributed by each variable in the detection model to the knowledge of the target node.
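
The evidence-setting step of Observation 2 and the threshold adjustment described above can be reproduced on a small scale. The following is an added example, not the BayesiaLab model from this work: it assumes a naive Bayes structure (activity_type as the only parent of protocol_type, service and flag) and learns from constructed records, so its percentages differ from the ones reported on this page.

```python
from collections import Counter, defaultdict

# Constructed connection records (protocol_type, service, flag, activity_type).
# Counts are invented for illustration; they are not the dataset used on this page.
RECORDS = (
    [("icmp", "ecr_i", "SF", "smurf")] * 50
    + [("tcp", "private", "REJ", "portsweep")] * 6
    + [("tcp", "private", "RSTR", "portsweep")] * 3
    + [("tcp", "http", "SF", "portsweep")] * 1
    + [("tcp", "http", "SF", "normal")] * 30
    + [("udp", "private", "SF", "normal")] * 8
    + [("icmp", "ecr_i", "SF", "normal")] * 2
)
FEATURES = ("protocol_type", "service", "flag")

def learn(records, alpha=1.0):
    """Estimate P(activity) and P(feature=value | activity), Laplace-smoothed."""
    prior = Counter(r[-1] for r in records)
    counts = defaultdict(Counter)   # (feature, activity) -> value counts
    values = defaultdict(set)       # feature -> set of observed values
    for *feats, act in records:
        for name, val in zip(FEATURES, feats):
            counts[name, act][val] += 1
            values[name].add(val)
    def cond(name, val, act):
        return (counts[name, act][val] + alpha) / (prior[act] + alpha * len(values[name]))
    return {a: n / len(records) for a, n in prior.items()}, cond

def posterior(model, evidence):
    """P(activity_type | evidence) by Bayes' rule; evidence is {feature: value}."""
    prior, cond = model
    joint = dict(prior)
    for name, val in evidence.items():
        for act in joint:
            joint[act] *= cond(name, val, act)
    z = sum(joint.values())
    return {act: p / z for act, p in joint.items()}

def alert(model, evidence, threshold):
    """Flag a record when P(activity is not normal | evidence) reaches the threshold."""
    return 1.0 - posterior(model, evidence)["normal"] >= threshold

MODEL = learn(RECORDS)
print("prior      :", posterior(MODEL, {}))
print("given icmp :", posterior(MODEL, {"protocol_type": "icmp"}))
probe = {"protocol_type": "tcp", "flag": "REJ"}   # partial evidence, service unknown
print("alert at 0.8 / 0.9:", alert(MODEL, probe, 0.8), alert(MODEL, probe, 0.9))
```

With these constructed counts the same rejected TCP connection raises an alert at a threshold of 0.8 but not at 0.9, which is the sensitivity adjustment the conclusion refers to.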
