Presentation on conference Security for Information and Networks (SIN-2015). Abstract: A problem of anomaly behavior detection for network communicating computer is discussed. A novel approach based on dynamic response of computer is introduced. The computer is suggested as a multiple-input multiple-output (MIMO) plant. To characterize dynamic response of the computer on incoming requests a correlation between input data rate and observed output response (outgoing data rate and performance metrics) is used. To distinguish normal and anomaly behavior of the computer a one-class classifier based on feedforward neural network is constructed. In the paper a method of anomaly detection is described and results of model experiments with Web-server are provided. DOI: http://dx.doi.org/10.1145/2799979.2799991

1. Dynamic response recognition by
neural network to detect network
host anomaly activity
Vladimir Eliseev - Infotecs JSC, National Research
University (MPEI)
Yury Shabalin - National Research University
(MPEI), Alfa Bank JSC
The 8th International Conference on Security of Information and Networks
In Technical Cooperation with ACM SIGSAC
September 8-10, 2015 Sochi/Russia

2. Formulation of the problem
• There are many typical
network servers
• Every of them can be
attacked in many known or
unknown ways
• Every server may fail to
operate due to internal
problem far from illegal
actions
The question is:
How to detect server failure in
all cases from the most general
point of view?
Requests
Replies
Attack
2

3. Anomaly detection
General subdivision:
• Attack detection
– Host based
– Network based
• System health sensors
– Specific for vendor
hardware and software
General disadvantages:
1. Separate systems with
different control and
tuning
2. Too complicated to
maintain all of them
3. Need to gather events
in SIEM to analyze
4. There are breaches for
zero-day attacks
3

4. Host based anomaly detection
Pro
• Known attack is recognized
for sure
• Independent from server’s
software and hardware
Contra
• Event of attack is detected
even it has no effect
• System problems and
unknown attacks are not
detected
Pro
• Applicable both for known
and some unknown attacks
• Hardware independent
Contra
• Very specific and sensitive
for application and system
software change or upgrade
Network based anomaly detection
4

5. Normal and anomaly server behavior
• Normal
Typical requests lead to
typical number and size of
replies and typical load
• Defaced
Hacked server produces
less traffic and less load
• Under DoS attack
Typical requests and
attacking traffic together
make higher load and
less number of replies
• Software bug
Typical requests cause
unusual outgoing traffic
and load
Requests
Replies
Requests
DoS attack
Replies
CPU, Mem, I/O
Requests
Replies
CPU, Mem, I/O
CPU, Mem, I/O
Requests
Replies
Hacked earlier CPU, Mem, I/O
5

6. Our idea
Measurement of server operations:
– Incoming traffic (by port and protocol)
– Outgoing traffic (by port and protocol)
– Computer load (CPU, memory, I/O consumption)
Calculate and remember dynamic response of server
(change of outputs to the change of inputs) to
distinguish typical (=normal) response from anomaly.
Incoming
requests
Outgoing
replies
CPU, Mem, I/O
Inputsxi
Outputsyj
6

7. Principals
• Considering network server as a
multidimensional dynamic plant
• Counting amount of traffic but not scanning
its content
• Every network interface of server should be
accounted separately with all open ports
• Network traffic and server performance
metrics are measured in constant time
window base
7

8. Dynamic response calculation
Scalar input/output response of a server from the control
theory point of view:
• Small delay – much less than time window
• Short transient time
• Non-linear behavior
Matrix of Pearson correlation coefficients 𝑅(𝑘) = 𝑟𝑖𝑗 𝑘
𝑛𝑚
where n inputs xi, m outputs yj at time tk and
𝑟𝑖𝑗 𝑘 =
𝑥𝑖 𝑘 − 𝑙 − 𝑥𝑖 𝑘 𝑦𝑗 𝑘 − 𝑙 − 𝑦𝑗 𝑘𝑑−1
𝑙=0
𝑥𝑖 𝑘 − 𝑙 − 𝑥𝑖 𝑘 2 𝑦𝑗 𝑘 − 𝑙 − 𝑦𝑗 𝑘
2𝑑−1
𝑙=0
𝑥𝑖 𝑘 =
1
𝑑
𝑥𝑖(𝑘 − 𝑙)
𝑑−1
𝑙=0
𝑦𝑗 𝑘 =
1
𝑑
𝑦𝑗(𝑘 − 𝑙)
𝑑−1
𝑙=0
8

9. Dynamic response recognition
Need to learn typical correlation matrices. Then it’s
needed to accept known matrices and reject other.
One class classification problem is solved by:
• Support vector machine (SVM)
• Neural network (NN) as auto-associative memory
Requests
Replies
Correlation matrices R(k) at time tk
t
9

10. Neural network approach
for one class classification
𝑒 𝑟 𝑘 = 𝑅 𝑘 − 𝑅∗ 𝑘 = 𝑟𝑖𝑗 𝑘 − 𝑟𝑖𝑗
∗
𝑘
2
𝑁
𝑖=1
𝑀
𝑗=1
1
2
𝑅 𝑘 𝑅∗ 𝑘
Calculated
from real data
Reconstructed
by NN
Reconstruction
error:
Small error: known
input/output response
Otherwise: unknown
input/output response
Neural network
(MLP)
10

11. Experimental stand description
Incoming traffic Outgoing traffic Performance
TCP total TCP total CPU usage
UDP total UDP total Memory usage
HTTP HTTP I/O usage
• VMware Workstation
as VM host
environment
• Windows-based
Apache Web server (1)
• Self-made requests
generator and attack
simulator (2)
• MySQL DBMS (3)
• Wireshark traffic
sniffer (4)
3 input and
6 output variables
=> 3x6 correlation
matrix size
11

12. Training traffic data series (normal)
TCP in
TCP out UDP out
UDP in HTTP in
HTTP out
I/OCPU
Mem
12Time length 2100s, Δt=1s

13. Neural network training
• One class classifier NN structure:
• Regression diagram of NN training (by LM):
13

14. Traffic data series with anomalies
TCP in
TCP out UDP out
UDP in HTTP in
HTTP out
I/OCPU
Mem
14Time length 2100s, Δt=1s

15. Reconstruction error plot
Normal traffic Traffic with anomalies
Two different traffic series reconstruction
error in the same Y axis scale (small scale)
Correlation base width d=3
HTTP input data rate (large scale)
0
1000
2000
3000
4000
5000
6000
1250
1255
1260
1265
1270
1275
1280
1285
1290
1295
1300
1305
1310
1315
1320
1325
1330
1335
1340
1345
1350
Incoming data
With anomaly fragments Normal
Reconstruction error (large scale)
0
1
2
3
4
5
1250
1255
1260
1265
1270
1275
1280
1285
1290
1295
1300
1305
1310
1315
1320
1325
1330
1335
1340
1345
1350
Reconstruction error
With anomaly fragments Normal
Anomalies
Anomaly
Threshold
Threshold
15

16. Discussion
Pro
1. Training is fully automatic
(does not need traffic
labeling)
2. Very high runtime
performance
3. Any server failure causes
alarm (both security and
non-security related)
4. Can fight zero day attacks
5. Data leak detection
Contra
1. Maintenance actions will
cause alarm
2. Not for desktops
3. Hardware and software
upgrade and even
reconfiguration may need to
train classifier once again on
fresh data
4. Attacks with small impact to
measured properties can not
be detected
16

17. Conclusion
• Dynamic plant response approach was adopted
for a network server behavior investigation
• One class neural network classifier for correlation
matrix reconstruction was implemented
• Simulation experiments approved feasibility of
the method
• Potential advantages and disadvantages were
discussed
• Further research should be performed
17

18. Thank you for attention!
Vladimir Eliseev vlad-eliseev@mail.ru
Yury Shabalin yury.shabalin@gmail.com