Section: New Results
Keywords : Intrusion, Outlier.
Intrusion detection: mining common outliers
Participants : Goverdhan Singh, Celine Fiot, Alice Marascu, Florent Masseglia.
In this work, done in collaboration with P. Poncelet (LIRMM), we have focused on Intrusion Detection Systems (IDS). An IDS aims at monitoring the events occurring in a network and analyzing them for traces of possible incidents, which are violations of computer security policies. Continuous analyses are performed in order to detect and stop possible incidents. There are multiple methods which aim at solving this problem, among them unsupervised clustering. In this context, unsupervised clustering allows grouping similar behaviours into clusters and, in a second step, finding among them the clusters corresponding to possible incidents. The idea is that isolated behaviours are considered as possible incidents. The drawback of this method is that normal but atypical behaviours may be considered as suspect. In this context, we have proposed the COD (Common Outlier Detection) method. The idea behind this method consists in the possible repetition of an attack on many systems. Our algorithm performs successive clustering steps for each site. At each step we check the potentially matching outliers between both sites. The clustering algorithm is agglomerative and depends on the maximum dissimilarity (MD) that has to be respected between two objects. Let us consider that n, the desired number of alarms, is set to 1 and the usage patterns are distributed as illustrated in figure 1. Let us also consider that for these sites the cluster labelled D at step 1 is the only one that corresponds to an intrusion attempt. For step one, MD is initialised with a very low value, so the clusters will be as tight and small as possible. Then we check correspondences between outliers of S1 and S2. Let us consider the clustering results on S1 and S2 at step one in figure 1. There are four matching outliers between both sites (A, B, C and D). That would lead to 4 alarms (among which only one is true), which is more than desired by the user.
We thus have to increase the clustering tolerance ( i.e. increase MD ) so that bigger clusters can be built. After a few steps, we will find the clusters of step n in figure 1 . The only common outlier is A , which corresponds to the intrusion attempt. Furthermore, this will trigger one alarm, as desired by the user, and there is no need to continue increasing MD until step m .
The network security services of INRIA and our own investigations allow us to confirm the intrusion attempts that have been discovered by our method (including “code injection”, “easter eggs” and “password”).