Lessons Learned from Experimenting with Machine Learning in Intrusion Analysis

ABSTRACT

Intrusion analysis, i.e., the process of combing through IDS alerts and audit logs to identify real successful and attempted attacks, remains a difficult problem in practical network security defense. The major contributing cause of this problem is the large false-positive rate of the sensors used by IDS systems to detect malicious activities. The goal of this work is to examine whether a machine-learned classifier can help a human analyst filter out non-interesting scenarios reported by an IDS alert correlator, so that analysts' time can be saved. This research is conducted in the open-source SnIPS intrusion analysis framework. Our goal is to classify the correlation graphs produced by SnIPS into "interesting" and "non-interesting", where "interesting" means that a human analyst would want to conduct further analysis on the events. We spent a significant amount of time manually labeling SnIPS output correlation graphs, and built prediction models using both supervised and semi-supervised learning approaches. Our experiments revealed a number of interesting observations that give insights into the pitfalls and challenges of applying machine learning to intrusion analysis. The experimental results also indicate that semi-supervised learning is a promising approach towards practical machine learning-based tools that can aid human analysts when only a limited amount of labeled data is available.

The Problem and Our Approach

The IDS sensors that we have to rely on for intrusion analysis often suffer from a large false-positive rate. For example, we run the well-known open-source IDS system Snort on our departmental network containing just a couple hundred machines, and Snort produces hundreds of thousands of alerts every day, most of which happen to be false alarms. The reason for this is well-known: to prevent false negatives, i.e. detection misses caused by overly specific attack signatures, the signatures loaded in the IDS are often as general as possible, so that an activity with even a remote possibility of indicating an attack will trigger an alert. It then becomes the responsibility of a human analyst monitoring the IDS system to distinguish the true alarms from the enormous number of false ones. How to deal with the overwhelming prevalence of false positives is the primary challenge in making IDS sensors useful, given that the amount of attack-relevant data is minuscule compared to the titanic volume of data produced by an enterprise network. The dilemma created by this base-rate fallacy, first pointed out by Axelsson [1], has made it virtually impossible to accurately detect intrusions with a single sensor. Due to the lack of effective techniques to handle the false-positive problem, it is common among practitioners to altogether disable IDS signatures that tend to trigger large numbers of false positives. In our own campus network, the security analysts did not use the standard Snort signatures at all, but rather resorted to secret attack signatures that are highly specific to their experience and environment and have small false-positive rates. However, as we were told by the security analysts, the secret signatures can only help capture some "low-hanging fruit", and many attacks are likely missed because of the disabled, more generic signatures.
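The base-rate argument above can be made concrete with Bayes' theorem. The following is an added example, not code from the paper or from SnIPS; the base rate, detection rate and event volume are constructed illustration values, not measurements from the authors' network.

```python
# Added example: the base-rate fallacy in intrusion detection (Axelsson [1]),
# worked through with Bayes' theorem. All numeric inputs are constructed.


def posterior_given_alarm(base_rate, tpr, fpr):
    """P(intrusion | alarm) for one audited event.

    base_rate: P(intrusion), the fraction of events that are attack-related
    tpr:       P(alarm | intrusion), the detection rate of the signature
    fpr:       P(alarm | no intrusion), its false-positive rate
    """
    p_alarm = tpr * base_rate + fpr * (1.0 - base_rate)
    return tpr * base_rate / p_alarm


def fpr_for_target_precision(base_rate, tpr, target):
    """Largest FPR for which P(intrusion | alarm) still reaches `target`.

    Obtained by solving target = tpr*b / (tpr*b + fpr*(1-b)) for fpr; it
    shows how tiny the FPR must be once the base rate is tiny.
    """
    return tpr * base_rate * (1.0 - target) / (target * (1.0 - base_rate))


def daily_alarm_breakdown(events_per_day, base_rate, tpr, fpr):
    """Expected (true alarms, false alarms) per day for a given event volume.

    This is the analyst's workload: every false alarm still has to be looked
    at and dismissed by a human.
    """
    intrusions = events_per_day * base_rate
    true_alarms = intrusions * tpr
    false_alarms = (events_per_day - intrusions) * fpr
    return true_alarms, false_alarms


if __name__ == "__main__":
    b = 1e-5  # constructed: one attack-related event per 100,000 audited events
    print("FPR -> P(intrusion | alarm), with a perfect detection rate")
    for fpr in (1e-2, 1e-3, 1e-4, 1e-5):
        print(f"  {fpr:.0e} -> {posterior_given_alarm(b, 1.0, fpr):.4f}")
    # Even a 1e-5 FPR only makes half of all alarms real; a generic signature
    # with FPR 1e-2 means roughly 999 of every 1000 alarms are false.
    need = fpr_for_target_precision(b, 1.0, 0.9)
    print(f"FPR needed for 90% precision: {need:.2e}")
    true_a, false_a = daily_alarm_breakdown(1e7, b, 1.0, 1e-2)
    print(f"Per day at 10M events: {true_a:.0f} true vs {false_a:.0f} false alarms")
```

The sweep reproduces Axelsson's point: the analyst's precision is governed by the ratio of the false-positive rate to the base rate, not by the detection rate, which is why a single generic sensor cannot be trusted on its own.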

Alert correlation - the reconstruction of high-level incidents from low-level events - has been used to remediate this problem. By looking at multiple observation points and correlating alerts, one can potentially reduce false positives and increase confidence in intrusion analysis.

SnIPS is an open-source intrusion analysis framework [11] which provides an alert-correlation module [17] and a prioritizing module [19]. The prioritizing module ranks the correlations by calculating a belief value for each hypothesis that occurs in the correlation. The hypotheses are then ranked by belief value, with higher-belief hypotheses presented to human analysts first.

When the ranked SnIPS correlation graphs are presented to security analysts, the analysts can "browse" a graph to explore its structure as well as the details of the supporting evidence. If the correlation proves sufficiently interesting, the analysts will conduct further forensic analysis on data outside SnIPS to confirm or rule out the scenario. This process is manual, and even with the help of the belief values the human analyst still needs to look at the evidential details of the correlation to determine whether it is worth further investigation, as the belief values do not always match the priority determined by the human. Given this, the question is whether anything can be done to further automate the prioritization process, so that the human analysts' time can be saved.

Throughout our experimentation with SnIPS on our departmental network, we found that the user needs to perform many repetitive tasks in the analysis of the SnIPS output to determine whether further investigation is warranted. We hypothesize that such repetitive tasks can be inferred through a machine-learning approach, so that the prioritization process can be further automated. We adopt machine learning as a candidate technique to help prioritize intrusion analysis because a human, after examining the SnIPS output, can decide whether or not to investigate the incident further. Thus, there is a basis to believe that the SnIPS output can yield a set of predictive features indicating whether a correlation is interesting or not. Furthermore, the fact that a human analyst will eventually have to look at the correlation graph to make the final decision implies that labeled samples (albeit few) will be available for machine learning. This would be similar to the approach taken in spam filtering, where machine learning has proved to be quite successful [3, 5, 8].

While it is possible that this prioritization process could also be automated through other means such as a rule-based system, we think it is more cost-effective if the machine can learn the rules automatically. In the long run, the machine-learned models could provide insights into how to build a non-machine-learning-based system to do the job automatically.

There has been a long line of work on applying machine learning to anomaly-based intrusion detection [2, 4, 6, 7, 9, 10, 12, 13, 14, 15, 18]. It has been pointed out that significant challenges exist in applying machine learning in this area [16]. Our application of machine learning has a different goal from these past works. Our machine-learned model will help a human analyst prioritize the output of an intrusion analysis system, which in turn relies upon (multiple) IDS systems. Our method is not to build an intrusion detector through machine learning. Our application of machine learning is justified by the nature of the problem described above.

Acknowledgment

This material is based upon work supported by U.S. National Science Foundation under grant no. 0954138 and 1018703, AFOSR under Award No. FA9550-09-1-0138, and HP Labs Innovation Research Program. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation, AFOSR, or Hewlett-Packard Development Company, L.P.

References

[1] Stefan Axelsson. The base-rate fallacy and the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur., 3(3):186-205, 2000.

[2] Dorothy Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, 13(2), 1987.

[3] J. Goodman, D. Heckerman, and R. Rounthwaite. Stopping spam. Scientific American, 292(4), 2005.

[4] Nico Görnitz, Marius Kloft, Konrad Rieck, and Ulf Brefeld. Active learning for network intrusion detection. In Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence, 2009.

[5] Paul Graham. Hackers and Painters: Big Ideas from the Computer Age. O'Reilly, 2004.

[6] Steven Andrew Hofmeyr. An Immunological Model of Distributed Detection and Its Application to Computer Security. PhD thesis, University of New Mexico, 1999.

[7] Wenjie Hu, Yihua Liao, and V. Rao Vemuri. Robust anomaly detection using support vector machines. In Proceedings of the International Conference on Machine Learning (ICML), 2003.

[8] G. Hulten and J. Goodman. Tutorial on junk e-mail filtering, 2004.

[9] Harold S. Javitz and Alfonso Valdes. The NIDES statistical component: Description and justification. Technical report, SRI International, 1993.

[10] Pavel Laskov, Patrick Düssel, Christin Schäfer, and Konrad Rieck. Learning intrusion detection: Supervised or unsupervised? In Image Analysis and Processing - ICIAP. Springer Berlin / Heidelberg, 2005.

[11] Xinming Ou, S. Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan. An empirical approach to modeling uncertainty in intrusion analysis. In Annual Computer Security Applications Conference (ACSAC), December 2009.

[12] Konrad Rieck. Machine Learning for Application-Layer Intrusion Detection. PhD thesis, Technische Universität Berlin, 2009.

[13] Konrad Rieck. Self-learning network intrusion detection. Information Technology IT, 53(3), 2011.

[14] William Robertson, Federico Maggi, Christopher Kruegel, and Giovanni Vigna. Effective anomaly detection with scarce training data. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2010.

[15] Chris Sinclair, Lyn Pierce, and Sara Matzner. An application of machine learning to network intrusion detection. In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC), 1999.

[16] Robin Sommer and Vern Paxson. Outside the closed world: On using machine learning for network intrusion detection. In 31st IEEE Symposium on Security and Privacy (S&P), 2010.

[17] Sathya Chandran Sundaramurthy, Loai Zomlot, and Xinming Ou. Practical IDS alert correlation in the face of dynamic threats. In the 2011 International Conference on Security and Management (SAM'11), Las Vegas, USA, July 2011.

[18] Zheng Zhang, Jun Li, C. N. Manikopoulos, Jay Jorgenson, and Jose Ucles. HIDE: A hierarchical network intrusion detection system using statistical preprocessing and neural network classification. In Proceedings of the IEEE Workshop on Information Assurance and Security, 2001.

[19] Loai Zomlot, Sathya Chandran Sundaramurthy, Kui Luo, Xinming Ou, and S. Raj Rajagopalan. Prioritizing intrusion analysis using Dempster-Shafer theory. In 4th ACM Workshop on Artificial Intelligence and Security (AISec), 2011.

BIO

Loai Zomlot is a Ph.D. candidate in the Department of Computing and Information Sciences at Kansas State University (K-State). He joined the Ph.D. program in Fall 2008 after receiving a Master's degree in Software Engineering from K-State through the Fulbright program. Mr. Zomlot's research focuses on enterprise network security defense, especially intrusion detection and analysis. His main goal is to handle uncertainty in network intrusion analysis, i.e. the process of combing through IDS alerts and audit logs to identify and remediate true successful and attempted attacks. This includes discovering and applying reasoning-under-uncertainty approaches that help in mitigating this problem.

License: Creative Commons 2.5
