ACTIDS: An Active Strategy For Detecting And Localizing Network Attacks

Eitan Menahem, Yuval Elovici and Nir Amar
Deutsche Telekom Laboratories and Information Science Engineering Dept., Ben-Gurion University, Be’er Sheva, 84105, Israel
{eitanme,amarn,elovici}@bgu.ac.il

Gabi Nakibly
National EW Research & Simulation Center, Rafael – Advanced Defense Systems Ltd., Haifa, Israel
gabin@rafael.co.il

ABSTRACT

In this work we investigate a new approach for detecting attacks which aim to degrade the network’s Quality of Service (QoS). To this end, a new network-based intrusion detection system (NIDS) is proposed. Most contemporary NIDSs take a passive approach by solely monitoring the network’s production traffic. This paper explores a complementary approach in which distributed agents actively send out periodic probes. The probes are continuously monitored to detect anomalous behavior of the network. The proposed approach takes away much of the variability of the network’s production traffic that makes it so difficult to classify. This enables the NIDS to detect more subtle attacks which would not be detected using the passive approach alone. Furthermore, the active probing approach allows the NIDS to be effectively trained using only examples of the network’s normal states, hence enabling an effective detection of zero-day attacks. Using realistic experiments, we show that an NIDS which also leverages the active approach is considerably more effective in detecting attacks which aim to degrade the network’s QoS when compared to an NIDS which relies solely on the passive approach.

Categories and Subject Descriptors

C.2.0 [Computer-Communication Networks]: security and protection; I.2.6 [Learning]: Concept and parameters Learning

Keywords

Anomaly detection, Active Probing, One-Class Learning

1. INTRODUCTION

Network intrusion detection systems (NIDS) are key in the security architecture of many organizations.
A typical NIDS inspects traffic flowing into, out of, or inside the target network while attempting to isolate a malicious activity. Broadly speaking, an NIDS tries to identify two types of malicious activities. The first type includes attacks carried over network traffic that target end nodes. One such example is a worm that aims to infect and take control over end nodes. Another example is a reconnaissance activity that scans active IP addresses or open ports at some end nodes. The second type of attack targets the network itself. Attacks of this type include exhaustion of a link’s bandwidth by overwhelming it with traffic as well as unauthorized modification of a network’s routing process. The ultimate goal of such attacks is to degrade the QoS provided by the network to its users.

Traditionally, NIDSs are broadly classified based on the style of detection they use. Some systems rely on a precise description of the malicious activity, i.e., knowledge-based (signature-based) detection. Other systems rely on statistical modeling of the network’s normal state and regard significant deviations from this state as attacks, i.e., anomaly-based detection.

AISec’13, November 4, 2013, Berlin, Germany. Copyright 2013 ACM 978-1-4503-2488-5/13/11. http://dx.doi.org/10.1145/2517312.2517323
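To make the anomaly-based style concrete in the setting the abstract describes (agents send periodic probes, the probe measurements are summarized, and a model trained only on normal-state examples flags deviations), here is an added illustration. It is not the paper's code: the probe data is constructed, and the feature set (mean RTT, RTT jitter, loss rate per window) and the per-feature z-score model are assumptions chosen to show one-class training, not ACTIDS's own features or classifier.

```python
"""Added illustration, not the paper's code: one-class anomaly detection over
features of periodic active probes.  All probe data below is constructed; the
feature set and the z-score model are assumptions chosen for illustration."""
from statistics import mean, pstdev


def probe_window_features(rtts_ms, probes_sent):
    """Summarize one probing window as (mean RTT, RTT jitter, loss rate).

    rtts_ms: round-trip times (ms) of the probes that were answered.
    probes_sent: number of probes the agent sent in the window.
    Jitter is the population standard deviation of the answered RTTs.
    """
    received = len(rtts_ms)
    loss_rate = (probes_sent - received) / probes_sent
    if received == 0:
        # Total loss: no RTT sample exists; report infinite delay so the
        # score treats the window as maximally deviant rather than crashing.
        return (float("inf"), 0.0, loss_rate)
    return (mean(rtts_ms), pstdev(rtts_ms), loss_rate)


class OneClassProbeDetector:
    """Detector trained only on windows captured while the network was normal.

    Each feature is modelled by its mean and standard deviation over the
    training windows.  A new window is scored by its largest absolute z-score
    across features, so a deviation in any single feature (e.g. a loss spike
    with unchanged RTT) is enough to raise an alert.
    """

    def __init__(self, threshold=3.0, min_std=1e-6):
        self.threshold = threshold  # z-score above which a window is anomalous
        self.min_std = min_std      # guards against division by a zero std
        self.means = None
        self.stds = None

    def fit(self, normal_windows):
        columns = list(zip(*normal_windows))
        self.means = [mean(col) for col in columns]
        self.stds = [max(pstdev(col), self.min_std) for col in columns]
        return self

    def score(self, window):
        return max(abs(x - m) / s
                   for x, m, s in zip(window, self.means, self.stds))

    def is_anomalous(self, window):
        return self.score(window) > self.threshold


# Constructed training data: five windows of 10 probes each over a path with
# ~20 ms RTT; two windows lost one probe, which counts as normal background loss.
PROBES_PER_WINDOW = 10
NORMAL_TRAINING_RTTS = [
    [19.8, 20.1, 20.4, 19.9, 20.2, 20.0, 19.7, 20.3, 20.1, 19.9],
    [20.5, 20.2, 19.8, 20.1, 20.6, 19.9, 20.3, 20.0, 20.4],        # 1 lost
    [19.6, 19.9, 20.2, 20.0, 19.8, 20.1, 19.7, 20.3, 20.0, 19.9],
    [20.2, 20.0, 19.9, 20.4, 20.1, 19.8, 20.3, 20.0, 20.2, 19.7],
    [19.9, 20.3, 20.1, 19.8, 20.0, 20.2, 19.9, 20.4, 20.1],        # 1 lost
]

# Constructed test windows.
NORMAL_TEST_RTTS = [20.0, 20.3, 19.8, 20.1, 19.9, 20.2, 20.0, 19.7, 20.4, 20.1]
FLOOD_RTTS = [58.2, 61.5, 55.9, 63.4, 59.8, 57.1, 62.0]   # RTT tripled, 3 lost
LOSSY_RTTS = [20.1, 20.0, 19.9, 20.2, 20.0, 19.8]         # RTT unchanged, 4 lost


def train_detector():
    """Fit the detector on the normal-state windows only (one-class training)."""
    windows = [probe_window_features(r, PROBES_PER_WINDOW)
               for r in NORMAL_TRAINING_RTTS]
    return OneClassProbeDetector().fit(windows)


def classify(detector, rtts_ms):
    """Return (is_anomalous, max_z_score) for one window of probe RTTs."""
    features = probe_window_features(rtts_ms, PROBES_PER_WINDOW)
    return detector.is_anomalous(features), detector.score(features)


if __name__ == "__main__":
    det = train_detector()
    for name, rtts in (("normal", NORMAL_TEST_RTTS),
                       ("flood", FLOOD_RTTS),
                       ("lossy", LOSSY_RTTS)):
        flagged, z = classify(det, rtts)
        print(f"{name:7s} anomalous={flagged} max_z={z:.1f}")
```

The point the example makes is the one the abstract argues: because the probes are emitted on a fixed schedule by the agents themselves, their normal behaviour is narrow enough that a model fit on normal windows alone separates the ordinary test window from both the gross flood and the quieter loss-only window, with no attack examples in the training set. In production the z-score model would be replaced by a proper one-class learner and the threshold calibrated on held-out normal traffic, since a single loss spike on a noisy link would otherwise alert.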
The current paper addresses the problem of detecting QoS degrading attacks which target the network itself, and further focuses on attack classes which have not been seen before, i.e., zero-day attacks. In order to detect new attack classes, an IDS should not rely on the description of known attacks (e.g., DNS poisoning or OSPF attacks), their specific features (e.g., increased number of failed TCP connections) or even on monitoring known attack surfaces (e.g., DNS cache or routing table), since a new attack class might exploit the vulnerabilities of previously unexplored attack surfaces, which might have significantly different features from those of previous attacks. Consequently, the knowledge-based IDS approach is not suitable for the task at hand. Hence, in the rest of the paper we focus on the anomaly-based detection approach.

Most anomaly-based NIDSs take a passive approach. They rely exclusively on monitoring the network’s production traffic and extracting the relevant features that indicate the progression of an attack. However, experience has shown that the immense variability of network traffic is a major stumbling block of the NIDS [40]. Such variability is demonstrated in many of the network’s traffic features and consequently makes them very difficult to predict over short time scales (seconds to hours); it furthermore presents difficulties in detecting anomalies generated by the network attacks. In addition, a passive NIDS needs to process all