We have presented a method that reduces the false alarm rate of anomaly-detection-based intrusion detection systems. The technique smooths the detectors' output simultaneously over time and space, which improves the estimate of the true anomaly score.

We have proved under mild assumptions that the method reduces unstructured false positives caused by the stochasticity of the network traffic. The experiments also showed a reduction of the structured FPs, while having no major negative effect in the remaining cases.

The method has been evaluated using a large number of samples from two domains with diverse sets of anomaly detectors. Furthermore, the method is a critical component of Cognitive Threat Analytics [32], an online malware detection security-as-a-service product delivered by Cisco, which analyzes more than 10 billion requests per day. This illustrates one of the key advantages of our method: simplicity and flexibility. It also shows that the method is usable in real-life production IDS systems.
Acknowledgment
Appendix A. Examples of NetFlow record and HTTP logs

Table A.5
Example of one NetFlow record containing information about both communication participants (source and destination IP and port), time of the communication, protocol used, bitwise OR of all TCP flags, type of service (tos), number of packets and bytes transferred in both directions.

Feature              Example of values
start-time           1440870672
duration             5
protocol             TCP
source ip            192.168.1.2
destination ip       208.80.154.224
source port          1604
destination port     443
TCP flags            .AP.SF
type of service      0
number of packets    1201
number of bytes      1.8 M

Table A.6
Example of an HTTP log. This is one of the HTTP logs created when downloading a Wikipedia page. Each page download generates several HTTP logs, since all the page resources have to be downloaded. To render the page from the example the browser generated an additional 20 HTTP logs, containing page styles, scripts, pictures, etc. In the example the cs and sc prefixes denote the client-to-server and server-to-client communication respectively, so sc-bytes represents the number of bytes downloaded by the client and cs-bytes the number of bytes uploaded to the server. The rest of the features are self-explanatory.

Feature              Value example
x-timestamp-unix     1440870672
sc-http-status       200
sc-bytes             16671
cs-bytes             0
cs-uri-scheme        https
cs-host              en.wikipedia.org
cs-uri-port          1604
cs-uri-path          /wiki/Anomaly_detection
cs-uri-query
cs-username          Martin Grill
x-elapsed-time       5
s-ip                 208.80.154.224
c-ip                 192.168.1.2
Content-Type         text/html; charset=UTF-8
cs(Referer)          https://www.google.com/
cs-method            GET
cs(User-Agent)       Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
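The smoothing summarised in the conclusion, run over records shaped like the NetFlow example in Table A.5, as an added illustration in Python. This is not the paper's LAMS implementation: it applies the Nadaraya-Watson kernel regression estimator [9,10] over time and a two-feature flow context, and the context features (log-scaled packet and byte counts), the kernel bandwidths, the flows and the raw detector scores are all constructed for the example. It shows the two cases the text contrasts: an isolated high score on a routine HTTPS flow (an unstructured false positive) is pulled down by its low-scored neighbours in time and context, while the flows of a horizontal scan, the behaviour discussed for Fig. A.9, all score high and keep their score after smoothing because their neighbours agree.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

# Added example: Nadaraya-Watson smoothing of anomaly scores over time and a
# flow context. Records, scores, context features and bandwidths are all
# constructed here for illustration; this is not the paper's LAMS code.


@dataclass(frozen=True)
class Flow:
    """Subset of the NetFlow fields listed in Table A.5."""
    start_time: int   # unix seconds
    src_ip: str
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def context(flow: Flow) -> Tuple[float, float]:
    """Assumed context features: log-scaled packet and byte counts.
    The paper's per-detector contexts (Table 1) differ; this is a stand-in."""
    return (math.log1p(flow.packets), math.log1p(flow.bytes))


def gaussian(sq_dist: float, bandwidth: float) -> float:
    """Unnormalised Gaussian kernel; normalisation cancels in the estimator."""
    return math.exp(-sq_dist / (2.0 * bandwidth * bandwidth))


def smooth_scores(flows: List[Flow], raw: List[float],
                  h_time: float = 60.0, h_ctx: float = 1.0) -> List[float]:
    """Kernel-regression estimate of each flow's score from its neighbours.

    The weight of flow j for flow i is the product of a Gaussian kernel on
    the time gap (bandwidth h_time, seconds) and one on the Euclidean
    distance in context space (bandwidth h_ctx). The estimate is the
    weight-normalised average of the raw scores (Nadaraya-Watson); the flow
    itself is included, so an isolated spike is damped, not erased.
    """
    ctx = [context(f) for f in flows]
    smoothed = []
    for i, fi in enumerate(flows):
        num = den = 0.0
        for j, fj in enumerate(flows):
            w_t = gaussian(float(fi.start_time - fj.start_time) ** 2, h_time)
            d2 = sum((a - b) ** 2 for a, b in zip(ctx[i], ctx[j]))
            w = w_t * gaussian(d2, h_ctx)
            num += w * raw[j]
            den += w
        smoothed.append(num / den)
    return smoothed


def build_sample() -> Tuple[List[Flow], List[float]]:
    """Constructed flows and raw detector scores (not real traffic)."""
    t0 = 1440870672
    flows, raw = [], []
    # Ten routine HTTPS flows like the Table A.5 record, 10 s apart; the
    # detector emits one spurious high score on the fifth (unstructured FP).
    for k in range(10):
        flows.append(Flow(t0 + 10 * k, "192.168.1.2", "208.80.154.224", 443,
                          1100 + 20 * k, 1_700_000 + 15_000 * k))
        raw.append(0.05)
    raw[4] = 0.95
    # Eight one-packet probes to consecutive hosts on port 445 within seconds:
    # a horizontal scan that the detector scores high consistently.
    for k in range(8):
        flows.append(Flow(t0 + k, "192.168.1.7", f"10.0.0.{20 + k}", 445, 1, 60))
        raw.append(0.90)
    return flows, raw


def demo() -> Tuple[List[Flow], List[float], List[float]]:
    """Returns the sample flows with their raw and smoothed scores."""
    flows, raw = build_sample()
    return flows, raw, smooth_scores(flows, raw)


if __name__ == "__main__":
    for flow, r, s in zip(*demo()):
        print(f"{flow.src_ip:>12} -> {flow.dst_ip:>15}:{flow.dst_port:<4} "
              f"raw={r:.2f} smoothed={s:.2f}")
```

The bandwidths decide what counts as a neighbour: with h_time of one minute the scan and the HTTPS flows overlap in time, so it is the context kernel alone that keeps the scan's high scores from leaking into the routine flows, and vice versa. Shrinking h_ctx toward zero turns the estimator back into the raw detector output, which is the knob a practitioner tunes per detector.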
Fig. A.9. Additional visualization to Fig. 5 of the horizontal scan and the corresponding responses contained in the manually labeled dataset described in Section 4.1.1, shown in the context space of the remaining LAMS models defined in Table 1. Each point on the individual scatter plots represents one scan request (cross) or scan response (dot). The color corresponds to the obtained anomaly score, with red being the most anomalous and blue the least. Since the MINDS model uses four features to define its context, we used multidimensional scaling to show the data in a three-dimensional plot (hence there are no axis labels). The figures show that, similarly to the Lakhina model (Fig. 5), the Xu-source and TAPS models have the responses spread across a region of low anomaly score and the requests confined to a small region of high anomaly score. For Xu-destination the requests are spread in the context space but still retain a high anomaly score. For this particular behavior the MINDS model is the only one that increases the anomaly score of a part of the responses and reduces the anomaly score of the requests. (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)

References

[1] K. Scarfone, P. Mell, Guide to intrusion detection and prevention systems (IDPS), Tech. Rep. 800-94, NIST, US Dept. of Commerce, 2007.
[2] K. Julisch, M. Dacier, Mining intrusion detection alarms for actionable knowledge, in: Proceedings of the Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, ACM, 2002, pp. 366–375.
[3] K. Julisch, Clustering intrusion detection alarms to support root cause analysis, ACM Trans. Inf. Syst. Secur. 6 (4) (2003) 443–471.
[4] M. Rehák, M. Grill, Categorisation of false positives: not all network anomalies are born equal, unpublished lecture, 2014.
[5] Cisco Systems, Cisco IOS NetFlow, http://www.cisco.com/go/netflow, 2007.
[6] D.E. Denning, An intrusion-detection model, IEEE Trans. Softw. Eng. 2 (1987) 222–232.
[7] W. Lee, S.J. Stolfo, P.K. Chan, E. Eskin, W. Fan, M. Miller, S. Hershkop, J. Zhang, Real time data mining-based intrusion detection, in: DARPA Information Survivability Conference & Exposition II, 2001. DISCEX'01, Proceedings, vol. 1, IEEE, 2001, pp. 89–100.
[8] L. Ertoz, E. Eilertson, A. Lazarevic, P.-N. Tan, V. Kumar, J. Srivastava, P. Dokas, MINDS - Minnesota Intrusion Detection System, in: Next Generation Data Mining, 2004, pp. 199–218.
[9] E.A. Nadaraya, On estimating regression, Theory Probab. Appl. 9 (1) (1964) 141–142.
[10] G.S. Watson, Smooth regression analysis, Sankhya, Ser. A (1964) 359–372.
[11] L. Devroye, A. Krzyżak, An equivalence theorem for L1 convergence of the kernel regression estimate, J. Stat. Plan. Inference 23 (1) (1989) 71–82.
[12] M. Rehák, Multiagent trust modeling for open network environments, Doctoral Thesis, Czech Technical University in Prague, 2008.
[13] R.O. Duda, P.E. Hart, D.G. Stork, Pattern Classification, 2nd edition, John Wiley & Sons, New York, 2001.
[14] F. Pouzols, A. Lendasse, Adaptive kernel smoothing regression using vector quantization, in: 2011 IEEE Workshop on Evolving and Adaptive Intelligent Systems (EAIS), 2011, pp. 85–92.
[15] J. Friedman, T. Hastie, R. Tibshirani, The Elements of Statistical Learning, Springer Ser. Stat., vol. 1, Springer, Berlin, 2001.
[16] I.K. Fodor, A survey of dimension reduction techniques, 2002.
[17] I. Guyon, A. Elisseeff, An introduction to variable and feature selection, J. Mach. Learn. Res. 3 (2003) 1157–1182.
[18] E.B. Claise, Cisco Systems NetFlow Services Export Version 9, 2004.
[19] T. Fawcett, An introduction to ROC analysis, Pattern Recognit. Lett. 27 (8) (2006) 861–874.
[20] M. Rehak, M. Pechoucek, M. Grill, J. Stiborek, K. Bartoš, P. Celeda, Adaptive multiagent system for network traffic monitoring, IEEE Intell. Syst. 3 (2009) 16–25.
[21] S. Garcia, M. Grill, J. Stiborek, A. Zunino, An empirical comparison of botnet detection methods, Comput. Secur. 45 (2014) 100–123.
[22] A. Lakhina, M. Crovella, C. Diot, Diagnosing network-wide traffic anomalies, in: ACM SIGCOMM Computer Communication Review, vol. 34, ACM, 2004, pp. 219–230.
[23] A. Lakhina, M. Crovella, C. Diot, Mining anomalies using traffic feature distributions, in: ACM SIGCOMM Computer Communication Review, vol. 35, ACM, 2005, pp. 217–228.
[24] T. Pevny, M. Rehak, M. Grill, Detecting anomalous network hosts by means of PCA, in: 2012 IEEE International Workshop on Information Forensics and Security (WIFS), 2012, pp. 103–108.
[25] K. Xu, Z.-L. Zhang, S. Bhattacharyya, Profiling internet backbone traffic: behavior models and applications, in: ACM SIGCOMM Computer Communication Review, vol. 35, ACM, 2005, pp. 169–180.
[26] A. Sridharan, T. Ye, S. Bhattacharyya, Connectionless port scan detection on the backbone, in: Performance, Computing, and Communications Conference, 2006. IPCCC 2006. 25th IEEE International, IEEE, 2006, 10 pp.
[27] M. Grill, I. Nikolaev, V. Valeros, M. Rehak, Detecting DGA malware using NetFlow, in: 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), 2015, pp. 1304–1309.
[28] T.G. Dietterich, Ensemble methods in machine learning, in: Multiple Classifier Systems, in: LNCS, vol. 1857, Springer, 2000, pp. 1–15.
[29] R. Polikar, Ensemble based systems in decision making, IEEE Circuits Syst. Mag. 6 (3) (2006) 21–45.
[30] L. Kuncheva, Combining Pattern Classifiers: Methods and Algorithms, Wiley, 2004.
[31] P.F. Evangelista, M.J. Embrechts, B.K. Szymanski, Data fusion for outlier detection through pseudo-ROC curves and rank distributions, in: International Joint Conference on Neural Networks, 2006. IJCNN'06, IEEE, 2006, pp. 2166–2173.
[32] Cisco Systems, CTA Cisco Cognitive Threat Analytics on Cisco Cloud Web Security, http://www.cisco.com/c/en/us/solutions/enterprise-networks/cognitive-threat-analytics, 2014–2015.
[33] M. Grill, M. Rehak, Malware detection using HTTP user-agent discrepancy identification, in: 2014 IEEE International Workshop on Information Forensics and Security (WIFS), 2014, pp. 221–226.
[34] J. Wyke, The ZeroAccess botnet - mining and fraud for massive financial gain, Sophos Technical Paper, https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf, 2012.
[35] G.P. Spathoulas, S.K. Katsikas, Reducing false positives in intrusion detection systems, Comput. Secur. 29 (1) (2010) 35–44.
[36] J. Viinikka, H. Debar, L. Mé, A. Lehikoinen, M. Tarvainen, Processing intrusion detection alert aggregates with time series modeling, Inf. Fusion 10 (4) (2009) 312–324, special issue on Information Fusion in Computer Security.
[37] T. Pietraszek, Using adaptive alert classification to reduce false positives in intrusion detection, in: Recent Advances in Intrusion Detection, Springer, 2004, pp. 102–124.
[38] D. Bolzoni, S. Etalle, APHRODITE: an anomaly-based architecture for false positive reduction, preprint, arXiv:cs/0604026.
[39] Z. Tian, W. Zhang, J. Ye, X. Yu, H. Zhang, Reduction of false positives in intrusion detection via adaptive alert classifier, in: International Conference on Information and Automation, 2008. ICIA 2008, IEEE, 2008, pp. 1599–1602.
[40] E. Hooper, An intelligent detection and response strategy to false positives and network attacks, in: Fourth IEEE International Workshop on Information Assurance 2006. IWIA 2006, IEEE, 2006, pp. 20–31.
[41] J. Sabater, C. Sierra, Review on computational trust and reputation models, Artif. Intell. Rev. 24 (1) (2005) 33–60.
[42] J. Sabater, C. Sierra, Reputation and social network analysis in multi-agent systems, in: Proceedings of AAMAS'02, Bologna, Italy, 2002, pp. 475–482.
[43] S. Ramchurn, N. Jennings, C. Sierra, L. Godo, Devising a trust model for multi-agent interactions using confidence and reputation, Appl. Artif. Intell. 18 (9–10) (2004) 833–852.
[44] C. Castelfranchi, R. Falcone, Principles of trust for MAS: cognitive anatomy, social importance, and quantification, in: Proceedings of the 3rd International Conference on Multi Agent Systems, IEEE Computer Society, 1998, p. 72.
[45] A. Josang, E. Gray, M. Kinateder, Simplification and analysis of transitive trust networks, Web Intelligence and Agent Systems 4 (2) (2006) 139–162.
[46] T.D. Huynh, N.R. Jennings, N.R. Shadbolt, An integrated trust and reputation model for open multi-agent systems, J. Autonomous Agents and Multi-Agent Systems 13 (2) (2006) 119–154.
[47] M. Rehak, M. Pechoucek, Trust modeling with context representation and generalized identities, in: Cooperative Information Agents XI, in: LNAI/LNCS, vol. 4676, Springer-Verlag, 2007.
[48] M. Rehák, M. Pěchouček, M. Grill, K. Bartos, Trust-based classifier combination for network anomaly detection, in: M. Klusch, M. Pěchouček, A. Polleres (Eds.), Cooperative Information Agents XII, in: Lect. Notes Comput. Sci., vol. 5180, Springer, Berlin, Heidelberg, 2008, pp. 116–130.