Throughout this section, it will be clear from the context whether ri rj refers to a specific link or to the corresponding action of the IDS. The second example network in Figure 2 is Fig. Internet2 network topology with four attackers access routers and four target systems inspired from the Abilene network4 and has similar features as the first network.
Both networks are rather small in order to allow to conduct tests more efficiently. However, larger network topologies can also be supported without any difficulty since our approach is not hampered by scaling issues. Subsequent changes in the underlying topology due to link failures do not endanger the worst-case bound guaranteed by the mixed-strategy saddle- point equilibrium since they merely limit the ability of the attacker to reach the designated target systems.
We assume first that the devices are available on all links and can be activated at any time. Alternatively, the strategies derived can also be applied in the simultaneous operation of multiple devices on a sampling basis. Furthermore, we assume that the routing tables do not change during the operation of the network, i.
The optimal strategies5 in this case follow from the mixed Nash equilibrium [9] of the resulting zero-sum matrix game. First, we modify the previous scenario by introducing the notion of imperfect or faulty detectors.
This behavior reflects the fact that different kinds of hardware devices available to the network operator may operate at different detection rates, for example due to different hardware equipment or signature databases. These changes in the detection rates are modeled as finite-state Markov- chains as described in Section 2. Specifically, each monitor is associated with two states detecting and not-detecting. It can readily be observed that due to the static routing within the chosen network, the location of the monitors may be restricted to a selection of links which comprise a minimum cut between A and D.
Once a packet has traveled two hops and arrives at one of the routers r3 or r4 , there is only one possible path to ti. In real-life networks, it is possible that, even though each attack path has the same length three hops , packets arriving at the ingress nodes r5 , r6 will not be routed over the same outgoing link. For example, this is the case for flow-based resource reservation architectures or multi-protocol label switching MPLS domains often encountered in QoS-aware architectures.
For the sake of reducing the number of environment states to preserve the simplicity of our security game we will, however, assume that all packets arriving at node ri will be routed over the same outgoing link ri rj but this routing configuration changes from time to time for load balancing purposes or due to failures.
As a result, we obtain four possible environment states corresponding to the four routing configurations in the example network. As stated in Section 2, we characterize the routing configuration changes on the network as a finite-state Markov chain.
Therefore, we relax our requirement that only one sniffer may be placed at a time. We investigate through simulations the effect of deploying multiple sniffers utilizing the optimal mixed randomized strategies obtained in the previous cases.
The observant reader will notice that the number of possible states for the attacker and the IDS as well as for the environment was kept rather small in all of the above scenarios for instructive reasons and test data generation.
Possible scalability issues arising from large player action spaces can be dealt with using a hierarchical approach and clustering schemes. We will go into further detail on such issues in Section 6. At this point, we find it useful to reiterate an important assumption. Natu- rally, the network carrier or service provider implementing the IDS will be aware of the current routing configuration or detector states at all times. However, it is vital to bear in mind that we are dealing with rational and intelligent attackers.
Therefore, we assume that the attacker is also aware of the routing configuration or detector capabilities as a worst-case scenario. Considering the various tools available to users for tracing the packet routes, this assumption is in fact not far-fetched. In practice, after deciding on an attack ai tj , the attacker can run a route trace from ai to the chosen target system to find out over which path his attack packets will be sent. Similarly the attacker can also deduce the capa- bilities of the detectors to some extent.
Hence, if a static deployment of sniffers were used, the attacker would be able to adjust his strategy accordingly. In addition, let the IDS deploy a sniffer at Dj. In the simple case of Section 3. In all of the other scenarios we compute the optimal strategies of the players offline using a modified value iteration algorithm described in [12]. The optimal attacker and IDS strategies calculated for the given set of parameters and the scenario in Section 3.
NeSSi was designed with the objective of extending conven- tional network simulation tools by incorporating features which allow detailed examination and testing of security-related network algorithms. The main focus of NeSSi is to provide a realistic packet-level simulation environment for the developed algorithms.
Hence, NeSSi plays a significant role as a testbed for the development of a network-level IDS which needs to efficiently detect and elimi- nate various malware such as viruses, worms, and trojans as they are traversing the network before reaching their designated target. JIAC is a service-based middleware architecture based on the agent paradigm.
Hence, agents are used within the simulator for modeling and implementing the network entities such as routers, clients, and servers. The underlying JIAC agent platform provides a rich and flexible basis for implementing and testing of various methods and algorithms in NeSSi. It allows for combining the partial knowledge of the agents residing in the network for identifying and eventually eliminating IP- based threats by monitoring the structure of the encountered IP traffic and the behavior of potentially compromised target systems.
The ambitious goal of the ongoing research in our work is to be able to detect previously unknown threats through learning schemes and agent-based software monitors. Currently, we are striving to make NeSSi available to the research community by releasing it under an open source license. The front-end of NeSSi consists of a graphical user interface that allows the creation of arbitrary IP network topologies.
The communication between clients, servers, and routers takes place by real IPv4 packet transmission. This is realized using communication services between the agents. Thus, the results obtained through the simulation tool are applicable in real IP networks and can later be directly transferred. Moreover, different types of routing protocols encountered in real-life IP networks, static as well as dynamic, are supported in NeSSi.
As part of NeSSi, a sniffer agent is implemented which can be deployed on a set of links. As discussed in the previous sections, it is not feasible to deploy such monitors on all links of the network; rather, the locations at which the monitors will be placed have to be carefully selected, taking into account the incurred costs as well as the adaptive behavior of the attacker.
We utilize the NeSSi framework for testing our game-theoretic approach for monitor placement as part of an IDS and describe the obtained simulation results in the next section. Specifically, we examine how beneficial it is for each player to utilize the optimal strategy by comparing and contrasting its results with the ones of uniformly distributed attacks and monitor deployments as well as static monitor placement at a single link.
Each simulation consists of a period of or time steps in which the attacker and the IDS update their actions, i. Here we do not specify the time interval between steps but assume that it is long enough to satisfy the information assumptions made ear- lier.
It is worth noting that the malware packets sent on the network simulated in NeSSi are real UDP packets and are captured by a realistic sniffer implemen- tation using pattern matching algorithms and a malware signature database to filter out the packets. First, we simulate Scenario 3. The results are depicted in the left graph of Figure 3. The link numbers on the x-axis refer to the specific links with the respective labels in Figure 2 while the number of total and captured packets as well as time intervals when the detector is active on the respective link are plotted on the y-axis.
Since both players use optimal strategies, some links are not even used, i. This result is compared with the scenario where Performance of optimal IDS strategy under optimal attack distribution Performance of uniform IDS strategy under optimal attack distribution total packets captured packets sniffer deployment Number Number total packets captured packets sniffer deployment 0 0 5 10 15 20 5 10 15 20 Link Number Link Number Fig.
As expected, the optimal strategy performs better than the uniform one in terms of the malware packets captured or filtered out. We next relax the assumption of perfect detectors and consider the case in Section 3. The graph in Figure 4 again depicts the number of total and captured packets as well as time intervals when the detector is active versus the link numbers which refer to the respectively labeled links.
We observe that the detection rate is much worse than in the previous scenario due to imperfect detectors and exploitation of their defects by the attackers. However, running the same scenario under uniform random attacks leads to a drastic increase in the aggregate number of filtered packets, as shown in the right-hand graph of Figure 4.
As a result, we conclude that if the attackers find a way of exploiting the defects of the sniffers, the IDS performance degrades significantly even when an optimal strategy is deployed. Next, we study the scenario described in Section 3.
The routing configuration on the network changes every two time steps in accordance with the state transition probabilities. In the simulations, we observe that the time average of the routing states matches well with the theoretical invariant distribution. Authors: Advanced Search Include Citations. DMCA A. LNCS Citations: 2 - 1 self. Abstract Abstract. Learning and classification of malware behavior.
Russel, S. Artificial intelligence: A modern approach. Prentice Hall. Samfat, D. Schmidt, A. Enhancing security of linux-based android devices. Monitoring smartphones for anomaly detection. Shabtai, A. Detecting malicious applications on android by applying machine learning classifiers to static features Poster.
Honolulu, Hawaii. Knowledge-based temporal abstraction in clinical domains. Journal in Computer Virology, 8 3 , — Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey. Information Security Technical Report, 14 1 :1— Google android: A state-of-the-art review of security mechanisms.
Intrusion detection on mobile devices using the knowledge based temporal-abstraction method. Journal of Systems and Software, 83 8 , — Shannon, C. The mathematical theory of communication. The Bell system Technical Journal, 27 3 , — Shih, D. Security aspects of mobile phone virus: A critical survey. Yap, T. A mobile phone malicious software detection model with behavior checker.
Lecture Notes in Computer Science, , 57— Yin, H. Panorama: Capturing system-wide information flow for malware detection and analysis.
In ACM conference on computer and communications security. Download references. You can also search for this author in PubMed Google Scholar. Correspondence to Asaf Shabtai. Reprints and Permissions. J Intell Inf Syst 38, — Download citation. Received : 22 August Revised : 27 October Accepted : 17 November Published : 06 January Issue Date : February Anyone you share the following link with will be able to read this content:.
Sorry, a shareable link is not currently available for this article. Provided by the Springer Nature SharedIt content-sharing initiative. Skip to main content. Search SpringerLink Search. Abstract This article presents Andromaly—a framework for detecting malware on Android mobile devices.
Notes 1. Also known as Detection Rate in the intrusion detection community. Also known as False Alarm Rate in the intrusion detection community. References Adam, P. Article Google Scholar Buennemeyer, T. Article Google Scholar Chaudhuri, A. Article Google Scholar Domingos, P. Article Google Scholar Enck, W. Article Google Scholar Endler, D. Article Google Scholar Golub, T. Article Google Scholar Griffin, K. Article Google Scholar Imam, I. Article Google Scholar Jacoby, G.
Article Google Scholar John, G. Article Google Scholar Leavitt, N. Article Google Scholar Lee, W. Google Scholar Menahem, E. Google Scholar Piercy, M. Article Google Scholar Quinlan, J. Google Scholar Rieck, K.
0コメント