You are here

Service Behavior Profiling and Probabilistic Inference for Network Anomaly Detection

[Project Closed] From Jun. 2006 to Jun. 2009 @ Department of Information Management, National Taiwan University as PhD student under the supervision of Dr. Yeali S. Sun with the CyLab and School of Computer Science, Carnegie Mellon University as Visiting Scholar under the supervision of Dr. Hui Zhang.

Problem and Goal. It is difficult to perform early detection of network attack. I propose an early detection system with respect to examining the undergoing communication protocol and service between the attacker and victim host to identify anomalies.

Ideas. An attacker can remotely send malicious messages to the vulnerable service and gain the execution right to control the victim. As we know, a benign software would take normal procedure to communication with the server to accomplish a network task collaboratively via certain predefined network protocols. Malware takes similar actions to communicate with the vulnerable server, but not exactly the same as normal ones. In our observation, we find some distinguishable communication behavior that is different from normal ones. We focus on the abnormal communication procedure to profile the anomaly behavior to figure out the sign of the attack (i.e., attack symptom) when the attack and the victim undergo sequences of compromising actions and that are inherent to the exploit attack.

Design. We design a multiple-level behavior tracking mechanism to track and correlate the communication protocols and network services. We notice that such profiling approach can find lots of irregular communications; however not all of them are attacks. Hence, we further develop a probabilistic inference model based on the observed attack symptoms to infer the confidence level of attack existence. The inference model can decrease the number of false positives and increase the detection accuracy. Our prototype system, Gestalt, shows that our design and implementation is reasonable.

Probabilistic Inference Model. A complex attack may undergo a series of activities. One must consider both the pieces of evidence and their sequence. The inference model is to compute and gradually update the belief of whether an attack is taking place based on the sequences of symptom observed. The attack assessment is compute incrementally as the additional attack symptoms are detected in the stateful inspection system.


  • Shun-Wen Hsiao, Yeali S. Sun, Meng Chang Chen, and Hui Zhang, “Behavior Profiling for Robust Anomaly Detection,” in Proc. 2010 IEEE International Conference on Wireless Communications, Networking and Information Security (WCNIS), Beijing, China, Jun. 2010, pp. 465-471. (EI)
  • Shun-Wen Hsiao, Yeali S. Sun, Meng Chang Chen, and Hui Zhang, “Cross-Level Behavioral Analysis for Robust Early Intrusion Detection,” in Proc. IEEE International Conference on Intelligence and Security Informatics (ISI), Vancouver, Canada, May 2010, pp. 95-100. (EI)
Copyright 2013 © Advanced Networking Technologies and Services Group, ALL RIGHT RESERVED.