Enhancing Intrusion Detection by Correlation of Modularly Hashed Sketches
Jirsík Tomáš, Drašar Martin, Vizváry Martin
AIMS 2014, Brno, 3rd July 2014

Jirsík, Drašar, Vizváry · Enhancing Intrusion Detection by Correlation of Modularly Hashed Sketches

Network Traffic (slides 2-6)
[Figure slides: network traffic illustrations; no text content on the slides]

Sketch (slides 7-20)
[Figure slides: step-by-step construction of a sketch; no text content on the slides]

Modular Hashing (slides 21-23)
An IPv4 address is hashed per octet and the per-octet hashes are concatenated, so each octet keeps its own position in the result:
  192 . 168 . 1 . 1  ->  a2 | 6d | c1 | c1  ->  a26dc1c1

Modular Hashing (slides 24-26)
A multi-field flow key is hashed per field, each field to its own width, and the per-field hashes are concatenated; a field that two keys share therefore hashes to the same digits in both:
  SRC IP | DST IP | DST PORT  ->  34bf | 7a03 | f2  ->  34bf7a03f2

Partial detections: Source network scans (slide 27)
[Plot: x axis Number of Connections (1 to 64, log scale); left y axis Average Number of Observed Source IP Addresses (0 to 50); right y axis Anomaly Score (0 to 100). Series: Average Unsuccessful Connections on Port TCP/22, Average Unsuccessful Connections on Port TCP/3389, Anomaly Score.]

Partial detections: Destination network scans (slide 28)
[Plot: x axis Number of Connections (16 to 2048, log scale); left y axis 0 to 6; right y axis Anomaly Score (0 to 100). Series: Avg. Unsuccessful Connections on Port TCP/22, Avg. Unsuccessful Connections on Port TCP/3389, Anomaly Score.]

Partial detections: Number of connections (slide 29)
[Plot: x axis Number of Connections (8 to 256, log scale); left y axis Average Number of Observed Source IP Addresses (0 to 2.5); right y axis Anomaly Score (0 to 100). Series: Average Connections to Port TCP/22, Average Connections to Port TCP/3389, Anomaly Score.]

Detection algorithm: Accumulation phase (slide 30)
Sketches with the same dimensions are added cell by cell:
  | 17   0  52  23 |   | 42   4  13  82 |   | 59   4   65  105 |
  |  8  36  61   0 | + |  0   0  55  30 | = |  8  36  116   30 |

Detection algorithm: Analysis phase (slide 31)
The accumulated sketch from the previous phase (same tables as above) is examined for anomalous cells.

Detection algorithm: Combination phase (slide 32)
Sketches with different dimensions are joined on the dimension they share (here DST PORT) and their values are added:
  SIP  DPORT  Value       DPORT  DIP  Value       SIP  DIP  DPORT  Value
  A1   B1     X1      ⊕   B1     C1   Y1      =   A1   C1   B1     X1 + Y1
  A1   B2     X2          B1     C2   Y2          A1   C2   B1     X1 + Y2

Detection algorithm: Aggregation phase (slide 33)
The accumulated sketch is collapsed into fewer cells by summing over the dimensions that are not needed for the final score:
  | 17   0  52  23 |   | 42   4  13  82 |
  |  8  36  61   0 | + |  0   0  55  30 | = [aggregated values not recoverable from the extracted slide]

Evaluation (slide 34)
Anomalies reported per method:
  Port       Connection   Accumulation   Combination   Reference methods
  TCP/22     2679 (116)   10045 (264)    26408 (551)   (47)
  TCP/3389   53 (20)      2175 (1079)    0 (878)

Legend:
  SNS           Source Network Scan Detection
  DNS           Destination Network Scan Detection
  Connection    Abnormal Number of Connections Detection
  Variance      Low Traffic Variance Detection
  Accumulation  Accumulation of SNS, Connection, Variance
  Combination   Combination of SNS, DNS, Connection, Variance

Summary (slide 35)
- The presented algorithm, based on k-ary sketches, is a suitable tool for correlating events with different dimensions.
- It performs better than the reference methods deployed in production.
- It requires little processing power and a constant amount of memory.

Thank you for your attention. I'd be happy to answer your questions.
Jirsík Tomáš, Drašar Martin, Vizváry Martin
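The modular hashing slides and the four detection-algorithm phases (accumulation, analysis, combination, aggregation) together describe one mechanism: because each key field is hashed on its own, a sketch indexed by (SRC IP, DST PORT) and one indexed by (DST PORT, DST IP) can be joined on the DST PORT digits. The following Python is an added example written for this page; it is not the authors' code and the paper's exact sketch layout is not given on the slides. It assumes a truncated SHA-256 prefix as the per-field hash, the slide's widths (4, 4 and 2 hex digits), the field names sip/dip/dport, a `seed` argument standing in for the several hash functions of a k-ary sketch, and a small set of constructed flows (one source probing TCP/22 on eight hosts plus background traffic).

```python
import hashlib
from collections import defaultdict

# Hex digits kept per field; the slide's example uses 4 for SRC IP, 4 for DST IP
# and 2 for DST PORT (34bf | 7a03 | f2). Treating these as the widths is an assumption.
FIELD_WIDTH = {"sip": 4, "dip": 4, "dport": 2}


def hash_field(name, value, seed=0):
    """Hash a single field on its own and keep only that field's width.

    Because every field is hashed independently, the DST PORT digits of a flow
    are identical in every sketch that has a DST PORT dimension; that is what
    makes sketches with different dimensions joinable in the combination phase.
    SHA-256 is an assumed choice, not the hash from the paper.
    """
    digest = hashlib.sha256(f"{seed}|{name}|{value}".encode()).hexdigest()
    return digest[: FIELD_WIDTH[name]]


def modular_hash(fields, record, seed=0):
    """Per-field hashes of `record` in `fields` order; join them to get the slide's a26dc1c1 form."""
    return tuple(hash_field(f, record[f], seed) for f in fields)


class Sketch:
    """A counter table indexed by the modular hash of its dimensions."""

    def __init__(self, fields, table=None):
        self.fields = tuple(fields)
        self.table = defaultdict(int, table or {})

    def update(self, record, count=1, seed=0):
        self.table[modular_hash(self.fields, record, seed)] += count

    def accumulate(self, other):
        """Accumulation phase: cell-by-cell sum of sketches with identical dimensions."""
        if other.fields != self.fields:
            raise ValueError("accumulation requires identical dimensions")
        out = Sketch(self.fields, self.table)
        for key, value in other.table.items():
            out.table[key] += value
        return out

    def combine(self, other):
        """Combination phase: join on the shared dimension(s) and add the values.

        (A1, B1) -> X1 joined with (B1, C1) -> Y1 yields (A1, B1, C1) -> X1 + Y1,
        the table shown on the combination-phase slide.
        """
        shared = [f for f in self.fields if f in other.fields]
        if not shared:
            raise ValueError("combination requires a shared dimension")
        out_fields = self.fields + tuple(f for f in other.fields if f not in self.fields)
        out = Sketch(out_fields)
        index = defaultdict(list)  # shared-field hashes -> rows of `other`
        for key, value in other.table.items():
            row = dict(zip(other.fields, key))
            index[tuple(row[f] for f in shared)].append((row, value))
        for key, value in self.table.items():
            row = dict(zip(self.fields, key))
            for other_row, other_value in index.get(tuple(row[f] for f in shared), ()):
                merged = {**other_row, **row}
                out.table[tuple(merged[f] for f in out_fields)] += value + other_value
        return out

    def aggregate(self, keep):
        """Aggregation phase: sum over every dimension not listed in `keep`."""
        out = Sketch(keep)
        for key, value in self.table.items():
            row = dict(zip(self.fields, key))
            out.table[tuple(row[f] for f in out.fields)] += value
        return out

    def above(self, threshold):
        """Analysis phase in its simplest form: cells whose counter exceeds `threshold`."""
        return {key: value for key, value in self.table.items() if value > threshold}


def demo():
    """Run all phases on constructed flows: 10.0.0.5 probes TCP/22 on eight hosts, plus background."""
    flows = [{"sip": "10.0.0.5", "dip": f"192.0.2.{i}", "dport": 22} for i in range(1, 9)]
    flows += [{"sip": "10.0.0.9", "dip": "198.51.100.7", "dport": 443}] * 3
    sns = Sketch(("sip", "dport"))  # source-scan view: which source hits which port
    dns = Sketch(("dport", "dip"))  # destination-scan view: which hosts are hit on a port
    for flow in flows:
        sns.update(flow)
        dns.update(flow)
    # Accumulation: two time windows with the same dimensions add cell by cell.
    first, second = Sketch(sns.fields), Sketch(sns.fields)
    for flow in flows[:4]:
        first.update(flow)
    for flow in flows[4:]:
        second.update(flow)
    accumulated = first.accumulate(second)
    joined = sns.combine(dns)               # combination on the shared DST PORT hash
    per_source = joined.aggregate(("sip",))  # aggregation down to one counter per source
    return {"flows": flows, "sns": sns, "dns": dns, "accumulated": accumulated,
            "joined": joined, "per_source": per_source}


if __name__ == "__main__":
    r = demo()
    print("modular hash of first flow:", "".join(modular_hash(("sip", "dip", "dport"), r["flows"][0])))
    print("suspicious (sip, dport) cells:", r["sns"].above(5))
```

The `combine` step is the point of modular hashing: with a conventional hash over the whole key, the (sip, dport) and (dport, dip) tables would have nothing in common, while here the dport digits line up and the join in the slide's table falls out directly. The per-field widths are also where the usual sketch trade-off lives: a narrower field means fewer cells but more collisions between distinct values of that field.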