U. OF MICHIGAN TECH. REPORT CGR 07-13
A Hierarchical Framework for Classifying and Assessing Internet Traffic Anomalies

Olivier Contant, Patrick Macnamara, Stéphane Lafortune, and Demosthenis Teneketzis
Department of Electrical Engineering and Computer Science, College of Engineering, University of Michigan, Ann Arbor, MI, USA

Technical Report CGR-07-13
Last Revision: 12 November 2007
Abstract

We present ALARM (HierarchicAL AppRoach for AnoMaly Detection), a hierarchical approach for correlation and prioritization of alerts in distributed networks. The goal is to monitor, classify, correlate and assess a large number of alerts generated at spatially distributed sites on the Internet. The alerts correspond to anomalies and hence potential unknown threats. To facilitate our analysis, we hierarchically decompose the network. At each node of the hierarchy, we use multi-criteria decision making (MCDM), specifically the Electre Tri method, to assign a risk index to each anomaly to assess the threat level of an attack. To the best of our knowledge, this is the first application of MCDM methods to aggregate, correlate and prioritize alerts in distributed networks. The framework of MCDM is well-suited to the growing complexities encountered in alert aggregation and correlation. Each anomaly receives a different risk index for each attack profile that one may want to monitor, such as worms or denials of service. These risk indices are then spatially- and time-correlated. We demonstrate our framework using historical worm and distributed denial of service (DDoS) data from the Abilene Internet2 Backbone Network.

Index Terms: network monitoring, network-level security and protection, performance monitors, anomaly detection, multi-criteria decision making
I. INTRODUCTION

As networks have become more and more prevalent with the growth of the Internet, security threats to them have appeared in the form of viruses, worms, and distributed denial of service (DDoS) attacks. Intrusion Detection Systems (IDSs) have been developed to monitor and analyze all incoming and outgoing network activity. Their goal is to identify suspicious traffic patterns that may represent attacks on a particular service running on a system, or attempts to break into or compromise a system. Intrusion detection is an active area of research; see, e.g., [27] and the references therein.

Intrusion detection methods are generally separated into two distinct categories [3], [11], [18], [21]. The first, misuse detection, looks for signatures of attacks that have been previously detected and rigorously described. This method is limited to identified attacks and is sensitive to small variations of attacks. The second method, anomaly detection, analyzes network traffic for deviations from the normal behavior, which are marked as abnormalities. The main difficulty of this approach is the modeling of the normal behavior, which can evolve over time, and the level of abstraction of the model. This directly determines the accuracy of the intrusion detection and the rate of false positives. Furthermore, analyzing, learning, and storing normal network behaviors is by no means a trivial task. The advantages and disadvantages inherent in the two approaches have been confirmed in [16] based on evaluations of characteristics of several misuse and anomaly detection systems.

The detection of anomalies in networks such as the Internet is a worldwide concern and a difficult problem. Although some anomalies are simply due to updates or legitimate changes of network behaviors, attacks or intrusions targeting the users of information systems are principally the cause of these anomalies.
A prompt response to such abnormalities is key to maintaining the good health of the system and the services it provides. Therefore, the early diagnosis of anomalies is critical to ensure the security of today's main communications medium. In recent years, the focus has been on developing IDSs, and many of these systems are now widely available. Conventional anomaly IDSs are concerned with detecting anomalies and raising alerts based on predetermined thresholds. Due to the increasing size of networks, sets of IDSs are deployed in these large environments. A direct consequence is the increase in alert and false alert occurrences generated by these sets of IDSs. Security experts are now facing the unmanageable task of interpreting colossal amounts of alerts. Techniques to infer attack scenarios or profiles become necessary to assist the alert analysis.

In this paper, we present ALARM (HierarchicAL AppRoach for AnoMaly Detection), a hierarchical approach for correlation and prioritization of alerts in distributed networks. The goal is to monitor, classify, correlate and assess a large number of alerts generated at spatially distributed sites on the Internet. The alerts correspond to anomalies and hence potential unknown threats. To facilitate our analysis, we hierarchically decompose the network. At each node of each level of the hierarchy, we use multi-criteria decision making (MCDM), specifically the Electre Tri method, to assign a risk index to each anomaly to assess the threat level of an attack. To the best of our knowledge, this is the first application of MCDM methods to aggregate, correlate and prioritize alerts in distributed networks. The framework of MCDM is well-suited to the growing complexities encountered in alert aggregation and correlation. Each anomaly receives a different risk index for each attack profile that one may want to monitor, such as worms or denials of service. These risk indices are then spatially- and time-correlated. For the sake of simplicity, we limit the experimentation to worms and distributed denials of service.

This paper is organized as follows. Section II discusses related work. The hierarchical approach is presented in detail in Section III. The Electre Tri Method and its role in our framework are discussed in Section IV. The specific criteria used to classify and assess worms and denials of service are discussed in Section V. The experimental results and their analysis are presented in Section VI. Finally, Section VII draws some conclusions. The appendix provides an overview of MCDM as well as an illustrative example of the calculations involved in Electre Tri.

This work was performed while all authors were at the University of Michigan. O. Contant is currently at Microsoft Corp. and P. Macnamara at the University of Rochester.

II. RELATED WORK

Much work has been done in the detection of anomalies, but few have focused on their classification. Most of the work has been restricted to the detection of specific types of anomalies, including portscans (see [20]), worms (see [22]), denial of service (DoS) attacks (see [17], [19], [41]) and DDoS attacks (see [28], [44]). There have been several attempts at a general approach to anomaly classification.
In [6], the authors use wavelet analysis of IP flow and Simple Network Management Protocol (SNMP) measurements not only to detect anomalies, but also to expose distinct characteristics of various classes of anomalies. In [24], the authors use a clustering algorithm to separate different anomaly types into distinct clusters, allowing for the automatic classification of anomalies and the discovery of new anomaly types. The authors of [39] correlate the detected anomaly with the pattern of SNMP Management Information Base (MIB) variables associated with various anomaly types. The authors of [23] use rule-based heuristics to distinguish different types of anomalies in sampled traffic. While the above methods classify various anomalies, they do not determine a measure of the threat a particular anomaly poses to the network's security.

Our approach is hierarchical and generates a risk index for various types of anomalies at various levels of a network. Such an approach allows network administrators to see that a small local portion of the network is at high risk of a particular attack, while the entire network is not. Our approach is related to alert correlation techniques (see [40] and the references therein), which aim to reduce the total number of alerts generated by many different anomaly-based and signature-based IDSs. In our context, the network administrator is able to view the status of the network at a higher level of abstraction.

III. OVERVIEW OF HIERARCHICAL APPROACH FOR ANOMALY DETECTION

The goal of ALARM, our hierarchical approach, is to classify and assess a large number of alerts generated at spatially distributed sites on the Internet by anomaly-based IDSs. Each site can generate more than a thousand alerts per day. Our objective is to assign a risk index to each anomaly to assess the threat associated with the abnormality. The approach assigns a different risk index for each general type of attack monitored at each node of the hierarchy.
We use as a reference the network topography of the Abilene Internet2 Backbone Network (see Fig. 1; source: http://abilene.internet2.edu/), which is composed of eleven routers distributed across the continental United States. Figure 2 represents the hierarchical structure of the Abilene network. The elementary nodes are at level 0. Level 0 nodes are clustered in three macro nodes at level 1. The next level, level 2, represents the whole network. The risk indices, generated at each node, assess the threat for their respective levels, i.e., local, regional, or national. Figure 1 shows a map of the eleven routers of the Abilene Network overlaid with its hierarchical decomposition.

We now present an overview of the components involved at each level of the process. Figure 3 represents the complete architecture with the various levels and their associated components. The "Raw Data" level is the first level in our approach. It is formed of the alert monitoring and data format units. Next, level 0 consists of risk index creation and time correlation units. Levels 1 and above are each composed of spatial correlation, risk index creation and time correlation units.

The Raw Data level is responsible for the interaction with anomaly-based IDSs and for formatting the incoming alerts into inputs for level 0. We assume that: i) packets are monitored at each node of the network and stored with an adequate sample rate, i.e., approximately 1 in every 100 packets is monitored; ii) raw data is available with the following five parameters: source and destination IP addresses, source and destination ports, and time stamp; and iii) alerts are triggered by third party IDSs and communicated to the lowest level of the hierarchy. The Alert Monitoring Unit collects at each individual node the alerts that are received by anomaly-based IDSs and the various parameters of the alerts. The Data Format Unit extracts the information from the alerts and the raw data, e.g., NetFlow data (Cisco's NetFlow tools have the ability to collect, store, and present detailed network information; see [10]), to compute the various inputs needed at level 0 for the risk index creation.

Level 0 is in charge of calculating the time-correlated risk index with respect to a specific attack profile. It consists of the Risk Creation Unit and the Time Correlation Unit. First, the Risk Creation Unit computes a risk index based on the information
Fig. 1. Abilene Internet2 Backbone Network

Fig. 2. Hierarchical Structure of Abilene

Fig. 3. Components of the Hierarchical Structure
gathered at the raw data level. We use a Multi-Criteria Decision Making (MCDM) approach, see [14], [15], [35], [42], [45], specifically the Electre Tri method, to compute the risk index. (See Section IV for a review of MCDM and the Electre Tri method.) The Time Correlation Unit outputs a time-correlated risk index based on current and previous risk indices.

Levels l, l > 1, output a spatially and time-correlated risk index. The raw data level and level 0 involve elementary nodes. In contrast, each macro node in levels 1 and above is composed of several child nodes. It is therefore necessary to consider the time-correlated risk indices and the topology of the child nodes. Each macro node at level 1 and above contains a Spatial Correlation Unit, a Risk Creation Unit, and a Time Correlation Unit. The Spatial Correlation Unit calculates a correlated risk index for each macro node taking into account the number of child nodes and the nature of their interconnections. Then, the Risk Creation Unit generates a risk index for that level using the Electre Tri MCDM method. The Time Correlation Unit is similar to the one in lower levels except that the time window increases as the node level increases. A larger time window is necessary at higher levels to account for the potential fluctuations that spread over time among a large number of nodes.

As described above, each level contains a risk index creation and time correlation unit. In addition, levels 1 and above contain a spatial correlation unit. These components are described below.

A. Risk Index Creation

Using MCDM methods, numerous and often conflicting criteria can be combined to classify a particular attack into predefined categories. In this approach, each category represents a risk index, ranging from 0 to 1. The criteria that the MCDM component uses to calculate a risk index are often related to each other in a complex way and may sometimes conflict.
The goal of MCDM is to locate these potential conflicts and determine a solution. The specific MCDM method used by the risk index creation unit of ALARM is Electre Tri. At each level of our framework, Electre Tri is used to correlate and prioritize the alerts based on their temporal and spatial distributions. The risk index creation unit computes a risk index for each alert and for each given attack type. To the best of our knowledge, this is the first application of MCDM methods to aggregate, correlate and prioritize alerts in distributed networks. See Section IV for a discussion of Electre Tri and the appendix for a review of MCDM as well as a more detailed discussion of Electre Tri.

B. Time Correlation

The time correlation unit outputs a new risk index based on the current and previous risk indices, as follows.

$$TC_{i,l}(k) = \sum_{n=0}^{T_l} \omega^{n} R_{i,l}(k - T_l + n), \qquad (1)$$

where $TC_{i,l}(k)$ corresponds to the time-correlated risk index of node i at level l at time k; $R_{i,l}(k)$ is the risk index associated with node i at level l at time k; $T_l$ is the number of time steps considered in the correlation at level l; and $\omega$ is the time correlation weight, $\omega \ge 1$. Thus, more recent risk indices will have a larger weight. Next, the time-correlated index is normalized as follows:

$$TCN_{i,l}(k) = \frac{TC_{i,l}(k)}{RM_l \times \left( \sum_{n=0}^{T_l} \omega^{n} \right)}, \qquad (2)$$

where $TCN_{i,l}(k)$ is the normalized time-correlated risk index of node i at level l at time k, and $RM_l$ is the maximum risk index achievable in level l.

C. Spatial Correlation

Level 0 child nodes communicate their normalized time-correlated risk indices to level 1 macro nodes. At the level 1 macro nodes, the time-correlated risk indices of level 0 are spatially-correlated. We define $S_{i,l}$, the set of child nodes of macro node $i_l$ (node i at level l), as follows:

$$S_{i,l} = \begin{cases} \{\, n_{l-1} : \text{macro node } i_l \text{ is parent of child node } n_{l-1} \,\} & \text{if } l \ge 1 \\ \{\, i_l \,\} & \text{if } l = 0. \end{cases} \qquad (3)$$

Moreover, we define N to be the set of all nodes and $N_l$ to be the set of nodes in level l:

$$N_l = \{\, n \in N : \text{node } n \text{ is in level } l \,\}. \qquad (4)$$

Let $|S_{i,l}|$ be the number of elements in the set $S_{i,l}$. Let $K_{m_{l-1}}$, $m_{l-1} \in S_{i,l}$, be the number of links between node $m_{l-1}$ and nodes $n_{l-1} \in N_{l-1} \setminus m_{l-1}$. The spatial correlation $SC_{i,l}(k)$ of node i at level l at time k is defined as follows:

$$SC_{i,l}(k) = \sum_{n_{l-1} \in S_{i,l}} TCN_{n_{l-1}}(k)\, \rho^{K_{n_{l-1}}}\, |S_{n_{l-1}}|, \qquad (5)$$
Fig. 4. Electre Tri Inputs and Outputs. Input: the alternative (input data), evaluated on the criteria (scenario and level dependent). Parameters: profiles, veto thresholds, preference thresholds, indifference thresholds, criterion weights. Output: a risk index normalized to [0,1].
where l > 0 and $\rho$ is the spatial correlation weight, $\rho \ge 1$. The spatial correlation $SC_{i,l}(k)$ is computed as the weighted sum of the normalized time-correlated risk indices of the child nodes of macro node i at level l. The index of each child node is weighted by the number of its own child nodes as well as a factor raised to the number of links connected directly to that node.

For example, the spatial correlation of the national network (level 2, node 1) of the Abilene Network shown in Fig. 1 would be calculated as follows. $S_{1,2}$ consists of three nodes which correspond to the western, midwestern, and eastern portions of the network. The west coast node has 4 child nodes, the midwest 4, and the east 3. The east coast node has 2 links to other level 1 nodes; the midwest has 4 and the west has 2. Thus, $SC_{1,2}$ would be the following:

$$SC_{1,2}(k) = TCN_{1,1}(k)\,\rho^{2}\,(3) + TCN_{2,1}(k)\,\rho^{4}\,(4) + TCN_{3,1}(k)\,\rho^{2}\,(4).$$

And finally, the normalized spatial correlation $SCN_{i,l}(k)$ of node i at level l at time k is computed by:

$$SCN_{i,l}(k) = \frac{SC_{i,l}(k)}{TRM_{l-1} \times \left( \sum_{n_{l-1} \in S_{i,l}} \rho^{K_{n_{l-1}}}\, |S_{n_{l-1}}| \right)}, \qquad (6)$$

where $TRM_l$ is the maximum time-correlated risk index achievable at level l. Thus, with $TRM_1$ equal to 1, the normalized spatial correlation of our example above would be the following:

$$SCN_{1,2}(k) = \frac{SC_{1,2}(k)}{7\rho^{2} + 4\rho^{4}}.$$
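The time and spatial correlation units of Sections III.B and III.C, Eqs. (1) to (6), implemented on the Abilene level-2 example above. This is an added Python example, not the report's Matlab implementation; the child and link counts are the ones given in the text, while the risk-index histories fed in are constructed.

```python
"""Time correlation (Eqs. 1-2) and spatial correlation (Eqs. 5-6) of ALARM
risk indices, applied to the level-2 Abilene example of Section III.C.
Added illustration: the child and link counts are the ones the text gives
for the three level-1 macro nodes; the risk-index histories are constructed."""
from typing import Dict, Sequence, Tuple


def time_correlated(history: Sequence[float], T: int, omega: float,
                    RM: float = 1.0) -> float:
    """TCN_{i,l}(k): history[-1] is R_{i,l}(k), history[-2] is R_{i,l}(k-1), ...
    Eq. (1) sums omega^n R(k - T + n) for n = 0..T, so the newest index carries
    omega^T and the oldest omega^0; Eq. (2) divides by RM * sum of omega^n."""
    if T < 0 or len(history) < T + 1:
        raise ValueError("need at least T+1 risk indices in the window")
    window = history[-(T + 1):]          # R(k-T), ..., R(k)
    tc = sum(omega ** n * r for n, r in enumerate(window))
    norm = RM * sum(omega ** n for n in range(T + 1))
    return tc / norm


# Children of a macro node: name -> (TCN of the child, |S_child|, K_child),
# i.e. its normalized time-correlated index, its own child count and the
# number of links it has to the other nodes of its level.
Children = Dict[str, Tuple[float, int, int]]


def spatial_norm(children: Children, rho: float, TRM: float = 1.0) -> float:
    """Denominator of Eq. (6): TRM_{l-1} times the sum over children of rho^K |S|."""
    return TRM * sum(rho ** k * size for _, size, k in children.values())


def spatial_correlated(children: Children, rho: float, TRM: float = 1.0) -> float:
    """SCN_{i,l}(k) = SC_{i,l}(k) / norm, with SC_{i,l}(k) from Eq. (5)."""
    sc = sum(tcn * rho ** k * size for tcn, size, k in children.values())
    return sc / spatial_norm(children, rho, TRM)


def abilene_national(tcn_west: float, tcn_midwest: float, tcn_east: float,
                     rho: float) -> float:
    """SCN_{1,2}(k) for the Abilene national node: west has 4 child nodes and
    2 links, midwest 4 and 4, east 3 and 2 (Section III.C), TRM_1 = 1, so the
    denominator is 7 rho^2 + 4 rho^4 as in the text."""
    level1: Children = {
        "west": (tcn_west, 4, 2),
        "midwest": (tcn_midwest, 4, 4),
        "east": (tcn_east, 3, 2),
    }
    return spatial_correlated(level1, rho, TRM=1.0)


def national_risk_from_histories(histories: Dict[str, Sequence[float]],
                                 T: int, omega: float, rho: float) -> float:
    """Run both units in order: time correlation per level-1 node (Eq. 2),
    then spatial correlation at level 2 (Eq. 6).  The Risk Creation Unit,
    which would pass the result through Electre Tri, is not modelled here."""
    tcn = {name: time_correlated(h, T, omega) for name, h in histories.items()}
    return abilene_national(tcn["west"], tcn["midwest"], tcn["east"], rho)


if __name__ == "__main__":
    # Constructed level-1 histories, oldest first: a rising index in the midwest.
    hist = {"west": [0.1, 0.1, 0.1], "midwest": [0.2, 0.5, 0.9], "east": [0.0, 0.0, 0.1]}
    print(national_risk_from_histories(hist, T=2, omega=2.0, rho=2.0))
```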
IV. USE OF ELECTRE TRI METHOD FOR RISK INDEX GENERATION

At each node of ALARM, Electre Tri is used to generate a risk index for each attack type being monitored. Electre Tri is an MCDM method which uses an outranking relation to assess the degree by which an alternative a, or a particular attack scenario, outranks a profile, or a reference alternative, $b_h$. Using this outranking relation, one can then conclude that a outranks $b_h$ if enough criteria confirm that a is at least as good as $b_h$ while no criteria are opposed to that in a "too strong way." Each alternative a consists of a vector of values on a set of criteria. Thus, the profiles are simply the values on each criterion which are used as a reference when classifying a particular alternative into a category. In ALARM, these categories are used to represent different risks of a generic type of attack.

Figure 4 shows the key inputs and outputs of each Electre Tri module, which corresponds to the risk index creation unit of Fig. 3. A separate Electre Tri module is used for each generic attack type considered, such as a worm or a DDoS. The main input to each Electre Tri component is a vector of values on the criteria. The set of criteria used depends not only on the level of the hierarchy but also on the generic attack type being monitored. See Section V for the criteria we use for the detection of worms and DDoS. The output is a risk index for an attack type which is normalized to [0, 1]. In addition, a set
Fig. 5. Electre Tri Example
of parameters are used to "tune" the output. These parameters consist of the profiles, the thresholds, the criteria weights and the cutting level. The role of these parameters in the Electre Tri calculations is discussed in the following subsection. For a review of MCDM in general as well as an illustrative calculation using Electre Tri, see the appendix.

A. The Electre Tri Algorithm

Electre Tri, cf. [15], [29]–[31], [36], [42], [43], is a multi-criteria classification method built on the outranking relation concept, which is based on two interlocked relations, concordance and discordance. Using the outranking relation, one can conclude that an "alternative" $a_i$ outranks another "alternative" $a_p$ if enough criteria confirm that $a_i$ is "at least as good as" $a_p$ (concordance), while no criteria are opposed to that in a "too strong way" (discordance). Electre Tri then uses the outranking relation to assign alternatives to predefined categories.

Referring to Fig. 5, let $G = \{1, 2, \ldots, m\}$ be the set of indices of criteria $g_1, g_2, \ldots, g_m$. Let $B = \{1, 2, \ldots, p\}$ be the set of indices of profiles $b_1, b_2, \ldots, b_p$. These profiles, or reference alternatives, demarcate the categories $C_1, C_2, \ldots, C_p, C_{p+1}$, where $b_h$, $h = 1, 2, \ldots, p$, corresponds to the upper bound of category $C_h$ and the lower bound of category $C_{h+1}$. Without loss of generality, we will assume that preferences increase with the value on each criterion. In the Electre Tri components of ALARM, each category represents a risk index. The risk associated with category $C_h$ increases with h. Moreover, the risk is normalized such that $C_1$ corresponds to a risk index of 0 and $C_{p+1}$ corresponds to 1.

Figure 5 shows an example that we will use throughout this section. In this example, we have ten profiles which delineate eleven categories over five criteria. Category $C_1$ represents the lowest possible risk, 0, while $C_{11}$ represents the highest possible risk, 1. Two alternatives, $a_1$ and $a_2$, shown with dashed lines in Fig. 5, represent two sets of inputs to the algorithm of Electre Tri for which risk indices need to be computed.

The assignment of alternatives to categories is done in two steps. See Fig. 6 for an overview of the procedure. First, an outranking relation S that characterizes how alternatives compare to the limits of categories is constructed. Second, the relation S is assessed in order to assign each alternative to a specific category. The outranking relation S validates or not the assertion "a is at least as good as $b_h$", i.e., $aSb_h$ or "a outranks $b_h$". The indifference and preference thresholds, $q_j(b_h)$ and $p_j(b_h)$, respectively, give some flexibility in the evaluation of $g_j(a)$ with respect to the profile; see [34]. The thresholds $q_j(b_h)$, $p_j(b_h)$, and $v_j(b_h)$, and the functions $g_j(a)$ and $g_j(b_h)$ are defined as follows:

Definition 4.1: The function $g_j(a)$ (or $g_j(b_h)$) represents the value of a (or $b_h$) on criterion $g_j$.

Definition 4.2: The indifference threshold $q_j(b_h)$ denotes the largest difference $g_j(a) - g_j(b_h)$ which preserves indifference between a and $b_h$ on criterion $g_j$. Stated another way, it is the largest amount by which the value of the alternative on criterion $g_j$ exceeds the value of the profile $b_h$ on $g_j$ such that neither a outranks $b_h$ nor $b_h$ outranks a on criterion $g_j$.

Definition 4.3: The preference threshold $p_j(b_h)$ indicates the smallest difference $g_j(a) - g_j(b_h)$ compatible with a preference in favor of a on criterion $g_j$. Stated another way, it is the smallest amount by which the value of the alternative on criterion $g_j$ exceeds the value of the profile $b_h$ on $g_j$ such that a outranks $b_h$ on criterion $g_j$.

Definition 4.4: The veto threshold $v_j(b_h)$ denotes the smallest difference $g_j(b_h) - g_j(a)$ incompatible with the assertion $aSb_h$ on criterion $g_j$.
Stated another way, it is the smallest amount by which the value of the profile $b_h$ on criterion $g_j$ exceeds the value of the alternative on $g_j$ such that a does not outrank $b_h$ on criterion $g_j$.

The outranking relation S is then built in the following six steps.

Fig. 6. Overview of Electre Tri Method

Step 1) Compute the partial concordance indices $c_j(a, b_h)$ and $c_j(b_h, a)$. A partial concordance index $c_j(a, b_h)$ is calculated to assess the statement "a outranks $b_h$" with respect to a unique criterion $g_j$. The same logic holds for $c_j(b_h, a)$. The definition of $c_j(a, b_h)$ is as follows:

$$\text{if } g_j(a) \le g_j(b_h) - p_j(b_h) \text{ then } c_j(a, b_h) = 0; \qquad (7)$$

$$\text{if } g_j(b_h) - p_j(b_h) < g_j(a) \le g_j(b_h) - q_j(b_h) \text{ then } c_j(a, b_h) = \frac{g_j(a) - g_j(b_h) + p_j(b_h)}{p_j(b_h) - q_j(b_h)}; \qquad (8)$$

$$\text{if } g_j(b_h) - q_j(b_h) < g_j(a) \text{ then } c_j(a, b_h) = 1. \qquad (9)$$

The definition of $c_j(b_h, a)$ is as follows:

$$\text{if } g_j(a) \ge g_j(b_h) + p_j(b_h) \text{ then } c_j(b_h, a) = 0; \qquad (10)$$

$$\text{if } g_j(b_h) + q_j(b_h) \le g_j(a) < g_j(b_h) + p_j(b_h) \text{ then } c_j(b_h, a) = \frac{g_j(b_h) - g_j(a) + p_j(b_h)}{p_j(b_h) - q_j(b_h)}; \qquad (11)$$

$$\text{if } g_j(a) < g_j(b_h) + q_j(b_h) \text{ then } c_j(b_h, a) = 1. \qquad (12)$$

Step 2) Compute the global concordance indices $c(a, b_h)$ and $c(b_h, a)$. The global concordance index $c(a, b_h)$ assesses all partial concordance indices, i.e., all statements "a outranks $b_h$" with respect to all criteria and their respective weight coefficients $k_j$. The weight allows one to give more or less importance to each criterion. The same logic holds for $c(b_h, a)$. The definitions of $c(a, b_h)$ and $c(b_h, a)$ are as follows:

$$c(a, b_h) = \frac{\sum_{j \in F} k_j\, c_j(a, b_h)}{\sum_{j \in F} k_j}, \qquad (13)$$

$$c(b_h, a) = \frac{\sum_{j \in F} k_j\, c_j(b_h, a)}{\sum_{j \in F} k_j}, \qquad (14)$$

where $k_j$ is the weight coefficient defined for each criterion.

Step 3) Compute the partial discordance indices $d_j(a, b_h)$ and $d_j(b_h, a)$. The partial discordance index $d_j(a, b_h)$ assesses the degree of opposition of the criterion $g_j$ to the statement "a outranks $b_h$". The same logic holds for $d_j(b_h, a)$. The index $d_j(a, b_h)$ is computed as follows:

$$\text{if } g_j(a) > g_j(b_h) - p_j(b_h) \text{ then } d_j(a, b_h) = 0; \qquad (15)$$

$$\text{if } g_j(b_h) - v_j(b_h) < g_j(a) \le g_j(b_h) - p_j(b_h) \text{ then } d_j(a, b_h) = \frac{g_j(b_h) - g_j(a) - p_j(b_h)}{v_j(b_h) - p_j(b_h)}; \qquad (16)$$

$$\text{if } g_j(b_h) - v_j(b_h) \ge g_j(a) \text{ then } d_j(a, b_h) = 1. \qquad (17)$$

The index $d_j(b_h, a)$ is computed as follows:

$$\text{if } g_j(a) \le g_j(b_h) + p_j(b_h) \text{ then } d_j(b_h, a) = 0; \qquad (18)$$

$$\text{if } g_j(b_h) + p_j(b_h) < g_j(a) \le g_j(b_h) + v_j(b_h) \text{ then } d_j(b_h, a) = \frac{g_j(a) - g_j(b_h) - p_j(b_h)}{v_j(b_h) - p_j(b_h)}; \qquad (19)$$

$$\text{if } g_j(a) > g_j(b_h) + v_j(b_h) \text{ then } d_j(b_h, a) = 1. \qquad (20)$$

Step 4) Compute the degree of credibility indices $\sigma(a, b_h)$ and $\sigma(b_h, a)$ to obtain a "fuzzy" outranking relation. The degree of credibility $\sigma(a, b_h)$ of the outranking relation "a outranks $b_h$" is based on the global concordance and partial discordance indices ($c(a, b_h)$ and $d_j(a, b_h)$, $\forall j \in G$). The same logic holds for $\sigma(b_h, a)$. We have:

$$\sigma(a, b_h) = c(a, b_h) \prod_{j \in G_1} \frac{1 - d_j(a, b_h)}{1 - c(a, b_h)}, \qquad (21)$$

where $G_1 = \{ j \in G : d_j(a, b_h) > c(a, b_h) \}$;

$$\sigma(b_h, a) = c(b_h, a) \prod_{j \in G_2} \frac{1 - d_j(b_h, a)}{1 - c(b_h, a)}, \qquad (22)$$

where $G_2 = \{ j \in G : d_j(b_h, a) > c(b_h, a) \}$.

Step 5) Obtain the "crisp" outranking relation from the credibility indices by using a predefined cutting level $\lambda$. According to the degree of credibility, a decision is made based on a predefined "cutting level" $\lambda$, which is the minimum value the credibility degree must take to satisfy the statement $aSb_h$, i.e., "a outranks $b_h$". Thus, we have:

$$\sigma(a, b_h) \ge \lambda \Rightarrow aSb_h. \qquad (23)$$

In other words, the cutting level $\lambda$ converts the "fuzzy" outranking relation into a "crisp" relation.

Step 6) Assign the alternative to a category. The final step in the Electre Tri MCDM approach is to assign the alternative a to a category. However, before we can do this, we must define the following binary relations:

Definition 4.5: [Indifference [I]] $aIb_h \Leftrightarrow aSb_h \wedge b_hSa$

Definition 4.6: [Preference [$\succ$]]
• $a \succ b_h \Leftrightarrow aSb_h \wedge \neg b_hSa$
• $a \prec b_h \Leftrightarrow \neg aSb_h \wedge b_hSa$

Definition 4.7: [Incomparability [R]] $aRb_h \Leftrightarrow \neg aSb_h \wedge \neg b_hSa$

The alternative a can then be assigned to a category through either the pessimistic or optimistic assignment procedure:

The pessimistic assignment procedure:
a) Compare a successively to $b_i$, for $i = p, p-1, \ldots, 0$.
b) Let $b_h$ be the first profile such that $aSb_h$. Then assign a to category $C_{h+1}$.

The optimistic assignment procedure:
a) Compare a successively to $b_i$, for $i = 1, 2, \ldots, p$.
b) Let $b_h$ be the first profile such that $b_h \succ a$. Then assign a to category $C_h$.

Note that in the experiments of Section VI, the pessimistic assignment procedure is used.

The assignment of an alternative to a predefined category is not necessarily an easy task, and the difficulties are shown in Fig. 5. An alternative $a_1$ is presented and its score on each criterion appears in the dotted line. The profiles $b_1$ and $b_2$ are shown in solid lines with their scores on each criterion. From the visual observation, we can easily deduce: $a_1 \succ b_1$ and $a_1 \prec b_2$. Consequently, alternative $a_1$ is assigned to category $C_2$ under either assignment procedure. Next, we consider alternative $a_2$ with its score in the dotted line on each criterion. The profiles $b_5$, $b_6$, and $b_7$ are shown in solid lines. The score of $a_2$ varies from $b_3$ to $b_8$. The assignment cannot be estimated and must be calculated with the outranking relation of Electre Tri. This will lead to an assignment that might be established as follows: $a_2Sb_5$, $\neg b_5Sa_2$, $a_2Sb_6$, $b_6Sa_2$, $\neg a_2Sb_7$ and $b_7Sa_2$. Thus, from Defns. 4.5, 4.6 and 4.7, we can determine that $a_2 \succ b_5$, $a_2Ib_6$ and $a_2 \prec b_7$. Consequently, alternative $a_2$ is categorized as $C_6$ under the pessimistic assignment procedure and $C_7$ under the optimistic. In summary, the model will assign each alternative to one of the eleven categories regardless of the complexity of the alternative's scores and the accuracy of the outranking relation. Appendix B presents a quantitative example of the Electre Tri algorithm.

V. APPLICATION OF ELECTRE TRI TO INTERNET TRAFFIC

With ALARM, we can divide the 65535 ports into 20 known services and 1 unknown service, and monitor them for different types of attacks. For the sake of simplicity, we only consider two types of attacks: worms and DDoS. The criteria of the MCDM modules need to be adapted to the specific attack under consideration. In this section, we lay out the criteria we have used for these attack types in our experiments of Section VI. The purpose of this section is to give insight into how to select criteria for an attack type and link our methods to an application. However, more sophisticated criteria could be used.

A. Level 0 Worm Criteria

The following criteria are used to detect a worm anomaly.
1) Traffic increase percentage (as given by the anomaly-based IDS)
2) Number of unique source IP addresses that transmit to 2 to 3 unique destination IP addresses, adjusted for variations in average levels of traffic between nodes
3) Number of unique source IP addresses that transmit to 4 to 6 unique destination IP addresses, adjusted for variations in average levels of traffic between nodes
4) Number of unique source IP addresses that transmit to 7 to 10 unique destination IP addresses, adjusted for variations in average levels of traffic between nodes
5) Number of unique source IP addresses that transmit to more than 10 unique destination IP addresses, adjusted for variations in average levels of traffic between nodes

The alert monitoring unit receives the alerts with the associated increase percentage in the monitored service. We use the percentage increase in traffic as a criterion and create 11 categories of risk indices from best to worst, i.e., from 0, no risk of attack, to 1, high risk of attack. The categories are delimited by the profiles. In the case of worm attacks, we expect to see an increase of traffic in a particular service, which is captured by criterion 1, and a large number of unique source IP addresses that transmit to multiple destination IP addresses, which is captured by criteria 2–5. Indeed, a worm is a self-propagating program that scans and attacks a large number of destinations every minute to find potential targets. The scans and attacks are not necessarily occurring in the same network. A typical worm would have an allocated percentage of its scans within its network and the rest of the scans outside the network. This percentage and allocation are decided by the hacker. Therefore, we use four criteria that record the distribution of scans and attacks by unique sources with respect to a targeted service. The risk associated with an attack is directly dependent on the number of unique sources involved and the aggressiveness of the scans.
Therefore, it is important to monitor the balance between the number of unique sources and the number of scans per unique source. Moreover, since networks at different elementary nodes may have different average levels of normal traffic, criteria 2–5 are adjusted to account for this fact.

B. Level 0 Distributed Denial of Service Criteria

The following criteria are used to detect a distributed denial of service anomaly.

1) Traffic increase percentage (as given by the anomaly-based IDS)
2) Total number of unique source IP addresses, adjusted for variations in average levels of traffic between nodes
3) Number of unique source IP addresses that transmit to 1 unique destination IP address, adjusted for variations in average levels of traffic between nodes

As in the case of a worm attack, we expect to see an increase in traffic in a particular service, which is captured by criterion 1, and a large number of sources that transmit to only one destination, which is captured by criteria 2–3. Thus, with a DDoS, we expect to see a surge in traffic as many sources target one host. We use these criteria to create 11 categories of risk indices from best to worst.

C. Level 1+ Criteria

In the macro nodes, the following criteria are considered for both worm and DDoS attacks.

1) Normalized spatial correlation
2) Percentage of child nodes with normalized time correlations greater than 0.15
3) Percentage of child nodes with normalized time correlations greater than 0.30
4) Percentage of child nodes with normalized time correlations greater than 0.45
5) Percentage of child nodes with normalized time correlations greater than 0.60
6) Percentage of child nodes with normalized time correlations greater than 0.75
7) Percentage of child nodes with normalized time correlations greater than 0.90

The first criterion is the normalized spatial correlation, which is computed according to Equations 5 and 6. The next six criteria record the distribution of the risk indices of child nodes. We used these criteria to ensure that the risk of a macro node would rise and fall with the threat faced by all of its child nodes. As with level 0, these criteria are used to form 11 categories of risk from best to worst.

VI. EXPERIMENTAL RESULTS AND ANALYSIS

Several experiments were performed to demonstrate ALARM. We used historical data from the Abilene Network to examine the response of our hierarchical approach to the Zotob worm, which appeared in August 2005, a DDoS attack, which occurred in January 2005, and a worm that appeared on the Internet Relay Chat (IRC) service during April 2006. We implemented our approach in Matlab, as illustrated in Fig. 3. Our objective was to illustrate how the approach classifies and assesses anomalies of differing risk, type and extent. To simplify our analysis, we did not actually use alerts from anomaly-based IDSs. Thus, we are essentially assuming that the anomaly-based IDSs generate alerts during every time interval. If no alert is generated during a time interval, then the risk determined by ALARM would be zero. Thus, our experiments generate the worst-case risk indices for each attack type.

A. Data Sets

To evaluate our hierarchical approach, we used Cisco NetFlow data collected from the Abilene Internet2 backbone network. These data sampled the traffic at a rate of 1 out of every 100 packets. The captured traffic data contained such information as the source and destination IP addresses, source and destination port numbers, protocol type, number of packets in the flow and the number of bytes.
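As an added illustration, not the authors' C++ processing code, the following Python computes the Level 0 worm and DDoS criteria and the Level 1+ threshold criteria described above from flow records carrying the fields just listed. The "adjusted for variations in average levels of traffic between nodes" step is modelled as division by a per-node baseline count of unique sources, and the node names, addresses and baselines are constructed, since the paper gives neither the adjustment formula nor raw records.

```python
"""Level 0 and Level 1+ criteria computed from sampled flow records.

Added example, not the authors' C++ or Matlab code. Flow records carry the
fields named in the Data Sets paragraph (observing node, source, destination,
destination port, packet count). The 'adjusted for variations in average
levels of traffic' step is modelled here as division by a per-node baseline
count of unique sources, which is an assumption: the paper gives no formula.
"""
from collections import defaultdict
from dataclasses import dataclass

# Fan-out ranges (distinct destinations per source) behind worm criteria 2-5.
WORM_BUCKETS = ((2, 3), (4, 6), (7, 10), (11, float("inf")))
# Time-correlation thresholds behind Level 1+ criteria 2-7.
CORRELATION_THRESHOLDS = (0.15, 0.30, 0.45, 0.60, 0.75, 0.90)


@dataclass(frozen=True)
class Flow:
    node: str      # router that observed the sampled flow
    src: str
    dst: str
    dport: int     # monitored service, e.g. 445 or 80
    packets: int


def _service_flows(flows, node, dport):
    return [f for f in flows if f.node == node and f.dport == dport]


def fanout_per_source(flows, node, dport):
    """Distinct destinations contacted by each source on one service at one node."""
    dests = defaultdict(set)
    for f in _service_flows(flows, node, dport):
        dests[f.src].add(f.dst)
    return dests


def traffic_increase_pct(flows, node, dport, baseline_packets):
    """Criterion 1: percentage increase in packets over the 'normal' interval."""
    packets = sum(f.packets for f in _service_flows(flows, node, dport))
    return 100.0 * (packets - baseline_packets) / baseline_packets


def worm_criteria(flows, node, dport, baseline_packets, baseline_sources):
    """Level 0 worm criteria 1-5 for one node and one 5-minute interval."""
    dests = fanout_per_source(flows, node, dport)
    crit = [traffic_increase_pct(flows, node, dport, baseline_packets)]
    for lo, hi in WORM_BUCKETS:
        n = sum(1 for d in dests.values() if lo <= len(d) <= hi)
        crit.append(n / baseline_sources)   # assumed traffic-level adjustment
    return crit


def ddos_criteria(flows, node, dport, baseline_packets, baseline_sources):
    """Level 0 DDoS criteria 1-3: many sources, each aimed at a single destination."""
    dests = fanout_per_source(flows, node, dport)
    single = sum(1 for d in dests.values() if len(d) == 1)
    return [traffic_increase_pct(flows, node, dport, baseline_packets),
            len(dests) / baseline_sources,     # criterion 2: all unique sources
            single / baseline_sources]         # criterion 3: one-destination sources


def level1_threshold_criteria(child_time_correlations):
    """Level 1+ criteria 2-7: percentage of child nodes whose normalized time
    correlation exceeds each threshold. Criterion 1 (normalized spatial
    correlation) needs Equations 5 and 6 and is not computed here."""
    n = len(child_time_correlations)
    return [100.0 * sum(1 for c in child_time_correlations if c > t) / n
            for t in CORRELATION_THRESHOLDS]


def _scan(node, src, n_dst, dport):
    """Constructed helper: one source touching n_dst distinct destinations."""
    return [Flow(node, src, f"192.0.2.{i}", dport, 1) for i in range(1, n_dst + 1)]


# Constructed sample interval: worm-like fan-out on port 445 at CHIN, and a
# DDoS-like convergence of 20 sources on one web server at NYCM.
SAMPLE_FLOWS = (
    _scan("CHIN", "10.0.0.1", 12, 445)        # fan-out > 10
    + _scan("CHIN", "10.0.0.2", 5, 445)       # fan-out 4-6
    + _scan("CHIN", "10.0.0.3", 2, 445)       # fan-out 2-3
    + _scan("CHIN", "10.0.0.4", 1, 445)       # single destination: no worm bucket
    + [Flow("NYCM", f"10.1.0.{i}", "198.51.100.7", 80, 3) for i in range(1, 21)]
    + _scan("NYCM", "10.1.9.9", 3, 80)        # ordinary browsing source
)

if __name__ == "__main__":
    print("CHIN/445 worm criteria:", worm_criteria(SAMPLE_FLOWS, "CHIN", 445, 10, 2))
    print("NYCM/80  DDoS criteria:", ddos_criteria(SAMPLE_FLOWS, "NYCM", 80, 20, 5))
    print("Level 1+ criteria 2-7:", level1_threshold_criteria([0.2, 0.5, 0.8, 0.95]))
```

Running the same interval through both criteria sets shows the separation the paper relies on: the CHIN/445 traffic scores on the worm fan-out buckets but has few single-destination sources, while the NYCM/80 traffic does the reverse.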
Note that in the Abilene data, the last 11 bits of the IP addresses were zeroed out for privacy reasons. This was not a significant concern. We wrote code in C++ to process the data and calculate the statistics necessary for our hierarchical approach.

B. Zotob Worm Attack - August 2005

On August 9, 2005, Microsoft released critical security bulletin MS05-039 (see [1], [2]), revealing a vulnerability in the Plug-and-Play service of Windows 2000. Five days later, on August 14th, a worm exploiting this vulnerability was released, discovered, and named Zotob. In the days that followed, more variants were released and discovered. The worm received considerable attention in the news media since computers owned by CNN and ABC crashed. Moreover, the U.S. Congress, The New York Times, General Electric and the San Francisco International Airport were among those affected by the worm and its variants (see [26], [32], [37]). According to [26], Zotob and its variants accounted for approximately $500 million in worldwide damages. While this is not the costliest attack on record, it is significant as it was the first major worm outbreak since MyDoom in January 2004 [37]. We used data from the Abilene Network to analyze our approach’s response to this worm outbreak. We analyzed 18 days of traffic on port 445 in intervals of 5 minutes from August 10, 2005 to August 27, 2005. As the first criterion is the percentage increase in traffic as given by the IDS, we used the time frame from August 11, 2004 to August 28, 2004 as the “normal” traffic. Thus, we estimated the first criterion as the percentage increase in the number of packets transmitted from 2004 to 2005. However, since we did not have traffic data for August 19–20, 2004, we were forced to set all the criteria to zero for the corresponding days. See Fig. 7 for the values of the criteria used for all nodes of the Abilene Network. The anomaly is clearly present in the data. We now present the worm attack risk indices generated by ALARM.
The results for all nodes and levels are displayed in a set of figures. Figures 8, 9 and 10 show the correlated risk indices over time for the level 1 nodes and their children. Figure 11 illustrates the risk indices of the level 2 node and its children. Each unit of time represents one hour. This example demonstrates the power of our approach. First, this anomaly is clearly classified as a worm attack. Second, our technique gives a measure of the threat of this worm. Third, by decomposing the network into levels, our approach is able to assess the risk associated with this attack at different levels of granularity. From the plots, we can see that the threat associated with this anomaly was less on the west coast routers (level 1 node 3, see Fig. 10) than it was in the rest of the country. However, the attack still had widespread effect and this is confirmed by the high risk generated at the national node (level 2 node 1, see Fig. 11). Thus, with our approach, we can determine whether an anomaly is global or localized in its effect. Moreover, increased threat of attack in a local node could give warning to network security administrators to take protective action at other nodes. In addition, when we used the criteria and profiles for a DDoS attack, ALARM generated the DDoS risk of zero.
Fig. 7. Input Worm Criteria for All Abilene Routers

Fig. 8. Worm Risk Indices for Level 1 Node 1 and Children (East)
C. Distributed Denial of Service Attack - January 2005

On January 16, 2005, a DDoS anomaly occurred on the Abilene Network, lasting the entire day. The number of packets transmitted to one IP address from multiple sources surged dramatically. All of the new traffic consisted of 48 byte packets being transmitted from either port 1024 or port 3072 to the destination port 80 (web http traffic). The anomaly was the most severe at the NYCM, WASH, and CHIN routers. The anomaly appeared at most, but not all, of the remaining Abilene routers. However, the anomaly at these routers was much more short-lived, lasting only 15 minutes. We considered a three day period from January 15, 2005 through January 17, 2005, divided into five minute intervals. In addition, we used the three day period from January 8, 2005 through January 10, 2005 as the “normal” traffic. Thus, the first criterion was calculated as the percentage increase in packets from one time step in the normal traffic to the corresponding time a week later. See Fig. 12 for plots of the criteria generated for all the routers. The output of ALARM is what we would expect. See Figs. 13, 14, 15 and 16. Again, this example exhibits the advantages of our approach. First, this anomaly is clearly classified as a DDoS. Second, our approach gives a measure of the threat associated with this particular attack. And third, it is able to analyze the threat at different levels. The approach shows that the risk of a denial of service attack is very high at the east coast routers (see Fig. 13). The risk at the midwest and west coast routers is low (see Figs. 14 and 15). Thus, at the national level, we can see that the threat associated with this attack is medium to low.
Fig. 9. Worm Risk Indices for Level 1 Node 2 and Children (Midwest)

Fig. 10. Worm Risk Indices for Level 1 Node 3 and Children (West)
These results are intuitive since we know this anomaly was mostly confined to the east coast nodes. Moreover, when we used the criteria and profiles for a worm attack, ALARM generated a risk index of zero at all nodes. Thus, our approach was able to distinguish easily between the two anomaly types we considered.

D. IRC Worm - April 2006

We examined the NetFlow data for the month of April 2006 on the Abilene Internet2 Backbone Network. We searched for anomalies using the distributed weighted multi-dimensional scaling (dwMDS) method of [12], [33]. This is a distributed algorithm that reduces high-dimensional data into a low-dimensional subspace. Moreover, we searched for anomalies by manually examining the traffic data on different services such as web http traffic and Internet Relay Chat (IRC). We searched for anomalous behavior by calculating the following statistics for each 5 minute interval on each router of the Abilene Network:

• Number of Packets Transmitted
• Number of Bytes Transmitted
• Number of Unique Sources
• Number of Unique Sources Transmitting to 1 Unique Destination
• Number of Unique Sources Transmitting to 2–3 Unique Destinations
• Number of Unique Sources Transmitting to 4–6 Unique Destinations
• Number of Unique Sources Transmitting to 7–10 Unique Destinations
• Number of Unique Sources Transmitting to > 10 Unique Destinations

Fig. 11. Worm Risk Indices for Level 2 Node 1 and Children (National)

Fig. 12. Input DDoS Criteria for All Abilene Routers

The majority of the anomalies consisted of port scans that are typical in a large network such as Abilene. However, we did detect a worm on the IRC service (ports 6660 to 6667). Since the Abilene data only contain traffic statistics and no payload information, we cannot know for sure the nature of this anomaly. However, we classify it as a worm for two reasons. First, the amount of traffic on the service surges dramatically. Figure 17 shows the traffic on the IRC service for April 2006. This traffic is clearly anomalous in the last nine to ten days of the month. Second, we saw a large increase in the number of unique sources transmitting to multiple unique destinations. This behavior is indicative of a worm’s goal to replicate itself and attempt to infect as many new hosts as possible. After investigating the IRC worm, we determined that it appeared on three separate occasions during the month of April 2006. It first appeared for a brief time at 4:25 AM on April 1, lasting for only about 70 minutes. It then reappeared on April 21 around 4:40 PM and lasted much longer, for about 3.5 days. It appeared again on April 25 around 6:30 PM, lasting until the end of the month. Figure 18 shows the worm criteria which were input into ALARM. We estimated the first criterion, the percentage increase in traffic, by approximating the “normal” traffic for each router as the average number of packets during
each 5 minute interval of the week starting on April 2, 2006. Next, we input these criteria into ALARM to see how well it would classify and assess the threat of a worm during the entire month. See Figs. 19, 20, 21 and 22 for the risk indices generated by ALARM for the entire month at all nodes of our hierarchy. First, all three occurrences of the worm, as we determined manually, were clearly classified as a worm. Moreover, in spite of the indeterminacy of the first criterion, ALARM never became confused. In other words, the worm risk was zero whenever the IRC worm was not occurring. In addition, our framework was able to distinguish between the different amounts of risk associated with different networks and regions. Namely, it was able to show that the worm was weakest on the east coast and strongest in the midwest. Additionally, in Fig. 19, the risk for the entire east coast region is zero throughout the entire month. Even when the risk of each node is roughly 0.4, ALARM still outputs zero. The risk is zero because the threat associated with each child is low enough that there is no significant threat to the whole region. However, it would be possible to set up the criteria and “tune” the parameters to generate a higher risk in this case.

Fig. 13. DDoS Risk Indices for Level 1 Node 1 and Children (East)

Fig. 14. DDoS Risk Indices for Level 1 Node 2 and Children (Midwest)

VII. CONCLUSIONS

We have proposed ALARM, a novel hierarchical approach to classify, prioritize and assess multiple anomalies. The spatially distributed nodes receive alerts from various anomaly-based IDSs. A time-correlated risk index, which assesses the potential
threat of an attack, is computed for each alert at each node of the hierarchy. The creation of the risk index is based on the Electre Tri MCDM method. Each child node communicates its risk level to its parent node. The parent nodes compute spatially and time-correlated risk indices that evaluate the attack risk for a geographical region larger than that of their child nodes. The risk indices of parent nodes are generated by the MCDM approach. This hierarchical approach assesses the potential threat of an attack at local, regional, national, and worldwide nodes. To the best of our knowledge, this is the first time that MCDM methods have been applied to the classification and prioritization of anomalies. The results of the experimentation are promising. Our approach provides an effective tool in assisting security experts to identify new threats. The method we proposed is not limited to the use of the criteria mentioned in this paper. The removal, addition, or update of the criteria can be done in a straightforward manner. Moreover, the profiles and thresholds of the MCDM approach can be easily tuned for different attack types. ALARM is versatile, extendable, and scalable to any network or modular system.

Fig. 15. DDoS Risk Indices for Level 1 Node 3 and Children (West)

Fig. 16. DDoS Risk Indices for Level 2 Node 1 and Children (National)

APPENDIX
REVIEW AND EXAMPLE OF MULTI-CRITERIA DECISION MAKING

At each node of our framework, an MCDM method is used to compute a risk index for each attack profile. Using the MCDM method, numerous criteria can be used to classify a particular attack into predefined categories. The criteria that the
MCDM tool uses to calculate a risk index are often related to each other in a complex way and may sometimes conflict. The goal of MCDM is to locate those potential conflicts and determine a solution. In this section, we present the basic notions in MCDM and the Electre Tri approach.

Fig. 17. April 2006 Traffic on IRC Service (Number of Packets)

Fig. 18. Input IRC Worm Criteria for All Abilene Routers

A. Basic Notions in Multi-Criteria Decision Making

All individuals want to make good decisions, i.e., decisions that have positive results or reliable outcomes. Reliable outcomes are more likely to occur if a good decision making process is used. Decision makers need guidance in assessing and reassigning the various alternatives with which they are faced in decision problems. In most cases individuals make choices based on various
criteria which are predetermined by experts on the problem. Since most of the criteria are of a qualitative nature, decision-makers have to make decisions based on both quantitative data and subjective judgements. Problem formulations or “problematics” are divided into three distinct categories: choice, sorting, and ranking, cf. [4], [5], [42]. The main difference between these problematics is how the alternatives are assessed — i.e., relative versus absolute classification. In relative classification [4], [42], alternatives are compared with one another and are classified according to the outcome of the comparison. Choice and ranking problems are based on relative classification of alternatives. Figures 23 and 24 illustrate the choice and ranking problematics. In the choice problematic, a small subset of alternatives is selected. In the ranking problematic, the set of alternatives is divided into equivalence classes that are later ranked according to preferences. In absolute classification of alternatives [4], [42], [45], each alternative is individually compared, via its intrinsic value, to predefined norms and references, and hence not directly compared to other alternatives. Alternatives are “similar” or “not similar” to a reference profile and “adequate” or “not adequate” to some norms. A set of categories is defined based on norms. Categories are rank-ordered from better to worse. Each alternative is assigned to one of the categories based on certain criteria and norms. Therefore the assignment of an alternative does not depend on other alternatives. The sorting problematic, cf. [45], is based on absolute classification and is depicted in Fig. 25.

Fig. 19. IRC Worm Risk Indices for Level 1 Node 1 and Children (East)

Fig. 20. IRC Worm Risk Indices for Level 1 Node 2 and Children (Midwest)

Multi-criteria problem methods are divided into compensation and outranking methods, see [38]. The compensation method
attributes a weight to each criterion and calculates a global score for each measure, in the form of a weighted arithmetic average of the scores attributed to that measure for the different criteria. A measure is the value of an alternative or reference alternative with respect to a particular criterion. The calculation of the weighted average permits a compensation between criteria. The outranking method is used when no global score can be produced. The method consists of all possible comparisons of one value or measure with others, e.g., “does Measure A outrank Measure B with respect to criterion X?”, “does Measure A outrank Measure B with respect to criterion Y?”, etc. The answers are either yes, no, or quantified as a value between 0 (no) and 1 (yes). In the latter case, the value is characterized based on notions of weak and strong preferences and a threshold criterion. The method allows a veto threshold to be included for each criterion. The veto notion adds safety against values that are not desired with respect to the criterion. The output is “Measure A is at least as good as Measure B, with respect to a majority of criteria, and is not too bad in relation to the other criteria”. Known frameworks of the outranking method are Electre Tri (see [30], [36], [42], [43]), PROAFTN (see [7], [8]), PAIRCLAS (see [13]), and Promethee Tri (see [25]). Electre frameworks were the first ones to present an outranking method, see [9]. Some other methods are derived to different extents from the original Electre methods (see, e.g., [14], [15], [38]). Our choice of Electre Tri is mainly due to its well-established framework, various known applications, and advanced features, such as veto thresholds.

Fig. 21. IRC Worm Risk Indices for Level 1 Node 3 and Children (West)

Fig. 22. IRC Worm Risk Indices for Level 2 Node 1 and Children (National)
Fig. 23. Problem Formulation: Choice (a set of alternatives A1–A6 is split into selected and rejected alternatives)

Fig. 24. Problem Formulation: Ranking (the alternatives A1–A6 are ordered from best to worst)
B. An Illustrative Example of Electre Tri

In this section, we present an example that illustrates the various steps of the Electre Tri algorithm presented in Section IV-A (see also [30]). Let us consider three alternatives a1, a2 and a3 evaluated on five criteria g1, g2, g3, g4 and g5. Let us suppose that the direction of preference on each criterion is increasing and that the minimum and maximum values on all criteria are 0 and 100, respectively. The evaluation matrix is given in Table I. In the first part of this example, let us suppose that the alternatives are to be compared to the profile b = (70, 75, 80, 75, 85) using the preferential information given in Table II.

Comparison of a1 and b:

1) The values of the partial concordance indices cj(b, a1) and cj(a1, b) are shown in Table III.
2) The computation of the concordance indices c(b, a1) and c(a1, b) is given by Equations (24) and (25), respectively.

$$c(a_1, b) = \frac{1 + 0.4 + 1 + 1 + 1}{5} = 0.88 \tag{24}$$

$$c(b, a_1) = \frac{1 + 1 + 1 + 1 + 1}{5} = 1 \tag{25}$$
Fig. 25. Problem Formulation: Sorting (the alternatives A1–A6 are assigned to rank-ordered categories, best to worst: Category 1: A5, A1; Category 2: A3, A6; Category 3: A2; Category 4: A4)
TABLE I EVALUATION MATRIX

        g1    g2    g3    g4    g5
a1      75    67    85    82    90
a2      28    35    70    90    95
a3      45    60    55    68    60

TABLE II PREFERENCE PARAMETERS

        g1    g2    g3    g4    g5
kj       1     1     1     1     1
qj(b)    5     5     5     5     5
pj(b)   10    10    10    10    10
vj(b)   30    30    30    30    30
3) The values of the discordance indices dj(b, a1) and dj(a1, b) are shown in Table IV.
4) For the computation of the credibility indices σ(b, a1) and σ(a1, b), we note that:

$$d_j(b, a_1) = d_j(a_1, b) = 0,\ \forall j \in F. \tag{26}$$

Therefore, we obtain, according to Equations (21) and (22),

$$\sigma(a_1, b) = c(a_1, b) = 0.88 \tag{27}$$

$$\sigma(b, a_1) = c(b, a_1) = 1. \tag{28}$$

5) To determine the preference relation between a1 and b when λ = 0.75 we note that

$$\sigma(a_1, b) \ge \lambda \Rightarrow a_1 S b, \tag{29}$$

$$\sigma(b, a_1) \ge \lambda \Rightarrow b S a_1. \tag{30}$$
Therefore, we conclude that a1 I b.

TABLE III PARTIAL CONCORDANCE INDICES cj(b, a1) AND cj(a1, b)

             g1    g2    g3    g4    g5
cj(a1, b)     1   0.4     1     1     1
cj(b, a1)     1     1     1     1     1

TABLE IV DISCORDANCE INDICES dj(b, a1) AND dj(a1, b)

             g1    g2    g3    g4    g5
dj(a1, b)     0     0     0     0     0
dj(b, a1)     0     0     0     0     0

TABLE V PARTIAL CONCORDANCE INDICES cj(b, a2) AND cj(a2, b)

             g1    g2    g3    g4    g5
cj(a2, b)     0     0     0     1     1
cj(b, a2)     1     1     1     0     0

TABLE VI DISCORDANCE INDICES dj(b, a2) AND dj(a2, b)

             g1    g2    g3    g4    g5
dj(a2, b)     1     1     0     0     0
dj(b, a2)     0     0     0  0.25     0

Comparison of a2 and b:

1) The values of the partial concordance indices cj(b, a2) and cj(a2, b) are shown in Table V.
2) The computation of the concordance indices c(b, a2) and c(a2, b) is given by Equations (31) and (32), respectively.

$$c(a_2, b) = \frac{0 + 0 + 0 + 1 + 1}{5} = 0.4 \tag{31}$$

$$c(b, a_2) = \frac{1 + 1 + 1 + 0 + 0}{5} = 0.6 \tag{32}$$

3) The values of the discordance indices dj(b, a2) and dj(a2, b) are shown in Table VI.
4) The credibility indices σ(b, a2) and σ(a2, b) are:

$$\sigma(a_2, b) = 0 \quad \text{as } d_j(a_2, b) = 1 \text{ for } j = 1, 2 \tag{33}$$

and

$$\sigma(b, a_2) = 0.6 \quad \text{as } d_j(b, a_2) < c(a_2, b),\ \forall j \in F. \tag{34}$$

5) To determine the preference relation between a2 and b when λ = 0.75, we note that

$$\sigma(a_2, b) < \lambda \Rightarrow \neg a_2 S b \tag{35}$$

and

$$\sigma(b, a_2) < \lambda \Rightarrow \neg b S a_2. \tag{36}$$
Therefore, we conclude that a2 R b.

Comparison of a3 and b:

1) The values of the partial concordance indices cj(b, a3) and cj(a3, b) are shown in Table VII.
2) The computation of the concordance indices c(b, a3) and c(a3, b) is given by Equations (37) and (38), respectively.

$$c(a_3, b) = \frac{0 + 0 + 0 + 0.6 + 0}{5} = 0.12 \tag{37}$$

$$c(b, a_3) = \frac{1 + 1 + 1 + 1 + 1}{5} = 1 \tag{38}$$

3) The values of the discordance indices dj(b, a3) and dj(a3, b) are shown in Table VIII.
4) The credibility indices σ(b, a3) and σ(a3, b) are:

$$\sigma(a_3, b) = 0.12 \cdot \frac{1 - 0.75}{1 - 0.12} \cdot \frac{1 - 0.25}{1 - 0.12} \cdot \frac{1 - 0.75}{1 - 0.12} \cdot \frac{1 - 0.75}{1 - 0.12} \approx 0 \tag{39}$$

and

$$\sigma(b, a_3) = c(b, a_3) = 1 \quad \text{as } d_j(b, a_3) = 0,\ \forall j \in F. \tag{40}$$

5) To determine the preference relation between a3 and b when λ = 0.75 we note that

$$\sigma(a_3, b) < \lambda \Rightarrow \neg a_3 S b \tag{41}$$

and

$$\sigma(b, a_3) \ge \lambda \Rightarrow b S a_3. \tag{42}$$

Therefore, we conclude that a3 ≺ b.

TABLE VII PARTIAL CONCORDANCE INDICES cj(b, a3) AND cj(a3, b)

             g1    g2    g3    g4    g5
cj(a3, b)     0     0     0   0.6     1
cj(b, a3)     1     1     1     1     1

TABLE VIII DISCORDANCE INDICES dj(b, a3) AND dj(a3, b)

             g1    g2    g3    g4    g5
dj(a3, b)  0.75  0.25  0.75     0  0.75
dj(b, a3)     0     0     0     0     0

In the second part of this example, we assign the three alternatives to one of three categories. Table IX presents the profiles b1, b2 (= b of the first part of the example) with respect to the criteria g1, g2, g3, g4, g5. Table X presents the credibility indices, and Table XI the preference relations between the alternatives a1, a2, a3 and the profiles b1, b2.

TABLE IX DEFINITION OF PROFILES

        g1    g2    g3    g4    g5
b1      50    48    55    55    60
b2      70    75    80    75    85

TABLE X CREDIBILITY INDICES σ(ai, bp)

      σ(ai, b1)   σ(b1, ai)   σ(ai, b2)   σ(b2, ai)
a1         1           0         0.88           1
a2       0.6           0            0         0.6
a3         1         0.6            0           1

The pessimistic assignment procedure results in the following assignments:

• a1 is assigned to C3 because a1 S b3 does not hold but a1 S b2 holds,
• a2 is assigned to C1 because a2 S b3, a2 S b2 and a2 S b1 do not hold but a2 S b0 holds, and
• a3 is assigned to C2 because a3 S b3 and a3 S b2 do not hold but a3 S b1 holds.

The optimistic assignment procedure results in the following assignments:

• a1 is assigned to C3 because b0 ≻ a1, b1 ≻ a1 and b2 ≻ a1 do not hold but b3 ≻ a1 holds,
• a2 is assigned to C3 because b0 ≻ a2, b1 ≻ a2 and b2 ≻ a2 do not hold but b3 ≻ a2 holds, and
• a3 is assigned to C2 because b0 ≻ a3 and b1 ≻ a3 do not hold but b2 ≻ a3 holds.

We notice that a2 is assigned to C3 by the optimistic assignment procedure, and to C1 by the pessimistic assignment procedure, since a2 is incomparable to both profiles b1 and b2.
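The computations walked through in this appendix example, as added Python code rather than the authors' Matlab implementation: it applies the standard Electre Tri partial concordance, discordance and credibility formulas with the data of Tables I, II and IX, the cutting level λ = 0.75, and the pessimistic and optimistic assignment rules, and reproduces the relations and category assignments above.

```python
"""Electre Tri steps of the appendix example (added code, not the authors').

Standard Electre Tri partial concordance, discordance and credibility
formulas, thresholds attached to the profiles, cutting level lambda = 0.75,
and the data of Tables I, II and IX.
"""
LAMBDA = 0.75

# Table I: alternatives evaluated on g1..g5 (preference increasing on all).
ALTERNATIVES = {
    "a1": (75, 67, 85, 82, 90),
    "a2": (28, 35, 70, 90, 95),
    "a3": (45, 60, 55, 68, 60),
}
# Table IX: profiles b1 < b2 separating categories C1 < C2 < C3.
PROFILES = [(50, 48, 55, 55, 60), (70, 75, 80, 75, 85)]
# Table II: weights k_j and indifference / preference / veto thresholds
# q_j, p_j, v_j (the same for every criterion and profile in the example).
PARAMS = {"k": [1] * 5, "q": [5] * 5, "p": [10] * 5, "v": [30] * 5}


def partial_concordance(ga, gb, q, p):
    """c_j(a, b): 1 if b leads a by at most q, 0 if by p or more, linear between."""
    diff = gb - ga
    if diff <= q:
        return 1.0
    if diff >= p:
        return 0.0
    return (p - diff) / (p - q)


def partial_discordance(ga, gb, p, v):
    """d_j(a, b): 0 if b leads a by at most p, 1 (veto) if by v or more, linear between."""
    diff = gb - ga
    if diff <= p:
        return 0.0
    if diff >= v:
        return 1.0
    return (diff - p) / (v - p)


def concordance(a, b, params=PARAMS):
    """c(a, b): weighted mean of the partial concordance indices."""
    total = sum(k * partial_concordance(ga, gb, q, p)
                for ga, gb, k, q, p in zip(a, b, params["k"], params["q"], params["p"]))
    return total / sum(params["k"])


def credibility(a, b, params=PARAMS):
    """sigma(a, b): c(a, b) weakened by each criterion whose discordance exceeds it."""
    c = concordance(a, b, params)
    sigma = c
    for ga, gb, p, v in zip(a, b, params["p"], params["v"]):
        d = partial_discordance(ga, gb, p, v)
        if d > c:                      # implies c < 1, so no division by zero
            sigma *= (1.0 - d) / (1.0 - c)
    return sigma


def relation(a, b, params=PARAMS, lam=LAMBDA):
    """'I' (indifferent), '>' (a preferred), '<' (b preferred) or 'R' (incomparable)."""
    a_s_b = credibility(a, b, params) >= lam
    b_s_a = credibility(b, a, params) >= lam
    if a_s_b and b_s_a:
        return "I"
    if a_s_b:
        return ">"
    if b_s_a:
        return "<"
    return "R"


def pessimistic_assignment(a, profiles=PROFILES, params=PARAMS, lam=LAMBDA):
    """Scan profiles from the top; a goes to C_{h+1} at the first b_h with a S b_h."""
    for h in range(len(profiles), 0, -1):
        if credibility(a, profiles[h - 1], params) >= lam:
            return h + 1
    return 1


def optimistic_assignment(a, profiles=PROFILES, params=PARAMS, lam=LAMBDA):
    """Scan profiles from the bottom; a goes to C_h at the first b_h preferred to a."""
    for h in range(1, len(profiles) + 1):
        b = profiles[h - 1]
        if credibility(b, a, params) >= lam and credibility(a, b, params) < lam:
            return h
    return len(profiles) + 1


if __name__ == "__main__":
    for name, a in ALTERNATIVES.items():
        print(name, [relation(a, b) for b in PROFILES],
              "pessimistic: C%d" % pessimistic_assignment(a),
              "optimistic: C%d" % optimistic_assignment(a))
```

With these formulas c_4(b, a_1) evaluates to 0.6, since g_4(a_1) = 82 exceeds the profile value 75 by more than q_4 = 5, so c(b, a_1) comes out as 0.92 rather than the 1 shown in Table III and Equation (25); the relation a_1 I b and every category assignment are unaffected.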
TABLE XI PREFERENCE RELATIONS BETWEEN ai AND bp

        b1    b2
a1      ≻     I
a2      R     R
a3      ≻     ≺

ACKNOWLEDGMENTS

This research was supported in part by NSF grant CCR-0325571. The authors would like to thank Alfred Hero, Neal Patwari, and Manish Karir for numerous useful discussions. They also acknowledge the assistance of Eileen Hidayetoglu and Eric Zinn in the implementation of ALARM.

REFERENCES

[1] “Microsoft security bulletin MS05-039,” Aug. 2005. [Online]. Available: http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
[2] “What you should know about Zotob,” Aug. 2005. [Online]. Available: http://www.microsoft.com/security/incident/zotob.mspx
[3] S. Axelsson, “Research in intrusion-detection systems: A survey,” Department of Computer Engineering, Chalmers University of Technology, Göteborg, Sweden, Tech. Rep. 98–17, Dec. 1998.
[4] C. A. Bana e Costa, “Absolute and relative evaluation problematiques: The concept of neutral level and the MCDA robot technique,” in Multicriteria Decision Making: Methods, Algorithms and Applications, M. Cerny, D. Gluckaufova, and D. Loula, Eds. Prague: Czechoslovak Academy of Sciences, 1992.
[5] ——, “Les problématiques de l’aide à la décision : Vers l’enrichissement de la trilogie choix-tri-rangement,” RAIRO/Recherche Opérationnelle, vol. 30, no. 2, pp. 191–216, 1996.
[6] P. Barford, J. Kline, D. Plonka, and A. Ron, “A signal analysis of network traffic anomalies,” in Proc. 2nd ACM SIGCOMM Workshop on Internet Measurement - IMW’02. New York, NY, USA: ACM Press, 2002, pp. 71–82.
[7] N. Belacel, “Multicriteria assignment method PROAFTN: Methodology and medical application,” European Journal of Operational Research, vol. 125, no. 1, pp. 175–183, 2000.
[8] N. Belacel and M. R. Boulassel, “Multicriteria fuzzy classification procedure PROCFTN: Methodology and medical application,” Fuzzy Sets and Systems, vol. 141, no. 2, pp. 203–217, 2004.
[9] R. Benayoun, B. Roy, and B. Sussman, “ELECTRE: Une méthode pour guider le choix en présence de points de vue multiples,” SEMA-METRA International, Direction Scientifique, Note de Travail 49, 1966.
[10] Cisco Systems Inc., “NetFlow services and applications,” July 2002, White Paper. [Online]. Available: http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps wp.htm
[11] R. Coolen and H. Luiijf, “Intrusion detection: Generics and state-of-the-art,” Research and Technology Organisation, NATO, Neuilly-sur-Seine, France, Tech. Rep. RTO-TR-049, Jan. 2002.
[12] J. A. Costa, N. Patwari, and I. Alfred O. Hero, “Distributed weighted-multidimensional scaling for node localization in sensor networks,” ACM Trans. Sen. Netw., vol. 2, no. 1, pp. 39–64, 2006.
[13] M. Doumpos and C. Zopounidis, “A multicriteria classification approach based on pairwise comparisons,” European Journal of Operational Research, vol. 158, no. 2, pp. 378–389, Oct. 2004.
[14] J. Figueira, S. Greco, and M. Ehrgott, Eds., Multiple Criteria Decision Analysis: State of the Art Surveys, ser. International Series in Operations Research & Management Science. Boston, Dordrecht, London: Springer Verlag, 2005, vol. 78.
[15] J. Figueira, V. Mousseau, and B. Roy, “ELECTRE methods,” in Multiple Criteria Decision Analysis: State of the Art Surveys, J. Figueira, S. Greco, and M. Ehrgott, Eds. Boston, Dordrecht, London: Springer Verlag, 2005, pp. 133–162.
[16] J. W. Haines, R. P. Lippmann, D. J. Fried, E. Tran, S. Boswell, and M. A. Zissman, “1999 DARPA intrusion detection system evaluation: Design and procedures,” Lincoln Laboratory, Massachusetts Institute of Technology, Lexington, MA, USA, Tech. Rep. TR 1062, Feb. 2001.
[17] A. Hussain, J. Heidemann, and C. Papadopoulos, “A framework for classifying denial of service attacks,” in Proc. 2003 Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communications. New York, NY, USA: ACM Press, 2003, pp. 99–110.
[18] A. K. Jones and R. S. Sielken, “Computer system intrusion detection: A survey,” Computer Science Department, University of Virginia, Charlottesville, VA, USA, Tech. Rep., 1999.
[19] J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites,” in Proc. 11th International Conf. on World Wide Web - WWW’02. New York, NY, USA: ACM Press, 2002, pp. 293–304.
[20] J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, “Fast portscan detection using sequential hypothesis testing,” in Proc. 2004 IEEE Symposium on Security and Privacy, May 2004, pp. 211–225.
[21] R. A. Kemmerer and G. Vigna, “Intrusion detection: A brief history and overview,” IEEE on Computers, vol. 35, no. 4, pp. supl.27–supl.30, Apr. 2002.
[22] H.-A. Kim and B. Karp, “Autograph: toward automated, distributed worm signature detection,” in Proc. 13th USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, Aug. 2004, pp. 271–286.
[23] M.-S. Kim, H.-J. Kang, S.-C. Hong, S.-H. Chung, and J. W. Hong, “A flow-based method for abnormal network traffic detection,” in Proc. 2004 IEEE/IFIP Network Operations and Management Symposium, vol. 1, Seoul, South Korea, Apr. 2004, pp. 599–612.
[24] A. Lakhina, M. Crovella, and C. Diot, “Mining anomalies using traffic feature distributions,” ACM SIGCOMM Computer Communication Review, vol. 35, no. 4, pp. 217–228, Oct. 2005.
[25] C. Macharis, J. Springael, K. De Brucker, and A. Verbeke, “PROMETHEE and AHP: The design of operational synergies in multicriteria analysis: Strengthening PROMETHEE with ideas of AHP,” European Journal of Operational Research, vol. 153, no. 2, pp. 307–317, 2004.
[26] M. McManus, “Zotob: a malware event in warp speed [cost damage],” Comput. Econ. Rep., Int. Ed. (USA), vol. 27, no. 10, p. 15, Oct. 2005.
[27] L. Mé and C. Michel, “Intrusion detection: A bibliography,” Supélec, Rennes, France, Tech. Rep. SSIR-2001-01, Sept. 2001.
[28] J. Mirkovic and P. Reiher, “D-WARD: A source-end defense against flooding denial-of-service attacks,” IEEE Trans. on Dependable and Secure Computing, vol. 2, no. 3, pp. 216–232, Jul.-Sept. 2005.
[29] V. Mousseau, J. Figueira, and J.-P. Naux, “Using assignment examples to infer weights for ELECTRE TRI method: Some experimental results,” European Journal of Operational Research, vol. 130, pp. 263–275, 2001.
[30] V. Mousseau, R. Słowiński, and P. Zielniewicz, “ELECTRE TRI 2.0a: Methodological guide and user’s documentation,” Université Paris-Dauphine, Paris, France, Tech. Rep. 111, 1999, Document du LAMSADE.
[31] A. Ngo The and V. Mousseau, “Using assignment examples to infer category limits for the ELECTRE TRI method,” Journal of Multi-Criteria Decision Analysis, vol. 11, no. 1, pp. 29–43, 2002.
[32] M. Overton, “Zo-to-business [network worm],” Virus Bull. (UK), pp. 4–6, Oct. 2005.
[33] N. Patwari, I. Alfred O. Hero, and A. Pacholski, “Manifold learning visualization of network traffic data,” in MineNet ’05: Proceedings of the 2005 ACM SIGCOMM Workshop on Mining Network Data. New York, NY, USA: ACM Press, 2005, pp. 191–196.
[34] B. Roy, “Main sources of inaccurate determination, uncertainty and imprecision in decision models,” Mathematical and Computer Modelling, vol. 12, no. 10–11, pp. 1245–1254, 1989.
[35] ——, Multicriteria Methodology for Decision Aiding, ser. Nonconvex Optimization and its Applications. Springer Verlag, 1996, vol. 12.
[36] B. Roy and D. Bouyssou, Aide Multicritère à la Décision: Méthodes et Cas. Paris: Economica, 1993.
[37] B. Schneier, “The Zotob storm,” IEEE Secur. Privacy, vol. 3, no. 6, p. 96, Nov.-Dec. 2005.
[38] T. J. Stewart, “A critical survey of the status of multiple criteria decision making theory and practice,” OMEGA - The International Journal of Management Science, vol. 20, no. 5–6, pp. 569–586, 1992.
[39] M. Thottan and C. Ji, “Anomaly detection in IP networks,” IEEE Trans. on Signal Processing, vol. 51, no. 8, pp. 2191–2204, Aug. 2003.
[40] F. Valeur, G. Vigna, C. Kruegel, and R. A. Kemmerer, “A comprehensive approach to intrusion detection alert correlation,” IEEE Trans. on Dependable and Secure Computing, vol. 1, no. 3, pp. 146–168, Jul.-Sept. 2004.
[41] H. Wang, D. Zhang, and K. G. Shin, “Change-point monitoring for the detection of DoS attacks,” IEEE Trans. on Dependable and Secure Computing, vol. 1, no. 4, pp. 193–208, Oct.-Dec. 2004.
[42] W. Yu, “Aide multicritère à la décision dans le cadre de la problématique du tri: Concepts, méthodes et applications,” Ph.D. dissertation, University of Paris Dauphine, 1992.
[43] ——, “ELECTRE TRI : Aspects méthodologiques et manuel d’utilisation,” Université Paris-Dauphine, Document du LAMSADE 74, 1992.
[44] J. Yuan and K. Mills, “Monitoring the macroscopic effect of DDoS flooding attacks,” IEEE Trans. on Dependable and Secure Computing, vol. 2, no. 4, pp. 324–335, Oct.-Dec. 2005.
[45] C. Zopounidis and M. Doumpos, “Multicriteria classification and sorting methods: A literature review,” European Journal of Operational Research, vol. 138, no. 2, pp. 229–246, 2002.