Information Systems Technology
Publication Abstract
Cunningham, R. K., Hernandez, N., YAMA: Simplifying Computer Network Intrusion Detection Experiment Analysis, 11 September 2006.
Abstract
Computer network intrusion detection performance analysis requires precise labeling of all traffic into two, and perhaps three, categories so that the false alarm and detection rates can be measured correctly. The first category is “background traffic,” which is related to the mission of those using the network. The second category is “attack traffic.” When an experiment is performed on-line with an intrusion detection system, it may also be important to identify traffic that originates from that system. Today doing this is tedious and difficult, requiring analysis by personnel with a deep understanding of multiple protocols.
In a now-famous April Fools’ Day RFC, “The Security Flag in the IPv4 Header” (RFC 3514), Bellovin jokingly proposed solving this by requiring that attackers set an evil bit. Attackers demurred. Controlled evaluations cannot use such an in-packet flag either, as it introduces an unwanted artifact into the testing procedure. Much better is to use a tool that can mark packets after the fact, but doing this is extremely difficult. As Bellovin noted: “Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual.”
All of those devices face the difficult problem of marking packets given only the contents of the packet and perhaps the configuration of the network. Controlled experiments have a significant advantage: the intent of each user action is known, so a tool can be built to associate user actions with the packets they produce and mark those packets accordingly. Even so, this is difficult: a single user action produces multiple sessions using different protocols, and the total number of packets produced can easily range into the thousands.
YAMA (Your Able Marking Aide) is a tool that, given a network configuration (domain names, IP addresses, and a web page corpus) and a set of user actions, correctly labels the sessions and packets associated with those actions. YAMA’s implementation currently includes processing modules for web traffic. Packets associated with a user visiting a web page can be correctly labeled, including the domain name service lookup of the server’s IP address, the loading of pictures, multiple frames, and advertisements. An evaluation of the tool using data from Alexa’s “Top 100 Sites” shows that nearly all sessions and packets can be correctly associated with the action of visiting the web site.
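The labeling approach the abstract describes, as an added illustration (this is not YAMA’s code, and the flow-record format, hostnames, addresses, corpus and action list below are all constructed for the example): sessions are labeled from the known intent of scripted actions plus the network configuration, never from packet contents alone. A “visit” action explains the DNS lookups and web sessions to the page host and, transitively, to the hosts of images, frames and advertisements recorded in the corpus; an “attack” action explains traffic from the attacking host to its target; traffic to or from the IDS host is the third category; whatever remains is left unexplained, which is the residual an evaluation like the one in the abstract reports.

```python
"""After-the-fact session labelling in the spirit of YAMA.

Added example, not YAMA's code. Flow records, hostnames, addresses and the
configuration are constructed for illustration (assumed format, not YAMA's).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """One session reduced to the fields the labeller needs."""
    start: float       # seconds, first packet of the session
    src: str           # client-side address
    dst: str           # server-side address
    proto: str         # "udp" or "tcp"
    dport: int
    pkts: int = 1
    qname: str = ""    # DNS query name when proto/dport is udp/53


@dataclass(frozen=True)
class Action:
    """A scripted action whose intent is known to the experimenter."""
    kind: str          # "visit" (web module) or "attack"
    actor: str         # address of the host performing the action
    target: str        # page hostname for "visit", victim address for "attack"
    t: float           # time the action was issued


@dataclass
class NetworkConfig:
    dns: Dict[str, str]            # hostname -> address (one per name, assumed)
    corpus: Dict[str, List[str]]   # page host -> hosts of embedded resources
    ids_hosts: Set[str] = field(default_factory=set)


def expected_hosts(cfg: NetworkConfig, page: str) -> Set[str]:
    """Hosts a visit to `page` may contact: the page host plus, transitively,
    the hosts of images, frames and advertisements recorded in the corpus."""
    seen: Set[str] = set()
    todo = [page]
    while todo:
        h = todo.pop()
        if h not in seen:
            seen.add(h)
            todo.extend(cfg.corpus.get(h, []))
    return seen


def label_flows(cfg: NetworkConfig, actions: List[Action], flows: List[Flow],
                window: float = 30.0) -> List[str]:
    """One label per flow: "ids", "attack", "background:<page>" or "unexplained".
    `window` bounds how long after an action its traffic may start."""
    labels: List[str] = []
    for f in flows:
        label = "unexplained"
        if f.src in cfg.ids_hosts or f.dst in cfg.ids_hosts:
            label = "ids"                      # traffic of the IDS under test
        else:
            for a in actions:
                if f.src != a.actor or not (a.t <= f.start <= a.t + window):
                    continue
                if a.kind == "attack" and f.dst == a.target:
                    label = "attack"
                    break
                if a.kind == "visit":
                    hosts = expected_hosts(cfg, a.target)
                    addrs = {cfg.dns[h] for h in hosts if h in cfg.dns}
                    is_dns = f.proto == "udp" and f.dport == 53 and f.qname in hosts
                    is_web = f.proto == "tcp" and f.dport in (80, 443) and f.dst in addrs
                    if is_dns or is_web:
                        label = f"background:{a.target}"
                        break
        labels.append(label)
    return labels


def packet_counts(flows: List[Flow], labels: List[str]) -> Dict[str, int]:
    """Packets per label, the figure an evaluation reports."""
    counts: Dict[str, int] = {}
    for f, lab in zip(flows, labels):
        counts[lab] = counts.get(lab, 0) + f.pkts
    return counts


# Constructed sample: one page visit, one scripted attack, IDS log export,
# and one web session the corpus does not account for.
CFG = NetworkConfig(
    dns={"www.example.test": "192.0.2.10", "img.example.test": "192.0.2.11",
         "frame.example.test": "192.0.2.12", "ads.adnet.test": "198.51.100.7"},
    corpus={"www.example.test": ["img.example.test", "frame.example.test"],
            "frame.example.test": ["ads.adnet.test"]},
    ids_hosts={"10.0.0.9"},
)
ACTIONS = [Action("visit", "10.0.0.5", "www.example.test", 100.0),
           Action("attack", "203.0.113.4", "192.0.2.10", 200.0)]
FLOWS = [
    Flow(100.1, "10.0.0.5", "10.0.0.2", "udp", 53, 2, "www.example.test"),
    Flow(100.2, "10.0.0.5", "192.0.2.10", "tcp", 80, 40),
    Flow(100.4, "10.0.0.5", "10.0.0.2", "udp", 53, 2, "frame.example.test"),
    Flow(100.5, "10.0.0.5", "192.0.2.12", "tcp", 80, 25),
    Flow(100.6, "10.0.0.5", "10.0.0.2", "udp", 53, 2, "ads.adnet.test"),
    Flow(100.7, "10.0.0.5", "198.51.100.7", "tcp", 443, 60),
    Flow(101.0, "10.0.0.5", "192.0.2.99", "tcp", 80, 8),    # not in the corpus
    Flow(150.0, "10.0.0.9", "10.0.0.1", "tcp", 514, 5),     # IDS syslog export
    Flow(200.3, "203.0.113.4", "192.0.2.10", "tcp", 22, 300),
]

if __name__ == "__main__":
    for f, lab in zip(FLOWS, label_flows(CFG, ACTIONS, FLOWS)):
        print(f"{f.start:6.1f} {f.src:>13} -> {f.dst:<13} {f.proto}/{f.dport:<3} {lab}")
    print(packet_counts(FLOWS, label_flows(CFG, ACTIONS, FLOWS)))
```

The time window and the one-address-per-name DNS model are simplifications; a real labeller would bind each web session to the DNS answer actually observed for that client, since a CDN-hosted advertisement can resolve to a different address on every lookup, and would have to cope with the session count per visit running into the hundreds.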
Keywords: Intrusion Detection Evaluation, Computer Networks, Evil Bit
This work is sponsored by the United States Air Force under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.