CAMNEP is a research prototype of a network intrusion detection system. It is based on the collaboration of a community of detection agents, each of which embodies an existing anomaly detection model. The agents use extended trust modeling, a technique established in the multi-agent systems research field, to improve the quality of classification beyond what the individual models provide. The agents process unsampled data acquired by dedicated high-performance NetFlow aggregation cards.
Its main features are:
* CAMNEP falls into the class of Network Behavior Analysis systems: it detects attacks using only statistics about the network traffic, never the content of the traffic.
* Because no packet content is examined, the system respects the privacy of the users and is robust with respect to traffic encryption.
* Because it uses the anomaly detection paradigm, it does not rely on a set of rules describing known attacks, which makes it suitable for the detection of zero-day attacks.
In order to illustrate the capabilities of the system from the user's perspective (e.g. a network administrator or incident analyst), we present the analysis of one particular attack detected by the system: a TCP vertical scan (SYN and connect scan), in which a single source probes many ports on one target host.
The main concept introduced by the system is the trustfulness of a flow: a value in the [0,1] interval, aggregated from the individual trustfulness values reported by the agents, that is determined for every flow and estimates the flow's legitimacy. The system uses this value to build, for each observation interval, a histogram of the traffic over the trustfulness spectrum. Flows accumulated at the left (low-trustfulness) side of the histogram are therefore classified as malicious, while the bulk of the legitimate traffic lies on the right side of the distribution.
When the administrator sees a significant peak of untrusted traffic in the histogram, they can quickly analyse it using the characteristics of the traffic as presented by the system, the structured visualization, or the embedded event analysis tool.
The principal functionality of the system is its ability to process raw NetFlow data, aggregate it in a meaningful manner and classify it by trustfulness. The administrator can therefore concentrate on the set of flows the system identifies as untrusted. In our pilot deployment on a university campus, this meant that instead of analyzing 50 000 lines of data (one per flow), or watching only the aggregate values for the whole line, the operator could efficiently investigate fewer than 5 incidents in a given period, such as inbound/outbound scans, DoS attacks, major P2P activity or brute-force attacks on password-protected systems.
The system combines existing open-source solutions, such as the A-Globe multi-agent platform, the nfsen NetFlow collector and the Prefuse and Walrus visualization tools, with innovative components for unsampled data acquisition and attack detection:
* Data acquisition is performed by a FlowMon card based on the Combo 6 platform. This purpose-built, FPGA-based hardware allows the system to acquire unsampled NetFlow data on multi-Gb/s lines.
* Attack detection is performed by a set of detection agents using a multi-stage collaboration process based on extended trust modeling. In the anomaly stage, each agent's embedded anomaly model assigns an anomaly score to every flow; the trust modeling stage gathers these scores, combines them into a single anomaly value per flow, and lets each agent update its trust model with the anomalies of the current set of flows. The trust models then return the trustfulness of each flow, which is derived from the anomaly of similar flows observed in the past, and the per-agent trustfulness values are combined into the final system output.
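To make the anomaly-to-trustfulness pipeline concrete (the trustfulness histogram described with the vertical scan walkthrough above, and the multi-stage trust modeling of the detection agents), here is an added example in Python. It is not CAMNEP's own code (CAMNEP is built on the A-Globe platform and on established anomaly models); the three toy anomaly models, the per-agent notion of "similar flows", the 0.3 reporting threshold and the NetFlow-like sample records, including the scanner 10.0.0.5 and its target 203.0.113.7, are all assumptions constructed for the demonstration. It runs one observation interval containing a vertical SYN scan mixed with ordinary web sessions through three agents and produces the trustfulness histogram and the untrusted set.

```python
"""Toy model of a CAMNEP-style round: per-agent anomaly scores -> one combined anomaly per
flow -> per-agent trust models over 'similar' flows -> aggregated trustfulness -> histogram.
Added example, not CAMNEP's code; the models, keys and sample flows are assumptions."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from statistics import fmean


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record (constructed; real exporters carry many more fields)."""
    src: str
    dst: str
    dport: int
    flags: str    # cumulative TCP flags: "S" = SYN only, "SAPF" = completed session
    packets: int


def sample_interval():
    """Constructed interval: a vertical SYN scan (one 1-packet SYN-only flow per port) from
    10.0.0.5 against 203.0.113.7, mixed with ordinary HTTPS and HTTP sessions."""
    scan = [Flow("10.0.0.5", "203.0.113.7", port, "S", 1) for port in range(1, 26)]
    https = [Flow(f"10.0.1.{i}", "198.51.100.10", 443, "SAPF", 12 + i) for i in range(1, 16)]
    http = [Flow(f"10.0.1.{i}", "198.51.100.20", 80, "SAPF", 8 + i) for i in range(1, 11)]
    return scan + https + http


# Anomaly models: each maps a whole interval to a per-flow anomaly score in [0, 1].
def fanout_anomaly(flows):
    """Vertical-scan view: how many distinct destination ports one source touched on one host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return {f: min(1.0, (len(ports[(f.src, f.dst)]) - 1) / 10) for f in flows}


def handshake_anomaly(flows):
    """Session view: no ACK ever seen plus very few packets looks like a probe, not a session."""
    return {f: (0.0 if "A" in f.flags else 1.0) * max(0.0, 1 - (f.packets - 1) / 5)
            for f in flows}


def port_popularity_anomaly(flows):
    """Service view: destination ports rarely seen in this interval are unusual."""
    seen = Counter(f.dport for f in flows)
    top = max(seen.values())
    return {f: 1 - seen[f.dport] / top for f in flows}


class Agent:
    """Detection agent = anomaly model + trust model that remembers the combined anomaly of
    the flows it considers similar (same key) across observation intervals."""

    def __init__(self, anomaly_fn, key_fn, memory=1000):
        self.anomaly_fn, self.key_fn = anomaly_fn, key_fn
        self.history = defaultdict(lambda: deque(maxlen=memory))  # key -> past anomalies

    def update(self, flows, combined):
        for f in flows:
            self.history[self.key_fn(f)].append(combined[f])

    def trustfulness(self, f):
        """1 - mean anomaly of similar flows seen so far; neutral 0.5 if none were seen."""
        past = self.history.get(self.key_fn(f))
        return 1.0 - fmean(past) if past else 0.5


def make_agents():
    return [
        Agent(fanout_anomaly, lambda f: (f.src, f.dst)),
        Agent(handshake_anomaly, lambda f: (f.flags, "short" if f.packets <= 2 else "long")),
        Agent(port_popularity_anomaly, lambda f: f.dport),
    ]


def run_interval(agents, flows):
    """One round: per-agent anomalies -> combined anomaly per flow -> trust-model update ->
    per-agent trustfulness -> final trustfulness (mean over agents) for every flow."""
    scores = [a.anomaly_fn(flows) for a in agents]
    combined = {f: fmean(s[f] for s in scores) for f in flows}
    for a in agents:
        a.update(flows, combined)
    return {f: fmean(a.trustfulness(f) for a in agents) for f in flows}


def histogram(trust, bins=10):
    """Flow counts over the trustfulness spectrum [0, 1]; bin 0 is the untrusted end."""
    counts = [0] * bins
    for t in trust.values():
        counts[min(bins - 1, int(t * bins))] += 1
    return counts


def untrusted(trust, threshold=0.3):
    """The short list of flows an operator looks at first."""
    return [f for f, t in trust.items() if t < threshold]


if __name__ == "__main__":
    trust = run_interval(make_agents(), sample_interval())
    print("histogram over trustfulness:", histogram(trust))
    for f in untrusted(trust)[:3]:
        print(f"{trust[f]:.3f}", f)
```

With the constructed interval, all 25 scan flows land in the lowest histogram bin and all 25 legitimate sessions in the highest, so the operator reviews one source/destination pair rather than 50 records. The trust models also carry memory across intervals: if the same agents are fed a follow-up interval in which the scanner sends only three more probes (too few for the fan-out model to flag on its own), the probes still receive a low trustfulness because similar flows were anomalous before, whereas freshly created agents would rate them noticeably higher.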
CAMNEP is a joint research effort between the Agent Technology Center, Department of Cybernetics, Czech Technical University in Prague and Institute of Computer Science, Masaryk University, with support from CESNET.
Its development and the associated research have been supported by the European Research Office of the US Army under Contract No. N62558-07-C-0001 and by Czech Ministry of Education grants 1M0567, 6840770038 (CTU) and 6383917201 (CESNET).