ISP anomaly detection for home users

REU Project 2004

Problem Statement

Similar to a credit card company watching for suspect transactions, we consider an anomaly detection system for home users. In this project, students will develop a mechanism which allows an ISP to evaluate consumer usage patterns and identify deviations from these patterns to detect possible hostile activity. Theses basic patterns should include layer 4 information, direction of traffic flows, and time of day usage patterns. Students are required to have programming knowledge in any object-oriented language.

Background Information The participants need to be familar with intrusion detection systems, in particular anomaly detection and network programming. Study the following materials:

Intrusion Detection and anomaly detection

Intrusion Detection FAQ
What You Need to Know About Intrusion Detection Systems
Intrusion Detection: Reducing Network Security Risk by Recourse Technologies [December 24, 2001]
ISPs take on DDoS attacks, Computerworld, NOVEMBER 19, 2003
Victor-Valeriu Patriciu, Liviu Rusu, Iustin Priescu, Data Mining Approaches for Intrusion Detection in Email System Internet-Based
Min Qin and Kai Hwang, Anomaly Intrusion Detection by Internet Datamining of Traffic Episodes
Anomaly Detection: The Required Complement To Intrusion Detection
Balachander Krishnamurthy, Subhabrata Sen, Yin Zhang, Yan Chen, "Sketch-based change detection: methods, evaluation, and applications", Internet Measurement Workshop, Proceedings of the 2003 ACM SIGCOMM conference on Internet measurement.
Esphion's netDeFlect® A solution for intelligent traffic anomaly detection and analysis in networks
"packet filtering" in Guide to Firewalls and Network Security, Greg Holden, Thompson Publishing, 0-619-13039-3.
"intrusion detection" in Guide to Network Defenses and Countermeasures, Greg Holden, Thompson Publishing, 0-619-13124-1.

Network Programming

Beej's Guide to Network Programming
Java Network Programming FAQ
Network Programming with Java 2 Platform, Standard Edition 1.4 (J2SE)
Examples from Java Network Programming
Java Network Programming, Elliotte Rusty Harold, O'Reilly, 1-56592-227-1

Possible Approach

Develop a Java program that will build a dynamic database of consumer usage patterns
Develop a Java program that will identify deviations from the consumer usage patterns in order to detect hostile activities.
Develop test data for simulation

Expected Outcomes

Understanding of intrusion detection systems and anomaly detection
Write a survey of intrusion detection systems, describing the different types
Develop Java programs that will build the dynamic database of consumer usage patterns and identify deviations in order to detect hostile activities
Simulate activity on an ISP to determine hostile activities
Write a project report including the programs and results of the simulation

Tentative Timetable

Tentative schedule for Summer 2004 (May 24 -July 30) is as follows:

Week	Day	Activity	Project
1	Monday	Breakfast, Faculty introduction, Welcome meeting Campus and facility tours Library resources	Survey Literature
	Tuesday-Friday	Introduction to computer networks (training session)	"
	Friday night	Welcome party at CS department
2	Monday	Project adjustment	Design solution
	Tuesday-Friday	Students work on projects Research seminar Mentor-student meetings (at least twice per week)	"
	Saturday	Field trip 1
3-5	Monday-Friday	Students work on projects Mentor-student meetings (at least twice per week)	Code prototype
6	Monday	Mid-semester reports by students; Assessment 1	preliminary testing
	Tuesday-Thursday	Students work on projects Research seminar Mentor-student meetings (at least twice per week)	"
	Saturday	Field trip 2
7-9	Monday-Friday	Students work on projects Mentor-student meetings (at least twice per week)	Coding and debugging
10	Monday-Thursday	Mentor-student meetings (at least twice per week) Research seminar	"
	Friday	Final reports /seminars; Assessment 2
	Friday night	Farewell party at CS department

Facilities Required

PC for coding (either Java or C++)
secure lab for testing