Rack of Ethernet switches.

Textual Analysis for Network Attack Recognition
Textual Analysis Tools

Textual Analysis — Background

Author attribution, the analysis of written texts in an attempt to measure distinctive patterns of words or word sequence use, is an area that has gotten quite a bit of attention. Maybe this area can help solve this problem.

Consider the problem of comparing various English language texts. There will be similarities and differences, and these might suggest common authorship, or different authorship on the same theme. To an even greater degree than the logged attack sequences, the similarity will be imperfect. No author uses identical distributions of words or multi-word phrases in two works (or at least no author would be popular or probably even published given such drearily repetitive output).

For example, Mark Twain, Rudyard Kipling and Joseph Conrad wrote at approximately the same time, so there will be similarities in their use of English. They also had some themes in common — both Twain's Huckleberry Finn and Kipling's Kim were tales of a boy's grand adventure. Similarly, both Kipling's Kim and Conrad's Heart of Darkness feature adventure and intrigue in exotic settings. Kipling's Captains Courageous and Conrad's Lord Jim are both nautical stories. But there will also be distinctive differences:

First, Twain's fiction was largely set in south-central or far western America, Kipling's were largely set in greater India, and Conrad's Heart of Darkness was set in equatorial Africa. So, each author's set of works will include distinctive place names and terminology.

Second, both Twain and Kipling wrote at least partly in local vernacular, using literal transcriptions of the pronunciations and grammars of south-central American and the Cockney of British soldiers stationed in India, so their writing styles are very distinct from strictly English-language authors of that period. (and they are orthographic nightmares to automatically analyze, leading to my not using their vernacular works here!)

Third, people study literature and earn degrees for work analyzing the differences in vocabulary and phrasing that would still be present when two authors wrote about the same thing. Their vocabularies will vary, and so will their sentence structures. The problem of author attribution is the attempt to decide who wrote a previously unknown work. This is what we are trying to accomplish with log analysis — does this attack sequence appear "similar enough" to a known cluster of general attack forms to suggest attribution to some previously seen attacker?

However, we are looking for tools to automate the process. The previous page presented some examples of similar or identical network attacks, but they were based on skilled human analysis as were the above (unskilled) human comments on similarities and differences among 19th century literature.

Some potentially useful measures of the similarity of two texts have been defined. They are based on breaking each text into subsequences and then measuring the similarity between the subsequence sets.

The texts are broken into sets called n-grams, n-tuples, or more meaningfully, w-shingles, overlapping subsequences of w tokens. For example, Kipling's The Man Who Would Be King begins:

The Law, as quoted, lays down a fair conduct of life, and one not easy to follow. I have been fellow to a beggar again and again under circumstances which prevented either of us finding out whether the other was worthy.

Punctuation and capitalization are removed and the shingles formed as overlapping subsequences. Let's say we are forming 6-shingles:

the law as quoted lays down
    law as quoted lays down a
        as quoted lays down a fair
           quoted lays down a fair conduct
	          ....

This is continued to form the list of shingles. The set formed by the first sentence contains:

the law as quoted lays down
law as quoted lays down a
as quoted lays down a fair
quoted lays down a fair conduct
lays down a fair conduct of
down a fair conduct of life
a fair conduct of life and
fair conduct of life and one
conduct of life and one not
of life and one not easy
life and one not easy to
and one not easy to follow

It seems inappropriate to form a shingle spanning the end of one sentence and the beginning of the next. They are different thoughts, and further into the text you would be forming shingles spanning from one paragraph to the next, or even one chapter to the next. It isn't fair to claim that Kipling wrote the non-grammatical phrase "one not easy to follow I" or the Yoda-like utterance "easy to follow I have been" just because he happened to use the first few words to finish one sentence and then the remainder to start some later sentence (or paragraph, or even chapter). So, the subsequent 6-shingles in the set should skip to the start of the next sentence:

i have been fellow to a beggar
have been fellow to a beggar again
been fellow to a beggar again and
... and so on ...

So, with English texts we really should do some pre-processing to break the text into sentences. This leads to difficulty caused by orthography and uncertainty about just how to deal with quoted text. To create a contrived example, how would you most meaningfully deal with nested quotes of this form:

Bagheera warned Mowgli, "Shere Khan has often said 'I will kill the man-cub.'"

Furthermore, is "man-cub" a single token or is it two tokens joined by a dash? Are the nominative "Bagheera" and the possessive "Bagheera's" to be treated as distinct tokens, or as equivalent because they are inflected forms of the same word? If they are treated as equivalent, then what about the nominative "I" versus the accusative or objective "me" versus the possessive "my"?

Those are questions of linguistics, not statistics. My approach in the initial development and testing based on literary example texts has been to attempt to preprocess the texts to do something fairly reasonable and say "close enough". Removing all punctuation after splitting into sentences means:

The good news is that we don't have to worry about any of this when analyzing login guess sequences, as each sequence is treated as one long "sentence".

The Street Called Straight, in Damascus, Syria.

The Street Called Straight in Damascus, Syria, a subject of some of Twain's non-fiction writing. Click here for some of my pictures of places along Twain's Innocents Abroad.

Textual Analysis — Measures of Similarity

Resemblance, or Jaccard's Coefficient

Let's say we have two documents, and A and B are their two sets of unique w-shingles for some shingle size w. The resemblance, also called Jaccard's Similarity Coefficent, can be estimated as the ratio of the magnitudes of the intersection and union of their w-shingle sets. To what extent are they built from the same w-shingles? This will range from 0 (entirely disjoint) to 1 (identical shingle sets).

| A ∩ B |
r(A,B)    =    ----------------------
| A ∪ B |

The Sørensen-Dice Similarity Coefficient

Sørensen's Similarity Coefficient is also known as the Czekanowski Index. Multiplied by two you get Dice's Coefficient, a value in the range 0 through 1:

| A ∩ B |
S(A,B)    =    ----------------------
| A | + | B |
 
2 | A ∩ B |
D(A,B)    =    ----------------------
| A | + | B |

Containment

The Containment of one shingle set within another indicates the inclusion of set A within set B, or the extent to which A is composed of elements of B.

| A |
C(A,B)    =    ----------------------
| A ∩ B |

Hamming Distance

The Hamming Distance is the minimum number of substitutions required to change one string into a string of equal length. I cannot use the Hamming Distance as the login sequences are not of equal length. However....

Levenshtein distance

The Levenshtein distance is also called the edit distance, is the minimum number of operations needed to transform one sequence into the other, where the operations are insertion, deletion, and substitution. The Unix diff command produces editor-like output similar to a description of the Levenshtein distance.

Vector Space Model

One problem with the above measures is that they are based on sets of unique w-shingles within documents. All shingles have equal weight regardless of how many times they appear in a document. A Vector Space Model, or term vector model, provides a way of modeling the distribution of shingle uses.

Start with a corpus, a collection of input texts. I used a number of classic works from Project Gutenberg, edited to extract the text from the boilerplate header and final notes, and processed to regularize the orthography and split it into one sentence per line (at least approximately, given the above discussion of orthographic difficulties). Simple shell scripts and awk programs can then form the shingle sets and calculate the resemblance, Dice's coefficient, and containment.

For the vector space model, form the list of all unique shingles found in the corpus. This list can be in any order, alphabetical or lexicographical is fine and makes this set the output of the fairly trivial sort -u command.

Let's say there are n unique shingles. Then for document number i we form a vector of n floating point numbers:
Vi = { v1, v2, ..., vn }
where vj is the percentage of the shingles of document i identical to shingle j from the union set. The vector is then normalized so its magnitude is 1.

A vector space similarity measure is then the dot product of the vectors for two documents.

Similiarity Measure Results on English Text

The corpus from Project Gutenberg is as follows. For these examples of English prose, increased shingle size quickly leads to sets of mostly unique shingles — that is, shingles that appear just once within the text. Roughly half the 2-shingles and over 70% of the 3-shingles within each work appear just once, This causes most of the similarity measures to quickly drop to near zero. The vector space model is the only one that seems to be of much use for discovering textual similarities.

Author Work Words Percentage of w-shingles appearing once only
w=1 w=2 w=3 w=4 w=5
Joseph Conrad Heart of Darkness 38533 15.61 64.07 92.57 98.72 99.69
Lord Jim 130220 9.11 51.85 86.88 97.35 99.39
The Secret Sharer 16659 18.16 67.09 93.30 98.64 99.51
— total — 185412 7.67 48.39 84.88 96.89 99.30
Charles Dickens Bleak House 355382 5.01 39.94 79.36 95.11 98.60
A Christmas Carol 29201 17.28 66.34 92.89 98.03 98.88
The Cricket on the Hearth 31634 15.61 65.10 92.84 98.28 99.33
David Copperfield 357111 5.05 38.14 77.61 94.67 98.67
Great Expectations 185259 6.75 43.92 81.79 95.88 98.95
A Tale of Two Cities 136306 8.27 50.42 86.62 97.05 98.99
— total — 1094893 2.92 30.87 71.21 92.38 98.08
Rudyard Kipling The Second Jungle Book 64301 10.53 56.72 88.98 97.24 99.07
Captains Courageous 52926 15.15 66.37 94.02 98.92 99.70
Just-So Stories 29012 12.88 54.79 82.80 91.29 94.46
Kim 106110 11.41 56.19 89.25 97.70 99.33
The Light That Failed 71581 12.26 57.55 90.30 98.06 99.49
The Jungle Book 51090 10.59 56.58 88.75 97.22 98.96
The Man Who Would Be King 14238 20.05 71.03 95.16 98.96 99.72
— total — 389258 6.51 44.41 82.44 95.77 98.65
W. Somerset Maugham The Moon and Sixpence 74974 10.03 51.75 86.25 96.84 99.18
Of Human Bondage 259615 5.25 38.09 76.24 93.25 98.20
— total — 334589 4.73 36.40 75.06 92.92 98.12
H.G. Wells The First Men in the Moon 68675 11.61 57.37 89.50 97.96 99.63
The Invisible Man 48890 13.37 59.77 90.04 97.74 99.36
The Island of Doctor Moreau 43743 13.44 59.57 90.19 97.78 99.35
The Time Machine 32473 15.53 62.89 91.38 98.25 99.55
The War of the Worlds 60213 12.31 58.74 89.92 98.02 99.56
— total — 253994 6.64 45.85 83.05 96.25 99.18

Within-Author Results

Measures for shingles of just one or two tokens tend to be nearly 1 for comparisons within a single author. Below are the vector space measures for 3-shingles and 5-shingles.

Joseph Conrad

                   Heart  LordJi Secret   3-shingles
Heart of Darkness  1.0000 0.8445 0.9035
Lord Jim           0.8445 1.0000 0.8760
The Secret Sharer  0.9035 0.8760 1.0000

                   Heart  LordJi Secret   5-shingles
Heart of Darkness  1.0000 0.1012 0.1566
Lord Jim           0.1012 1.0000 0.1406
The Secret Sharer  0.1566 0.1406 1.0000

Charles Dickens

                           BleakH CCarol Cricke DavidC GreatE TaleOf   3-shingles
Bleak House                1.0000 0.9767 0.9764 0.9515 0.9616 0.7210
A Christmas Carol          0.9767 1.0000 0.9947 0.9779 0.9839 0.7306
The Cricket on the Hearth  0.9764 0.9947 1.0000 0.9779 0.9836 0.7307
David Copperfield          0.9515 0.9779 0.9779 1.0000 0.9648 0.7212
Great Expectations         0.9616 0.9839 0.9836 0.9648 1.0000 0.7208
A Tale of Two Cities       0.7210 0.7306 0.7307 0.7212 0.7208 1.0000

                           BleakH CCarol Cricke DavidC GreatE TaleOf   5-shingles
Bleak House                1.0000 0.3853 0.3795 0.2170 0.2477 0.2390
A Christmas Carol          0.3853 1.0000 0.6325 0.3815 0.4245 0.3128
The Cricket on the Hearth  0.3795 0.6325 1.0000 0.3760 0.4179 0.3095
David Copperfield          0.2170 0.3815 0.3760 1.0000 0.2474 0.2404
Great Expectations         0.2477 0.4245 0.4179 0.2474 1.0000 0.2454
A Tale of Two Cities       0.2390 0.3128 0.3095 0.2404 0.2454 1.0000

Rudyard Kipling

                           2ndJun CptnsC JustSo Kim    LightT Jungle MWWBKg   3-shingles
The Second Jungle Book     1.0000 0.9071 0.9121 0.8806 0.8955 0.9160 0.9384
Captains Courageous        0.9071 1.0000 0.9220 0.8909 0.9095 0.9193 0.9450
Just-So Stories            0.9121 0.9220 1.0000 0.8942 0.9136 0.9254 0.9530
Kim                        0.8806 0.8909 0.8942 1.0000 0.8805 0.8915 0.9216
The Light That Failed      0.8955 0.9095 0.9136 0.8805 1.0000 0.9104 0.9378
The Jungle Book            0.9160 0.9193 0.9254 0.8915 0.9104 1.0000 0.9497
The Man Who Would Be King  0.9384 0.9450 0.9530 0.9216 0.9378 0.9497 1.0000

                           2ndJun CptnsC JustSo Kim    LightT Jungle MWWBKg   5-shingles
The Second Jungle Book     1.0000 0.2308 0.3162 0.1974 0.2128 0.2477 0.3401
Captains Courageous        0.2308 1.0000 0.3257 0.1982 0.2109 0.2439 0.3332
Just-So Stories            0.3162 0.3257 1.0000 0.2712 0.2989 0.3390 0.4829
Kim                        0.1974 0.1982 0.2712 1.0000 0.1828 0.2096 0.2920
The Light That Failed      0.2128 0.2109 0.2989 0.1828 1.0000 0.2256 0.3098
The Jungle Book            0.2477 0.2439 0.3390 0.2096 0.2256 1.0000 0.3589
The Man Who Would Be King  0.3401 0.3332 0.4829 0.2920 0.3098 0.3589 1.0000

W. Somerset Maugham

                       MoonSx HumanB
The Moon and Sixpence  1.0000 0.9298   3-shingles
Of Human Bondage       0.9298 1.0000

                       MoonSx HumanB
The Moon and Sixpence  1.0000 0.2216   5-shingles
Of Human Bondage       0.2216 1.0000

H. G. Wells

                           1stMen Invisi Island TimeMa WarWor   3-shingles
The First Men in the Moon  1.0000 0.8835 0.8935 0.9034 0.8843
The Invisible Man          0.8835 1.0000 0.9019 0.9074 0.8921
The Island of Dr Moreau    0.8935 0.9019 1.0000 0.9187 0.9000
The Time Machine           0.9034 0.9074 0.9187 1.0000 0.9077
The War of the Worlds      0.8843 0.8921 0.9000 0.9077 1.0000

                           1stMen Invisi Island TimeMa WarWor   5-shingles
The First Men in the Moon  1.0000 0.1003 0.1035 0.1092 0.0903
The Invisible Man          0.1003 1.0000 0.1225 0.1289 0.1062
The Island of Dr Moreau    0.1035 0.1225 1.0000 0.1345 0.1095
The Time Machine           0.1092 0.1289 0.1345 1.0000 0.1164
The War of the Worlds      0.0903 0.1062 0.1095 0.1164 1.0000

The results for the works of Charles Dickens best show what was expected — his Christmas stories A Christmas Carol and Cricket on the Hearth are the most similar to each other. Their 5-shingle vector space similarity was 0.6325. His A Tale of Two Cities, with an entirely different setting and topic, the French Revolution, seems to differ the most from his other works.

The vector space similarity measure seems to be the only measure useful for English prose similarity, but the next page tries all the measures on the network attack signature data.

Given the common early termination of individual attack threads, the resemblance and even the containment measures may be of use.


To The Security Page