Anomaly Based Intrusion Detection System Using Naive Bayesian and Hidden Markov Models
By Jonathan Lally, ID: 12211753, Email: [email protected]

Posted on 18-Dec-2015


What is an IDS?


Goals
• Identify
• Prevent
• Learn

Location

Misuse Detectors
Analyses signatures:
◦ IP address
◦ Port and count
◦ Packet flags

Misuse Detectors
Advantages
• Known attacks
• Quick
Disadvantages
• Regular patches
• Adaptive attackers

Anomaly Detectors
• Knows user habits
• Flags odd behaviour
• Blocks persistently flagged connections

Anomaly Detectors
Advantages
◦ Powerful
◦ Blocks unknown attacks
Disadvantages
◦ Slow
◦ False positives
◦ Training

Hidden Markov Model
Finite state analysis

Hidden Markov Model
Watches state transitions
Advantages
◦ Accurate
Disadvantages
◦ Slow
◦ Memory usage
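The slides describe the HMM detector only as finite-state analysis that watches state transitions. The following is an added example, not code from the slides or the author's experiment: it learns which TCP flag-state transitions ordinary connections make from a few constructed traces and then scores a new trace by its per-transition log-likelihood, flagging traces whose transitions were rarely or never seen. The states are observed flags rather than hidden states, so this is a first-order Markov chain, a deliberate simplification of the hidden-state model the slide names; the state set, the traces and the threshold are all assumptions.

```python
"""Added example, not from the slides: anomaly scoring of TCP flag-state
transitions with a first-order Markov chain (a simplification of the HMM
the slide names: states are the observed flags, not hidden states).
Learn which transitions normal connections make, then flag traces whose
transitions are improbable. State names, traces and threshold are constructed."""
import math
from collections import defaultdict

# Assumed observable states of one connection, one per packet flag combination.
STATES = ["SYN", "SYN/ACK", "ACK", "PSH/ACK", "FIN/ACK", "RST"]

# Constructed training traces: handshake, some data exchange, teardown (or a reset).
NORMAL_TRACES = [
    ["SYN", "SYN/ACK", "ACK", "PSH/ACK", "ACK", "PSH/ACK", "ACK", "FIN/ACK", "ACK"],
    ["SYN", "SYN/ACK", "ACK", "PSH/ACK", "ACK", "FIN/ACK", "ACK"],
    ["SYN", "SYN/ACK", "ACK", "PSH/ACK", "PSH/ACK", "ACK", "FIN/ACK", "ACK"],
    ["SYN", "SYN/ACK", "ACK", "PSH/ACK", "ACK", "RST"],
]


class MarkovTraceModel:
    def __init__(self, states, alpha=0.1):
        self.states = states
        self.alpha = alpha  # additive smoothing: unseen transitions become rare, not impossible
        self.counts = defaultdict(lambda: defaultdict(int))  # counts[a][b] = times a -> b
        self.start = defaultdict(int)                        # how often a state opens a trace
        self.n_traces = 0

    def fit(self, traces):
        for trace in traces:
            self.n_traces += 1
            self.start[trace[0]] += 1
            for a, b in zip(trace, trace[1:]):
                self.counts[a][b] += 1
        return self

    def trans_prob(self, a, b):
        total = sum(self.counts[a].values())
        k = len(self.states)
        return (self.counts[a][b] + self.alpha) / (total + self.alpha * k)

    def start_prob(self, s):
        k = len(self.states)
        return (self.start[s] + self.alpha) / (self.n_traces + self.alpha * k)

    def log_likelihood(self, trace):
        ll = math.log(self.start_prob(trace[0]))
        for a, b in zip(trace, trace[1:]):
            ll += math.log(self.trans_prob(a, b))
        return ll

    def per_step_score(self, trace):
        """Average log-likelihood per transition, so traces of different length compare."""
        return self.log_likelihood(trace) / max(len(trace) - 1, 1)


MODEL = MarkovTraceModel(STATES).fit(NORMAL_TRACES)


def score_trace(trace):
    return MODEL.per_step_score(trace)


def is_anomalous(trace, threshold=-2.0):
    """Flag a trace whose average transition is far less likely than training traces.
    The threshold is an assumed cut-off; in practice it is tuned on held-out normal traffic."""
    return score_trace(trace) < threshold


if __name__ == "__main__":
    for trace in (NORMAL_TRACES[1], ["SYN"] * 5, ["SYN", "PSH/ACK", "PSH/ACK"]):
        print(trace, round(score_trace(trace), 2), is_anomalous(trace))
```

A trace of nothing but SYNs (one connection never completing the handshake) and a trace that pushes data before any handshake both score far below the training traces, because the model has never seen SYN followed by SYN or by PSH/ACK. This is also where the slide's cost comes from: the transition table grows with the number of states, and every new state or protocol needs retraining before its transitions stop looking anomalous.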

Naive Bayesian Model
Probability distribution of packet type

Average connection: < 3 RSTs, 8 SYNs, 48 ACKs, 1 FIN/ACKs, 40 PSH/ACKs >

DoS attack: < 0 RSTs, 100 SYNs, 0 ACKs, 0 FIN/ACKs, 0 PSH/ACKs >

Naive Bayesian Model
Advantages
• Fast
• Effective
Disadvantages
• High false positives
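The slides give the Naive Bayesian detector as a probability distribution over packet types per connection, with one prototype vector for an average connection and one for a DoS attack. The following is an added example, not code from the slides or the author's experiment: a multinomial naive Bayes classifier over the five-count vector <RST, SYN, ACK, FIN/ACK, PSH/ACK>, trained on a handful of constructed vectors built around the two prototypes on the slide. The training vectors, the smoothing constant and the class names are assumptions.

```python
"""Added example, not from the slides: multinomial naive Bayes over the
per-connection packet-type counts <RST, SYN, ACK, FIN/ACK, PSH/ACK>.
Each class is a probability distribution over packet types; a connection
is assigned to the class under which its observed mix of packets is most
likely. Training vectors are constructed around the slide's two prototypes."""
import math

PACKET_TYPES = ["RST", "SYN", "ACK", "FIN/ACK", "PSH/ACK"]

# Constructed training data (assumption): ordinary connections and SYN-flood
# connections, in the slide's feature order.
TRAINING = {
    "normal": [
        [3, 8, 48, 1, 40],     # the slide's "average connection"
        [2, 7, 52, 1, 44],
        [4, 9, 45, 1, 38],
        [3, 8, 50, 2, 41],
        [1, 6, 55, 1, 47],
        [5, 10, 42, 1, 35],
    ],
    "dos": [
        [0, 100, 0, 0, 0],     # the slide's "DoS attack"
        [0, 95, 0, 0, 0],
        [1, 110, 1, 0, 0],
        [0, 120, 0, 0, 0],
        [0, 90, 2, 0, 0],
        [0, 105, 0, 0, 1],
    ],
}


class MultinomialNB:
    def __init__(self, training, alpha=1.0):
        # alpha: Laplace smoothing, so a packet type never seen in a class gets a
        # small non-zero probability instead of vetoing that class outright.
        total_rows = sum(len(rows) for rows in training.values())
        self.log_prior = {}
        self.log_theta = {}  # per class: log P(packet type | class), one per type
        for label, rows in training.items():
            self.log_prior[label] = math.log(len(rows) / total_rows)
            type_totals = [sum(col) for col in zip(*rows)]
            denom = sum(type_totals) + alpha * len(type_totals)
            self.log_theta[label] = [math.log((t + alpha) / denom) for t in type_totals]

    def log_score(self, label, x):
        """log P(class) + sum_i x_i * log P(type_i | class). The multinomial
        coefficient is dropped because it is identical for every class."""
        return self.log_prior[label] + sum(
            xi * lt for xi, lt in zip(x, self.log_theta[label]))

    def posterior(self, x):
        scores = {label: self.log_score(label, x) for label in self.log_theta}
        top = max(scores.values())  # subtract the max before exp() to avoid underflow
        weights = {k: math.exp(v - top) for k, v in scores.items()}
        z = sum(weights.values())
        return {k: w / z for k, w in weights.items()}

    def predict(self, x):
        post = self.posterior(x)
        return max(post, key=post.get)


MODEL = MultinomialNB(TRAINING)


def classify(counts):
    """Label one connection's packet-type count vector."""
    return MODEL.predict(counts)


if __name__ == "__main__":
    for vec in ([3, 8, 48, 1, 40], [0, 100, 0, 0, 0], [0, 60, 5, 0, 2]):
        print(vec, classify(vec), MODEL.posterior(vec))
```

Two properties of this form are worth checking before relying on it. It is fast (a handful of multiply-adds per connection) but scale-blind: ten times the average connection's packets is the same mix of types and scores exactly the same, so packet rate has to be watched separately. And every decision rests on what the training vectors covered; a legitimate connection whose mix falls outside them drifts toward the attack class, which is where the slide's "high false positives" come from.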

My Experiment

Hybrid Naive Bayesian Model with Hidden Markov Model

Previous Experiments
Naive Bayesian based IDS: Vijayasarathy, R., Raghavan, S. V., & Ravindran, B., "A system approach to network modeling for DDoS detection using a Naïve Bayesian classifier", 2011.

Hidden Markov Model: Rangadurai Karthick, R., Hattiwale, V. P., & Ravindran, B., "Adaptive network intrusion detection system using a hybrid approach", 2012.

This Experiment: Time-based training data