Fuzzy Network Profiling for Intrusion Detection
DESCRIPTION
Fuzzy Network Profiling for Intrusion Detection. Dickerson, J.E.; Dickerson, J.A. Fuzzy Information Processing Society, 2000. NAFIPS. 19th International Conference of the North American, 2000. Reporter: Chien-Chung Su. Agenda: Introduction, System Architecture, Implementation example, Conclusion.
TRANSCRIPT
Fuzzy Network Profiling for Intrusion Detection
Dickerson, J.E.; Dickerson, J.A. Fuzzy Information Processing Society, 2000. NAFIPS. 19th International Conference of the North American, 2000
Reporter: Chien-Chung Su
Agenda
Introduction
System Architecture
Implementation example
Conclusion
Introduction
Intrusion Detection System
– A process for identifying network activity that can lead to the compromise of a security policy
Two primary forms
– Misuse Detection: matching known patterns of hostile activity against a database of past attacks
– Anomaly Detection: applying statistical measures or artificial knowledge to compare current activity against historical knowledge of network utilization
System Architecture (1/5)
Fuzzy Intrusion Recognition Engine (FIRE)
– Anomaly-based intrusion detection system
– Applies fuzzy theory
– Applies a simple data mining technique
System Architecture (2/5)
Data flow (diagram): A Local Area Network -> Network Data Collector (NDC) -> Raw data -> Network Data Processor (NDP) -> Mined data -> Fuzzy Threat Analyzer (FTA) -> Fuzzy Alerts
System Architecture (3/5)
Network Data Collector (NDC)
– Grabs all packets that cross the wire and stores them to disk
– To help avoid packet loss in the data collection system, it is important that the tasks performed by the NDC be very limited
System Architecture (4/5)
Network Data Processor (NDP)
– Performs a kind of data mining on the collected packets
– Compares the current data with the historical mined data to create a “normalized” value that reflects how the new data differs from what was observed in the past
System Architecture (5/5)
Fuzzy Threat Analyzer (FTA)
– A fuzzy rule can incorporate one or more fuzzy inputs
– Depending on the fuzzy values, the fuzzy rule designer can make the types of intrusions they detect either very general or very specific
Implementation example (1/4)
What metrics do we want?
– SrcIP, DstIP, SrcPort, DstPort
– TCP flags, data length
– Data content
– Time the packet was sent
Example
– sdp = (SrcIP, DstIP, SrcPort, DstPort)
– Represents the existence of a TCP channel (whether successful or not) between two IP end points
Implementation example (2/4)
Define fuzzy variables
– COUNT
– UNIQUENESS
– VARIANCE
Membership Function (figure): fuzzy sets LOW, MED-LOW, MED, MED-HIGH, HIGH over the input axis, with axis breakpoints at 5, 10, 25, 50, 100
Implementation example (3/4)
Design fuzzy rules
– Scenario: Network scan
– Rule examples
If (COUNT == LOW) && (UNIQUENESS == MED) Then “Network Scan” = MED-LOW
If (COUNT == MED) && (UNIQUENESS == LOW) Then “Network Scan” = LOW
If (COUNT == MED) && (UNIQUENESS == HIGH) Then “Network Scan” = HIGH
If (COUNT of ForeignHosts == HIGH) && (UNIQUENESS of DNS == HIGH) Then “DNS Scan” = HIGH
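As an added example (not code from the paper or the slides), a small Python evaluator for the FTA stage built from the slide's five fuzzy sets and its example rules. It assumes triangular membership functions peaking at the slide's axis breakpoints, AND as min with max-aggregation across rules, and crisp COUNT and UNIQUENESS values supplied by the NDP for one collection interval.

```python
# Added example, not from the paper or slides: a minimal fuzzy rule evaluator.

# Fuzzy set labels and peak points, taken from the slide's membership-function
# axis (5, 10, 25, 50, 100). Triangular, overlapping sets are assumed.
LABELS = ["LOW", "MED-LOW", "MED", "MED-HIGH", "HIGH"]
PEAKS = [5, 10, 25, 50, 100]

def fuzzify(x):
    """Map a crisp value to {label: degree in [0, 1]}. Adjacent sets overlap
    linearly; the outermost sets are shouldered (flat beyond their peak)."""
    degrees = {}
    for i, label in enumerate(LABELS):
        peak = PEAKS[i]
        lo = PEAKS[i - 1] if i > 0 else None
        hi = PEAKS[i + 1] if i + 1 < len(PEAKS) else None
        if x == peak or (lo is None and x < peak) or (hi is None and x > peak):
            d = 1.0
        elif lo is not None and lo < x < peak:
            d = (x - lo) / (peak - lo)
        elif hi is not None and peak < x < hi:
            d = (hi - x) / (hi - peak)
        else:
            d = 0.0
        degrees[label] = d
    return degrees

# Rules transcribed from the slide: antecedents are (variable, label) pairs
# joined by AND; the consequent is (alert name, output level).
RULES = [
    ([("COUNT", "LOW"), ("UNIQUENESS", "MED")], ("Network Scan", "MED-LOW")),
    ([("COUNT", "MED"), ("UNIQUENESS", "LOW")], ("Network Scan", "LOW")),
    ([("COUNT", "MED"), ("UNIQUENESS", "HIGH")], ("Network Scan", "HIGH")),
    ([("COUNT of ForeignHosts", "HIGH"), ("UNIQUENESS of DNS", "HIGH")],
     ("DNS Scan", "HIGH")),
]

def evaluate(metrics):
    """metrics: {variable: crisp value} produced by the NDP for one interval.
    AND is min; rules sharing a consequent are aggregated with max. Returns
    {alert: {level: firing strength}}, omitting rules that did not fire.
    A variable absent from metrics contributes degree 0 (rule cannot fire)."""
    fuzzy = {var: fuzzify(val) for var, val in metrics.items()}
    alerts = {}
    for antecedents, (alert, level) in RULES:
        strength = min(fuzzy.get(var, {}).get(label, 0.0) for var, label in antecedents)
        if strength > 0:
            levels = alerts.setdefault(alert, {})
            levels[level] = max(levels.get(level, 0.0), strength)
    return alerts
```

With constructed interval metrics of COUNT = 30 and UNIQUENESS = 80 (hypothetical values), only the third rule fires, giving a “Network Scan” alert at level HIGH with strength 0.6.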
Implementation example (4/4)
System issues
– Data collection interval
– Define fuzzy variables
– Data mining techniques
– Fuzzy rules
Conclusion
Intrusion detection with an element of fuzziness
An expert system should be supported
Real-time data mining issues