Machine Learning in Intrusion Detection Systems (IDS)


Post on 27-Dec-2015






Slide 1: Machine Learning in Intrusion Detection Systems (IDS)

Slide 2: Two papers:
- Artificial Intelligence & Intrusion Detection: Current & Future Directions [AIID], J. Frank
- Applying Genetic Programming to Intrusion Detection [GP], M. Crosbie, G. Spafford

Slide 3: AIID. What is intrusion detection? What are the issues in intrusion detection?
- Data collection
- Data reduction
- Behavior classification
- Reporting
- Response

Slide 4: AIID. AI methods are used to help solve some of these issues. For data classification:
- Classifier systems
- Neural networks
- Decision trees
- Feature selection

Slide 5: AIID. Data reduction:
- Data filtering
- Feature selection
- Data clustering

Slide 6: AIID. Behavior classification:
- Expert systems
- Anomaly detection
- Rule-based induction

Slide 7: AIID. An experiment using feature selection: information about network connections, collected using a Network Security Monitor.

Slide 8: AIID. Three search algorithms used:
- Backward Sequential Search (BSS)
- Beam Search (BS)
- Random Generation Plus Sequential Selection (RS)

Slide 9: AIID. Algorithm performance (chart).

Slide 10: AIID. Error rate performance (All) (chart). Feature subsets labelled: [I, W, T, PS, PD, DS]; [T, PD, DS] Best.

Slide 11: AIID. Error rate performance (SMTP) (chart). Feature subset labelled: [W, T, PS, PD, DS] Best.

Slide 12: AIID. Error rate performance (Login) (chart). Feature subsets labelled: Best [W, T, PS, PD]; [T, PD, DS] RGSS.

Slide 13: AIID. Error rate performance (Shell) (chart). Feature subsets labelled: [W, PS, PD, DS] BS & BSS Best; [W, T, PS, DS] RS.

Slide 14: GP (Applying Genetic Programming to Intrusion Detection). An IDS that exploits the learning power of genetic programming. Two types of security tools:
- Pro-active
- Reactive: IDS falls in this category

Slide 15: GP. Components in an IDS:
- Anomaly: may indicate a possible intrusion. So how do we know for sure?
- Expert system: rule-set = model
- Metrics: comparing metrics & model
- But if a new intrusion scenario arises, modifying the IDS is complicated.

Slide 16: GP. A finer-grained approach: the IDS gets split into multiple autonomous agents.

Slide 17: GP (diagram).

Slide 18: Using GP for learning. Instead of a monolithic static knowledge base, the GP paradigm allows evolution of agents that could be placed in a system to monitor audit data. GP programs are written in a simple meta-language and have primitives that access audit data fields and manipulate them.

Slide 19: GP. Internal agent architecture (diagram).

Slide 20: GP. Learning by feedback. What do the agents monitor? Inter-packet timing metrics: total number of socket connections, average time between socket connections, minimum time between socket connections, maximum time between socket connections, destination port, source port. Potential intrusions looked for: port flooding, port-walking, probing, password cracking.

Slide 21: GP. Fitness function:
  Δ = |outcome − suspicion|
  penalty = Δ × ranking / 100
  fitness = (100 − Δ) − penalty

Slide 22: GP. Multiple types: time (long int), port (int), boolean, suspicion (int). Problems with multiple types; ADF solution to type safety (ADF: Automatically Defined Function). To monitor network timing: avg_interconn_time, min_interconn_time, max_interconn_time. For port monitoring: src_port, dest_port. For privileged port checking: is_priv_dest_port, is_priv_src_port.

Slide 23: GP. Experimental results (chart).

Slide 24: That's it!!!

Slide 25: Too old a research idea; did not find any current research in the same field.
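As an added example for slides 20 to 22 (not code from the slides or from the Crosbie and Spafford paper), the script below scores a hand-written monitoring agent over constructed audit scenarios with the fitness function from slide 21. It assumes outcome and suspicion are on a 0..100 scale and treats `ranking` as a per-scenario weight in 0..100, since the slides do not define it; the agent, the metrics record and the scenarios are all constructed stand-ins for evolved GP programs and real audit data.

```python
# Added example: evaluating an IDS agent with the GP fitness function from the slides.
# Assumption: outcome/suspicion are 0..100; `ranking` is a 0..100 per-scenario weight.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ConnMetrics:
    """Inter-packet timing metrics an agent can read (the primitives named on slide 22)."""
    total_conns: int
    avg_interconn_time: float   # seconds between socket connections, on average
    min_interconn_time: float
    max_interconn_time: float
    src_port: int
    dest_port: int


def fitness(outcome: int, suspicion: int, ranking: int) -> float:
    """delta = |outcome - suspicion|; penalty = delta * ranking / 100; fitness = (100 - delta) - penalty."""
    delta = abs(outcome - suspicion)
    penalty = delta * ranking / 100
    return (100 - delta) - penalty


def flood_agent(m: ConnMetrics) -> int:
    """Constructed stand-in for an evolved agent: many connections with tiny gaps -> high suspicion."""
    if m.total_conns > 50 and m.avg_interconn_time < 0.1:
        return 90
    if m.total_conns > 20 and m.min_interconn_time < 0.05:
        return 50
    return 5


def null_agent(m: ConnMetrics) -> int:
    """Baseline that never raises suspicion, to show how the penalty term punishes misses."""
    return 0


# Constructed training scenarios: (metrics, known outcome, ranking weight).
SCENARIOS: List[Tuple[ConnMetrics, int, int]] = [
    (ConnMetrics(200, 0.01, 0.001, 0.05, 40123, 80), 100, 80),  # port flooding
    (ConnMetrics(3, 30.0, 10.0, 60.0, 40124, 22), 0, 20),       # benign traffic
    (ConnMetrics(30, 2.0, 0.01, 5.0, 40125, 25), 50, 40),       # borderline burst
]


def evaluate(agent: Callable[[ConnMetrics], int], scenarios=SCENARIOS) -> float:
    """Mean fitness over all scenarios: the score GP selection would rank agents by."""
    scores = [fitness(outcome, agent(m), ranking) for m, outcome, ranking in scenarios]
    return sum(scores) / len(scores)


if __name__ == "__main__":
    for name, agent in (("flood_agent", flood_agent), ("null_agent", null_agent)):
        print(f"{name}: mean fitness {evaluate(agent):.2f}")
```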