machine learning in intrusion detection systems (ids)
TRANSCRIPT
2 papers:
Artificial Intelligence & Intrusion Detection: Current & Future Directions [AIID] – J. Frank
Applying Genetic Programming to Intrusion Detection [GP] – M. Crosbie, G. Spafford
AIID
What is intrusion detection? What are the issues in Intrusion Detection?
– Data collection
– Data reduction
– Behavior classification
– Reporting
– Response
AIID
AI methods are used to help solve some issues
For data classification:
– Classifier systems
• Neural Network
• Decision Tree
• Feature Selection
AIID
An experiment using feature selection
– Information about network connections gathered using a Network Security Monitor
AIID
3 search algorithms used:
– Backward Sequential Search (BSS)
– Beam Search (BS)
– Random Generation Plus Sequential Selection (RS)
GP (Applying Genetic Programming to Intrusion Detection)
An IDS that exploits the learning power of Genetic Programming
Two types of security tools:
– Pro-active
– Reactive: IDS falls in this category
GP
Components in an IDS
– Anomaly
• May indicate a possible intrusion
– So how do we know for sure? Expert system
• Rule-set = model
• Metrics
• Comparing metrics & model
But … if a new intrusion scenario arises, modifying the IDS is complicated
GP
Using GP for learning
– Instead of a monolithic static “knowledge base”
– The GP paradigm allows evolution of agents that could be placed in a system to monitor audit data
– GP programs
• are in a simple meta-language
• have primitives that access audit data fields and manipulate them
GP
Learning by feedback
What do the agents monitor?
– Inter-packet timing metrics:
Total # of socket connections, average time between socket connections, minimum time between socket connections, maximum time between socket connections, destination port, source port
– Potential intrusions looked for: port flooding, port-walking, probing, password cracking
GP
Multiple types:
– Time (long int), port (int), boolean, suspicion (int)
Problems with multiple types: ADF solution to type safety
– ADF: Automatically Defined Function
– To monitor network timing: avg_interconn_time, min_interconn_time, max_interconn_time
– For port monitoring: src_port, dest_port
– For privileged port checking: is_priv_dest_port, is_priv_src_port
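A worked illustration of the typed primitive set and the type-safety check described above, added here as an example and not code from the Crosbie & Spafford paper. The audit-record shape, the `const` leaves, the combinators `time_lt`/`and`/`if_then` and the hand-written agent tree are assumptions of this example; an evolved agent would be a tree of the same shape produced by GP rather than written by hand.

```python
# name -> (return type, argument types, implementation); modelled on the talk's ADFs
PRIMITIVES = {
    "avg_interconn_time": ("time", (), lambda r: r["avg"]),
    "min_interconn_time": ("time", (), lambda r: r["min"]),
    "max_interconn_time": ("time", (), lambda r: r["max"]),
    "dest_port": ("port", (), lambda r: r["dest_port"]),
    "src_port": ("port", (), lambda r: r["src_port"]),
    "is_priv_dest_port": ("bool", (), lambda r: r["dest_port"] < 1024),
    "is_priv_src_port": ("bool", (), lambda r: r["src_port"] < 1024),
    "time_lt": ("bool", ("time", "time"), lambda r, a, b: a < b),
    "and": ("bool", ("bool", "bool"), lambda r, a, b: a and b),
    "if_then": ("suspicion", ("bool", "suspicion", "suspicion"), lambda r, c, a, b: a if c else b),
}

def typecheck(node):                               # node's type; rejects trees that mix types
    if isinstance(node, str):                      # zero-arity primitive leaf
        return PRIMITIVES[node][0]
    if node[0] == "const":                         # ("const", type, value) leaf
        return node[1]
    ret, arg_types, _ = PRIMITIVES[node[0]]
    actual = tuple(typecheck(child) for child in node[1:])
    if actual != arg_types:                        # e.g. a port where a time belongs
        raise TypeError(f"{node[0]} expects {arg_types}, got {actual}")
    return ret

def evaluate(node, record):                        # score one audit record with a type-checked tree
    if isinstance(node, str):
        return PRIMITIVES[node][2](record)
    if node[0] == "const":
        return node[2]
    return PRIMITIVES[node[0]][2](record, *(evaluate(c, record) for c in node[1:]))

def audit_records(conns):
    """(timestamp, src_port, dest_port) tuples -> records carrying running inter-connection timing."""
    out, gaps, none = [], [], float("inf")         # inf: no earlier connection yet
    for i, (t, sp, dp) in enumerate(conns):
        gaps += [t - conns[i - 1][0]] if i else []
        out.append({"avg": sum(gaps) / len(gaps) if gaps else none, "min": min(gaps, default=none),
                    "max": max(gaps, default=none), "src_port": sp, "dest_port": dp})
    return out

# Hand-written stand-in for an evolved agent: rapid connections to privileged ports score 3, else 0.
PORT_WALK_AGENT = ("if_then", ("and", ("time_lt", "avg_interconn_time", ("const", "time", 0.5)),
                   "is_priv_dest_port"), ("const", "suspicion", 3), ("const", "suspicion", 0))

def run_agent(agent, conns):
    typecheck(agent)                               # reject ill-typed trees before scoring anything
    return sum(evaluate(agent, r) for r in audit_records(conns))
# Constructed audit data: a fast sweep of privileged ports (a port-walking pattern).
SWEEP = [(0.00, 40001, 21), (0.05, 40002, 22), (0.10, 40003, 23), (0.15, 40004, 25), (0.20, 40005, 80)]
```

`run_agent(PORT_WALK_AGENT, SWEEP)` scores the first record 0 (no earlier connection) and the remaining four 3 each; swapping `dest_port` into the `time_lt` slot is caught by `typecheck` before any record is scored.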