Machine Learning in Intrusion Detection Systems (IDS)


2 papers:

– Artificial Intelligence & Intrusion Detection: Current & Future Directions [AIID] – J. Frank
– Applying Genetic Programming to Intrusion Detection [GP] – M. Crosbie, G. Spafford

AIID

What is intrusion detection? What are the issues in Intrusion Detection?

– Data collection
– Data reduction
– Behavior classification
– Reporting
– Response

AIID

AI methods are used to help solve some issues

For data classification:
– Classifier systems
  • Neural Network
  • Decision Tree
  • Feature Selection

AIID

Data Reduction
– Data Filtering
– Feature Selection
– Data Clustering

AIID

Behavior Classification
– Expert Systems
– Anomaly Detection
– Rule-Based Induction

AIID

An experiment using Feature Selection
– Info. about network connections collected using a Network Security Monitor

AIID

3 search algorithms used:
– Backward Sequential Search (BSS)
– Beam Search (BS)
– Random Generation Plus Sequential Selection (RS)

AIID

Algorithm performance

AIID

Error Rate Performance (All) – chart; feature sets labelled on the slide:
– [I, W, T, PS, PD, DS]
– [T, PD, DS] (Best)

AIID

Error Rate Performance (SMTP) – chart; feature sets labelled on the slide:
– [W, T, PS, PD, DS] (Best)

AIID

Error Rate Performance (Login) – chart; feature sets labelled on the slide:
– [W, T, PS, PD] (Best)
– [T, PD, DS] (RGSS)

AIID

Error Rate Performance (Shell) – chart; feature sets labelled on the slide:
– [W, PS, PD, DS] (BS & BSS)
– [W, T, PS, DS] (RS)
– Best

GP (Applying Genetic Programming to Intrusion Detection)

An IDS that exploits the learning power of Genetic Programming

Two types of security tools:
– Pro-active
– Reactive: IDS falls in this category

GP

Components in an IDS
– Anomaly
  • May indicate a possible intrusion
  • So how do we know for sure?
– Expert system
  • Rule-set = model
  • Metrics
  • Comparing metrics & model

But … if a new intrusion scenario arises, modifying the IDS is complicated

GP

A finer-grained approach

IDS gets split into multiple Autonomous Agents

GP

GP

Using GP for learning
– Instead of a monolithic static “knowledge base”
– The GP paradigm allows evolution of agents that could be placed in a system to monitor audit data
– GP programs
  • are in a simple meta-language
  • have primitives that access audit data fields and manipulate them

GP

Internal agent architecture

GP

Learning by feedback

What do the agents monitor?

– Inter-packet timing metrics:
  • Total # of socket connections
  • Average time between socket connections
  • Minimum time between socket connections
  • Maximum time between socket connections
  • Destination port
  • Source port

– Potential intrusions looked for: port flooding, port-walking, probing, password cracking

GP

Δ = |outcome − suspicion|

Penalty = Δ × ranking / 100

Fitness = (100 − Δ) − Penalty

GP

Multiple types:
– Time (long int), port (int), boolean, suspicion (int)
– Problems with multiple types
– ADF solution to type safety
  • ADF: Automatically Defined Function

– To monitor network timing: avg_interconn_time, min_interconn_time, max_interconn_time
– For port monitoring: src_port, dest_port
– For privileged port checking: is_priv_dest_port, is_priv_src_port
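The fitness formula from the earlier slide (Δ, Penalty, Fitness) and the timing and port primitives listed here, worked through as an added Python example; this is not code from either paper or from the presentation. The connection records are constructed, and treating `ranking` as the agent's plain integer rank in the population is an assumption, since the slides do not define its scale.

```python
from statistics import mean

# Constructed sample of socket connections: (timestamp in seconds, src_port, dest_port).
# Made-up data for illustration, not taken from the Crosbie/Spafford paper.
CONNECTIONS = [
    (0.0, 40001, 22),
    (0.5, 40002, 23),
    (1.0, 40003, 25),
    (3.0, 40004, 8080),
]


def interconn_metrics(conns):
    """Timing primitives named on the slides: total number of socket
    connections and the average/min/max time between consecutive ones."""
    times = sorted(t for t, _, _ in conns)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return {
        "total_connections": len(times),
        "avg_interconn_time": mean(gaps) if gaps else 0.0,
        "min_interconn_time": min(gaps) if gaps else 0.0,
        "max_interconn_time": max(gaps) if gaps else 0.0,
    }


def is_priv_port(port):
    """Privileged-port check (is_priv_src_port / is_priv_dest_port):
    well-known ports 0-1023 require root to bind on Unix."""
    return 0 <= port < 1024


def agent_fitness(outcome, suspicion, ranking):
    """Fitness as given on the slides, on a 0-100 scale:
    delta = |outcome - suspicion|, penalty = delta * ranking / 100,
    fitness = (100 - delta) - penalty.
    `ranking` is treated as the agent's plain integer rank in the
    population (assumption; the slides do not define its scale)."""
    delta = abs(outcome - suspicion)
    penalty = delta * ranking / 100
    return (100 - delta) - penalty


if __name__ == "__main__":
    print(interconn_metrics(CONNECTIONS))
    print([is_priv_port(dst) for _, _, dst in CONNECTIONS])
    # An agent reporting suspicion 60 when the true outcome was 100 (intrusion)
    # is off by 40; being ranked 50th costs a further 20 points.
    print(agent_fitness(outcome=100, suspicion=60, ranking=50))
```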

GP

Experimental results:

That’s it !!!

Too old a research idea … did not find any current research in the same field