Machine Learning in Intrusion Detection Systems (IDS)


Posted on 27-Dec-2015






Slide 1: Machine Learning in Intrusion Detection Systems (IDS)

Slide 2: Two papers: "Artificial Intelligence & Intrusion Detection: Current & Future Directions" [AIID], J. Frank; and "Applying Genetic Programming to Intrusion Detection" [GP], M. Crosbie and G. Spafford.

Slide 3 (AIID): What is intrusion detection? What are the issues in intrusion detection? Data collection, data reduction, behavior classification, reporting, response.

Slide 4 (AIID): AI methods are used to help solve some of these issues. For data classification: classifier systems, neural networks, decision trees, feature selection.

Slide 5 (AIID): Data reduction: data filtering, feature selection, data clustering.

Slide 6 (AIID): Behavior classification: expert systems, anomaly detection, rule-based induction.

Slide 7 (AIID): An experiment using feature selection on information about network connections, collected with a Network Security Monitor.

Slide 8 (AIID): Three search algorithms used: Backward Sequential Search (BSS), Beam Search (BS), Random Generation Plus Sequential Selection (RS).

Slide 9 (AIID): Algorithm performance.

Slide 10 (AIID): Error rate performance (all): [I, W, T, PS, PD, DS]; [T, PD, DS] best.

Slide 11 (AIID): Error rate performance (SMTP): [W, T, PS, PD, DS] best.

Slide 12 (AIID): Error rate performance (login): [W, T, PS, PD] best; [T, PD, DS] RGSS.

Slide 13 (AIID): Error rate performance (shell): [W, PS, PD, DS] BS & BSS best; [W, T, PS, DS] RS.

Slide 14 (GP, "Applying Genetic Programming to Intrusion Detection"): An IDS that exploits the learning power of Genetic Programming. Two types of security tools: pro-active, and reactive (an IDS falls in this category).

Slide 15 (GP): Components in an IDS. An anomaly may indicate a possible intrusion, so how do we know for sure? Expert system: rule set = model; metrics; comparing the metrics against the model. But if a new intrusion scenario arises, modifying the IDS is complicated.

Slide 16 (GP): A finer-grained approach: the IDS gets split into multiple autonomous agents.

Slide 17 (GP): (figure only, no slide text)

Slide 18 (GP): Using GP for learning. Instead of a monolithic static knowledge base, the GP paradigm allows the evolution of agents that can be placed in a system to monitor audit data. GP programs are written in a simple meta-language with primitives that access audit data fields and manipulate them.

Slide 19 (GP): Internal agent architecture.

Slide 20 (GP): Learning by feedback. What do the agents monitor? Inter-packet timing metrics: total number of socket connections, average time between socket connections, minimum time between socket connections, maximum time between socket connections, destination port, source port. Potential intrusions looked for: port flooding, port-walking, probing, password cracking.

Slide 21 (GP): Fitness by feedback: difference = |outcome − suspicion|; penalty = difference × ranking / 100; fitness = (100 − difference) − penalty.

Slide 22 (GP): Multiple types: time (long int), port (int), boolean, suspicion (int). Multiple types cause problems; the ADF (Automatically Defined Function) solution to type safety. To monitor network timing: avg_interconn_time, min_interconn_time, max_interconn_time. For port monitoring: src_port, dest_port. For privileged-port checking: is_priv_dest_port, is_priv_src_port.

Slide 23 (GP): Experimental results: (figure only)

Slide 24: That's it!!!

Slide 25: Too old a research idea; did not find any current research in the same field.
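The AIID slides (8 to 13) name three wrapper-style search strategies for choosing connection features but do not show how they run. The following is an added example, not code from the slides or from Frank's paper: it implements BSS, beam search and random-generation-plus-sequential-selection over the six feature names the slides use (I, W, T, PS, PD, DS), scoring each candidate subset with a leave-one-out 1-nearest-neighbour error rate on a small constructed set of connection records. The records, the labels and the choice of 1-NN as the evaluator are all assumptions of this example; the data is built so that only T and PD carry signal, which lets you watch the searches discard the noise features.

```python
"""Wrapper-style feature selection over connection records (added example)."""
import random

# Constructed connection records: the six features named on the AIID slides
# (I, W, T, PS, PD, DS) and a label (0 = normal, 1 = intrusion). The values are
# made up for this example; only T and PD carry signal, the rest are noise.
FEATURES = ["I", "W", "T", "PS", "PD", "DS"]
RECORDS = [
    ((0, 0, 1, 0, 1, 0), 0),
    ((1, 1, 1, 1, 1, 1), 0),
    ((0, 1, 2, 1, 1, 0), 0),
    ((1, 0, 2, 0, 1, 1), 0),
    ((0, 0, 9, 0, 7, 0), 1),
    ((1, 1, 9, 1, 7, 1), 1),
    ((0, 1, 8, 1, 7, 0), 1),
    ((1, 0, 8, 0, 7, 1), 1),
]


def error_rate(subset, records=RECORDS):
    """Leave-one-out 1-nearest-neighbour error rate using only `subset`.

    This is the wrapper evaluation the search algorithms below call; the
    empty subset has no classifier and is scored as a 100 % error rate.
    """
    if not subset:
        return 1.0
    idx = [FEATURES.index(f) for f in subset]
    wrong = 0
    for i, (x, label) in enumerate(records):
        nearest = None
        for j, (y, other) in enumerate(records):
            if i == j:
                continue
            dist = sum((x[k] - y[k]) ** 2 for k in idx)
            if nearest is None or dist < nearest[0]:
                nearest = (dist, other)
        wrong += nearest[1] != label
    return wrong / len(records)


def backward_sequential_search(features=FEATURES):
    """BSS: start from the full set and drop the feature whose removal hurts
    least, stopping once every possible removal would raise the error."""
    current, err = frozenset(features), error_rate(frozenset(features))
    while current:
        candidates = [current - {f} for f in features if f in current]
        best = min(candidates, key=error_rate)
        if error_rate(best) > err:
            break
        current, err = best, error_rate(best)
    return current


def beam_search(width=2, features=FEATURES):
    """BS: forward search that keeps only the `width` best subsets per round
    and stops when a round no longer improves on the best subset seen."""
    rank = lambda s: (error_rate(s), sorted(s))
    beam = sorted((frozenset([f]) for f in features), key=rank)[:width]
    best = beam[0]
    while True:
        grown = {s | {f} for s in beam for f in features if f not in s}
        beam = sorted(grown, key=rank)[:width]
        if not beam or error_rate(beam[0]) >= error_rate(best):
            return best
        best = beam[0]


def random_plus_sequential(trials=5, seed=1, features=FEATURES):
    """RS: draw random starting subsets and refine each with forward
    sequential selection (add the single feature that lowers error most)."""
    rng = random.Random(seed)
    best = None
    for _ in range(trials):
        current = frozenset(rng.sample(features, rng.randint(1, len(features))))
        while True:
            grown = [current | {f} for f in features if f not in current]
            if not grown:
                break
            candidate = min(grown, key=error_rate)
            if error_rate(candidate) >= error_rate(current):
                break
            current = candidate
        if best is None or error_rate(current) < error_rate(best):
            best = current
    return best


if __name__ == "__main__":
    for name, result in [("BSS", backward_sequential_search()),
                         ("BS", beam_search()),
                         ("RS", random_plus_sequential())]:
        print(name, sorted(result), "error =", error_rate(result))
```

On this data the full set and every subset containing T or PD score zero error, while the noise-only subset [I, W, PS, DS] classifies every record wrongly; BSS and beam search therefore both collapse to a single signal feature, which is the behaviour the slides' bracketed subsets summarise.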
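Slides 20 to 22 describe the metrics the GP agents read, the fitness-by-feedback formula, and the typed primitive set (time, port, boolean, suspicion). The block below is an added example, not code from the slides or from Crosbie and Spafford: it computes the slide 20 timing metrics from a constructed list of (timestamp, src_port, dest_port) connections, evaluates an agent written as an expression tree over the slide 22 primitives, and scores it with the slide 21 fitness. Assumptions of this example: outcome is 100 for an intrusion scenario and 0 for a normal one, ranking is a per-scenario weight from 0 to 100, and type safety is enforced by checking argument types at every tree node rather than through the ADF mechanism the slides mention.

```python
"""Typed agent programs and feedback fitness from the GP slides (added example)."""
from statistics import mean


def connection_metrics(connections):
    """Inter-packet timing metrics from slide 20, computed from a time-ordered
    list of (timestamp, src_port, dest_port) tuples. Port fields are taken
    from the most recent connection (a simplification for this example)."""
    times = [t for t, _, _ in connections]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "n_conn": len(connections),
        "avg_interconn_time": mean(gaps) if gaps else 0.0,
        "min_interconn_time": min(gaps) if gaps else 0.0,
        "max_interconn_time": max(gaps) if gaps else 0.0,
        "src_port": connections[-1][1],
        "dest_port": connections[-1][2],
    }


# Typed primitive table: name -> (return type, argument types, implementation).
# The names follow slide 22; time_lt, and, if are assumed combinators.
PRIMITIVES = {
    "avg_interconn_time": ("time", (), lambda m: m["avg_interconn_time"]),
    "min_interconn_time": ("time", (), lambda m: m["min_interconn_time"]),
    "max_interconn_time": ("time", (), lambda m: m["max_interconn_time"]),
    "src_port": ("port", (), lambda m: m["src_port"]),
    "dest_port": ("port", (), lambda m: m["dest_port"]),
    "is_priv_dest_port": ("boolean", (), lambda m: m["dest_port"] < 1024),
    "is_priv_src_port": ("boolean", (), lambda m: m["src_port"] < 1024),
    "time_lt": ("boolean", ("time", "time"), lambda m, a, b: a < b),
    "and": ("boolean", ("boolean", "boolean"), lambda m, a, b: a and b),
    "if": ("suspicion", ("boolean", "suspicion", "suspicion"),
           lambda m, c, a, b: a if c else b),
}


def evaluate(node, metrics):
    """Evaluate an expression tree, returning (type, value) and raising
    TypeError when a child's type does not match the primitive's signature.
    Leaves are ("const", type, value); inner nodes are (name, *children)."""
    if node[0] == "const":
        return node[1], node[2]
    ret_type, arg_types, impl = PRIMITIVES[node[0]]
    args = [evaluate(child, metrics) for child in node[1:]]
    got = [t for t, _ in args]
    if got != list(arg_types):
        raise TypeError(f"{node[0]} expects {list(arg_types)}, got {got}")
    return ret_type, impl(metrics, *(v for _, v in args))


def fitness(suspicion, outcome, ranking):
    """Slide 21: difference = |outcome - suspicion|,
    penalty = difference * ranking / 100, fitness = (100 - difference) - penalty."""
    difference = abs(outcome - suspicion)
    penalty = difference * ranking / 100
    return (100 - difference) - penalty


def agent_fitness(agent, scenarios):
    """Average fitness of one agent over labelled scenarios: the feedback
    signal a GP run would use to rank agents for selection."""
    scores = []
    for connections, outcome, ranking in scenarios:
        kind, suspicion = evaluate(agent, connection_metrics(connections))
        assert kind == "suspicion", "agent root must produce a suspicion value"
        scores.append(fitness(suspicion, outcome, ranking))
    return mean(scores)


# Constructed scenarios: a port flood (20 connections 10 ms apart to port 80)
# and a quiet normal session (5 connections 2 s apart). Outcome/ranking values
# are assumptions of this example.
FLOOD = [(i * 0.01, 40000 + i, 80) for i in range(20)]
NORMAL = [(i * 2.0, 50000 + i, 443) for i in range(5)]
SCENARIOS = [(FLOOD, 100, 50), (NORMAL, 0, 50)]

# An agent that flags a burst: if min_interconn_time < 0.05 s then 95 else 5.
FLOOD_AGENT = ("if", ("time_lt", ("min_interconn_time",), ("const", "time", 0.05)),
               ("const", "suspicion", 95), ("const", "suspicion", 5))
# An uninformative agent that always answers 50.
CONSTANT_AGENT = ("const", "suspicion", 50)
# A badly typed agent: a port value where "if" needs a boolean condition.
ILL_TYPED_AGENT = ("if", ("src_port",),
                   ("const", "suspicion", 95), ("const", "suspicion", 5))

if __name__ == "__main__":
    print("flood agent fitness:", agent_fitness(FLOOD_AGENT, SCENARIOS))
    print("constant agent fitness:", agent_fitness(CONSTANT_AGENT, SCENARIOS))
    try:
        evaluate(ILL_TYPED_AGENT, connection_metrics(NORMAL))
    except TypeError as exc:
        print("rejected:", exc)
```

The penalty term is what makes the scoring asymmetric in practice: a confident wrong answer on a highly ranked scenario loses more than a hedged one, so the constant agent that always answers 50 ends with a fitness of 25 while the burst detector scores 92.5 on both scenarios. The type check in `evaluate` is where the slide 22 "problems with multiple types" surface: an evolved tree that feeds a port into a boolean slot is rejected before it can be scored.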

