Presentation is loading. Please wait.

Presentation is loading. Please wait.

WAC/ISSCI 20061 Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming.

Published byJasper Jennings Modified over 8 years ago

Similar presentations

Presentation on theme: "WAC/ISSCI 20061 Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming."— Presentation transcript:

1 WAC/ISSCI 20061 Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming

2 WAC/ISSCI 2006 2 Automated intrusion detection Intrusion detection determines that a system has been accessed by unauthorized parties Detection can be manual or automated  Manual intrusion detection usually requires viewing of logs or user activity: labor-intensive, long reaction time  Automated detection relies on continuous monitoring of system behavior within the system itself

3 WAC/ISSCI 2006 3 Automated intrusion detection Automated detection based on one of two mechanisms  Misuse detection: define a set of “unacceptable” behaviors and raise alert when system behavior matches some member(s) of that set  Anomaly detection: create a profile of typical (“normal”) user behavior and raise alert when a user attempts an activity that does not match his/her profile

4 WAC/ISSCI 2006 4 Defining “normal” behavior To determine normal user behavior, we must:  Identify individual users  Monitor their behavior over time to create a profile of expected activity  Define measures for determining deviation from “normal” Quantitative: network traffic < 20% of capacity Qualititative: file transfer remains within internal network

5 WAC/ISSCI 2006 5 Defining “normal” behavior Using machine intelligence to detect intrusion  Observe sequences of user commands and save as a profile  Analyze new user commands using statistical similarity measures to compare with observed sequences  Classify new behavior as anomalous or consistent with past behavior This approach does not deal with “concept drift” – the varying of command sequences over time

6 WAC/ISSCI 2006 6 Time-variant profiling Assumes that a user will change “normal” activities over time  Profile is dynamically updated as activity changes  Should detect anomalies with fewer false alerts Necessary activities  Continuous monitoring of activity => profile  Partitioning of profile data into meaningful clusters  Characterizing deviation among clusters

7 WAC/ISSCI 2006 7 Time-variant profiling Representing user commands as tokens in an input stream allows the use of string- matching algorithms to characterize patterns over time  FLORA (and variations) uses supervised incremental learning to incrementally update knowledge about a pattern  Examines moving windows of token strings to determine pattern matches

8 WAC/ISSCI 2006 8 Time-variant profiling Clustering is accomplished through regression analysis  Defines cluster “value” as a function of multiple independent variables  Independent variables represent user command sequences from observed behavior

9 WAC/ISSCI 2006 9 Time-variant profiling Detecting deviation uses probabilistic reasoning  Markov modeling  Sequence alignment algorithms (bioinformatics) Needleman-Wunsch (global alignment) Smith-Waterman (local similarity)

10 WAC/ISSCI 2006 10 Current project status Evaluating functionality of string-matching algorithms Developing regression analysis formulae Determining how sequencing algorithms can be matched to a threshold value Future work includes implementing the system and measuring its effect on overall performance

Download ppt "WAC/ISSCI 20061 Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Applications of one-class classification

Applications of one-class classification
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.

Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.
Decision Making: An Introduction 1. 2 Decision Making Decision Making is a process of choosing among two or more alternative courses of action for the.

Decision Making: An Introduction 1. 2 Decision Making Decision Making is a process of choosing among two or more alternative courses of action for the.
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.

Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
seminar on Intrusion detection system

seminar on Intrusion detection system
Algorithms for variable length Markov chain modeling Author: Gill Bejerano Presented by Xiangbin Qiu.

Algorithms for variable length Markov chain modeling Author: Gill Bejerano Presented by Xiangbin Qiu.
Neural Technology and Fuzzy Systems in Network Security Project Progress Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress Group 2: Omar Ehtisham Anwar Aneela Laeeq
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Department Of Computer Engineering

Department Of Computer Engineering
Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.
Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.

Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Similar presentations

Ads by Google