Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Network Intrusion Detection An Immunological Approach Steven Hofmeyr Stephanie Forrest Patrik D’haeseleer Dept. of Computer Science University.

Published byJason Berry Modified over 8 years ago

Similar presentations

Presentation on theme: "Distributed Network Intrusion Detection An Immunological Approach Steven Hofmeyr Stephanie Forrest Patrik D’haeseleer Dept. of Computer Science University."— Presentation transcript:

1 Distributed Network Intrusion Detection An Immunological Approach Steven Hofmeyr Stephanie Forrest Patrik D’haeseleer Dept. of Computer Science University of New Mexico Albuquerque, NM { steveah, forrest, patrik}@cs.unm.edu http://cs.unm.edu/~steveah/research.html

2 Introduction Intrusion detection: –Assume that systems are not secure. –Attempt to detect violations of security policy (intrusions) by monitoring and analyzing system behavior. –Construct a model of normal behavior and look for deviations from the model (anomaly detection). Building the model (defining self): –TCP/IP traffic over a broadcast LAN. –Based on Network Security Monitor (NSM). Every computer on the network should participate in IDS: –Distributed detection –Use negative-selection algorithm Diversity of protection: –Permutation masks

3 Background: Defining Self The right approach: –Anomaly detection –Sparsely connected graph –Normal patterns reasonably stable –Attackers highly likely to perturb graph Disadvantages: –Heavyweight –Single point of failure –Not scalable NSM: Network Security Monitor (UCDavis) {Mukherjee et al. Network Intrusion Detection. IEEE Network, pp26-41, 1994}

4 The Biological Viewpoint Self (proteins) = normal datapath triples Nonself (proteins) = triples generated during an attack Universe = Self  Nonself Anomaly detection: –Detection system trained on self –Detection system classifies new triples as self (normal) or nonself (anomalous) NSM: a single monolithic detector matching self (positive detection)

5 How the Immune System Distributes Detection Advantages of distributed negative detection: –Localized (no communication costs) –Scalable –Tunable –Robust (no single point of failure) –Negative selection algorithm minimizes false positives Immune system: Many small detectors matching nonself (negative detection).

6 The Negative Selection Algorithm 1.Randomly generate a detector string. 2.Does the detector string match self? NO YES 3.If no, accept If yes, go to 1. (regenerate). ACCEPT REJECT Results in a set of valid detectors

7 Applying Negative Detection to Network Traffic Representation: –SYN packet triples mapped to 49-bit strings Generalized detection: –Partial matching with r-contiguous bits rule Consequences of Partial Matching: –Advantage: Lightweight (few detectors per host) –Disadvantage: Holes limit detection Holes

8 Problem: Holes limit detection for any partial match rule. Solution: A different permutation mask for each host. Overcoming Holes Result: In the broadcast network, detection is limited by the intersection of all hole sets.

9 Experimental Setup UNM CS subnet of 50 machines on a switched segment. –100 49-bit string detectors per machine Training set (self): –Collected over 43 days –1 266 000 TCP SYN packets –3763 unique binary self strings Normal test set (supposedly self): –Collected over 7 days –182 629 TCP SYN packets –626 unique binary self strings Abnormal test set (nonself): –8 different incidents, 7 real occurrences, 1 synthetic –Real abnormal behavior includes: massive portscanning, limited probing, address-space probing, local host compromise –Synthetic: 200 random connections between internal (LAN) hosts

10 Experimental Results Low false positives: –P(false positive per self string) = 0.000304 –55 strings, but only 10 unique –Effectively: under 2 false alarms per day High detection rates with few detectors –100% successful detection: 8 out of 8 abnormal incidents detected –Only 100 detectors per host Permutation masks improve detection –Up to an order of magnitude improvement –Overcomes hole limitation Normal is reasonably stable.

11 The Problem of Incomplete Self Sets (Suppose the training set is incomplete) Activation threshold: –Detector is not activated on every match. –Must have exceeded x matches before activation. –No time horizon. –Helps with stealth attacks (distributed in time). –Reduced false positives by an order of magnitude. Adaptive activation: –Tune local activation thresholds dynamically. –Whenever a detector matches its first pattern, the activation threshold for that computer is reduced by 1. –Has a time horizon (threshold gradually returns to default value). –Hypothesized to help with distributed coordinated attacks.

12 Experimental Results Intrusions with and without permutation masks

13 Experimental and Theoretical Results: Permutation Masks Overcome the Hole Limit

14 Pushing the Immune Metaphor The analogy thus far: –Distributed networks and immunology – Combining negative detection and network intrusion detection –Diversity via permutation masks For the future: –Distributed generation of detectors –Dynamic detector sets –Adaptation and memory (misuse detection)

Download ppt "Distributed Network Intrusion Detection An Immunological Approach Steven Hofmeyr Stephanie Forrest Patrik D’haeseleer Dept. of Computer Science University."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
V-Detector: A Negative Selection Algorithm Zhou Ji, advised by Prof. Dasgupta Computer Science Research Day The University of Memphis March 25, 2005.

V-Detector: A Negative Selection Algorithm Zhou Ji, advised by Prof. Dasgupta Computer Science Research Day The University of Memphis March 25, 2005.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
CIFD: Computational Immunology for Fraud Detection

CIFD: Computational Immunology for Fraud Detection
Architecture For An Artificial Immune System S. A. Hofmeyr and S. Forrest.

Architecture For An Artificial Immune System S. A. Hofmeyr and S. Forrest.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
1 Learning to Detect Objects in Images via a Sparse, Part-Based Representation S. Agarwal, A. Awan and D. Roth IEEE Transactions on Pattern Analysis and.

1 Learning to Detect Objects in Images via a Sparse, Part-Based Representation S. Agarwal, A. Awan and D. Roth IEEE Transactions on Pattern Analysis and.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.

Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Immunity by Design: An Artificial Immune System Paper: Steven A. Hofmeyr, Stephanie Forrest Presentation: Joseph Niehaus.

Immunity by Design: An Artificial Immune System Paper: Steven A. Hofmeyr, Stephanie Forrest Presentation: Joseph Niehaus.
Artificial Immune Systems Our body’s immune system is a perfect example of a learning system. It is able to distinguish between good cells and potentially.

Artificial Immune Systems Our body’s immune system is a perfect example of a learning system. It is able to distinguish between good cells and potentially.
Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)
seminar on Intrusion detection system

seminar on Intrusion detection system
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google