Advance in Intrusion Detection Techniques. Associate Prof. Fang Xianjin, Computer Science & Engineering School of AUST.


Outline
Context of computer security problem
Brief summaries of computer security system
What is IDS?
Architecture and Classification of IDS
Intrusion detection techniques
My current research works
Questions and answer

Context of computer security problem 2006 Annual Report by CNCERT/CC

Context of computer security problem
From 19th June to 31st December 2006, 18,912 samples had been captured by CNCERT/CC's honeynet.

Brief summaries of computer security system
Multi-layer defense: the first layer is static access mechanisms, such as passwords and file permissions.
Disadvantages:
– Limited in their ability to provide comprehensive security;
– Overly restrictive for legitimate users of the computer system.

Brief summaries of computer security system
Multi-layer defense: the second layer is cryptography, which is used to provide secure channels and host authentication. Another layer is the firewall, which filters out undesirable network traffic in a network system.

Brief summaries of computer security system
Multi-layer defense: the latest layer of defense is provided by dynamic protection systems that can detect and prevent intrusion, known as Intrusion Detection Systems (IDS).

What is IDS?
Mathematical description for IDS:
U: universe set
S: normal/legitimate/acceptable pattern set (self set)
N: anomalous/illegitimate/unacceptable pattern set (nonself set)
S ∪ N = U, S ∩ N = Ф
IDS = (f, M), where f is a nonlinear classification function and M is the detection range of the detection system, f: U*×U → {normal, anomalous}
[Figure: Venn diagram of U and the detection range M, showing the self and nonself regions and marking false positives and false negatives]

IDS Architecture and Classification for IDS
Architecture of IDS
[Figure: IDS components: Sensor, Analyzer, Knowledge base, Response/control, Policy/control info, Alert, Analysis console]

IDS Architecture and Classification for IDS
Classification of IDS
– On the basis of detection techniques:
  Misuse detection (signature-based): high detection rate, high false negative rate, low false positive rate
  Anomaly detection: low detection rate, high false positive rate
– On the basis of data input:
  HIDS, NIDS, Hybrid IDS

Intrusion Detection Techniques
Misuse detection – Method based on Expert system (P-BEST)
Firstly, according to experiment, create the knowledge base (attack signature base)
Secondly, update the knowledge by using learning and adaptive capacity
For example: EMERALD, eXpert-BSM (developed by SRI International)

Intrusion Detection Techniques
Misuse detection – Method based on TCP/IP Protocol Analysis
Decoding each packet at every layer of the TCP/IP architecture
For example: when both the SYN and FIN flags of a TCP packet are set to 1, we can conclude that a port-scanning attack has occurred.
Features: high performance, more accurate, resistant to evasion attacks, low resource requirement
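The protocol-analysis check above, written out as an added example (not code from the presentation): a decoder for the fixed TCP header and a flag check that raises the SYN+FIN signature from the slide; it also covers the NULL and FIN+PSH+URG combinations, which are illegal flag sets of the same kind. The packets are constructed 20-byte headers, not captured traffic.

```python
import struct
from typing import Optional

# TCP flag bits in the low byte of the offset/flags word (RFC 793 order)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into its fields."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urgp = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x3F,              # low six bits: URG..FIN
        "window": win,
    }

def classify_flags(flags: int) -> Optional[str]:
    """Return a signature name for an illegal flag combination, else None.
    SYN+FIN is the case the slide gives; NULL and FIN+PSH+URG are the other
    classic protocol-violation signatures (added here)."""
    if flags & SYN and flags & FIN:
        return "SYN+FIN (port-scan signature)"
    if flags == 0:
        return "NULL (no flags set)"
    if flags & FIN and flags & PSH and flags & URG:
        return "FIN+PSH+URG (XMAS scan signature)"
    return None

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte header (data offset 5 words) for test traffic."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, off_flags, 65535, 0, 0)

def inspect(raw: bytes) -> Optional[str]:
    """Decode one header and return the matching signature, if any."""
    return classify_flags(parse_tcp_header(raw)["flags"])

if __name__ == "__main__":
    # constructed sample packets: a normal SYN and a SYN+FIN packet
    for name, pkt in [("normal SYN", build_tcp_header(40000, 80, SYN)),
                      ("SYN+FIN", build_tcp_header(40000, 80, SYN | FIN))]:
        print(name, "->", inspect(pkt) or "no alert")
```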

Intrusion Detection Techniques
Misuse detection – Method based on Pattern-matching
For example: SNORT IDS (open source software, Sourcefire Company)

Intrusion Detection Techniques
Anomaly detection – Statistical analysis methodology
Creating a profile database of normal behavior by analyzing a large amount of system data;
Adaptively learning the normal pattern database;
Comparing audit data from the system with the normal behavior profile; if the comparison result exceeds the threshold, an attack event may have happened.
Conventional statistical models:
– Average value and standard deviation model
– Markovian model
– Time/session/connection sequence model
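The average value and standard deviation model from the slide, as an added example (not code from the presentation): a profile for one numeric audit feature is trained on data assumed normal, each new observation is compared with it in units of standard deviations, and the profile adapts only with observations it judged normal. The sample counts are constructed values standing in for, say, failed logins per hour.

```python
from statistics import mean, stdev
from typing import List, Optional

class MeanStdProfile:
    """Normal-behaviour profile for one numeric audit feature."""

    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold   # alert when |z| exceeds this many std devs
        self.mu = 0.0
        self.sigma = 0.0
        self.samples: List[float] = []

    def train(self, values: List[float]) -> None:
        """Build the profile from a window of audit data assumed to be normal."""
        if len(values) < 2:
            raise ValueError("need at least two samples")
        self.samples = list(values)
        self._refit()

    def _refit(self) -> None:
        self.mu = mean(self.samples)
        self.sigma = stdev(self.samples)

    def score(self, x: float) -> float:
        """Deviation of x from the profile, in standard deviations."""
        if self.sigma == 0:
            return 0.0 if x == self.mu else float("inf")
        return abs(x - self.mu) / self.sigma

    def check(self, x: float, adapt: bool = True) -> Optional[str]:
        """Compare one observation with the profile. Adaptive learning only
        absorbs observations judged normal, so a sustained attack does not
        slowly drag the baseline towards itself."""
        z = self.score(x)
        if z > self.threshold:
            return f"anomaly: {x} is {z:.1f} std devs from mean {self.mu:.2f}"
        if adapt:
            self.samples.append(x)
            self._refit()
        return None

if __name__ == "__main__":
    # constructed training window: failed logins per hour on a quiet day
    profile = MeanStdProfile(threshold=3.0)
    profile.train([2, 3, 2, 4, 3, 2, 3, 4, 3, 2])
    for observed in (3, 20):
        print(observed, "->", profile.check(observed) or "normal")
```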

Intrusion Detection Techniques
Anomaly detection – Method based on Artificial Neural Network
Creating a signature profile of the system by learning from a large number of samples in the training set
Predicting the relationship between input data and output data
Comparison with a threshold

Intrusion Detection Techniques Anomaly detection – Data mining approaches for intrusion detection The key ideas are to use data mining techniques to discover consistent and useful patterns of system features that describe program and user behavior, and use the set of relevant system features to compute (inductively learned) classifiers that can recognize anomalies and known intrusions.

Intrusion Detection Techniques Anomaly detection – Agent-based distributed intrusion detection framework

Intrusion Detection Techniques
Anomaly detection – Artificial immune model for intrusion detection system
Some terms in the Natural Immune System (NIS):
T-cell, B-cell
Antigen, epitope, receptor
Antibody, paratope
Affinity
Immune recognition
Immune tolerance
Immune memory
Autoimmune response
Vaccine

Intrusion Detection Techniques
Anomaly detection – Artificial immune model for intrusion detection system
Self set (learned by using the training set)
Detector set (generated randomly)
Negative selection algorithm (yields the non-self detector set)
Anomaly detection
Clonal selection algorithm
Dynamic clonal selection algorithm
Genetic algorithm based on immunity
r-contiguous match algorithm
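The negative selection step with the r-contiguous match rule, as an added example (not code from the presentation): random candidate detectors are censored against the self set, and the survivors then flag any sample they match. The self strings are constructed bit patterns standing in for encoded normal-traffic features; the encoding of real connections is outside this example.

```python
import random
from typing import List, Set

def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """True if a and b agree in at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def negative_selection(self_set: Set[str], length: int, r: int,
                       n_detectors: int, seed: int = 0,
                       max_tries: int = 100000) -> List[str]:
    """Generate random candidates and keep only those matching no self string
    (immune tolerance); the survivors form the detector set."""
    rng = random.Random(seed)
    detectors: List[str] = []
    tries = 0
    while len(detectors) < n_detectors and tries < max_tries:
        tries += 1
        cand = "".join(rng.choice("01") for _ in range(length))
        if any(r_contiguous_match(cand, s, r) for s in self_set):
            continue                      # matches self: censor the candidate
        if cand not in detectors:
            detectors.append(cand)
    return detectors

def is_nonself(sample: str, detectors: List[str], r: int) -> bool:
    """Anomaly detection: any detector that matches the sample fires."""
    return any(r_contiguous_match(sample, d, r) for d in detectors)

def detector_false_positives(self_set: Set[str], detectors: List[str], r: int) -> int:
    """Self strings wrongly flagged; zero by construction after censoring."""
    return sum(is_nonself(s, detectors, r) for s in self_set)

if __name__ == "__main__":
    # constructed self set: two 8-bit "normal" patterns
    normal = {"00000000", "11111111"}
    dets = negative_selection(normal, length=8, r=4, n_detectors=5, seed=7)
    print("detectors:", dets)
    print("self false positives:", detector_false_positives(normal, dets, 4))
    print("01011010 nonself?", is_nonself("01011010", dets, 4))
```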

Intrusion Detection Techniques
Anomaly detection – Artificial immune model for intrusion detection system
The LISYS model is as follows:

Intrusion Detection Techniques
[Figure: the LISYS model; the diagram is not included in the transcript]

Anomaly detection – Artificial immune model for intrusion detection system
The following is Kim's conceptual model for intrusion detection:

Intrusion Detection Techniques
[Figure: Kim's conceptual model for intrusion detection; the diagram is not included in the transcript]

My current research works
Topic: research on immune model for intrusion detection system
Design an artificial immune model with a vaccine operator for network intrusion detection
Study the immune evolutionary algorithm of the detector population
Implement intrusion detection on the network layer, transport layer and application layer
Analyze the detection rate, false positive rate, detector coverage and detector holes in theory


Thank you!

Questions?