Anomaly Based Intrusion Detection System Using Naive Bayesian and Hidden Markov Models By Jonathan Lally ID: 12211753 Email: jonathan.lally6@mail.dcu.ie

What is an IDS? Proxy: Process Request & hide IP Firewall: Blocks unwanted connections (FTP) IDS: Analyses packet data Hack ESB

What is an IDS Goals Identify Prevent Learn Denial of Service Attack (DoS)

Location Backbone

Misuse Detectors Analyses Signatures IP address Port and count Packet flags SYN Flags: DoS Local Bouncer: Not you Bob

Misuse Detectors Advantages Disadvantages Known attacks Quick Regular patches Adaptive attackers Snort Adaptive Attackers: Changing attacks implementation

Anomaly Detectors Knows user habits Flags odd behaviour Blocks persistently flagged connections Club Bouncer

Anomaly Detectors Advantages Disadvantages Powerful Slow Blocks Unknown Attacks Disadvantages Slow False Positives Training Users aren’t predictable Safe Training Data

Hidden Markov Model Finite State Analysis

Hidden Markov Model Watches State Transitions Advantages Disadvantages Accurate Disadvantages Slow Memory Usage

Naive Bayesian Model Probability distribution of packet type Average connection: < 3RSTs, 8 SYNs, 48 ACKs, 1 FIN/ACKs, 40 PSH/ACKs > DoS attack: < 0 RSTs, 100 SYNs, 0 ACKs, 0 FIN/ACKs, 0 PSH/ACKs > Flooding with Hello packets

Naive Bayesian Model Advantages Disadvantages Fast Effective High False positives

My Experiment Hybrid Naive Bayesian Model with Hidden Markov Model

Previous Experiments Naive Bayesian based IDS Hidden Markov Model Vijayasarathy, R., Raghavan, S. V., & Ravindran, B. in “A system approach to network modeling for DDoS detection using a Naìve Bayesian classifier” 2011. Hidden Markov Model Rangadurai Karthick, R., Hattiwale, V. P., & Ravindran, B. In “Adaptive network intrusion detection system using a hybrid approach” in 2012 This Experiment: Time based Training data