Anomaly Based Intrusion Detection System Using Naive Bayesian and Hidden Markov Models
By Jonathan Lally
ID: 12211753
Email: jonathan.lally6@mail.dcu.ie
What is an IDS?
Proxy: processes requests and hides the client IP
Firewall: blocks unwanted connections (e.g. FTP)
IDS: analyses packet data
Hack ESB
What is an IDS? Goals
Identify, Prevent, Learn
Denial of Service attack (DoS)
Location: Backbone
Misuse Detectors
Analyses signatures: IP address; port and count; packet flags (many SYN flags: DoS)
Local bouncer analogy: "Not you, Bob"
Misuse Detectors
Advantages: known attacks; quick; regular patches
Disadvantages: adaptive attackers
Example: Snort
Adaptive attackers: change the implementation of the attack
Anomaly Detectors
Knows user habits
Flags odd behaviour
Blocks persistently flagged connections
Club bouncer analogy
Anomaly Detectors
Advantages: powerful; blocks unknown attacks
Disadvantages: slow; false positives; training (users aren't predictable; needs safe training data)
Hidden Markov Model
Finite state analysis
Hidden Markov Model
Watches state transitions
Advantages: accurate
Disadvantages: slow; memory usage
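As an added illustration of what "watching state transitions" means in practice (example code, not part of the slides or the author's experiment): a small hidden Markov model whose hidden states are the phases of a TCP connection and whose observations are the packet flag combinations. The forward algorithm gives the likelihood of an observed flag sequence under the model, and a sequence whose per-packet likelihood is far below what clean traffic scores is flagged. The states, symbols, every probability and the threshold are constructed by hand for the example; a real detector estimates them from safe training traffic.

```python
import math

# Added example (not from the slides): a hidden Markov model that scores a
# connection's packet-flag sequence by how likely the model finds it. The
# states, symbols and all probabilities below are constructed by hand for
# illustration; a real detector would estimate them from clean training traffic.
STATES = ("handshake", "transfer", "teardown")
SYMBOLS = ("SYN", "ACK", "PSH/ACK", "FIN/ACK", "RST")

# Initial state distribution: a new connection almost always starts in the handshake.
START = {"handshake": 0.98, "transfer": 0.01, "teardown": 0.01}

# State transition probabilities (row = current state, column = next state).
TRANS = {
    "handshake": {"handshake": 0.15, "transfer": 0.80, "teardown": 0.05},
    "transfer":  {"handshake": 0.02, "transfer": 0.90, "teardown": 0.08},
    "teardown":  {"handshake": 0.05, "transfer": 0.05, "teardown": 0.90},
}

# Emission probabilities: which flag combination each state tends to produce.
EMIT = {
    "handshake": {"SYN": 0.50, "ACK": 0.45, "PSH/ACK": 0.02, "FIN/ACK": 0.01, "RST": 0.02},
    "transfer":  {"SYN": 0.01, "ACK": 0.40, "PSH/ACK": 0.55, "FIN/ACK": 0.02, "RST": 0.02},
    "teardown":  {"SYN": 0.01, "ACK": 0.30, "PSH/ACK": 0.04, "FIN/ACK": 0.55, "RST": 0.10},
}


def _logsumexp(values):
    """Numerically stable log(sum(exp(v) for v in values))."""
    m = max(values)
    if m == -math.inf:
        return -math.inf
    return m + math.log(sum(math.exp(v - m) for v in values))


def log_likelihood(seq):
    """Forward algorithm in log space: log P(seq | model), summed over every
    hidden state path, so the detector never has to guess a single path."""
    if not seq:
        raise ValueError("empty observation sequence")
    unknown = [s for s in seq if s not in SYMBOLS]
    if unknown:
        raise ValueError(f"unknown symbols: {unknown}")
    # alpha[s] = log P(observations so far, current state = s)
    alpha = {s: math.log(START[s]) + math.log(EMIT[s][seq[0]]) for s in STATES}
    for sym in seq[1:]:
        alpha = {
            s: _logsumexp([alpha[p] + math.log(TRANS[p][s]) for p in STATES])
               + math.log(EMIT[s][sym])
            for s in STATES
        }
    return _logsumexp(list(alpha.values()))


def score(seq):
    """Average log-likelihood per packet, so sequences of different lengths compare."""
    return log_likelihood(seq) / len(seq)


def is_anomalous(seq, threshold=-2.0):
    """Flag a sequence whose per-packet likelihood falls below the threshold.
    The threshold is a constructed value for this toy model; in practice it is
    set from the score distribution of clean training sequences."""
    return score(seq) < threshold


# Constructed sample sequences (not captured traffic).
NORMAL_CONNECTION = ["SYN", "ACK", "PSH/ACK", "ACK", "PSH/ACK", "ACK", "FIN/ACK", "ACK"]
SYN_FLOOD = ["SYN"] * 12

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL_CONNECTION), ("syn flood", SYN_FLOOD)):
        print(f"{name:10s} score={score(seq):.2f} anomalous={is_anomalous(seq)}")
```

The per-packet normalisation is what makes the slide's "slow" and "memory usage" trade-off visible: the forward pass is linear in sequence length times the square of the state count, and the model must keep the per-state alpha values for every open connection it is watching.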
Naive Bayesian Model
Probability distribution of packet type
Average connection: < 3 RSTs, 8 SYNs, 48 ACKs, 1 FIN/ACK, 40 PSH/ACKs >
DoS attack: < 0 RSTs, 100 SYNs, 0 ACKs, 0 FIN/ACKs, 0 PSH/ACKs > (flooding with "hello" packets)
Naive Bayesian Model
Advantages: fast; effective
Disadvantages: high false positives
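The flag-count vectors on the previous slide are exactly the input a multinomial Naive Bayes classifier works on. The following is an added example (not the slides' or the author's code) that trains such a classifier on a handful of constructed windows shaped like the slide's "average connection" and "DoS attack" vectors, classifies new windows, and then turns the unnormalised scores into a posterior so that an alert can require a confidence bar rather than a bare argmax win, which is one of the levers against the high false positive rate the slide lists. The training windows and the 0.99 confidence value are constructed for the example.

```python
import math

# Added example (not from the slides): a multinomial Naive Bayes classifier over
# per-connection counts of TCP flag combinations, in the order used on the slide.
FLAGS = ("RST", "SYN", "ACK", "FIN/ACK", "PSH/ACK")

# Constructed training windows (flag counts per connection), modelled on the
# slide's "average connection" and "DoS attack" vectors; not real traffic.
TRAINING = {
    "normal": [(3, 8, 48, 1, 40), (2, 7, 52, 1, 38), (4, 9, 45, 2, 41)],
    "dos":    [(0, 100, 0, 0, 0), (0, 120, 1, 0, 0), (1, 95, 0, 0, 0)],
}


def train(training):
    """Estimate, per class, the prior and the probability that one observed
    packet carries each flag combination. Laplace (+1) smoothing keeps a flag
    never seen in a class from zeroing out the whole likelihood."""
    total_windows = sum(len(w) for w in training.values())
    model = {}
    for label, windows in training.items():
        totals = [sum(w[i] for w in windows) for i in range(len(FLAGS))]
        grand = sum(totals)
        model[label] = {
            "prior": len(windows) / total_windows,
            "flag_probs": [(t + 1) / (grand + len(FLAGS)) for t in totals],
        }
    return model


def log_posterior(model, counts):
    """Unnormalised log P(class | counts) for each class: log prior plus
    count * log P(flag | class) summed over the flag types (the naive
    independence assumption between flag types)."""
    if len(counts) != len(FLAGS):
        raise ValueError(f"expected {len(FLAGS)} counts, got {len(counts)}")
    scores = {}
    for label, params in model.items():
        s = math.log(params["prior"])
        for c, p in zip(counts, params["flag_probs"]):
            s += c * math.log(p)
        scores[label] = s
    return scores


def posterior(model, counts):
    """Normalise the log scores into probabilities (log-sum-exp avoids underflow)."""
    scores = log_posterior(model, counts)
    m = max(scores.values())
    z = sum(math.exp(v - m) for v in scores.values())
    return {label: math.exp(v - m) / z for label, v in scores.items()}


def classify(model, counts):
    """Most probable class for one window of flag counts."""
    scores = log_posterior(model, counts)
    return max(scores, key=scores.get)


def alert(model, counts, min_confidence=0.99):
    """Raise an alert only when the attack posterior clears a confidence bar.
    Requiring more than a bare argmax win is one lever against false positives;
    the 0.99 here is a constructed value, tuned on clean traffic in practice."""
    return posterior(model, counts)["dos"] >= min_confidence


MODEL = train(TRAINING)

if __name__ == "__main__":
    for window in [(3, 8, 48, 1, 40), (0, 100, 0, 0, 0), (1, 30, 20, 1, 10)]:
        print(window, classify(MODEL, window), f"P(dos)={posterior(MODEL, window)['dos']:.4f}")
```

Training is a single pass of counting, and classification is a handful of multiplications per window, which is where the slide's "fast" comes from; the price is that every flag type is treated as independent of the others, so a window with an unusual mix can score as an attack even when the sequence of packets was ordinary.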
My Experiment
Hybrid Naive Bayesian model with Hidden Markov Model
Previous Experiments
Naive Bayesian based IDS: Vijayasarathy, R., Raghavan, S. V., & Ravindran, B., "A system approach to network modeling for DDoS detection using a Naïve Bayesian classifier", 2011.
Hidden Markov Model: Rangadurai Karthick, R., Hattiwale, V. P., & Ravindran, B., "Adaptive network intrusion detection system using a hybrid approach", 2012.
This experiment: time-based training data