WAC/ISSCI 2006: Automated Anomaly Detection Using Time-Variant Normal Profiling. Jung-Yeop Kim, Utica College; Rex E. Gantenbein, University of Wyoming.

Presentation transcript:

WAC/ISSCI: Automated Anomaly Detection Using Time-Variant Normal Profiling
Jung-Yeop Kim, Utica College; Rex E. Gantenbein, University of Wyoming

Automated intrusion detection

Intrusion detection determines that a system has been accessed by unauthorized parties. Detection can be manual or automated:
 Manual intrusion detection usually requires viewing of logs or user activity: labor-intensive, long reaction time
 Automated detection relies on continuous monitoring of system behavior within the system itself

Automated intrusion detection

Automated detection is based on one of two mechanisms:
 Misuse detection: define a set of “unacceptable” behaviors and raise an alert when system behavior matches some member(s) of that set
 Anomaly detection: create a profile of typical (“normal”) user behavior and raise an alert when a user attempts an activity that does not match his/her profile

Defining “normal” behavior

To determine normal user behavior, we must:
 Identify individual users
 Monitor their behavior over time to create a profile of expected activity
 Define measures for determining deviation from “normal”:
   Quantitative: network traffic < 20% of capacity
   Qualitative: file transfer remains within the internal network

Defining “normal” behavior

Using machine intelligence to detect intrusion:
 Observe sequences of user commands and save them as a profile
 Analyze new user commands using statistical similarity measures to compare them with the observed sequences
 Classify new behavior as anomalous or as consistent with past behavior
This approach does not deal with “concept drift”: the variation of a user's command sequences over time.

Time-variant profiling

Assumes that a user will change “normal” activities over time:
 Profile is dynamically updated as activity changes
 Should detect anomalies with fewer false alerts
Necessary activities:
 Continuous monitoring of activity => profile
 Partitioning of profile data into meaningful clusters
 Characterizing deviation among clusters

Time-variant profiling

Representing user commands as tokens in an input stream allows the use of string-matching algorithms to characterize patterns over time:
 FLORA (and its variations) uses supervised incremental learning to update knowledge about a pattern as new observations arrive
 Examines moving windows of token strings to determine pattern matches
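The two preceding slides contrast a static command-sequence profile, which cannot follow concept drift, with a moving-window profile that is updated incrementally as tokens arrive. The following example is added here to illustrate that contrast; it is not code from the authors' project. The command streams, the bigram-overlap similarity measure, the window size of 50 tokens and the alert threshold of 0.5 are all constructed assumptions, and the windowed profile is a simple sliding-window count, not an implementation of FLORA itself.

```python
from collections import Counter, deque
from itertools import islice

# Constructed sample command streams (not real audit data). The user's habits
# drift from an editing workflow to a build/test workflow; the third stream is
# a session that matches neither and should be flagged under either profile.
STREAM_EARLY = ["ls", "cd", "vim", "ls", "cat", "vim", "ls", "cd", "vim", "cat"] * 5
STREAM_LATE = ["cd", "make", "make", "pytest", "git", "make", "pytest", "git", "cd", "make"] * 5
SESSION_DRIFTED = STREAM_LATE[:10]        # the user's new, legitimate routine
SESSION_ANOMALOUS = ["sudo", "chmod", "nc", "wget", "chmod", "nc", "sudo", "wget", "nc", "chmod"]


def ngrams(tokens, n=2):
    """Consecutive n-token windows of a command sequence."""
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


def static_profile(history, n=2):
    """Static profile: n-gram counts over all observed history, never updated."""
    return Counter(ngrams(history, n))


class WindowedProfile:
    """Time-variant profile: n-gram counts over a moving window of the most
    recent `window` tokens (assumed window size). Each new token adds one
    n-gram and, once the window is full, retires the n-gram headed by the
    token that falls out, so the profile follows the user's current routine."""

    def __init__(self, window=50, n=2):
        assert window >= n
        self.n = n
        self.window = deque(maxlen=window)
        self.counts = Counter()

    def observe(self, token):
        if len(self.window) == self.window.maxlen:
            # The oldest token is about to be evicted; drop the n-gram it heads.
            evicted = tuple(islice(self.window, 0, self.n))
            self.counts[evicted] -= 1
            if self.counts[evicted] == 0:
                del self.counts[evicted]
        self.window.append(token)
        if len(self.window) >= self.n:
            start = len(self.window) - self.n
            self.counts[tuple(islice(self.window, start, None))] += 1


def similarity(profile, session, n=2):
    """Statistical similarity measure (assumed): fraction of the session's
    n-grams that appear in the profile. 1.0 means every transition was seen."""
    grams = ngrams(session, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if profile[g] > 0) / len(grams)


def classify(profile, session, threshold=0.5, n=2):
    """Raise an alert when similarity to the profile falls below the threshold."""
    score = similarity(profile, session, n)
    return ("anomalous" if score < threshold else "normal"), score


def run_demo():
    static = static_profile(STREAM_EARLY)
    dynamic = WindowedProfile(window=50)
    for tok in STREAM_EARLY + STREAM_LATE:   # the profile keeps learning as the user drifts
        dynamic.observe(tok)
    return {
        "static_vs_drifted": classify(static, SESSION_DRIFTED),
        "windowed_vs_drifted": classify(dynamic.counts, SESSION_DRIFTED),
        "static_vs_anomalous": classify(static, SESSION_ANOMALOUS),
        "windowed_vs_anomalous": classify(dynamic.counts, SESSION_ANOMALOUS),
    }


if __name__ == "__main__":
    for name, (verdict, score) in run_demo().items():
        print(f"{name:24s} {verdict:10s} similarity={score:.2f}")
```

Running it shows the failure mode the slides describe: the static profile trained on the early stream scores the user's drifted but legitimate session at 0.0 and raises a false alert, while the windowed profile has already absorbed the new routine and scores it 1.0. Both profiles still score the unrelated session at 0.0, so the moving window reduces false alerts without hiding a genuine deviation. The window size trades off how quickly drift is accepted against how long an attacker's activity would have to persist before it started to look "normal".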

Time-variant profiling

Clustering is accomplished through regression analysis:
 Defines cluster “value” as a function of multiple independent variables
 Independent variables represent user command sequences from observed behavior

Time-variant profiling

Detecting deviation uses probabilistic reasoning:
 Markov modeling
 Sequence alignment algorithms (from bioinformatics):
   Needleman-Wunsch (global alignment)
   Smith-Waterman (local similarity)
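To show what the two alignment algorithms named on this slide measure when applied to command tokens rather than nucleotides, the example below is added here; it is not the authors' code. The scoring scheme (match +2, mismatch -1, gap -1), the normalisation of scores, the recorded profile sequences, the test sessions and the alert threshold of 0.6 are assumptions chosen for illustration. How to map alignment scores to a threshold is listed on the next slide as open work, so the thresholding rule here is one possible choice, not the project's.

```python
# Constructed command sequences (not real audit data). PROFILE holds token
# sequences recorded as the user's "normal" behaviour; the sessions below are
# new observations to be scored against it.
PROFILE = [
    ["ls", "cd", "vim", "cat", "ls"],
    ["git", "make", "pytest", "git"],
]
SESSION_SAME = ["ls", "cd", "vim", "cat", "ls"]
SESSION_ONE_OFF = ["ls", "cd", "emacs", "cat", "ls"]            # one substituted command
SESSION_EMBEDDED = ["wget", "ls", "cd", "vim", "cat", "ls", "nc"]  # known routine inside unknown context
SESSION_FOREIGN = ["sudo", "chmod", "nc", "wget"]                 # nothing in common with the profile

MATCH, MISMATCH, GAP = 2, -1, -1   # assumed scoring scheme


def needleman_wunsch(a, b, match=MATCH, mismatch=MISMATCH, gap=GAP):
    """Global alignment score: every token of both sequences is either aligned
    or gapped, so extra or missing commands anywhere in the session cost points."""
    n, m = len(a), len(b)
    h = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        h[i][0] = i * gap
    for j in range(1, m + 1):
        h[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = match if a[i - 1] == b[j - 1] else mismatch
            h[i][j] = max(h[i - 1][j - 1] + s, h[i - 1][j] + gap, h[i][j - 1] + gap)
    return h[n][m]


def smith_waterman(a, b, match=MATCH, mismatch=MISMATCH, gap=GAP):
    """Local similarity score: best-scoring aligned sub-sequence. Cells are
    floored at 0, so unrelated prefixes and suffixes are simply ignored."""
    n, m = len(a), len(b)
    h = [[0] * (m + 1) for _ in range(n + 1)]
    best = 0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = match if a[i - 1] == b[j - 1] else mismatch
            h[i][j] = max(0, h[i - 1][j - 1] + s, h[i - 1][j] + gap, h[i][j - 1] + gap)
            best = max(best, h[i][j])
    return best


def score_session(profile, session):
    """Normalise each raw score by its maximum attainable value (assumed
    normalisation) and keep the best match over all recorded sequences."""
    global_best = max(needleman_wunsch(p, session) / (MATCH * max(len(p), len(session)))
                      for p in profile)
    local_best = max(smith_waterman(p, session) / (MATCH * min(len(p), len(session)))
                     for p in profile)
    return global_best, local_best


def classify(profile, session, threshold=0.6):
    """Alert when the best local similarity to any recorded sequence is below
    the threshold; the global score is reported alongside for comparison."""
    global_score, local_score = score_session(profile, session)
    verdict = "anomalous" if local_score < threshold else "normal"
    return verdict, round(global_score, 3), round(local_score, 3)


if __name__ == "__main__":
    for name, session in [("same", SESSION_SAME), ("one-off", SESSION_ONE_OFF),
                          ("embedded", SESSION_EMBEDDED), ("foreign", SESSION_FOREIGN)]:
        print(name, classify(PROFILE, session))
```

The embedded session is the instructive case: global alignment penalises the two unfamiliar commands around the known routine (normalised score 0.571), whereas local alignment finds the routine intact and scores it 1.0. Whether that session should count as normal depends on what the analyst wants to catch; a few unknown commands wrapped around familiar behaviour is exactly the kind of deviation a global measure would surface and a local one would not, which is why the choice of algorithm and threshold has to be made together.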

Current project status

 Evaluating functionality of string-matching algorithms
 Developing regression analysis formulae
 Determining how sequencing algorithms can be matched to a threshold value
Future work includes implementing the system and measuring its effect on overall performance.