Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches. ONR MURI area: High Confidence Real-Time Misuse and Anomaly Detection.

Presentation transcript:

Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches
ONR MURI area: High Confidence Real-Time Misuse and Anomaly Detection
Sampath Kannan, Wenke Lee, Insup Lee, Diana Spears, Oleg Sokolsky, William Spears, Linda Zhao

Misuse & Anomaly
- Misuse: unauthorized behavior specified by known message patterns called signatures.
- Anomaly: large deviations from specified or statistically expected behavior.

Our Goals
- Stronger misuse detection and misuse prediction.
- Combining statistical and specification-based anomaly detection.
- Space- and time-efficient algorithms to process large streams of traffic.
- A systems architecture to incorporate and facilitate our approaches (other poster).

Misuse Detection
- The most significant open problem in misuse detection: false negatives, i.e., errors of omission.
- Our MURI objectives:
  - Learn models of intruders and also of legitimate users
  - Apply the models for misuse detection
  - Use the models to predict future intruder behavior

Misuse Detection: Approach 1
- Model network traffic with Hidden Markov Models (HMMs)
- From interleaved sequences of observations, infer the parameters of individual Markov chains in order to model several users
- If there is an intruder, one of the Markov chains will capture his/her behavior
- Challenges:
  - Minimizing complexity and data needed
  - Use of prior knowledge
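The slide above proposes Hidden Markov Models fitted to interleaved observations. The following is an added example, not code from the poster or the MURI project, that shows the simpler observable-state version of the same idea: one first-order Markov chain is fitted per class of actor (a legitimate user, a previously learned intruder model), and a new event sequence is scored by its log-likelihood under each chain. The event vocabulary, the labelled training sequences and the function names are all constructed for illustration; a real deployment would learn the chains from audit data, and the hidden-state case needs expectation-maximization rather than plain counting.

```python
"""Added example (not the MURI project's code): per-actor first-order Markov
chains fitted by counting transitions, then used to score new sequences."""
from collections import Counter, defaultdict
from math import log

START = "<s>"   # pseudo-state preceding the first observation of a sequence


def fit_markov_chain(sequences, alphabet, alpha=1.0):
    """Estimate P(next | current) from labelled sequences with add-alpha
    (Laplace) smoothing so that unseen transitions keep a non-zero
    probability instead of making a whole sequence impossible."""
    counts = defaultdict(Counter)
    for seq in sequences:
        prev = START
        for sym in seq:
            counts[prev][sym] += 1
            prev = sym
    model = {}
    for prev in [START] + list(alphabet):
        total = sum(counts[prev].values()) + alpha * len(alphabet)
        model[prev] = {sym: (counts[prev][sym] + alpha) / total for sym in alphabet}
    return model


def log_likelihood(model, seq):
    """log P(seq | model) for a chain that always starts in START."""
    ll, prev = 0.0, START
    for sym in seq:
        ll += log(model[prev][sym])
        prev = sym
    return ll


def classify(models, seq):
    """Return (best_label, scores): the chain under which `seq` is most
    likely, plus every chain's log-likelihood for inspection."""
    scores = {label: log_likelihood(m, seq) for label, m in models.items()}
    return max(scores, key=scores.get), scores


# Constructed training data: symbolic event names stand in for observed
# traffic or command events; labels are "user" (legitimate) and "intruder".
ALPHABET = ["login", "ls", "cat", "edit", "compile", "scan", "probe", "logout"]
USER_SEQS = [
    ["login", "ls", "cat", "edit", "compile", "logout"],
    ["login", "ls", "edit", "compile", "compile", "logout"],
    ["login", "cat", "edit", "compile", "ls", "logout"],
]
INTRUDER_SEQS = [
    ["login", "scan", "probe", "probe", "cat", "logout"],
    ["login", "scan", "scan", "probe", "logout"],
    ["login", "probe", "scan", "probe", "cat", "logout"],
]
MODELS = {
    "user": fit_markov_chain(USER_SEQS, ALPHABET),
    "intruder": fit_markov_chain(INTRUDER_SEQS, ALPHABET),
}

if __name__ == "__main__":
    for seq in (["login", "ls", "edit", "compile", "logout"],
                ["login", "scan", "probe", "scan", "logout"]):
        label, scores = classify(MODELS, seq)
        print(label, {k: round(v, 2) for k, v in scores.items()})
```

Smoothing matters for the false-negative problem the previous slide names: without it, a single transition never seen in training would drive the likelihood to zero and the sequence could not be attributed to any model at all.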

Misuse Detection: Approach 2
- Apply Case-Based Reasoning (CBR) to maximize the flexibility for matching the model to the observations, thereby reducing errors of omission
- CBR will consist of:
  - Maintaining a library of prior attack signatures and other background knowledge
  - Flexible matching of signatures to detect new intrusions
  - Prediction of future intrusion behavior
  - Learning and storing new signatures in the library

Misuse Detection: Evaluation
- Will test the hypothesis that combined application of our two approaches results in fewer errors of omission than the leading alternative approaches

Anomaly Detection
- Two main approaches:
  - Specification-based: detect events that directly violate specifications of normal operations
  - Statistics-based: use normal profiles to detect anomalous events that are statistical and temporal in nature
- Need both

Specification-Based Detection
- Normal events can be modeled, e.g., as extended finite state machines (EFSMs)
- An intrusion detection system (IDS) checks events against the specification and detects violations; e.g., if an EFSM is used:
  - Verify that the current state is legitimate
  - Verify that the pre-conditions and post-conditions of the transition are met
  - Verify that the new state matches the expected transition

Statistics-Based Approach
- Statistical and temporal deviation detection
- Select and construct statistical features of normal operations, e.g., statistics on the states and transitions of the EFSMs
- Apply statistical (machine) learning tools to learn normal profiles, e.g., of the important EFSM states and transitions
- Use the profiles to detect anomalies

Our MURI Objectives
- A general framework to generate a specification-based model and a statistics-based model, and to combine the two models:
  - What events/models to specify
  - What statistical/temporal features to use
  - Which anomalies are covered by each model

Approach
- Start with a taxonomy of basic events of the target system
  - Any operation is some combination of basic events
  - Anomalies can be detected if their anomalous basic events are detected
- Investigate:
  - What is the proper granularity for basic events
  - Completeness of the taxonomy

Approach (cont'd)
- Model normal operations according to the system/protocol specification
  - Construct extended finite state machines (EFSMs) in terms of basic events
- Investigate:
  - Tools for constructing and validating the models

Approach (cont'd)
- Construct statistical and temporal features of the normal basic events
- Apply learning algorithms to generate normal profiles
- Detect statistical anomalies that are not detectable by the specification-based approach
- Investigate:
  - Automated feature construction and selection
  - Optimization of the tradeoff between model accuracy and efficiency
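The three Approach slides, together with the earlier Specification-Based Detection and Statistics-Based Approach slides, describe one pipeline: a taxonomy of basic events, an EFSM over those events whose transitions carry pre- and post-conditions, and statistical features over the EFSM's transitions from which a normal profile is learned. The following added example (not code from the poster or the MURI project) walks that pipeline on a deliberately simplified SMTP session. The basic events, the state and event names, the reply codes used as the observed "new state", the MAX_RCPT bound, the sample sessions and the z-score threshold are all constructed for illustration and are not a specification of real SMTP.

```python
"""Added example (not the MURI project's code): EFSM-based specification
checking over basic events of a simplified SMTP session, plus a statistical
profile of the same EFSM transitions for anomalies the spec cannot see."""
from collections import Counter
from statistics import mean, pstdev

# Basic-event taxonomy (constructed): an event is (client command, server reply).
EVENTS = {"HELO", "MAIL", "RCPT", "DATA", "END_DATA", "QUIT"}
MAX_RCPT = 100   # bound on the extended variable `rcpt`, enforced as a guard

# EFSM: (state, command) -> (next_state, expected_reply, pre-condition, update).
# Guards and updates read/write the extended-state dict `e`.
TRANSITIONS = {
    ("INIT", "HELO"):        ("GREETED",  250, lambda e: True,                 lambda e: None),
    ("GREETED", "MAIL"):     ("MAIL_SET", 250, lambda e: True,                 lambda e: e.update(rcpt=0)),
    ("MAIL_SET", "RCPT"):    ("RCPT_SET", 250, lambda e: e["rcpt"] < MAX_RCPT, lambda e: e.update(rcpt=e["rcpt"] + 1)),
    ("RCPT_SET", "RCPT"):    ("RCPT_SET", 250, lambda e: e["rcpt"] < MAX_RCPT, lambda e: e.update(rcpt=e["rcpt"] + 1)),
    ("RCPT_SET", "DATA"):    ("IN_DATA",  354, lambda e: e["rcpt"] >= 1,       lambda e: None),
    ("IN_DATA", "END_DATA"): ("GREETED",  250, lambda e: True,                 lambda e: None),
    ("GREETED", "QUIT"):     ("CLOSED",   221, lambda e: True,                 lambda e: None),
}
STATES = {s for s, _ in TRANSITIONS} | {t[0] for t in TRANSITIONS.values()}


def check_session(session):
    """Run the EFSM over one session.  Returns (violations, transition_counts).
    The checks follow the specification-based slide: legitimate current state,
    transition pre-condition, post-condition on the extended state, and the
    observed new state (here the server reply) matching the expected one."""
    state, ext, violations, counts = "INIT", {"rcpt": 0}, [], Counter()
    for i, (cmd, reply) in enumerate(session):
        if state not in STATES or state == "CLOSED":
            violations.append((i, cmd, f"illegitimate current state {state}"))
            break
        if cmd not in EVENTS:
            violations.append((i, cmd, "event outside the basic-event taxonomy"))
            continue
        rule = TRANSITIONS.get((state, cmd))
        if rule is None:
            violations.append((i, cmd, f"no transition from {state} on {cmd}"))
            continue
        nxt, expect_reply, pre, post = rule
        if not pre(ext):
            violations.append((i, cmd, f"pre-condition failed in {state} on {cmd}"))
            continue
        if reply != expect_reply:
            violations.append((i, cmd, f"reply {reply} does not match expected {expect_reply}"))
            continue
        post(ext)
        if not 0 <= ext["rcpt"] <= MAX_RCPT:                 # post-condition
            violations.append((i, cmd, "post-condition failed: rcpt out of range"))
            continue
        counts[(state, cmd, nxt)] += 1                      # statistical feature
        state = nxt
    return violations, counts


def profile(normal_sessions):
    """Normal profile: mean and standard deviation of each EFSM transition's
    per-session count, learned from sessions assumed to be normal."""
    per_session = [check_session(s)[1] for s in normal_sessions]
    keys = set().union(*per_session)
    return {k: (mean(c[k] for c in per_session), pstdev(c[k] for c in per_session))
            for k in keys}


def score_session(prof, counts, z_threshold=3.0):
    """Flag transitions never seen in normal sessions, or whose count lies more
    than z_threshold standard deviations above the learned mean."""
    flags = []
    for k, n in counts.items():
        if k not in prof:
            flags.append((k, n, "unseen transition"))
            continue
        mu, sd = prof[k]
        z = (n - mu) / sd if sd > 0 else (0.0 if n == mu else float("inf"))
        if z > z_threshold:
            flags.append((k, n, f"z={z:.1f}"))
    return flags


# Constructed sessions: three normal ones, one spec-valid but unusual bulk
# session, and one that exceeds the recipient guard.
OK = [("HELO", 250), ("MAIL", 250)]
END = [("DATA", 354), ("END_DATA", 250), ("QUIT", 221)]
NORMAL = [
    OK + [("RCPT", 250)] + END,
    OK + [("RCPT", 250)] * 2 + END,
    OK + [("RCPT", 250), ("DATA", 354), ("END_DATA", 250), ("MAIL", 250), ("RCPT", 250)] + END,
]
BULK = OK + [("RCPT", 250)] * 50 + END
OVERFLOW = OK + [("RCPT", 250)] * (MAX_RCPT + 1) + END

if __name__ == "__main__":
    prof = profile(NORMAL)
    for name, s in (("bulk", BULK), ("overflow", OVERFLOW)):
        viol, counts = check_session(s)
        print(name, "violations:", viol, "profile flags:", score_session(prof, counts))
```

The bulk session passes every EFSM check (fifty recipients is within the guard) and is caught only by the transition-count profile, which is the "anomalies not detectable by the specification-based approach" case of the slide; the overflow session is the reverse, a single guard failure that needs no statistics. Keeping the statistical features defined over EFSM transitions is what lets the two models share one event taxonomy.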

Validation
- Case studies using representative network protocols (e.g., SMTP, HTTP)
- Comparative studies using COTS systems and the intrusion detection algorithms from this research

Data Stream Model
- Properties of a network IDS:
  - Real-time operation
  - Memory much smaller than the number of packets processed
- The Data Stream Model formalizes this scenario.
- Goal: use algorithm design techniques for this model to solve ID problems.
- Example: can detect large anomalies in the day-to-day behavior of some sites.
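The slide states the constraint (memory far smaller than the number of packets, one pass, real time) and the example payoff (large day-to-day anomalies) without naming an algorithm. The following added example, not code from the poster or the MURI project, shows one standard streaming technique that fits the constraint, the Misra-Gries frequent-items summary: with at most k-1 counters it is guaranteed to retain every destination that receives more than 1/k of the packets, and comparing today's summary against yesterday's surfaces a sudden burst. The host names, packet counts and the choice of k are constructed for illustration.

```python
"""Added example (not the MURI project's code): bounded-memory heavy-hitter
detection over a packet stream, and a day-over-day comparison of the result."""


def misra_gries(stream, k):
    """One-pass frequent-items summary holding at most k-1 counters.
    Any item whose true count exceeds n/k is retained, and each retained
    count underestimates the true count by at most n/k (n = items seen)."""
    counters, n = {}, 0
    for item in stream:
        n += 1
        if item in counters:
            counters[item] += 1
        elif len(counters) < k - 1:
            counters[item] = 1
        else:
            # Counters are full: decrement all of them (the new item is
            # implicitly decremented too) and drop any that reach zero.
            for key in list(counters):
                counters[key] -= 1
                if counters[key] == 0:
                    del counters[key]
    return counters, n


def heavy_hitters(stream, k):
    """Items whose summary count exceeds n/k.  Summary counts never exceed
    true counts, so every item reported truly exceeds the threshold."""
    counters, n = misra_gries(stream, k)
    return {item: c for item, c in counters.items() if c > n / k}


def new_heavy_hitters(yesterday, today, k):
    """Destinations that dominate today's stream but did not dominate
    yesterday's: a cheap signal of a large day-to-day change."""
    return sorted(set(heavy_hitters(today, k)) - set(heavy_hitters(yesterday, k)))


def packets(day_spec):
    """Constructed stream: expand (destination, packet_count) pairs into a
    round-robin interleaved sequence so no destination is contiguous."""
    remaining = dict(day_spec)
    out = []
    while remaining:
        for host in list(remaining):
            out.append(host)
            remaining[host] -= 1
            if remaining[host] == 0:
                del remaining[host]
    return out


HOSTS = [f"host-{i:02d}" for i in range(20)]                  # placeholder names
YESTERDAY = [(h, 50) for h in HOSTS]                            # flat: 1000 packets
TODAY = [(h, 450 if h == "host-07" else 50) for h in HOSTS]     # burst to one host

if __name__ == "__main__":
    k = 10
    print("yesterday:", heavy_hitters(packets(YESTERDAY), k))
    print("today:", heavy_hitters(packets(TODAY), k))
    print("new heavy hitters:", new_heavy_hitters(packets(YESTERDAY), packets(TODAY), k))
```

With k = 10 the summary uses nine counters regardless of how many packets or distinct destinations pass, which is exactly the memory-versus-stream-length relationship the slide requires. The price is approximation: a destination just under the 1/k share can be missed, and reported counts are lower bounds, so the summary is a triage signal to be confirmed against fuller data rather than an exact count.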