Fusing Multiple Sensors to Detect Network Traffic Anomalies - A Control Theoretic Model
Mahsa Kiani, Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani
Faculty of Computer Science, UNB Fredericton

1. Introduction
Generally, Intrusion Detection Systems (IDSs), special-purpose devices that detect network anomalies and attacks, use one of two approaches: misuse detection and anomaly detection. In misuse detection, the search for evidence of attacks is based on the signatures of known attacks. In anomaly detection, a deviation from the model of normal behaviour is treated as an attack or anomaly. Both kinds of IDS have their own advantages and disadvantages. The advantages of misuse detection are good accuracy, a low false alarm rate and enough information about the type of detected attack for the system administrator; its drawbacks are the difficulty of gathering the required information on known attacks and of keeping it up to date as new vulnerabilities appear. The main advantage of anomaly detection over misuse detection is that it can detect attempts to exploit new and unforeseen vulnerabilities; however, it has a high false alarm rate.

2. Motivation
To combine the advantages of both misuse and anomaly detection, hybrid detection has been proposed. Currently two ways exist to combine IDSs: sequence based (Figure 1) and parallel based (Figure 2). Sequence based approaches might not provide full coverage of attack types, because of the filtering of malicious (normal) traffic, and the sequential processing prolongs detection and makes real-time detection impossible. In contrast, parallel based hybrid IDSs provide wide coverage of intrusions and have the potential to detect previously unknown attacks. One of the biggest challenges for parallel based IDSs is how to make accurate inferences that minimize the number of false alarms and maximize detection accuracy.

3. General Architecture of the Proposed Detection Framework
[Figure: Raw Packets -> Feature Analysis -> Features based on Flows -> Multi-Sensor based IDS (Sensor 1, Sensor 2, ..., Sensor m) -> Flows with Attacking Probabilities]
The proposed multi-sensor IDS has been evaluated with the full 1999 DARPA intrusion detection dataset, using network flow data for each specific day. 15 features have been considered to describe the entire traffic behaviour on the network (Table I). Two detectors, one using the non-parametric Cumulative SUM (CUSUM) algorithm and one using an Expectation-Maximization (EM) based clustering technique, are considered, and a historical reputation matrix is set up according to the detection rate (DR) and the false positive rate (FPR) of each detector over a long history. The ratio of DR to FPR is used to measure the performance of each detector. The average DR, FPR and DR/FPR ratio for each feature over 9 days, for both detectors, are given in Table II and Table III.

4. Formalized Model for Multi-Sensor IDS
In the following model, F( … ) refers to features, which might be based on flows, packets, host logs, firewall/alert events, traffic behaviour or biometrics. Detection sensors are denoted by S (S_1, S_2, S_3, …, S_m), m different detection algorithms for intrusion detection. TRW refers to the Trust-Reputation Weight matrix, which measures the credibility of decisions. In particular, TRW_{S_j f_i} is the trust-reputation weight for feature f_i in sensor S_j, as distinct from the attacking probability generated by feature f_i and detection sensor S_j. FACount is the number of false alerts obtained from historical alerting reports. Based on FACount, a penalty factor and a reward factor are used to adjust the values of RW_{f_i S_j} and RW_{S_j} so as to minimize FACount.

5. Experimental Results
The results show that the hybrid system generated 105 correct alerts, fewer than the 161 correct alerts generated by the detector using the EM based clustering algorithm. The number of false alerts reported by the hybrid system, however, is 189, much smaller than the 799 false alerts of the clustering based detector.

6. Conclusions
Although the number of correct alerts reported by the hybrid system is a little smaller than the number reported by one of the individual detectors, the hybrid system reduces the number of false alerts considerably (24%). Future work consists of using more detectors, developing more evaluation metrics to judge fusion performance, and improving the system through dynamic programming.
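The weighted fusion and reward/penalty adjustment of sections 3 and 4, as an added example that is not part of the poster or the authors' code: the sensor and feature names, the DR/FPR history, the sample flows, the 0.5 alert threshold and the multiplicative reward (1.2) and penalty (0.5) factors are all constructed assumptions, since the poster does not give them.

```python
# Added example (not the paper's code): trust-reputation weighted fusion of several
# sensors, as sketched in sections 3-4. Sensor and feature names, the DR/FPR history,
# the flows, and the multiplicative reward/penalty rule are all constructed assumptions.

def initial_trw(history):
    """history[(sensor, feature)] = (DR, FPR) from historical alerting reports.
    The page measures each detector by the ratio DR/FPR, used here as the starting weight."""
    return {k: dr / max(fpr, 1e-6) for k, (dr, fpr) in history.items()}

def fuse(probabilities, trw, threshold=0.5):
    """Weighted attacking probability of one flow; returns (score, alert?)."""
    total = sum(trw[k] for k in probabilities)
    score = sum(trw[k] / total * p for k, p in probabilities.items())
    return score, score >= threshold

def update_trw(trw, probabilities, false_alert, reward=1.2, penalty=0.5, threshold=0.5):
    """Reward/penalty step once the alert is labelled: pairs that voted 'attack' are
    penalised for a false alert and rewarded for a correct one (assumed rule)."""
    new = dict(trw)
    for k, p in probabilities.items():
        if p >= threshold:
            new[k] *= penalty if false_alert else reward
    return new

def run(flows, trw):
    """flows: list of (probabilities, is_attack). Returns (correct_alerts, FACount, trw)."""
    correct = fa_count = 0
    for probs, is_attack in flows:
        _, alert = fuse(probs, trw)
        if alert:
            correct += is_attack
            fa_count += not is_attack
            trw = update_trw(trw, probs, false_alert=not is_attack)
    return correct, fa_count, trw

# Constructed history: (DR, FPR) per (sensor, feature); EM fires more often but is noisier.
HISTORY = {("CUSUM", "flows_per_sec"): (0.8, 0.2), ("EM", "flows_per_sec"): (0.9, 0.45),
           ("CUSUM", "bytes_per_flow"): (0.6, 0.1), ("EM", "bytes_per_flow"): (0.7, 0.35)}

# Constructed flows: attacking probability per (sensor, feature), plus ground truth.
FLOWS = [
    ({("CUSUM", "flows_per_sec"): 0.1, ("EM", "flows_per_sec"): 0.9,
      ("CUSUM", "bytes_per_flow"): 0.2, ("EM", "bytes_per_flow"): 0.8}, False),  # EM alone would alert
    ({("CUSUM", "flows_per_sec"): 0.6, ("EM", "flows_per_sec"): 0.9,
      ("CUSUM", "bytes_per_flow"): 0.3, ("EM", "bytes_per_flow"): 0.7}, False),  # fused false alert
    ({("CUSUM", "flows_per_sec"): 0.9, ("EM", "flows_per_sec"): 0.95,
      ("CUSUM", "bytes_per_flow"): 0.8, ("EM", "bytes_per_flow"): 0.9}, True),
]

if __name__ == "__main__":
    print(run(FLOWS, initial_trw(HISTORY)))
```

The first flow shows the point of the weighting: the noisier EM sensor alone would have raised a false alert, but its low DR/FPR reputation keeps the fused score below the threshold.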