Scientific Systems Not for Public Release SSCI #1301 DARPA OASIS PI MEETING – Santa Fe, NM - Jul 24-27, 2001 Intelligent Active Profiling for Detection.


SSCI #1301 DARPA OASIS PI MEETING – Santa Fe, NM - Jul 24-27, 2001
Intelligent Active Profiling for Detection and Intent Inference of Insider Threat in Information Systems
Joao B. D. Cabrera and Raman K. Mehra, Scientific Systems Company, Inc.
Lundy Lewis, Aprisma Inc.
Wenke Lee, North Carolina State Univ.
SBIR Phase I Topic No. SB Contract No. DAAH01-01-C-R027

Objective: Classifying and Responding to Insider Threats
Objectives: Design and evaluate IDSs capable of classifying and responding to Insider Threats; investigate the use of Network Management Systems as a vehicle.
* Misuse/Intrusion Tolerance is achieved by having an adequate and timely response.
* Technology: Statistical Pattern Recognition and AI for the design of detectors and classifiers; NMSs for data collection and response coordination.
* Approach: Utilize the Benchmark Problem for proof-of-concept studies; examine the applicability of NMSs and peripherals for monitoring and response.

Towards Adequate and Timely Response
Adequate:
1. High Accuracy – Few False Alarms, Lots of Detections.
2. Distinguish among attacks – Different attacks elicit different types of response.
3. Distinguish faults from attacks.
Timely: Detect the Attack before it is too late to respond.

Question 1: What threats/attacks is your project considering?
* Insider Attacks: Password stealing, unauthorized database access, snooping, etc.
* For proof-of-concept purposes, we investigated the Benchmark Problem of System Calls made by Unix's sendmail.
* However, the technologies and tools we are developing are applicable to any situation in which the observables are sequences of possibly correlated categorical variables – Audit Records by BSM in Unix or Object Access Auditing in Windows NT.

Question 2: What assumptions does your project make?
1. Data sets corresponding to normal, malicious and faulty behavior are available for the construction and testing of detection schemes – Training Stage and Testing Stage.
2. The observables for normal, malicious and faulty behavior are sequences of categorical variables.
3. Patterns capable of differentiating between different types of malicious activity and faults exist, and are learnable by special purpose algorithms – verified in the effort.
4. If 3. is possible, there is time to take preventive action when malicious activity is detected.

Question 3: What policies can your project enforce?
* If the detection system signals the presence of malicious activity, a response will be triggered.
* For the specific case of the Benchmark Problem, typical responses would be to kill the process, or delay its execution until it times out.
* Intent Inference gives the capability of specializing the response.
-> The project aims to develop a capability – Intent Inference – which can be used as a component of Intrusion Tolerant Architectures.

Benchmark Problem
Detect malicious activity by monitoring System Calls made by Privileged Processes in Unix
* Originally suggested by C. Ko, G. Fink, and K. Levitt –
* Extensively studied by the UNM Group (S. Forrest and others), starting with "A Sense of Self for Unix Processes" –
* Programs: sendmail, lpr, ls, ftp, finger ...
* Well Investigated Problem – Our results could be compared with previous efforts.
* We concentrated on sendmail – Data sets for six types of anomalies (five attacks and one fault) are available.

Benchmark Problem (cont.)
* UNM Finding: A relatively small dictionary of short sequences (901 sequences of length 6 for sendmail) provides a very good characterization of normality for several Unix processes.
* The dictionary is constructed using a Training Set of Normal behavior.
* Sequences not belonging to this dictionary are called abnormal sequences.
* Intrusions are detected if a process contains "too many" abnormal sequences.
* Processes are labeled as normal or intrusions – All intrusions receive the same label.

Privileged Programs and the space of OS calls

Anomaly Count Detector (UNM)
Determining the Threshold:
Anomalous Traces not available – Anomaly Detection Problem.
Anomalous Traces available – Classification Problem.

Anomaly Count Detector - Statistics
Typical Results: A2, A3, A4, A5 detectable (anomaly counts well above normal). A1 – decode intrusion – Not Detectable.

This Project: Specific Objectives and Accomplishments
1. Intent Inference: Demonstrated the feasibility of performing Intent Inference based on sequences of OS calls for sendmail. The classification results were quantified and compared with the detection results by UNM.
2. Fusion of Detection Systems: Demonstrated the improvement of detection rates gained by combining the proposed scheme for Intent Inference with the UNM scheme for detection based on Anomaly Counts.

Intent Inference
* We pose the problem of Intent Inference as distinguishing between types of attacks and faults using the sequences of OS calls.
* From the statistical point of view, this is a classification problem. The main issue is to find features that cluster the different types of attacks and faults.

Looking for Features
Returning to the space of OS Calls
* Balance between small within-class scatter (elements in each class as clustered as possible) and large between-class scatter (classes as separated as possible).
* The Abnormal Sequences corresponding to each Anomaly can also be viewed as Features. Do they have any Discriminating Power?

Discriminating Power of Anomalous Sequences (Anomalies for which Multiple Traces are available)
* It was observed that the Anomalous Sequences are distinct for each Anomaly Type (large between-class scatter), and appear consistently in all traces of a given Anomaly (small within-class scatter).
-> The Anomalous Sequences are good discriminators.

Why is this so?
* Anomalous Processes are the superposition of large sections of Normal Actions reflecting the Normal Behavior of the Program (typically 90%) and a small, concentrated sequence of very specific actions associated with the Anomaly.
* Different anomalies are related to different actions, and it is reasonable to expect that these distinctions would be apparent.
* It is remarkable however that this separation could be observed at the level of OS Calls.
-> The Anomalous Sequences serve as signatures for the Anomalies – These are statistical signatures, extracted by an automatic procedure, not by domain knowledge.

Constructing a Classifier based on Anomalous Sequences
1. Extract the Normal Dictionary.
2. For each Anomaly Type, record the corresponding Anomalous Sequences – Call the set of these sequences the Anomaly Dictionary for the Anomaly. After Training, there will be N Anomaly Dictionaries.
3. Incoming Processes are labeled according to matches with the Anomaly Dictionaries – the Anomaly with the most matches is selected.
4. Processes for which no match is found are labeled as Normal.

String Matching Classifier
* The operation is as simple as the Anomaly Count Detector, but the Memory Storage Requirements are typically 70% less.

Performance Evaluation (Testing Set – average of 4,000 combinations)
100% performance for A1 and A2 for k > 5. A1 is detected, which is not possible using Anomaly Counts. No False Alarms for k < 8.

Performance Evaluation (cont.)
Poor Performance for Unknown Anomalies – Mislabeled as one of the Known Anomalies. 20% of the Fault Anomalies are missed.

Improving the Performance of the String Matching Classifier
-> The Performance of the Classifier can be improved by combining it with the Anomaly Count Detector:
* Processes with Anomaly Counts above the Detection Threshold are labeled as Anomalous, regardless of matches with the Anomaly Dictionaries – following this procedure, the 20% of Faults are labeled as Unknown Anomalies.
* Anomalies with matches in more than one Anomaly Dictionary are labeled as Unknown Anomalies – following this procedure, the Unknown Anomalies A4 and A5 are correctly labeled.
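The UNM Anomaly Count Detector (Benchmark Problem slides), the String Matching Classifier (steps 1 to 4 above) and the two combination rules on this slide, implemented together as an added Python example. This is not the project's or UNM's code; the system call traces, the window length k=3 and the threshold are constructed toy values, not the sendmail data sets.

```python
from collections import defaultdict

def windows(trace, k):
    """All length-k windows, sliding by one call, over a trace of system call names."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_normal_dictionary(normal_traces, k):
    """Step 1: the dictionary of short sequences seen in the Normal training traces."""
    return {w for t in normal_traces for w in windows(t, k)}

def abnormal_windows(trace, normal_dict, k):
    """Windows of a trace that do not belong to the Normal Dictionary (with repeats)."""
    return [w for w in windows(trace, k) if w not in normal_dict]

def anomaly_count(trace, normal_dict, k):
    """The Anomaly Count Detector statistic: how many windows of the trace are abnormal."""
    return len(abnormal_windows(trace, normal_dict, k))

def build_anomaly_dictionaries(anomaly_traces, normal_dict, k):
    """Step 2: one Anomaly Dictionary per anomaly type, holding its abnormal sequences."""
    dicts = defaultdict(set)
    for name, traces in anomaly_traces.items():
        for t in traces:
            dicts[name].update(abnormal_windows(t, normal_dict, k))
    return dict(dicts)

def classify(trace, normal_dict, anomaly_dicts, threshold, k):
    """Combined detector: string matching against the Anomaly Dictionaries plus the
    anomaly-count threshold, with the two rules from the 'Improving' slide."""
    abnormal = abnormal_windows(trace, normal_dict, k)
    hits = [name for name, d in anomaly_dicts.items() if set(abnormal) & d]
    if len(hits) > 1:
        return "unknown"      # rule 2: matches in more than one Anomaly Dictionary
    if len(hits) == 1:
        return hits[0]        # known anomaly: the response can be specialised
    if len(abnormal) > threshold:
        return "unknown"      # rule 1: count above threshold but in no dictionary
    return "normal"           # no match and count within the normal range

# Constructed toy traces (not the UNM sendmail data); k=3 keeps them short.
K, THRESHOLD = 3, 2
NORMAL = [
    ["open", "read", "mmap", "mmap", "close", "write", "close"],
    ["open", "read", "mmap", "close", "write", "close", "exit"],
]
ANOMALIES = {  # one training trace per anomaly type; A1 and A2 are labels only
    "A1": [["open", "read", "mmap", "setuid", "execve", "write", "close"]],
    "A2": [["open", "read", "mmap", "mmap", "write", "write", "write", "write", "close"]],
}
NORMAL_DICT = build_normal_dictionary(NORMAL, K)
ANOMALY_DICTS = build_anomaly_dictionaries(ANOMALIES, NORMAL_DICT, K)

def label(trace):
    """Label an incoming process trace with the dictionaries trained above."""
    return classify(trace, NORMAL_DICT, ANOMALY_DICTS, THRESHOLD, K)
```

A trace with a single abnormal window that is in the A2 dictionary is labelled A2 even though its count (2) is not above the threshold, which is the situation the slides describe for the decode intrusion A1: missed by counts, caught by string matching.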

Summary (Phase I)
* Demonstrated the feasibility of using sequences of OS calls for the classification of Anomalies effected by Privileged Programs in Unix – String Matching Classifier.
* Correct classification of Anomalies allows a more specific response – an important capability for Intrusion Tolerance.
* Sequences of system calls were shown to be Statistical Signatures for the Anomalies.
* Combining the String Matching Classifier with the Anomaly Count Detector – The Anomaly Count Detector detects Unknown Attacks, while the String Matching Classifier allows accurate characterization of Known Attacks.

Further Work (Phase II)
-> Towards a Host-Based System for Classification of Intrusions
* Verify if the Paradigm of Statistical Signatures holds for other scenarios – Audit Trails in Unix and Windows NT.
* Combination of data-based schemes with Domain Knowledge – using Automated Rules to construct more complete Normal Dictionaries at the level of OS Calls.
* Integration with NMS modules:
  - At the System and Application Management Level: Using available COTS peripherals to construct a Host-Based IDS and the attending response infrastructure.
  - At the Network Management Level: Using the COTS systems to integrate the outputs of the IDS with other elements of the Infrastructure.