Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evaluating a Real-time Anomaly-based IDS

Published byLydia Andrews Modified over 5 years ago

Similar presentations

Presentation on theme: "Evaluating a Real-time Anomaly-based IDS"— Presentation transcript:

1 Evaluating a Real-time Anomaly-based IDS
A.B. Ruighaver P.G. Thorne K. Tan Computer Forensic and System Security Group University of Melbourne, Australia

2 Anomaly-based Intrusion Detection
To detect the unauthorized use, misuse or abuse of a computer system. Not attack based (use a misuse IDS) Can detect masqueraders Finger prints user behavior Other intrusions ? Subjective (what is an intrusion ?) Anomaly only indicates possible intrusion

3 A Real-time Anomaly-based IDS
Neural network based Uses simple feed forward networks Does not predict next action in sequence, but whether current action is “normal behavior” Needs to be able to forget old behavior Uses standard system logs No need to permanently run auditing software Consumes minimal system resources Portability

4 Behavioral profiles Separate networks for each behavioral characteristic Commands Activity Time CPU usage Login Host Correlation network to build user profile

5 Evaluation Finger Print uniqueness Intrusive behavior
only briefly tested, seems to work well not sure whether we can identify an attacker Intrusive behavior external attacks (easy) insider threat (more difficult) Initial test data Student machine for one semester Host identification not reliable and removed

6 Preliminary Evaluation results
Some clear intrusions Some clear non-intrusions Most anomalies can not be classified A few accounts generate most anomalies Known incidents have been detected Command-time anomalies prevalent Many repeated anomalies Command is not a good indicator

7 Lessons Need good data set Need more behavior
No artificial data set, need varied behavior Need audit data to explain behavior May need to filter out repeated intrusions Need more behavior Tailor system to generate complex behavior Prevent detection of non-intrusive anomalies Need to have better response capabilities

8 Conclusions Finger print based on individual behavior
Indicates any change in individual behavior To identify intrusions need group behavior Need to create more behavior in system Anomaly-based IDS is not only a tool for detection but also a tool for prevention -> use it as a behavioral monitor

Download ppt "Evaluating a Real-time Anomaly-based IDS"

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
Data Mining for Intrusion Detection: A Critical Review Klaus Julisch From: Applications of data Mining in Computer Security (Eds. D. Barabara and S. Jajodia)

Data Mining for Intrusion Detection: A Critical Review Klaus Julisch From: Applications of data Mining in Computer Security (Eds. D. Barabara and S. Jajodia)
CS490D: Introduction to Data Mining Prof. Chris Clifton April 14, 2004 Fraud and Misuse Detection.

CS490D: Introduction to Data Mining Prof. Chris Clifton April 14, 2004 Fraud and Misuse Detection.
NATIONAL INSTITUTE OF SCIENCE & TECHNOLOGY Presented by:Manoj Kumar Gantayat CS:200118258 Technical Seminar Presentation - 2004 by MANOJ KUMAR GANTAYAT.

NATIONAL INSTITUTE OF SCIENCE & TECHNOLOGY Presented by:Manoj Kumar Gantayat CS: Technical Seminar Presentation by MANOJ KUMAR GANTAYAT.
Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.
Intrusion Detection Adam Ashenfelter Nicholas J. Tyrrell.

Intrusion Detection Adam Ashenfelter Nicholas J. Tyrrell.
IIT Indore © Neminah Hubballi

IIT Indore © Neminah Hubballi
Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.

Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.
Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.

Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.

Similar presentations

Ads by Google