
Misuse and Anomaly Detection Sampath Kannan Wenke Lee Insup Lee Diana Spears Oleg Sokolsky William Spears Linda Zhao.


Slide 2: Misuse and Anomaly Detection
Sampath Kannan, Wenke Lee, Insup Lee, Diana Spears, Oleg Sokolsky, William Spears, Linda Zhao

Slide 3: Network Intrusion Detection Systems (NIDS)
- Important defense to protect sensitive information and resources on the network.
- Usually have the following functionalities:
  - Observe traffic and extract features.
  - Pattern match against a database of “attack signatures” to detect misuse (intrusion).
  - Observe statistical properties and check them against specifications of correct behavior to detect anomalies.

Slide 4: Shortcomings of Current NIDS
- New attack strategies arise constantly, and attack signature databases become obsolete rapidly.
- The volume and interleaving of traffic at the network backbone make complex signature recognition infeasible.

Slide 5: Shortcomings (cont’d)
- Anomaly detection algorithms are primitive; we want techniques that are both more scalable and more sophisticated.
- We want to reduce the number of false positives in anomaly detection to make it useful.

Slide 6: Our Approach
- Use machine learning, data mining, and case-based reasoning techniques to learn new intruder models on the fly.
- Build a taxonomy of possible anomalies; extract relevant features; use statistical and machine learning techniques to reduce the false-alarm rate.

Slide 7: Our Approach (cont’d)
- Apply sophisticated algorithms designed in the resource-constrained data stream model to NIDS.
- Integrate all of these modules into a MaC-based system architecture.

Slide 8: Existing Infrastructure
- Monitoring and Checking (MaC) architecture for run-time monitoring.
- User-specified instrumentation of running programs to extract important state changes (Primitive Event Definition Language, PEDL).
- User-specified conversion of these low-level events into abstract events relevant to the properties being checked (MEDL).
- Checker that processes the abstract event stream to monitor correctness.

Slide 9: Existing Infrastructure (cont’d)
- An experimental test-bed for testing the performance of intrusion and anomaly detection systems:
  - An enhancement of a similar set-up from MIT Lincoln Labs from the 1990s.
  - Models hacker profiles and a taxonomy of attacks, and generates “realistic” normal and attack traffic.
  - Metrics for evaluating the potency of attacks.

Slide 10: Using MaC for NIDS
- Need multiple Primitive Event Definition Languages (PEDLs) to model the different algorithmic techniques for extracting abstract events.
- Need dynamically changeable properties, since machine learning approaches keep discovering new attack signatures.
- Need an integration module that combines the results of the various modules.

Slide 11: Inferring Mixtures of Markov Chains (Batu, Guha, Kannan)
A theoretical result...

Slide 12: An example
- Network traffic log ... each party behaves like a Markov chain.
- Some parties are malicious.
- Can you tease out the malicious chains from a single common log?

Slide 13: Another Example: Browsing habits
- You read sports and cartoons. You’re equally likely to read either, and you do not remember what you read last.
- You’d expect a “random” sequence: SCSSCSSCSSCCSCCCSSSSCSC…

Slide 14: Suppose there are two
- I like health, entertainment, and fashion.
- I always read entertainment first, health next, and fashion last.
- The sequence would be EHFEHFEHFEHFEHFEHFEHF…

Slide 15: Two readers, one log file
- If there is one log file…
- Assume there is no correlation between us: SECHSSFECSHFESCSSHCFCESCHCCFSESHFESSHFE…
- Is there enough information to tell that there are two people browsing? What are they browsing? How are they browsing?

Slide 16: Clues in the stream?
- Yes! (under the model assumptions).
- H, E, F have a special relationship.
- They cannot belong to different (uncorrelated) people.
- Not clear about S and C... there could be 3 uncorrelated persons.
- SECHSSFECSHFESCSSHCFCESCHCCFSESHFESSHFE…

Slide 17: Markov Chains as Stochastic Sources
[Figure: a seven-state Markov chain (states 1 through 7) with labelled transition probabilities; example output sequence: 1 4 7 7 1 2 5 7 ...]

Slide 18: Markov chains on S, E, C, H, F
[Figure: the two readers modeled as chains; S and C are linked by transitions of probability 1/2, and H, E, F are linked by transitions of probability 1]

Slide 19: Problem Statement (informal)
- Two or more probabilistic processes.
- We are observing their interleaved behavior.
- We do not know which state belongs to which process (cold start).

Slide 20: The Problem
[Figure: MC1 emits 1 3 2 5 1 4 ..., MC2 emits 2 6 7 3 1 ...; their interleaving is the observed stream]
Observe: ... 2 6 1 3 2 7 5 3 1 4 1 ...
Infer: MC1, MC2, and the mixing parameters.

Slide 21: For our problem we assume:
- The stream is polynomially long in the number of states of each Markov chain (a rather long stream may be needed).
- C: maximum cover time.
- Q: upper bound on the denominator of any probability.
- Nonzero probabilities are bounded away from 0.
- Space available is some small polynomial in the number of states.
Under these assumptions, we can identify the individual chains if their state spaces are disjoint.
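The clue of slides 13 to 16 and the inference task of slides 19 to 21 can be checked on a constructed log. This is an added example, not code from the deck: it simulates the two readers, interleaves them with a hidden mixing parameter, then projects the shared log onto a hypothesised state space; a projection whose successor counts are deterministic is the signature of a single process, and that projection's share of the log estimates the mixing parameter. The chain dictionaries, `interleave`, `project` and the other helper names are my assumptions.

```python
import random
from collections import Counter, defaultdict

# Constructed illustration (not from the slides): the deck's two browsing
# processes. Reader 1 picks Sports or Cartoons with probability 1/2 and has no
# memory; reader 2 deterministically cycles Entertainment -> Health -> Fashion.
CHAIN_SC = {"S": {"S": 0.5, "C": 0.5}, "C": {"S": 0.5, "C": 0.5}}
CHAIN_EHF = {"E": {"H": 1.0}, "H": {"F": 1.0}, "F": {"E": 1.0}}

def step(chain, state, rng):
    """Draw the next state from the chain's transition row for `state`."""
    nxt, probs = zip(*chain[state].items())
    return rng.choices(nxt, weights=probs)[0]

def interleave(chains, starts, mix, n, seed=1):
    """One common log: each tick picks chain i with probability mix[i] (the
    unknown mixing parameter) and appends that chain's next state."""
    rng = random.Random(seed)
    states, log = list(starts), []
    for _ in range(n):
        i = rng.choices(range(len(chains)), weights=mix)[0]
        states[i] = step(chains[i], states[i], rng)
        log.append(states[i])
    return "".join(log)

def project(log, symbols):
    """Keep only the symbols of one hypothesised state space, in order."""
    return [s for s in log if s in symbols]

def transition_counts(seq):
    """Empirical successor counts: counts[a][b] = times b follows a."""
    counts = defaultdict(Counter)
    for a, b in zip(seq, seq[1:]):
        counts[a][b] += 1
    return counts

def is_deterministic(counts):
    """True when every observed state has exactly one successor: the
    'special relationship' the slides point out among H, E and F."""
    return all(len(succ) == 1 for succ in counts.values())

def mixing_estimate(log, symbols):
    """Share of the log emitted by the hypothesised chain (mixing parameter)."""
    return len(project(log, symbols)) / len(log)

LOG = interleave([CHAIN_SC, CHAIN_EHF], ["S", "F"], [0.5, 0.5], 2000)
# Projected onto {E,H,F} the log is the cycle E->H->F; onto {S,C} it is coin
# flips; on the full alphabet E, H and F each have several successors.
```

Trying every candidate subset this way is only practical for tiny alphabets; the cited result is about doing the same inference within the stream-model space bounds of slide 21.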

Slide 22: Research Directions
- Many exciting directions.
- Our research team has expertise in network security, machine learning, AI, real-time systems, and algorithm design.
- We expect interesting synergies between these strengths.

