Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.


1 Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches
ONR MURI area: High Confidence Real-Time Misuse and Anomaly Detection
Sampath Kannan, Wenke Lee, Insup Lee, Diana Spears, Oleg Sokolsky, William Spears, Linda Zhao

2 Misuse & Anomaly
Misuse: Unauthorized behavior specified by known message patterns called signatures.
Anomaly: Large deviations from specified or statistically expected behavior.

3 Our Goals
Stronger misuse detection and misuse prediction.
Combining statistical and specification-based anomaly detection.
Space- and time-efficient algorithms to process large streams of traffic.
A systems architecture to incorporate and facilitate our approaches (other poster).

4 Misuse Detection
The most significant open problem in misuse detection: false negatives, i.e., errors of omission.
Our MURI objectives:
Learn models of intruders and also of legitimate users
Apply the models for misuse detection
Use the models to predict future intruder behavior

5 Misuse Detection: Approach 1
Model network traffic with Hidden Markov Models (HMMs)
From interleaved sequences of observations, infer the parameters of individual Markov chains in order to model several users
If there is an intruder, one of the Markov chains will capture his/her behavior
Challenges: minimizing the complexity and the data needed; use of prior knowledge

6 Misuse Detection: Approach 2
Apply Case-Based Reasoning (CBR) to maximize the flexibility for matching the model to the observations, thereby reducing errors of omission
CBR will consist of:
Maintaining a library of prior attack signatures and other background knowledge
Flexible matching of signatures to detect new intrusions
Prediction of future intrusion behavior
Learning and storing new signatures in the library

7 Misuse Detection: Evaluation
We will test the hypothesis that combined application of our two approaches results in fewer errors of omission than the leading alternative approaches

8 Anomaly Detection
Two main approaches:
Specification-based: detect events that directly violate specifications of normal operations
Statistics-based: use normal profiles to detect anomalous events that are statistical and temporal in nature
Need both

9 Specification-Based Detection
Normal events can be modeled, e.g., as extended finite state machines (EFSMs)
An intrusion detection system (IDS) checks events against the specification and detects violations; e.g., if an EFSM is used:
Verify that the current state is legitimate
Verify that the pre-conditions and post-conditions of the transition are met
Verify that the new state matches the expected transition
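
The three checks on slide 9, as an added example rather than the MURI project's own model: a small EFSM for a constructed, simplified SMTP dialogue (commands, reply codes, a per-message recipient limit MAX_RCPT and the variable rcpts are all assumptions). Each observed (command, reply) pair is checked against the current state, the transition's pre-condition on the EFSM variables, and the reply the specification expects for the new state; the post-condition then updates the variables.

```python
"""Specification-based checking of an SMTP-like session against an EFSM.

Added example, not the MURI project's own model: the protocol fragment, the
reply codes and the sample sessions below are a constructed, simplified SMTP.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Vars = Dict[str, int]          # the EFSM's extended state (variables)
MAX_RCPT = 3                   # assumed per-message recipient limit


@dataclass(frozen=True)
class Transition:
    src: str                                            # state the transition leaves
    event: str                                          # client command (the basic event)
    dst: str                                            # state it enters
    reply: int                                          # server reply the spec expects on this transition
    guard: Callable[[Vars], bool] = lambda v: True      # pre-condition on the variables
    action: Callable[[Vars], Vars] = lambda v: v        # post-condition: new variable values


def _add_rcpt(v: Vars) -> Vars:
    return {**v, "rcpts": v["rcpts"] + 1}


# Constructed specification of normal operation (a fragment of SMTP).
SPEC: List[Transition] = [
    Transition("INIT", "HELO", "READY", 250),
    Transition("READY", "MAIL", "MAIL_OK", 250, action=lambda v: {**v, "rcpts": 0}),
    Transition("MAIL_OK", "RCPT", "RCPT_OK", 250, action=_add_rcpt),
    Transition("RCPT_OK", "RCPT", "RCPT_OK", 250,
               guard=lambda v: v["rcpts"] < MAX_RCPT, action=_add_rcpt),
    Transition("RCPT_OK", "DATA", "IN_DATA", 354, guard=lambda v: v["rcpts"] >= 1),
    Transition("IN_DATA", "END_DATA", "READY", 250),
    Transition("READY", "QUIT", "CLOSED", 221),
]
TABLE = {(t.src, t.event): t for t in SPEC}


def check_session(events: List[Tuple[str, int]]):
    """Replay (command, reply_code) pairs through the EFSM.

    Returns (final_state, violations); each violation is (event_index, reason).
    A violating event is reported and skipped, so checking continues and every
    later violation in the same session is still found.
    """
    state, v, violations = "INIT", {"rcpts": 0}, []
    for i, (cmd, reply) in enumerate(events):
        t = TABLE.get((state, cmd))
        if t is None:                       # current state does not allow this event
            violations.append((i, f"{cmd} not allowed in state {state}"))
            continue
        if not t.guard(v):                  # pre-condition not met
            violations.append((i, f"pre-condition of {cmd} failed in {state}, vars={v}"))
            continue
        if reply != t.reply:                # new state does not match the expected transition
            violations.append((i, f"reply {reply} observed, spec expects {t.reply} for {state}->{t.dst}"))
            continue
        v = t.action(v)                     # apply post-condition
        state = t.dst
    return state, violations


# Constructed sessions: one conforming, one with DATA before any RCPT and too many RCPTs.
NORMAL = [("HELO", 250), ("MAIL", 250), ("RCPT", 250), ("DATA", 354), ("END_DATA", 250), ("QUIT", 221)]
BAD = [("HELO", 250), ("MAIL", 250), ("DATA", 354), ("RCPT", 250), ("RCPT", 250),
       ("RCPT", 250), ("RCPT", 250), ("QUIT", 221)]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL), ("bad", BAD)):
        print(name, *check_session(session))
```

On the BAD session the checker reports the DATA issued before any recipient, the fourth RCPT that breaks the guard, and the QUIT issued from a state that does not allow it, while still reaching a well-defined final state; the reply check catches a server that answers a command with a code the specification does not predict.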

10 Statistics-Based Approach
Statistical and temporal deviation detection
Select and construct statistical features of normal operations, e.g., statistics on the states and transitions of the EFSMs
Apply statistical (machine) learning tools to learn normal profiles, e.g., of the important EFSM states and transitions
Use the profiles to detect anomalies

11 Our MURI Objectives
A general framework to generate a specification-based model and a statistics-based model, and to combine the two models:
What events/models to specify
What statistical/temporal features to use
Which anomalies are covered by each model

12 Approach
Start with a taxonomy of basic events of the target system
Any operation is some combination of basic events
Anomalies can be detected if their anomalous basic events are detected.
Investigate:
What is the proper granularity for basic events
Completeness of the taxonomy

13 Approach (cont'd)
Model normal operations according to the system/protocol specification
Construct extended finite state machines (EFSMs) in terms of basic events
Investigate:
Tools for constructing and validating the models

14 Approach (cont'd)
Construct statistical and temporal features of the normal basic events
Apply learning algorithms to generate normal profiles
Detect statistical anomalies that are not detectable by the specification-based approach
Investigate:
Automated feature construction and selection
Optimization of the tradeoffs between model accuracy and efficiency
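
The statistics-based side described on slides 10 and 14, as an added example that is not the project's code: the features are counts of each state transition (consecutive command pair) in a session plus the session length, a normal profile is the per-feature mean and spread learned from constructed normal sessions, and a session is scored by its largest standardized deviation. The session flagged at the end breaks no transition rule of a specification without a recipient limit, which is the kind of anomaly slide 14 says the specification check alone cannot see. STD_FLOOR, the threshold and the sessions are assumptions; timing features would be appended to the same feature vector.

```python
"""Statistics-based profiling of EFSM transitions.

Added example, not the MURI project's code: sessions are constructed command
sequences; features are transition counts plus session length.
"""
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Feature = Tuple[str, str]            # a transition, or ("len", "") for the session length
STD_FLOOR = 0.5                      # assumed: keeps a constant feature from dividing by zero


def features(session: List[str]) -> Counter:
    """Transition counts (prev, cur) starting from a virtual START state, plus length."""
    f = Counter(zip(["START"] + session[:-1], session))
    f[("len", "")] = len(session)
    return f


def learn_profile(sessions: List[List[str]]) -> Dict[Feature, Tuple[float, float]]:
    """Per-feature mean and (floored) population standard deviation over normal sessions."""
    vecs = [features(s) for s in sessions]
    keys = set().union(*vecs)
    return {k: (mean(v[k] for v in vecs), max(pstdev(v[k] for v in vecs), STD_FLOOR))
            for k in keys}


def anomaly_score(profile: Dict[Feature, Tuple[float, float]], session: List[str]) -> float:
    """Largest standardized deviation of any feature; a transition never seen in
    training is scored against mean 0, so novel transitions also raise the score."""
    f = features(session)
    score = 0.0
    for k in set(profile) | set(f):
        mu, sd = profile.get(k, (0.0, STD_FLOOR))
        score = max(score, abs(f.get(k, 0) - mu) / sd)
    return score


def is_anomalous(profile, session: List[str], threshold: float = 3.0) -> bool:
    return anomaly_score(profile, session) > threshold


# Constructed normal sessions of a simplified SMTP dialogue.
NORMAL_SESSIONS = [
    ["HELO", "MAIL", "RCPT", "DATA", "END_DATA", "QUIT"],
    ["HELO", "MAIL", "RCPT", "RCPT", "DATA", "END_DATA", "QUIT"],
    ["HELO", "MAIL", "RCPT", "DATA", "END_DATA", "MAIL", "RCPT", "DATA", "END_DATA", "QUIT"],
    ["HELO", "MAIL", "RCPT", "RCPT", "DATA", "END_DATA", "QUIT"],
    ["HELO", "MAIL", "RCPT", "DATA", "END_DATA", "QUIT"],
]
PROFILE = learn_profile(NORMAL_SESSIONS)

# Constructed test sessions: an ordinary one, and one whose RCPT->RCPT count (29)
# lies far outside the normal profile although each command is individually legal.
NORMAL_TEST = ["HELO", "MAIL", "RCPT", "RCPT", "DATA", "END_DATA", "QUIT"]
MANY_RCPT = ["HELO", "MAIL"] + ["RCPT"] * 30 + ["QUIT"]

if __name__ == "__main__":
    for s in (NORMAL_TEST, MANY_RCPT):
        print(round(anomaly_score(PROFILE, s), 1), is_anomalous(PROFILE, s))
```

With five training sessions the spread of most features is tiny, which is why the floor matters: without it a single extra RCPT would divide by zero. In practice the profile is learned from far more sessions, and the threshold is tuned against the false-alarm rate on held-out normal traffic.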

15 Validation
Case studies using representative network protocols (e.g., SMTP, HTTP)
Comparative studies using COTS and the intrusion detection algorithms from this research

16 Data Stream Model
Properties of a network IDS:
Real-time operation
Memory much smaller than the number of packets processed
The Data Stream Model formalizes this scenario.
Goal: use algorithm design techniques for this model to solve ID problems.
Example: can detect large anomalies in the day-to-day behavior of some sites.
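
An added example of the data stream model, not the project's own algorithm: a Misra-Gries summary over packet source addresses keeps at most k counters no matter how many packets pass, in a single real-time pass, and still guarantees that any source responsible for more than n/(k+1) of the n packets is present in the summary with an estimate that undercounts by at most n/(k+1). Reporting sources whose estimate exceeds a chosen share of the stream therefore never produces a false alarm. The stream, k and the 10% threshold are constructed assumptions.

```python
"""Bounded-memory detection of dominant sources in a packet stream.

Added example, not the MURI project's algorithm: a Misra-Gries summary over
source addresses, illustrating the data stream model (one pass, memory fixed
at k counters regardless of stream length). The traffic is constructed.
"""
import random
from typing import Dict, Iterable


class MisraGries:
    """At most k counters. Any key with true count > n/(k+1) is guaranteed to be
    present; every estimate is a lower bound on the true count, low by at most
    n/(k+1) (each decrement round removes one from k+1 distinct keys)."""

    def __init__(self, k: int):
        self.k = k
        self.counters: Dict[str, int] = {}
        self.n = 0                       # packets seen so far

    def update(self, key: str) -> None:
        self.n += 1
        c = self.counters
        if key in c:
            c[key] += 1
        elif len(c) < self.k:
            c[key] = 1
        else:                            # summary full: decrement every counter, drop zeros
            for x in list(c):
                c[x] -= 1
                if c[x] == 0:
                    del c[x]

    def estimate(self, key: str) -> int:
        return self.counters.get(key, 0)


def summarize(stream: Iterable[str], k: int) -> MisraGries:
    """Consume the stream once; memory never exceeds k counters."""
    mg = MisraGries(k)
    for src in stream:
        mg.update(src)
    return mg


def detect_heavy_hitters(stream: Iterable[str], k: int, fraction: float) -> Dict[str, int]:
    """Sources whose estimated share of the stream exceeds `fraction`.

    Estimates never exceed true counts, so every reported source really does
    exceed the threshold; a source only slightly above it may be missed.
    """
    mg = summarize(stream, k)
    return {s: c for s, c in mg.counters.items() if c > fraction * mg.n}


def make_stream(seed: int = 42):
    """Constructed traffic: 200 sources in the 192.0.2.0/24 documentation range
    sending 50 packets each, plus one source in 198.51.100.0/24 sending 3000,
    shuffled deterministically so the heavy source is interleaved with the rest."""
    rng = random.Random(seed)
    pkts = [f"192.0.2.{i}" for i in range(200) for _ in range(50)]
    pkts += ["198.51.100.7"] * 3000
    rng.shuffle(pkts)
    return pkts


STREAM = make_stream()

if __name__ == "__main__":
    print(detect_heavy_hitters(STREAM, k=20, fraction=0.1))
```

For the constructed stream n is 13,000 and k is 20, so the heavy source's estimate is at least 3000 minus 619 while no ordinary source can score above 50; the 10% threshold of 1,300 separates them with 20 counters instead of one per source. Comparing today's summary with yesterday's is one way to spot the day-to-day shifts the slide mentions.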
