Presentation is loading. Please wait.

Presentation is loading. Please wait.

1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.

Published byDarlene Allison Modified over 8 years ago

Similar presentations

Presentation on theme: "1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches."— Presentation transcript:

1 1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches including misuse detection and anomaly detection. In misuse detection the search for evidence of attacks is based on known attacks' signatures. In anomaly detection, the deviation from the normal model will be considered as an attack or anomaly. Both kinds of IDSs have their own advantages and disadvantages. The advantages of misuse detection approaches are their good accuracy, low false alarm rate and giving enough information about the type of detected attacks to system administrator On the contrary, their drawbacks include the difficulty of gathering the required information on the known attacks and keeping it up-to-date with new vulnerabilities. The main advantage of anomaly detection approach over misuse detection is that it can detect attempts to exploit new and unforeseen vulnerabilities. However, this approach has high false alarm rate. Fusing Multiple Sensors to Detect Network Traffic Anomalies - A Control Theoretic Model Mahsa Kiani, Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani Faculty of Computer Science, UNB Fredericton 6. Conclusions Although the number of correct alerts reported by hybrid system is a little bit smaller than the number reported by one of the individual detectors, the hybrid system reduces the number of false alerts largely (24%). The future work consists of using more detectors, developing more evaluation metrics to judge the fusion performance and improving the system through dynamic programming. 2. Motivation In order to combine the advantages of both misuse and anomaly detection, the idea of hybrid detection has been proposed. Currently two ways exist to combine IDSs: sequence based (figure 1) and parallel based (figure 2). The sequence based approaches might not provide a full coverage for the attack types due to the filtering of malicious (normal) traffic and also the sequence process will prolong the detection and make a real-time detection impossible. In contrast, parallel based hybrid IDSs provide a wide coverage for intrusions and has the potential to detect previously unknown attacks. One of the biggest challenges for parallel based IDSs is how to make accurate inferences that minimize the number of false alarms and maximize the detection accuracy. In particular, TRW Sjfi is the trust-reputation weight for feature f i in S j,. denotes the attacking probability generated by feature f i and detection sensor S j. Notation FACount is the number of false alerts obtained from historical alerting reports. Based on FACount, penalty factor and reward factor are used to adjust the value of RW fiSj and RW Sj in order to reach the minimize FACount. 3. General Architecture of the Proposed Detection Framework Feature Analysis Multi-Sensor based IDS Sensor 1Sensor 2Sensor m Raw Packets Features based on Flows Flows with Attacking Probabilities Proposed multi-sensor IDS has been evaluated with the full 1999 DARPA intrusion detection dataset based on network flow data for each specific day. 15 features has been considered to describe entire traffic behavior on networks (Table I). Two detectors using non-parametric Cumulative SUM algorithm and Expectation-Maximization based clustering technique are considered and historical reputation matrix is set up according to the detection rate (DR) and the false positive rate (FPR) for each detector over a long time history. The ratio of DR to FPR is used to measure the performance of each detector. Average value of DR, FPR and the ratio of DR to FPR for each feature over 9 days for both detectors have been illustrated in Table II and Table III. Obtained results show that the correct alerts generated by hybrid system is 105, which is smaller than the 161 correct alerts generated by the detector using EM based clustering algorithm. The number of false alerts reported by the hybrid system, however, is 189, which is much smaller than the 799 false alerts by the clustering based detector. 4. Formalized Model for Multi-Sensor IDS In the following model, F(,..... ) refers to features that might be based on flows, packets, host logs, firewall/alert events, traffic behaviour, biometric. Detection sensors are denoted by S (S 1, S 2, S 3, …,S m ) that include m different detection algorithms for intrusion detection. Notation TRW refers to the Trust-Reputation Weight matrix and it measures the credibility degree of decisions. 5. Experimental Results

Download ppt "1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.

Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.
Application of Bayesian Network in Computer Networks Raza H. Abedi.

Application of Bayesian Network in Computer Networks Raza H. Abedi.
Service Discrimination and Audit File Reduction for Effective Intrusion Detection by Fernando Godínez (ITESM) In collaboration with Dieter Hutter (DFKI)

Service Discrimination and Audit File Reduction for Effective Intrusion Detection by Fernando Godínez (ITESM) In collaboration with Dieter Hutter (DFKI)
Anomaly Based Intrusion Detection System

Anomaly Based Intrusion Detection System
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.

Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Security administrators The experts need better tools too!

Security administrators The experts need better tools too!
Report on statistical Intrusion Detection systems By Ganesh Godavari.

Report on statistical Intrusion Detection systems By Ganesh Godavari.
Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)
seminar on Intrusion detection system

seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google