
Using Bayesian Networks for Detecting Network Anomalies Lane Thames ECE 8833 Intelligent Systems.


1 Using Bayesian Networks for Detecting Network Anomalies Lane Thames ECE 8833 Intelligent Systems

2 Goals for this Project
- See how well a Bayesian learning network performs at predicting attacks within a computer network.
- See how the predictions change when using pure network data versus a combination of network and host data.

3 Common Types of Attacks: Buffer Overflow Attacks
- Redirects program control flow, causing the computer to execute carefully injected malicious code.
- The injected code can be crafted to elevate the privileges of a user by obtaining super user (root) privileges.

4 Common Types of Attacks: Denial of Service
- Exhaust a computer's resources: TCP SYN flooding attack.
- Consume a computer's available network bandwidth: ICMP Smurf attack.

5 Data Sets
- UCI Knowledge Discovery in Databases (KDD) archive: the KDD Cup 1999 intrusion detection database.
- A subset of data generated by MIT Lincoln Labs that simulated a military networking environment (4 weeks at 22 hours/day of data).

6 Data Sets
- Contained data for training and separate, labeled data for testing.
- The test data was noisy: it contained attack types that were not present in the training data.

7 Data Sets
- 22 attack types in total were generated and interlaced with normal traffic flows.
- Types of attacks within the data: denial of service; unauthorized remote access (remote to local); local user to super user access (user to root); probing (reconnaissance and network mapping).

8 Data Sets
- 41 features that can be used as random variables within a Bayesian network.
- Two groups: host-based features and network-based features.

9 Feature Set Snippet (one flow record per row; srvcnt is missing from the two smurf rows as extracted)

protocol  service  flag  srcB  dstB  cnt  srvcnt  serrrate  rerrrate  typeAtck
tcp       http     SF    235   1337  8    8       0         0         normal
tcp       http     SF    219   1337  6    6       0         0         normal
icmp      ecr_i    SF    1032  0     511          0         0         smurf
icmp      ecr_i    SF    1032  0     511          0         0         smurf
tcp       private  S0    0     0     103  1       1         0         neptune
tcp       private  S0    0     0     112  10      1         0         neptune

10 Tool Boxes Used for the Project: BN Power Constructor
- Developed by J. Cheng at the University of Alberta in Canada.
- Tool for generating possible network structures given a set of training data.
- Exports the structure in the DNE Bayesian network file format.

11 Tool Boxes Used for the Project: NeticaJ by Norsys
- Java-based development library.
- Used to build the Bayesian network codebase for this project.
- Imports structure in the DNE file format.
- Contains functions for doing inference and for learning CPTs (conditional probability tables) given a set of training data.

12 Implementation
Two types of structures were used:
- Combination of network-based and host-based features.
- Only network-based features.

13 Host/Network Structure

14 Host/Network Test Results Using the Noisy Test Data
- 65,505 total test cases
- 65,019 correctly classified
- 99.26% classification accuracy

15 Probabilities for a Single Flow

16 Probabilities for a Smurf Flow

17 Time Series of Normal Probabilities

18 Network Features Structure

19 Network Variables Test Results
- 62,047 total noisy test cases
- 59,734 correctly classified
- 96.27% classification accuracy
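The pipeline in slides 10 through 19 (learn CPTs from labeled training flows, compute the posterior over the attack class for a single flow, score accuracy on noisy test data, and compare a host-plus-network structure with a network-only one) can be shown end to end with a small discrete Bayesian network. The code below is an added example and is not the project's NeticaJ code: the structure is hand-picked rather than learned by BN Power Constructor, the training and test rows are constructed to look like the slide 9 snippet (not real KDD Cup 99 records), the `logged_in` column stands in for the host-based feature group, and the numeric features are binned because Netica-style CPTs need discrete states. The last test row is an attack type absent from training, the "noise" of slide 6, which a class node that never saw the label cannot predict.

```python
"""Discrete Bayesian-network classifier over KDD Cup 99-style flow records.

Added example, not the project's code. Structure is fixed by hand (BN Power
Constructor learned it from data in the project); CPTs are learned from the
constructed TRAIN rows with Laplace smoothing; inference enumerates the class
node, which is exact when every feature node is observed.
"""
from collections import Counter, defaultdict

# Network structure as child -> parents (hypothetical, hand-picked).
# 'logged_in' stands in for the host-based features; the rest are network-based.
PARENTS = {
    "typeAtck": [],
    "protocol": ["typeAtck"],
    "service": ["typeAtck", "protocol"],
    "flag": ["typeAtck"],
    "cnt": ["typeAtck"],
    "serrrate": ["typeAtck"],
    "logged_in": ["typeAtck"],
}
NETWORK_FEATURES = ["protocol", "service", "flag", "cnt", "serrrate"]
HOST_FEATURES = ["logged_in"]


def discretise(row):
    """CPTs need discrete states, so bin the numeric fields coarsely."""
    r = dict(row)
    n = row["cnt"]
    r["cnt"] = "low" if n < 10 else "mid" if n < 100 else "high"
    r["serrrate"] = "lo" if row["serrrate"] < 0.5 else "hi"
    return r


def learn_cpts(rows):
    """Count (node, parent values) -> child value frequencies, plus node domains."""
    counts = defaultdict(Counter)
    domains = defaultdict(set)
    for row in rows:
        r = discretise(row)
        for node, parents in PARENTS.items():
            domains[node].add(r[node])
            counts[(node, tuple(r[p] for p in parents))][r[node]] += 1
    return counts, domains


def prob(model, node, value, parent_vals, alpha=1.0):
    """Laplace-smoothed CPT entry P(node=value | parents=parent_vals)."""
    counts, domains = model
    c = counts.get((node, parent_vals), Counter())
    return (c[value] + alpha) / (sum(c.values()) + alpha * len(domains[node]))


def posterior(model, flow, features):
    """P(typeAtck | observed features): enumerate the class, multiply CPT factors."""
    _, domains = model
    r = discretise(flow)
    scores = {}
    for cls in sorted(domains["typeAtck"]):
        r["typeAtck"] = cls
        p = prob(model, "typeAtck", cls, ())
        for node in features:
            p *= prob(model, node, r[node], tuple(r[q] for q in PARENTS[node]))
        scores[cls] = p
    z = sum(scores.values())
    return {cls: s / z for cls, s in scores.items()}


def classify(model, flow, features):
    post = posterior(model, flow, features)
    return max(post, key=post.get)


def accuracy(model, rows, features):
    """Return (correct, total, fraction) over labelled test rows."""
    correct = sum(classify(model, row, features) == row["typeAtck"] for row in rows)
    return correct, len(rows), correct / len(rows)


COLS = ["protocol", "service", "flag", "srcB", "dstB", "cnt", "srvcnt",
        "serrrate", "rerrrate", "logged_in", "typeAtck"]


def records(*recs):
    return [dict(zip(COLS, rec)) for rec in recs]


# Constructed training rows shaped like the slide 9 snippet (not real KDD data).
TRAIN = records(
    ("tcp", "http", "SF", 235, 1337, 8, 8, 0.0, 0.0, 1, "normal"),
    ("tcp", "http", "SF", 219, 1337, 6, 6, 0.0, 0.0, 1, "normal"),
    ("tcp", "smtp", "SF", 1000, 300, 2, 2, 0.0, 0.0, 1, "normal"),
    ("tcp", "http", "SF", 300, 2000, 12, 12, 0.0, 0.0, 1, "normal"),
    ("icmp", "ecr_i", "SF", 1032, 0, 511, 511, 0.0, 0.0, 0, "smurf"),
    ("icmp", "ecr_i", "SF", 1032, 0, 511, 511, 0.0, 0.0, 0, "smurf"),
    ("icmp", "ecr_i", "SF", 520, 0, 508, 508, 0.0, 0.0, 0, "smurf"),
    ("tcp", "private", "S0", 0, 0, 103, 1, 1.0, 0.0, 0, "neptune"),
    ("tcp", "private", "S0", 0, 0, 112, 10, 1.0, 0.0, 0, "neptune"),
    ("tcp", "private", "S0", 0, 0, 200, 5, 1.0, 0.0, 0, "neptune"),
)
# Constructed test rows; the last one ('back') is a class absent from TRAIN.
TEST = records(
    ("tcp", "http", "SF", 200, 1500, 9, 9, 0.0, 0.0, 1, "normal"),
    ("icmp", "ecr_i", "SF", 1032, 0, 511, 511, 0.0, 0.0, 0, "smurf"),
    ("tcp", "private", "S0", 0, 0, 150, 3, 1.0, 0.0, 0, "neptune"),
    ("tcp", "http", "SF", 300, 2000, 40, 40, 0.0, 0.0, 1, "normal"),
    ("tcp", "http", "SF", 54540, 8314, 5, 5, 0.0, 0.0, 1, "back"),
)


def build_model():
    return learn_cpts(TRAIN)


if __name__ == "__main__":
    m = build_model()
    all_feats = NETWORK_FEATURES + HOST_FEATURES
    print("posterior for the smurf flow:", posterior(m, TEST[1], all_feats))
    print("host+network:", accuracy(m, TEST, all_feats))
    print("network only:", accuracy(m, TEST, NETWORK_FEATURES))
```

Dropping `HOST_FEATURES` from the feature list is the example's equivalent of the slide 18 network-only structure; on this tiny constructed set both variants score the same, and the one miss in each run is the unseen `back` class, which the model can only map onto a class it was trained on.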

20 Conclusion
- The Bayesian network produced very impressive results.
- The reduced structure relied only on network data and suffered only a small decrease in accuracy (99.26% to 96.27%).
- The term project will extend this to incorporate a SOM (self-organizing map) variable.

