Design of an Intrusion Response System using Evolutionary Computation Rohit Parti

Design of an Intrusion Response System using Evolutionary Computation

Rohit Parti

Agenda

– Motivation
– Automated Intrusion Response
– Challenges
– Response Model
– Individuals Representation
– EC Mechanism
– Evaluation Function
– Preliminary Results

Motivation

– The number of computer attacks is increasing
– Attacks are getting more sophisticated
– The speed of attacks is increasing

[Chart: Security Incidents between 1988 and 3rd Quarter of 2003; x-axis: Year (1988 to 2003), y-axis: # of Incidents (0 to 140000)]

Motivation

Need for Computer Security
– Intrusion Prevention
– Intrusion Detection
– Intrusion Response

Need for Automated Intrusion Response

Automated Intrusion Response

Need for Automated Response
– Earlier response systems: notification systems and manual response systems
– System administrators can neither keep up with the pace at which an IDS delivers alerts, nor react within adequate time limits
– Delay between detection of a possible intrusion and response to that intrusion
– Research by Cohen shows that
  • If the delay is 10 hours, the intruder has 80% success
  • If the delay is 20 hours, the intruder has 95% success
  • If the delay is 30 hours, the intruder has 100% success

Challenges in Automating Response

Countermeasures not only defend against an attack, but can also have a negative impact on legitimate users.
– Possibility of the response causing more damage than the actual attack

Intrusion Detection Systems (IDS) are not perfect and can generate false alarms.
– This has an impact on response, as uncertainty enters the formulation of a response.

Response Model

Focus is on choosing, from among the alternative response actions, the one that has the least negative impact on the whole system

Basic elements of the model
– Resources (services provided by hosts)
– System Users (users of the network)
– Network Topology (the underlying communication architecture)
– Firewall Rules

Entities: Resources and System Users together

Dependency

It is a relation between two entities.
– One entity needs a service from another to be fully operational

Two types
– Direct (represents the dependency of an entity on a service)
– Indirect (formed by the network topology and firewall rules)

Indirect dependencies are a precondition to fulfilling direct dependencies

Dependency Tree

Describes the relationship of an entity with other entities

Leaf Node: Describes an entity that does not depend on other entities

COMBINE Node: Describes an entity that needs access to more than one service

CHOICE Node: Describes an entity which needs access to at least one of a set of identical services

Capability

The capability c(r) of an entity r:
– is a value ranging from 0.0 to 1.0, and
– describes to what extent the entity r can perform its work given the current network configuration

If all the resources the entity r uses are available, then c(r) = 1.0

If a particular service the entity r uses is unavailable, the value of c(r) decreases (as will be shown)

Capability Calculation

c(left) and c(right): denote the capability of the left and right link of a node.

c: denotes the capability of any intermediate node

Leaf Node:
– if the entity provides the service, capability is set to 1.0
– if the entity does not provide the service, capability is set to 0.0

COMBINE Node: c = (c(left) + c(right)) / 2

CHOICE Node: c = Max(c(left), c(right))

Example

User ‘A’ (entity) uses the DNS server, the NFS server, and one of the two domain name servers DNS1 and DNS2 to accomplish all his tasks

When the NFS server is unavailable

Dependency Degree

Describes to what extent the operation of an entity is affected if a resource it depends on is no longer available
– Example: a user who mainly surfs the Internet
  • High dependency on the availability of the DNS and HTTP servers (say we set the dependency degree to 100%)
  • Not very much on the NFS server (say we set the dependency degree to 75%)

Changes to the capability calculation
– c(left) = c(left) * dependency degree
– c(right) = c(right) * dependency degree

Evaluating the Network State

In a network, many entities depend on other entities in the network

We create dependency trees for every such entity

Final State of Network: average of the capability values of all dependency trees created over all entities

Handling cyclic dependencies: an unavailable service can affect the availability of other services
– Create another dependency tree for the depending service
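As an added example, not from the slides, of the capability calculation, the dependency-degree adjustment and the network-state average above: a small Python model builds User A's tree (DNS, NFS, one of DNS1/DNS2) and a web-surfing user's tree, then evaluates both with the NFS server unavailable. The Node class, the binary nesting chosen for User A and the availability maps are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Node:
    """Dependency-tree node (LEAF, COMBINE or CHOICE); ldeg/rdeg hold the
    dependency degree applied to the left and right link (assumed layout)."""
    kind: str
    service: str = ""
    left: Optional["Node"] = None
    right: Optional["Node"] = None
    ldeg: float = 1.0
    rdeg: float = 1.0

def leaf(service: str) -> Node:
    return Node("LEAF", service=service)

def capability(n: Node, up: Dict[str, bool]) -> float:
    """c(r) as defined on the slides: LEAF -> 1.0 if its service is up else 0.0;
    COMBINE -> average of the two links; CHOICE -> max of the two links; each
    link is first multiplied by its dependency degree."""
    if n.kind == "LEAF":
        return 1.0 if up.get(n.service, False) else 0.0
    cl = capability(n.left, up) * n.ldeg
    cr = capability(n.right, up) * n.rdeg
    return (cl + cr) / 2 if n.kind == "COMBINE" else max(cl, cr)

def network_state(trees: List[Node], up: Dict[str, bool]) -> float:
    """Final state of the network: average capability over every entity's tree."""
    return sum(capability(t, up) for t in trees) / len(trees)

# User A from the slides: needs DNS and NFS plus one of DNS1/DNS2.  Three needs
# require nested binary COMBINEs; the nesting sets the weights ((a+b)/2 averaged
# with c gives a/4 + b/4 + c/2), so choose it deliberately.
user_a = Node("COMBINE", left=leaf("DNS"),
              right=Node("COMBINE", left=leaf("NFS"),
                         right=Node("CHOICE", left=leaf("DNS1"), right=leaf("DNS2"))))
# Web-surfing user: dependency degree 100% on DNS, 75% on NFS.  Applied
# literally, a degree below 100% lowers c even while that service is up.
surfer = Node("COMBINE", left=leaf("DNS"), right=leaf("NFS"), ldeg=1.0, rdeg=0.75)
TREES = [user_a, surfer]

# Constructed availability maps for the scenarios on the slides.
ALL_UP = {"DNS": True, "NFS": True, "DNS1": True, "DNS2": True}
NFS_DOWN = {**ALL_UP, "NFS": False}

if __name__ == "__main__":
    print(capability(user_a, NFS_DOWN))    # 0.75
    print(network_state(TREES, NFS_DOWN))  # 0.625
```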

Individual Representation

An individual represents a response action
– A set of operations that are performed when an intrusion is detected

A response action is represented as a binary string of bits
– Each bit is associated with an operation on a host that provides a service

If a response action indicates an operation to be performed and the operation is already in effect, it is ignored
– Example: If a response action indicates that a particular firewall rule be installed (removed), and that rule is already installed (not installed), the response action ignores the rule

EC Mechanism

Response History Agent (RHA): stores information about the attack and the response to that attack

Attack Information: stored as “reports” generated by the IDS

Response Information: stored as the binary string that represents the response action

Partial Population: created by selecting responses from the RHA that have “similar intrusive patterns” (many of the variables within the report are the same; the IDS variables indicate the type of intrusion)

As new attacks occur, the attack-response pair is added to the RHA

If an identical attack had previously occurred, we have the option to generate the response that was previously generated

Evaluation Function

Add the response action (defined by the individual) temporarily to the model

Determine the total capability of the network

For a mild attack and a severe response, associate a penalty with the fitness
– Mild attack: determined from the IDS report

For a severe attack and a mild response, associate a penalty with the fitness
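As an added example (not the author's code) of the individual representation and the evaluation function described above: a bit string is decoded into host/service operations, applied to a copy of the model with operations already in effect ignored, turned into the availability map the dependency trees consume, and scored with the severity penalty. The hosts and services, the rule that a response changing two or more operations counts as severe, and the penalty size are assumptions of this example.

```python
from typing import Dict, List, Tuple

Op = Tuple[str, str]   # (operation, "host:service")

# Constructed operation table: bit i of an individual stands for operation i on
# a host's service.  Hosts and services are hypothetical, not from the slides.
OPERATIONS: List[Op] = [
    ("block", "web1:http"),   # install a firewall rule blocking web1:http
    ("block", "nfs1:nfs"),
    ("stop", "nfs1:nfs"),     # stop the NFS service on nfs1
    ("stop", "mail1:smtp"),
]

def decode(individual: str) -> List[Op]:
    """Operations whose bit is set in the individual's bit string."""
    if len(individual) != len(OPERATIONS) or set(individual) - {"0", "1"}:
        raise ValueError("individual must be one bit per operation")
    return [op for bit, op in zip(individual, OPERATIONS) if bit == "1"]

def apply_temporarily(individual: str, in_effect: Dict[Op, bool]):
    """Apply the response to a copy of the model state (the live model is not
    mutated), ignoring operations already in effect, as the slides specify.
    Returns the trial state and the operations that actually changed."""
    state = dict(in_effect)
    changed: List[Op] = []
    for op in decode(individual):
        if not state.get(op, False):   # rule already installed / service stopped
            state[op] = True
            changed.append(op)
    return state, changed

def availability(state: Dict[Op, bool]) -> Dict[str, bool]:
    """Service availability implied by the trial state: a service is down when
    any block or stop operation on it is in effect.  This map is what the
    dependency trees consume to compute network capability."""
    return {target: not any(state.get((op, target), False) for op in ("block", "stop"))
            for _, target in OPERATIONS}

def fitness(capability_after: float, attack_severity: str, changed: List[Op],
            penalty: float = 0.25) -> float:
    """Slides' evaluation: total network capability with the response in place,
    minus a penalty when response severity and attack severity disagree.
    Assumed: attack severity comes from the IDS report, a response that changes
    two or more operations counts as severe, and the penalty size is 0.25."""
    response_severity = "severe" if len(changed) >= 2 else "mild"
    return capability_after - (penalty if response_severity != attack_severity else 0.0)
```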

Preliminary Results

Questions or Comments?

A Simpler Approach

Happy Thanksgiving!!!

Thank You!!!