Machine Learning in Intrusion Detection Systems (IDS)
2 papers:
Artificial Intelligence & Intrusion Detection: Current & Future Directions [AIID] – J. Frank
Applying Genetic Programming to Intrusion Detection [GP] – M. Crosbie, G. Spafford
AIID
What is intrusion detection?
What are the issues in Intrusion Detection?
– Data collection
– Data reduction
– Behavior Classification
– Reporting
– Response
AIID
AI methods are used to help solve some issues
For data classification:
– Classifier systems
• Neural Network
• Decision Tree
• Feature Selection
AIID
Data Reduction
– Data Filtering
– Feature Selection
– Data Clustering
AIID
Behavior Classification
– Expert Systems
– Anomaly Detection
– Rule-Based Induction
AIID
An experiment using Feature Selection
– Information about network connections, collected using a Network Security Monitor
AIID
3 Search algorithms used:
– Backward Sequential Search (BSS)
– Beam Search (BS)
– Random Generation Plus Sequential Selection (RS)
AIID
Algorithm performance
AIID
Error Rate Performance (All) – chart; feature subsets labelled: [I, W, T, PS, PD, DS]; best: [T, PD, DS]
AIID
Error Rate Performance (SMTP) – chart; best: [W, T, PS, PD, DS]
AIID
Error Rate Performance (Login) – chart; best: [W, T, PS, PD]; RGSS: [T, PD, DS]
AIID
Error Rate Performance (Shell) – chart; BS & BSS: [W, PS, PD, DS] (best); RS: [W, T, PS, DS]
GP (Applying Genetic Programming to Intrusion Detection)
An IDS that exploits the learning power of Genetic Programming
Two types of security tools:
– Pro-active
– Reactive: IDS falls in this category
GP
Components in an IDS
– Anomaly
• May indicate a possible intrusion
– So how do we know for sure? Expert-system
• Rule-set = model
• Metrics
• Comparing metrics & model
But … if a new intrusion scenario arises, modifying the IDS is complicated
GP
A finer-grained approach
IDS gets split into multiple Autonomous Agents
GP
Using GP for learning
– Instead of a monolithic static “knowledge base”
– The GP paradigm allows evolution of agents that could be placed in a system to monitor audit data
– GP programs
• are in a simple meta-language
• have primitives that access audit data fields and manipulate them
GP
Internal agent architecture
GP
Learning by feedback
What do the agents monitor?
– Inter-packet timing metrics: total # of socket connections, average time between socket connections, minimum time between socket connections, maximum time between socket connections, destination port, source port
– Potential intrusions looked for: port flooding, port-walking, probing, password cracking
GP
Δ = | outcome – suspicion |
Penalty = Δ * ranking / 100
Fitness = (100 – Δ) – Penalty
GP
Multiple types:
– Time (long int), port (int), boolean, suspicion (int)
Problems with multiple types
ADF solution to type safety
– ADF: Automatically Defined Function
– To monitor network timing: avg_interconn_time, min_interconn_time, max_interconn_time
– For port monitoring: src_port, dest_port
– For privileged port checking: is_priv_dest_port, is_priv_src_port
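As an added illustration (not code from either paper), the fitness feedback formula above is applied to two hand-written stand-in agents built from the timing and port primitives just listed. The audit windows, the 0..100 suspicion scale, the primitive semantics and the ranking value are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class AuditWindow:
    """Constructed audit record: gaps (seconds) between successive socket
    connections from one source, plus the destination port they hit."""
    gaps: list
    dest_port: int

# Primitives in the spirit of the ADFs named on the slide (assumed semantics).
def num_connections(w): return len(w.gaps) + 1
def avg_interconn_time(w): return mean(w.gaps) if w.gaps else 0.0
def min_interconn_time(w): return min(w.gaps) if w.gaps else 0.0
def is_priv_dest_port(w): return w.dest_port < 1024  # well-known port range

# Two stand-ins for GP individuals: each maps a window to a suspicion in 0..100.
def port_flood_agent(w):
    score = 0
    if num_connections(w) > 20: score += 40
    if avg_interconn_time(w) < 0.1: score += 40
    if is_priv_dest_port(w): score += 20
    return min(score, 100)

def naive_agent(w):
    return 20 if is_priv_dest_port(w) else 0

def fitness(outcome, suspicion, ranking):
    """Slide formula. outcome: 100 for a confirmed intrusion, 0 for benign
    (assumption: same 0..100 scale as suspicion); ranking supplied by caller."""
    delta = abs(outcome - suspicion)
    penalty = delta * ranking / 100
    return (100 - delta) - penalty

def evaluate(agent, labelled, ranking):
    """Mean fitness of an agent over (window, outcome) pairs: the feedback
    signal that would drive selection in the GP population."""
    return mean(fitness(outcome, agent(w), ranking) for w, outcome in labelled)

# Constructed windows: a burst of 30 fast connections to SSH vs. a few slow ones.
FLOOD = AuditWindow(gaps=[0.01] * 29, dest_port=22)
BENIGN = AuditWindow(gaps=[5.0, 4.0, 6.0], dest_port=8080)
LABELLED = [(FLOOD, 100), (BENIGN, 0)]

if __name__ == "__main__":
    for name, agent in [("port_flood_agent", port_flood_agent), ("naive_agent", naive_agent)]:
        print(name, evaluate(agent, LABELLED, ranking=10))
```

The naive agent is penalised on the flood window because its suspicion sits far from the outcome, which is exactly the feedback that lets better-matching agents win selection.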
GP
Experimental results:
That’s it !!!
Too old a research idea … did not find any current research in the same field