
Embeddable Hybrid Intrusion Detection System


Presentation Transcript


  1. Embeddable Hybrid Intrusion Detection System
  Adrian P. Lauf, Department of Electrical Engineering and Computer Science, Vanderbilt University

  2. Embeddable Intrusion Detection System (IDS)
  • Scenario:
    • Identify a malicious agent in networked embedded systems while minimizing computational overhead
  • Research goals:
    • System-on-a-chip implementation
    • Minimal HW resource overhead
    • Consume low power
    • Provide flexibility for changes in the system
  • Method:
    • Develop a system to provide high-level analysis of interactions in a homogeneous device network

  3. Embedded Device Outlook
  • Provide a hybrid detection system while minimizing performance impacts
    • Reduces memory allocation requirements
    • HybrIDS performance underscores an efficient management of computational cycles
    • Balanced computational requirements and accuracy yield embedded application performance
  • Multiple interface compatibility
    • TCP/UDP network interface (UDP default)
    • Disk-based interface for simulation purposes
    • Serial I/O capability
  • Java 5 platform yields a portable embedded device platform
    • Optimization for ARM9 development environment

  4. Outline
  • Concept Primitives
    • Example Scenario
    • System-level abstraction
    • Computational Effort Management and Terminology
  • Maxima Detection System (MDS)
    • System configuration
    • Algorithmic Detail
    • Performance Assessment
  • Cross-Correlative Intrusion Detection System (CCIDS)
    • System Configuration
    • Detection Method
    • Score Analysis
    • Threshold Determination
  • Hybrid Intrusion Detection System (HybrIDS)
    • Transitioning Methodology
    • HybrIDS performance
    • System-level Implementation
  • Summary

  5. What is a traditional IDS?
  • Classifies traffic patterns
  • Centralized point of analysis
  • Observation of data packets
  • Not context-sensitive
  • Packet analysis is compute-intensive
  • Less effective for ad-hoc networks

  6. A Decentralized Approach for Embedded Networks
  • Reduce dependence on a single system
  • Reduce power consumption
  • Reduce compute-intensive operations
  • Allows for group consensus decisions
  • Each unit maintains a model of the world
  • Reduces chance of tampering with a centralized system

  7. Scenario: Autonomous Aircraft Network
  • A collection of several aircraft (i.e., agents)
  • A general mission or goal established (e.g., reconnaissance)
  • Bidirectional communication between all agents
  • Inter-node communications can include:
    • Attitude/position requests
    • Grouping pattern requests
    • Obstacle avoidance
    • Mission updates

  8. Simplifying by Abstraction
  • Actions classified by labels
  • Action histories recorded
  • Each node maintains action histories from its point of view
  • Abstraction permits context independence
  • Applicable to any system using predetermined actions

  9. Computational Cycle Management
  • Scalability and Embedded Performance Aspects
    • Reduce computational intensity
    • Allow for node addition with minimal impact on performance
  • Terminology:
    • DPC – Data Processing Cycle
      • A computationally intensive cycle
      • Performs IDS analysis
    • DCC – Data Collection Cycle
      • Minimally computationally intensive
      • Executed for received transaction requests

  10. Number of DCCs per DPC
  • Computed by
  • DPC executed upon reaching τ DCCs per node (average)
  • More nodes yield a more accurate representation of the system
    • Requires fewer data points
    • Yields earlier transition

  11. Outline (repeat of slide 4; next section: Maxima Detection System (MDS))

  12. Maxima Detection: Theory
  • Histograms formed for each connected node
    • Node A will track B, C, and D.
  • Average system behavior obtained by averaging across observed nodes
  • Bins correspond to action labels
  • Data must be normalized to a distribution
    • E.g., Gaussian, Chi-squared
  (Figure: per-node histograms over action labels, summed as Σ/(n-1) to give the average behavioral PDF for the system)

  13. Maxima Detection Algorithm
  • Resultant vector yields approximate PDF
  • Find global maximum, exclude it
  • Identify, mark local maxima
  • Local maximum yields likely intrusion-motivated behaviors
  • Reverse-map this label to node with most frequent occurrence
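The MDS steps of slides 12 and 13 carried through on constructed data, as an added example (not the HybrIDS code): node A normalizes the histogram it keeps for each peer, averages them into the system PDF, excludes the global maximum, and reverse-maps each remaining local maximum to the peer that issued that label most often. The five action labels and the counts are assumptions made up for the example.

```python
"""Maxima Detection System (MDS) sketch -- added example, not HybrIDS code."""
from typing import Dict, List

# Action labels (constructed: the four request types from the scenario
# slide plus a "status" label so the histogram has enough bins).
LABELS = ["attitude", "grouping", "obstacle", "mission", "status"]

# Constructed observation counts per peer, as recorded by node A.
# Peer C issues far more mission-update requests than B and D.
OBSERVED: Dict[str, List[int]] = {
    "B": [50, 30, 12, 5, 3],
    "C": [30, 20, 8, 40, 2],
    "D": [52, 29, 11, 5, 3],
}

def normalise(counts: List[int]) -> List[float]:
    """Turn raw counts into a per-node probability distribution."""
    total = sum(counts)
    return [c / total for c in counts] if total else [0.0] * len(counts)

def average_pdf(observed: Dict[str, List[int]]) -> List[float]:
    """Average the per-peer PDFs: the slide's Sigma/(n-1) over the observed peers."""
    pdfs = [normalise(c) for c in observed.values()]
    return [sum(col) / len(pdfs) for col in zip(*pdfs)]

def local_maxima(pdf: List[float]) -> List[int]:
    """Indices of local maxima.  The global maximum is the dominant normal
    behaviour: it is excluded as a candidate but still acts as a neighbour."""
    g = max(range(len(pdf)), key=pdf.__getitem__)
    found = []
    for i, v in enumerate(pdf):
        if i == g:
            continue
        left_ok = i == 0 or v > pdf[i - 1]
        right_ok = i == len(pdf) - 1 or v > pdf[i + 1]
        if left_ok and right_ok:
            found.append(i)
    return found

def mds_suspects(observed: Dict[str, List[int]]) -> Dict[str, str]:
    """Reverse-map each suspicious label to the peer that issued it most often."""
    pdf = average_pdf(observed)
    return {LABELS[i]: max(observed, key=lambda node: observed[node][i])
            for i in local_maxima(pdf)}

if __name__ == "__main__":
    print(mds_suspects(OBSERVED))
```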

  14. MDS Identification Performance
  • Deviant Node Pervasion
    • Percentage of nodes in cluster that are issuing malicious requests
  • MDS typically detects a deviant node within the first iteration
  • Detected node fluctuates within the space of deviant nodes

  15. Outline (repeat of slide 4; next section: Cross-Correlative Intrusion Detection System (CCIDS))

  16. Cross Correlation
  • Cross correlation technique generates individual profile scores
    • Compared to average score for system PDF
  • Provides multiple detection capability
  • Induces false positives
    • False positives typically disappear after future iterations
    • Resolved by setting proper threshold

  17. Detection Method: Cross-correlation
  (Figure: per-node histograms over action labels, averaged as Σ/(n-1) into the average PDF; cross-correlating a node's profile with the average PDF yields its score)

  18. Score Analysis
  • Average score is computed
  • Each score is compared to the average
  • Deviance determined by a threshold
  (Figure: score vs. node number, showing the mean score line, the threshold bounds and the suspected deviant node)

  19. Threshold Requirements
  • Threshold varies for each scenario
    • Representative of a percentage deviation required for suspicion of a node
  • Variability of thresholds is a weakness of CCIDS
    • Can cause generation of false positives
    • Reduced by selecting proper threshold
    • Minimal baseline threshold is possible – system may never converge

  20. Required Thresholds for Proper Detection (CCIDS)
  • Threshold drops linearly, dependent on deviant node pervasion
  • Number of nodes has negligible impact on threshold requirements
  • 0.2 represents 100% deviation in this figure
    • Detects only nodes that vary significantly
  • 0.02 represents a 10% deviation
    • More sensitive to smaller node deviations

  21. Outline (repeat of slide 4; next section: Hybrid Intrusion Detection System (HybrIDS))

  22. Why a hybrid approach?
  • MDS requires no training data
    • Can isolate a single anomaly
  • CCIDS requires training data
    • Can detect multiple anomalies
    • More flexible to system changes
  (Figure: MDS phase followed by CCIDS phase along the time/DCC progression axis)

  23. How does HybrIDS Choose?
  • HybridState object determines if the transition point has been reached
  • If one of the results from CCIDS matches a suspected node from MDS, a match is considered found
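The CCIDS scoring of slides 16 to 20 and the match rule of slide 23, as an added example that is not the HybrIDS code. It assumes the cross-correlation is taken at zero lag (a dot product of each peer's PDF with the trained average PDF) and that the threshold is a fraction of the mean score; the training PDF, the counts and the MDS suspect "C" are constructed values.

```python
"""CCIDS scoring plus the HybrIDS match rule -- added example, not HybrIDS code."""
from typing import Dict, List

LABELS = ["attitude", "grouping", "obstacle", "mission", "status"]

# Constructed average PDF learned during the CCIDS training period.
TRAINING_PDF = [0.50, 0.30, 0.12, 0.05, 0.03]

# Constructed current observation counts per peer; C floods mission updates.
OBSERVED: Dict[str, List[int]] = {
    "B": [50, 30, 12, 5, 3],
    "C": [30, 20, 8, 40, 2],
    "D": [52, 29, 11, 5, 3],
}

def normalise(counts: List[int]) -> List[float]:
    total = sum(counts)
    return [c / total for c in counts] if total else [0.0] * len(counts)

def profile_scores(observed: Dict[str, List[int]],
                   baseline: List[float]) -> Dict[str, float]:
    """Zero-lag cross-correlation (assumption) of each peer's PDF with the baseline.
    A peer whose profile resembles the baseline scores high; a deviant scores low."""
    return {node: sum(p * b for p, b in zip(normalise(c), baseline))
            for node, c in observed.items()}

def ccids_deviants(observed: Dict[str, List[int]], baseline: List[float],
                   threshold: float) -> List[str]:
    """Peers whose score deviates from the mean score by more than `threshold`,
    expressed as a fraction of the mean.  Too low a threshold flags everyone
    (the false positives slide 19 warns about); too high a threshold misses."""
    scores = profile_scores(observed, baseline)
    mean = sum(scores.values()) / len(scores)
    return sorted(n for n, s in scores.items() if abs(s - mean) / mean > threshold)

def hybrid_match(ccids_result: List[str], mds_suspect: str) -> bool:
    """Slide 23: a CCIDS result matching the MDS suspect is a confirmed match."""
    return mds_suspect in ccids_result

if __name__ == "__main__":
    for thr in (0.1, 0.2):
        flagged = ccids_deviants(OBSERVED, TRAINING_PDF, thr)
        print(thr, flagged, hybrid_match(flagged, "C"))
```

At threshold 0.1 all three peers are flagged, so the MDS suspect matches only by accident; at 0.2 only C is flagged and the match is meaningful.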

  24. Transitioning
  • Increasing the deviant node pervasion requires more tuning cycles
  • Threshold adjusted once per tuning cycle
  • Figure represents an average for all node sizes
  • Number of transition cycles is independent of node cluster size

  25. How does it perform?
  (Figure: HybrIDS Performance Analyzed)
  • HybrIDS can reliably detect deviant nodes up to 22% pervasion
  • 25% pervasion and up removes the element of determinacy
  • Scalability by percentage pervasion
    • Number of nodes in cluster does not affect scalability concerns
  • Graph includes total time – MDS, transition and CCIDS cycles

  26. HybrIDS Implementation
  • Implemented in Java 5 (1.5)
    • Introduces code portability
    • ARM9 development board target
  • 2.73 KB memory footprint for a 35-agent system with 10 behaviors
    • MDS and CCIDS use a shared data structure
  • Storage footprint less than 46 KB
  • Flexible interface implementation
    • TCP/UDP for network interface
    • Disk-based access for simulation
    • RS-232/Serial interface possible

  27. Outline (repeat of slide 4; next section: Summary)

  28. Summary
  • Two-phased approach gives HybrIDS a detection advantage in an abstracted homogeneous device network
    • MDS provides accurate, single-anomaly detection
      • Requires no training data
    • CCIDS provides multiple-anomaly detection
      • Requires training threshold
  • DPC/DCC computational cycle management reduces embedded device load
  • Decentralized approach increases reliability and allows for ad-hoc network arrangement
  • HybrIDS detection accuracy and determinacy viable through 22% deviant node pervasion
  • Java implementation and small footprint assure integration ease and platform cross-compatibility
  • HybrIDS is scalable based on the deviant node pervasion, not the number of nodes