Embeddable Hybrid Intrusion Detection System
Adrian P. Lauf
Department of Electrical Engineering and Computer Science, Vanderbilt University
Embeddable Intrusion Detection System (IDS)
• Scenario:
  • Identify a malicious agent in networked embedded systems while minimizing computational overhead
• Research goals:
  • System-on-a-chip implementation
  • Minimal HW resource overhead
  • Consume low power
  • Provide flexibility for changes in the system
• Method:
  • Develop a system to provide high-level analysis of interactions in a homogeneous device network

Embedded Device Outlook
• Provide a hybrid detection system while minimizing performance impacts
  • Reduces memory allocation requirements
  • HybrIDS performance underscores an efficient management of computational cycles
  • Balanced computational requirements and accuracy yield embedded application performance
• Multiple interface compatibility
  • TCP/UDP network interface (UDP default)
  • Disk-based interface for simulation purposes
  • Serial I/O capability
• Java 5 platform yields a portable embedded device platform
  • Optimization for ARM9 development environment

Outline
• Concept Primitives
  • Example Scenario
  • System-level abstraction
  • Computational Effort Management and Terminology
• Maxima Detection System (MDS)
  • System configuration
  • Algorithmic Detail
  • Performance Assessment
• Cross-Correlative Intrusion Detection System (CCIDS)
  • System Configuration
  • Detection Method
  • Score Analysis
  • Threshold Determination
• Hybrid Intrusion Detection System (HybrIDS)
  • Transitioning Methodology
  • HybrIDS performance
  • System-level Implementation
• Summary

What is a traditional IDS?
• Classifies traffic patterns
• Centralized point of analysis
• Observation of data packets
  • Not context-sensitive
  • Packet analysis is compute intensive
• Less effective for ad-hoc networks

A Decentralized Approach for Embedded Networks
• Reduce dependence on a single system
  • Reduce power consumption
  • Reduce compute-intensive operations
• Allows for group consensus decisions
  • Each unit maintains a model of the world
• Reduces chance of tampering with a centralized system

Scenario: Autonomous Aircraft Network
• A collection of several aircraft (i.e., agents)
• A general mission or goal established (e.g., reconnaissance)
• Bidirectional communication between all agents
• Inter-node communications can include:
  • Attitude/position requests
  • Grouping pattern requests
  • Obstacle avoidance
  • Mission updates

Simplifying by Abstraction
• Actions classified by labels
• Action histories recorded
  • Each node maintains action histories from its own point of view
• Abstraction permits context independence
  • Applicable to any system using predetermined actions

Computational Cycle Management
• Scalability and Embedded Performance Aspects
  • Reduce computational intensity
  • Allow for node addition with minimal impact on performance
• Terminology:
  • DPC – Data Processing Cycle
    • A computationally intensive cycle
    • Performs IDS analysis
  • DCC – Data Collection Cycle
    • Minimally computationally intensive
    • Executed for received transaction requests

Number of DCCs per DPC
• Computed by [formula not preserved in this extraction]
• DPC executed upon reaching τ DCCs per node (average)
• More nodes yield a more accurate representation of the system
  • Requires fewer data points
  • Yields earlier transition
Maxima Detection: Theory
• Histograms formed for each connected node
  • Node A will track B, C, and D
• Average system behavior obtained by averaging across observed nodes
• Bins correspond to action labels
• Data must be normalized to a distribution
  • E.g., Gaussian, Chi2
[Figure: per-node histograms (labels × nodes), summed and divided by n-1, give the average behavioral PDF for the system]

Maxima Detection Algorithm
• Resultant vector yields an approximate PDF
• Find the global maximum, exclude it
• Identify and mark local maxima
  • A local maximum yields likely intrusion-motivated behaviors
• Reverse-map this label to the node with the most frequent occurrence
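The MDS steps above (per-peer histograms, average PDF, global maximum excluded, local maxima reverse-mapped to the most frequent issuer), as an added Python example that is not part of the original deck. The label names, the three observed peers and their action histories are constructed, and treating "local maximum" as a bin exceeding its neighbours in the listed label order is an assumption.

```python
from collections import Counter

# Constructed action labels (the histogram bins) and the action histories that
# node A keeps for its peers B, C and D; D is the deviant node issuing excess
# "avoid" requests.
LABELS = ["attitude_req", "group_req", "avoid", "mission_upd"]
HISTORIES = {
    "B": ["attitude_req"] * 6 + ["group_req"] * 2 + ["mission_upd"] * 2,
    "C": ["attitude_req"] * 7 + ["group_req"] * 1 + ["mission_upd"] * 2,
    "D": ["attitude_req"] * 2 + ["avoid"] * 7 + ["mission_upd"] * 1,
}

def histogram(actions, labels=LABELS):
    """Normalised histogram (approximate PDF) of one peer's action labels."""
    counts = Counter(actions)
    total = len(actions) or 1
    return [counts[label] / total for label in labels]

def average_pdf(histories, labels=LABELS):
    """Average behavioural PDF: sum over the n-1 observed peers, divided by n-1."""
    hists = [histogram(a, labels) for a in histories.values()]
    return [sum(h[i] for h in hists) / len(hists) for i in range(len(labels))]

def local_maxima(pdf):
    """Bins that exceed both neighbours, with the global maximum excluded."""
    global_max = max(range(len(pdf)), key=pdf.__getitem__)
    found = []
    for i, value in enumerate(pdf):
        left = pdf[i - 1] if i > 0 else float("-inf")
        right = pdf[i + 1] if i + 1 < len(pdf) else float("-inf")
        if i != global_max and value > left and value > right:
            found.append(i)
    return found

def mds_detect(histories, labels=LABELS):
    """Reverse-map each local-maximum label to the peer that issued it most often."""
    pdf = average_pdf(histories, labels)
    suspects = []
    for i in local_maxima(pdf):
        label = labels[i]
        peer = max(histories, key=lambda p: histories[p].count(label))
        suspects.append((label, peer))
    return suspects

if __name__ == "__main__":
    print(mds_detect(HISTORIES))  # [('avoid', 'D')]
```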
MDS Identification Performance
• Deviant Node Pervasion
  • Percentage of nodes in the cluster that are issuing malicious requests
• MDS typically detects a deviant node within the first iteration
• Detected node fluctuates within the space of deviant nodes
Cross Correlation
• Cross-correlation technique generates individual profile scores
  • Compared to the average score for the system PDF
• Provides multiple-detection capability
• Induces false positives
  • False positives typically disappear after future iterations
  • Resolved by setting a proper threshold

Detection Method: Cross-correlation
[Figure: per-node histograms (labels × nodes) are averaged (Σ/(n-1)) into the average PDF; cross-correlating each node's histogram with the average PDF yields that node's score]

Score Analysis
• Average score is computed
• Each score is compared to the average
• Deviance determined by a threshold
[Figure: score vs. node number, showing the mean score line, the threshold bounds and the suspected deviant node]

Threshold Requirements
• Threshold varies for each scenario
  • Representative of the percentage deviation required for suspicion of a node
• Variability of thresholds is a weakness of CCIDS
  • Can cause generation of false positives
  • Reduced by selecting a proper threshold
  • Minimal baseline threshold is possible – system may never converge

Required Thresholds for Proper Detection (CCIDS)
• Threshold drops linearly with deviant node pervasion
• Number of nodes has negligible impact on threshold requirements
• 0.2 represents 100% deviation in this figure
  • Detects only nodes that vary significantly
• 0.02 represents a 10% deviation
  • More sensitive to smaller node deviations
Why a hybrid approach?
• MDS requires no training data
  • Can isolate a single anomaly
• CCIDS requires training data
  • Can detect multiple anomalies
  • More flexible to system changes
[Figure: MDS phase followed by CCIDS phase along a time/DCC progression axis]

How does HybrIDS Choose?
• HybridState object determines whether the transition point has been reached
• If one of the results from CCIDS matches a suspected node from MDS, a match is considered found

Transitioning
• Increasing the deviant node pervasion requires more tuning cycles
• Threshold adjusted once per tuning cycle
• Figure represents an average for all node sizes
• Number of transition cycles is independent of node cluster size
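CCIDS scoring against the average PDF, the threshold comparison, and the HybrIDS match rule with one threshold adjustment per tuning cycle (the CCIDS and transitioning slides above), as an added Python example that is not from the original deck. The per-node profiles and the MDS suspect list are constructed; using the zero-lag dot product as the cross-correlation score, expressing the threshold as a fraction of the mean score, and a fixed per-cycle threshold step are assumptions.

```python
# Constructed per-node behavioural profiles (normalised action histograms over
# four label bins); node D is the deviant one.
PROFILES = {
    "B": [0.60, 0.20, 0.00, 0.20],
    "C": [0.70, 0.10, 0.00, 0.20],
    "D": [0.20, 0.00, 0.70, 0.10],
    "E": [0.65, 0.15, 0.00, 0.20],
}

def average_pdf(profiles):
    """Average PDF of the system: element-wise mean over the observed profiles."""
    n = len(profiles)
    bins = len(next(iter(profiles.values())))
    return [sum(p[i] for p in profiles.values()) / n for i in range(bins)]

def ccids_scores(profiles):
    """Zero-lag cross-correlation of each profile with the average PDF (assumed score)."""
    avg = average_pdf(profiles)
    return {node: sum(a * b for a, b in zip(p, avg)) for node, p in profiles.items()}

def ccids_detect(profiles, threshold):
    """Nodes whose score deviates from the mean score by more than `threshold`,
    taken here as a fraction of the mean (an assumption about the deck's scaling)."""
    scores = ccids_scores(profiles)
    mean = sum(scores.values()) / len(scores)
    return {node for node, s in scores.items() if abs(s - mean) / mean > threshold}

def hybrid_match(mds_suspects, ccids_deviants):
    """HybridState rule: a match exists if any CCIDS result is an MDS suspect."""
    return set(mds_suspects) & set(ccids_deviants)

def tune_threshold(profiles, mds_suspects, start=0.5, step=0.05):
    """Lower the threshold once per tuning cycle until CCIDS agrees with MDS.
    Returns (threshold, cycles, deviants), or None if the system never converges."""
    threshold, cycles = start, 0
    while threshold > 0:
        cycles += 1
        deviants = ccids_detect(profiles, threshold)
        if hybrid_match(mds_suspects, deviants):
            return threshold, cycles, deviants
        threshold = round(threshold - step, 6)
    return None

if __name__ == "__main__":
    print(ccids_detect(PROFILES, 0.1))      # loose threshold: false positives C and E
    print(tune_threshold(PROFILES, ["D"]))  # constructed MDS suspect list ["D"]
```

A loose threshold flags C and E alongside D, the false positives the deck describes; tightening it once per cycle converges on the MDS suspect alone.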
How does it perform? HybrIDS Performance Analyzed
• HybrIDS can reliably detect deviant nodes up to 22% pervasion
• 25% pervasion and up removes the element of determinacy
• Scalability by percentage pervasion
  • Number of nodes in the cluster does not affect scalability concerns
• Graph includes total time – MDS, transition and CCIDS cycles

HybrIDS Implementation
• Implemented in Java 5 (1.5)
  • Introduces code portability
  • ARM9 development board target
• 2.73 KB memory footprint for a 35-agent system with 10 behaviors
  • MDS and CCIDS use a shared data structure
  • Storage footprint less than 46 KB
• Flexible interface implementation
  • TCP/UDP for network interface
  • Disk-based access for simulation
  • RS-232/serial interface possible
Summary
• Two-phased approach gives HybrIDS a detection advantage in an abstracted homogeneous device network
  • MDS provides accurate, single-anomaly detection
    • Requires no training data
  • CCIDS provides multiple-anomaly detection
    • Requires training threshold
• DPC/DCC computational cycle management reduces embedded device load
• Decentralized approach increases reliability and allows for ad-hoc network arrangement
• HybrIDS detection accuracy and determinacy viable through 22% deviant node pervasion
• Java implementation and small footprint assure integration ease and platform cross-compatibility
• HybrIDS is scalable based on the deviant node pervasion, not the number of nodes