Embeddable Intrusion Detection System (IDS)
Adrian P. Lauf, William H. Robinson, Vanderbilt University Institute for Software Integrated Systems
Richard A. Peters, Vanderbilt University Center for Intelligent Systems
Project Description
• Security Scenario: a network of aircraft shares position and mission information
  • A deviant node exists
  • The deviant node behaves differently
  • Connected aircraft record activities
• Method: develop a system to provide high-level analysis of interactions in a homogenous device network
  • An activity profile is established
  • Machine learning techniques used to build node profiles
  • Profiles analyzed by the IDS engine

Machine Learning Algorithm
• Step 1: IDS analyzes inter-node requests and actions
• Step 2: History of requests kept for each node
• Step 3: Node activity histories aggregated in History Table
• Step 4: Process to analyze activity
  • Organization of action labels according to Gaussian distribution
  • Detection of local maxima from summed histories
  • Gaussian normalization adjusts tolerance factor for maxima detection
• Step 5: Node histories added in groups of 10 occurrences to stabilize changes in behavior
• Device interactions
  • Each device maintains its own set of node activity histories and history tables
  • Devices do not maintain “self” data
  • Should multiple devices identify a deviant node, it can be excised from the network

Embedded Application
• Data packet-level analysis has high computational costs
• High-level abstraction of interactions can reduce this cost
• Each agent node is equipped with a lightweight IDS
• Prototype implementation
  • ARM9-based development board
  • Java codebase running on Linux 2.6 kernel
  • Code optimization reduces number of cycles for power reduction
Figure: Abstraction Levels Implemented (RS-232/Ethernet)

IDS Performance and Future Work
• Results using only maxima detection show promise
  • High detection accuracy achieved under test conditions (> 99%)
  • False positives appeared only under extremely low tolerance values
• Future work: Scalability
  • Determine range of agent network sizes and deviant nodes that can be used with this IDS
• Future work: Gaussian normalization
  • Normalization of label distribution will assist detection and eliminate manual tuning
  • Will require calibration period and possibly sample test data
• Future work: Resource analysis
  • Prototype will yield data on power consumption and computational overhead

March 20, 2007
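The five-step profiling procedure and the device-interaction rules above, worked through as an added Python example that is not the poster's or the authors' code: per-peer histories committed in groups of 10, a summed history table scanned for local maxima, and a per-device verdict that would still need agreement from other devices before a node is excised. The action label alphabet, the constructed traffic in demo(), and the reading of the poster's tolerance factor as a floor relative to the tallest peak are assumptions; the Gaussian normalization listed as future work is not implemented.

```python
from collections import Counter, defaultdict

# Constructed label alphabet (not from the poster); its ordering is the axis scanned for peaks.
LABELS = ["join", "pos_update", "route_share", "mission_req", "mission_ack", "leave"]
BATCH = 10  # Step 5: node histories are committed in groups of 10 occurrences


class NodeIDS:
    def __init__(self, self_id, tolerance=0.7):
        # Assumed reading of "tolerance": near 0 keeps only the tallest peaks, near 1 any maximum.
        self.self_id, self.tolerance = self_id, tolerance
        self.pending = defaultdict(list)   # peer -> uncommitted action labels
        self.table = defaultdict(Counter)  # history table: peer -> committed label counts

    def observe(self, peer, label):
        """Steps 1-3: record a peer's request; commit every BATCH occurrences."""
        if peer != self.self_id:           # devices keep no "self" data
            self.pending[peer].append(label)
            if len(self.pending[peer]) >= BATCH:
                self.table[peer].update(self.pending[peer])
                self.pending[peer].clear()

    def normal_labels(self):
        """Step 4: sum all histories; keep local maxima that clear the tolerance floor."""
        summed = sum(self.table.values(), Counter())
        counts = [summed[lab] for lab in LABELS]
        floor = (1.0 - self.tolerance) * max(counts, default=0)
        peaks = set()
        for i, c in enumerate(counts):
            nbrs = counts[max(i - 1, 0):i] + counts[i + 1:i + 2]  # up to two neighbours
            if c > 0 and c >= floor and all(c >= n for n in nbrs):
                peaks.add(LABELS[i])
        return peaks

    def deviance(self, peer):
        """Fraction of a peer's committed actions outside the network-wide peaks."""
        hist, peaks = self.table[peer], self.normal_labels()
        total = sum(hist.values())
        return sum(c for lab, c in hist.items() if lab not in peaks) / total if total else 0.0

    def deviant_peers(self, threshold=0.5):
        """This device's vote only; the poster excises a node when several devices agree."""
        return sorted(p for p in self.table if self.deviance(p) > threshold)


def demo(tolerance=0.7):
    # Constructed traffic: five well-behaved aircraft (A-E) and one deviant node (F).
    ids = NodeIDS("self", tolerance)
    for peer in "ABCDE":
        for lab in ["pos_update"] * 12 + ["mission_req"] * 4 + ["mission_ack"] * 4:
            ids.observe(peer, lab)
    for lab in ["join"] * 2 + ["route_share"] * 6 + ["leave"] * 12:
        ids.observe("F", lab)
    return ids
```

Running demo() with the default tolerance flags only F; demo(0.1) reproduces the poster's observation that very low tolerance values produce false positives, since only the tallest peak survives and every well-behaved peer's mission traffic is then counted as deviant.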