180 likes | 352 Views
By Nitin Bande. Multi-Level Intrusion Detection System (ML-IDS). Introduction. Deployment of network-centric systems increases, network attacks increases proportionally in intensity as well as complexity Attack detection techniques are broadly classified as Signature-based,
E N D
By Nitin Bande Multi-Level Intrusion Detection System (ML-IDS)
Introduction • Deployment of network-centric systems increases, network attacks increases proportionally in intensity as well as complexity • Attack detection techniques are broadly classified as Signature-based, Classification-based, or Anomaly-based.
ML-IDS • Multi level intrusion detection system (ML-IDS) uses autonomic computing to automate the control and management of ML-IDS • Automation allows ML-IDS to detect network attacks and proactively protect against them. • ML-IDS inspects and analyzes network traffic using three levels of granularities Traffic flow, Packet header, Payload.
ML-IDS • Employs an efficient fusion decision algorithm to improve the overall detection rate and minimize the occurrence of false alarm • Network defense systems (signature based or anomaly based), can be classified according to the attacker’s misuse type. • The first category of network defense systems detects misuse of network resources’ limitations
ML-IDS • Defense systems use flow level information in making decisions and to detect the attacks such as PeakFlow X, Mazu Profiler, and the AND system • The second type focuses on detecting attackers misuse of protocol’s vulnerabilities. • The system detects attacks using information collected from the protocol headers
ML-IDS • Current detection systems statefull firewalls (e.g., IPTABLES, Cisco PIX, and Linksys WRT54GS) • It protects against attacks such as DoS attacks and SYN flooding attacks. • Network defense systems detects misuses of application’s vulnerabilities by analyzing information collected from the packet payloads.
ML-IDS • It is capable of detecting any type of network attacks. • The current implementation of ML-IDS uses two types of attack detection techniques: flow based protocol based
Flow-based approach • It employs a set of rules, if violated then flags the traffic flow as being anomalous. • The protocol behavior approach views network protocol operation as being a finite state machine, and flags illegal sequences of state transitions as being anomalous. • The current protocol behavior analysis module is not affected by the use of TCP window scaling. • A fusion module that implements the least square algorithm is used to combine the decision produced by each type of anomaly analysis and thus significantly reduce the attack detection error.
Signature-based detection • SNORT, USTAT, NSTAT and P-Best • Limited in that they cannot detect new attacks. • New attack is identified, there is a significant time-lapse before the signature database is updated. • This is well known for its high number of false positive alerts.
Classification-based detection • Have normal and abnormal data sets, and use data mining techniques to train the system • This creates fairly accurate classification models, when compared with signature-based approaches and they are thus extremely powerful in detecting known attacks and their variants. • Are not capable of detecting unknown attacks. • ADAM uses a combination of association rules mining and classification to discover attacks in a TCPdump audit trail. • Another approach is the use of rare class predictive models such as Credos, PNRule. • Use association rules to detect intrusions, while others use cost sensitive modeling.
Anomaly-based detection • It build a model of normal behavior, and automatically classify statistically significant deviations from the normal as being abnormal. • Advantage of this approach is that it is possible to detect unknown attacks. However, there is a potential for having a high rate of false positive alarms generated when the knowledge collected about normal behaviors is inaccurate.
ML-IDS Architecture • The main modules are the Online Monitoring and Filtering, Multi-level Behavior Analysis, Decision Fusion, Action, Visualization, and Adaptive Learning.
Online Monitoring and Filtering Engine • Multi-level Behavior Analysis • Rule-based Flow Behavior Analysis • Protocol Behavior Analysis • Payload behavior Analysis • Decision Fusion Module • Risk and Impact Analysis Engine • Action Engine • Visualization module • Adaptive Learning
ML-IDS Modules • Monitoring and Filtering Engine • Multi-level Behavior Analysis • Rule-based behavior analysis • Protocol behavior Analysis • Decision Fusion • Action Module