1 / 15

Multi-Level Intrusion Detection System (ML-IDS)

By Nitin Bande. Multi-Level Intrusion Detection System (ML-IDS). Introduction. Deployment of network-centric systems increases, network attacks increases proportionally in intensity as well as complexity Attack detection techniques are broadly classified as Signature-based,

dudley
Download Presentation

Multi-Level Intrusion Detection System (ML-IDS)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. By Nitin Bande Multi-Level Intrusion Detection System (ML-IDS)

  2. Introduction • Deployment of network-centric systems increases, network attacks increases proportionally in intensity as well as complexity • Attack detection techniques are broadly classified as Signature-based, Classification-based, or Anomaly-based.

  3. ML-IDS • Multi level intrusion detection system (ML-IDS) uses autonomic computing to automate the control and management of ML-IDS • Automation allows ML-IDS to detect network attacks and proactively protect against them. • ML-IDS inspects and analyzes network traffic using three levels of granularities Traffic flow, Packet header, Payload.

  4. ML-IDS • Employs an efficient fusion decision algorithm to improve the overall detection rate and minimize the occurrence of false alarm • Network defense systems (signature based or anomaly based), can be classified according to the attacker’s misuse type. • The first category of network defense systems detects misuse of network resources’ limitations

  5. ML-IDS • Defense systems use flow level information in making decisions and to detect the attacks such as PeakFlow X, Mazu Profiler, and the AND system • The second type focuses on detecting attackers misuse of protocol’s vulnerabilities. • The system detects attacks using information collected from the protocol headers

  6. ML-IDS • Current detection systems statefull firewalls (e.g., IPTABLES, Cisco PIX, and Linksys WRT54GS) • It protects against attacks such as DoS attacks and SYN flooding attacks. • Network defense systems detects misuses of application’s vulnerabilities by analyzing information collected from the packet payloads.

  7. ML-IDS • It is capable of detecting any type of network attacks. • The current implementation of ML-IDS uses two types of attack detection techniques: flow based protocol based

  8. Flow-based approach • It employs a set of rules, if violated then flags the traffic flow as being anomalous. • The protocol behavior approach views network protocol operation as being a finite state machine, and flags illegal sequences of state transitions as being anomalous. • The current protocol behavior analysis module is not affected by the use of TCP window scaling. • A fusion module that implements the least square algorithm is used to combine the decision produced by each type of anomaly analysis and thus significantly reduce the attack detection error.

  9. Signature-based detection • SNORT, USTAT, NSTAT and P-Best • Limited in that they cannot detect new attacks. • New attack is identified, there is a significant time-lapse before the signature database is updated. • This is well known for its high number of false positive alerts.

  10. Classification-based detection • Have normal and abnormal data sets, and use data mining techniques to train the system • This creates fairly accurate classification models, when compared with signature-based approaches and they are thus extremely powerful in detecting known attacks and their variants. • Are not capable of detecting unknown attacks. • ADAM uses a combination of association rules mining and classification to discover attacks in a TCPdump audit trail. • Another approach is the use of rare class predictive models such as Credos, PNRule. • Use association rules to detect intrusions, while others use cost sensitive modeling.

  11. Anomaly-based detection • It build a model of normal behavior, and automatically classify statistically significant deviations from the normal as being abnormal. • Advantage of this approach is that it is possible to detect unknown attacks. However, there is a potential for having a high rate of false positive alarms generated when the knowledge collected about normal behaviors is inaccurate.

  12. ML-IDS Architecture • The main modules are the Online Monitoring and Filtering, Multi-level Behavior Analysis, Decision Fusion, Action, Visualization, and Adaptive Learning.

  13. Online Monitoring and Filtering Engine • Multi-level Behavior Analysis • Rule-based Flow Behavior Analysis • Protocol Behavior Analysis • Payload behavior Analysis • Decision Fusion Module • Risk and Impact Analysis Engine • Action Engine • Visualization module • Adaptive Learning

  14. ML-IDS Modules • Monitoring and Filtering Engine • Multi-level Behavior Analysis • Rule-based behavior analysis • Protocol behavior Analysis • Decision Fusion • Action Module

  15. Thank you

More Related