Information Integration and Assurance Laboratory IEE594 Presentation Xiangyang Li Dept. of Industrial Engineering Arizona State University Box 875906, Tempe, AZ 85287-5906, USA
Current People • Director Dr. Nong Ye • Students Master: Syed Masum Emran Ph.D.: Qiang Chen Xiangyang Li Mingming Xu Dawei Zhang Yebin Zhang
Current Research • Information security: intrusion detection technology study • Supply chain (with the Business School): enterprise modeling and simulation
Intrusion Detection Technology Application of Decision Tree Classifier
Intrusion Detection - Defensive System • Security Policy • What should we protect? • Prevention • How can we prevent an intrusion? • Detection • If there is an intrusion, how can we detect it? • Response/Recovery • If we detect an intrusion, how can we respond? How can we recover the system from the damage?
Intrusion Detection - Methods • Norm-based Approach • Statistical techniques (SPC) • Build a norm profile with statistical methods • Specification-based techniques (ANN, BN, ...) • Build a norm profile with rules and logical specifications • Signature-based Approach (DT, clustering, ...) • Recognize pre-defined intrusion signatures in system activities.
Problem Definition (1) • Intrusion detection: normality profile method; signature recognition method • A decision tree can build the signatures of normal activities and attacks automatically. Each path from the root to a leaf corresponds to a signature. • Each leaf carries an IW value and corresponds to a specific state of the system.
Problem Definition (2) • BSM audit event from Solaris (one record): event 217, auid -2, euid 0, egid 0, ruid 0, rgid 0, pid 96, sid 0, RemoteIP 0.0.0.0, time 897047263, error_message 91, process_error 0, retval 0, attack 0 • Target variable: Label (0 - normal activity, 1 - attack); IW (Intrusion Warning), a value in [0, 1] • Predictor variables: only the event type is used (284 event types in Solaris 2.7) • Data sets: training data set, testing data set
Problem Definition (3) • Decision tree algorithms: GINI and CHAID (AnswerTree, SPSS Inc.) • Analysis of testing results • Comparison of mean, max and min IW values between normal and attack events • ROC (Receiver Operating Characteristic) curve of hit rate against false alarm rate, computed from the predicted IW values and the true Label values.
Single-event Decision Tree Classifier • Single-event classifier • Label -> target variable • Event type -> the only predictor variable
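The single-event classifier, the per-class IW comparison and the ROC computation from the preceding slides, as an added example that is not the laboratory's code. It assumes that a tree with event type as its only predictor ends up with one leaf per event type whose IW value is the attack fraction seen at that type during training, and that unseen types fall back to a prior of 0.0; the training and testing records are constructed from the (event type, Label) fields of the BSM record format.

```python
"""Single-event decision tree classifier (event type as the only predictor)
and the IW-based evaluation from the slides.

Added example, not the laboratory's code. Assumption: when event type is the
only predictor, a tree that splits fully on it has one leaf per event type, and
the IW value at a leaf is the attack fraction observed at that type in
training; unseen types fall back to an assumed prior of 0.0. All records are
constructed, using the (event type, Label) fields of the BSM record format.
"""
from collections import defaultdict

# Constructed training/testing records: (event_type, label); label 1 = attack.
TRAIN = [
    (217, 0), (217, 0), (217, 0), (217, 1),
    (6, 0), (6, 0), (6, 0),
    (72, 1), (72, 1), (72, 0),
    (43, 0), (43, 1),
]
TEST = [(217, 0), (6, 0), (72, 1), (43, 1), (72, 0), (99, 0)]


def train_single_event(records, prior=0.0):
    """Return ({event_type: IW}, prior): one leaf per event type."""
    counts = defaultdict(lambda: [0, 0])  # type -> [n_events, n_attacks]
    for etype, label in records:
        counts[etype][0] += 1
        counts[etype][1] += label
    leaves = {t: n_attack / n for t, (n, n_attack) in counts.items()}
    return leaves, prior


def predict_iw(model, etype):
    """IW of the leaf reached by an event; the prior for an unseen type."""
    leaves, prior = model
    return leaves.get(etype, prior)


def iw_summary(scored):
    """(mean, max, min) of predicted IW for normal and for attack events."""
    out = {}
    for name, lab in (("normal", 0), ("attack", 1)):
        vals = [iw for iw, l in scored if l == lab]
        out[name] = (sum(vals) / len(vals), max(vals), min(vals))
    return out


def roc_points(scored):
    """(threshold, hit_rate, false_alarm_rate) for each distinct IW cutoff.

    An event is flagged when IW >= threshold; hit rate is flagged attacks
    over all attacks, false alarm rate is flagged normals over all normals.
    """
    n_attack = sum(l for _, l in scored)
    n_normal = len(scored) - n_attack
    points = []
    for th in sorted({iw for iw, _ in scored}, reverse=True):
        hits = sum(1 for iw, l in scored if l == 1 and iw >= th)
        alarms = sum(1 for iw, l in scored if l == 0 and iw >= th)
        points.append((th, hits / n_attack, alarms / n_normal))
    return points


def evaluate(train=TRAIN, test=TEST):
    """Train on the training set, score the test set, return leaves, summary, ROC."""
    model = train_single_event(train)
    scored = [(predict_iw(model, e), l) for e, l in test]
    return model[0], iw_summary(scored), roc_points(scored)


if __name__ == "__main__":
    leaves, summary, roc = evaluate()
    print("leaf IW per event type:", leaves)
    print("IW summary (mean, max, min):", summary)
    for th, hit, fa in roc:
        print(f"threshold {th:.2f}: hit rate {hit:.2f}, false alarm rate {fa:.2f}")
```

Each ROC point is one operating threshold on IW; lowering the threshold raises the hit rate but also the false alarm rate, which is the trade-off the slides compare between tree algorithms.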
EWMA Vectors • One variable represents one event type, so there are 284 variables for the 284 event types; in our sample data set there are 49. These variables are the predictor variables. • Each variable is updated at every event, with one update rule if the audit event at time t belongs to the ith event type and another if it does not.
“Existence” and “Count” Classifiers • “Existence”: in the transformed data set, variable i records whether event type i occurs in the current moving window. • “Count”: in the transformed data set, variable i records how many times event type i occurs in the current moving window. This is the one used in the moving-window classifiers on event types. • Truncation: remove the rows of the transformed data whose window contains both normal and attack events.
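The EWMA, "existence" and "count" transformations of the two preceding slides, including truncation of mixed windows, as an added example that is not the laboratory's code. The EWMA update is the standard exponentially weighted moving average of each event type's indicator, which is an assumption since the slide's own formula is not reproduced here; the smoothing weight, the window size, the event-type subset and the labelled event stream are all constructed.

```python
"""Transform an audit event stream into EWMA, existence and count vectors.

Added example, not the laboratory's code. The EWMA update used here is the
standard exponentially weighted moving average, an assumption since the
slide's own formula is not reproduced: for event type i at time t,
x_i(t) = lam * I_i(t) + (1 - lam) * x_i(t-1), where I_i(t) is 1 if the
event at time t is of type i and 0 otherwise. The smoothing weight lam,
the window size, the event-type subset and the labelled stream are all
constructed.
"""
from collections import Counter

EVENT_TYPES = [6, 72, 217]              # constructed subset of the 284 types
STREAM = [(217, 0), (6, 0), (217, 0),   # constructed (event_type, label),
          (72, 1), (72, 1), (6, 1), (217, 0)]  # label 1 = attack


def ewma_vectors(stream, types=EVENT_TYPES, lam=0.3):
    """One row per event: ({type: EWMA of that type's indicator}, label)."""
    x = {t: 0.0 for t in types}
    rows = []
    for etype, label in stream:
        for t in types:
            indicator = 1.0 if etype == t else 0.0
            x[t] = lam * indicator + (1.0 - lam) * x[t]
        rows.append((dict(x), label))
    return rows


def window_vectors(stream, size, mode, types=EVENT_TYPES, truncate=True):
    """Moving-window 'count' or 'existence' rows, labelled by window content.

    With truncate=True, windows that mix normal and attack events are dropped
    (the slide's truncation), so each remaining row has one unambiguous label.
    When mixed windows are kept, they are labelled 1 here (an assumption).
    """
    rows = []
    for end in range(size, len(stream) + 1):
        window = stream[end - size:end]
        labels = {label for _, label in window}
        if truncate and len(labels) > 1:
            continue
        counts = Counter(etype for etype, _ in window)
        if mode == "count":
            vec = [counts[t] for t in types]
        elif mode == "existence":
            vec = [int(counts[t] > 0) for t in types]
        else:
            raise ValueError(f"unknown mode {mode!r}")
        rows.append((vec, max(labels)))
    return rows


if __name__ == "__main__":
    for x, label in ewma_vectors(STREAM):
        print({t: round(v, 3) for t, v in x.items()}, label)
    print(window_vectors(STREAM, 3, "count"))
    print(window_vectors(STREAM, 3, "existence", truncate=False))
```

The three transformations differ in how much history they keep: EWMA decays old events smoothly, while count and existence vectors forget everything outside the window, which is why truncation matters only for the windowed forms.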
Conclusions and Open Problems • Conclusions • DTCs show promising performance in the intrusion detection application • The performance of a DTC depends on its design, i.e. the choice of predictor variables and target variable • Different decision tree algorithms affect the results • Open problems • Computational feasibility • Incremental training (ITI) • Scalable/parallel/database-resident training (ScalParC) • Bagging and boosting?
END • Other work: http://iia.eas.asu.edu/