
Packet Anomaly Intrusion Detection PAID

Packet Anomaly Intrusion Detection PAID. Constantine Manikopoulos and Zheng Zhang New Jersey Center for Wireless Networking and Security ( NJWINS ) at NJIT George Mason University September 24-26, 2003. The HIDE/PAID Project.


Presentation Transcript


  1. Packet Anomaly Intrusion Detection PAID Constantine Manikopoulos and Zheng Zhang New Jersey Center for Wireless Networking and Security (NJWINS) at NJIT George Mason University September 24-26, 2003

  2. The HIDE/PAID Project
  • NJWINS – US Army SBIR Phase II Research and Development Effort
  • Prototype and evaluate an Intrusion Detection System for the Tactical Internet of the Digital Battlefield

  3. System Architecture
  • Components:
  • Probe
  • Event preprocessor
  • NN classifier
  • Post processor

  4. System Architecture

  5. Multi-layer Detection

  6. PDF Representation
  • Binned PDF Representation
  • Let S be the sample space of a random variable
  • Events E1, E2, …, Ek form a mutually exclusive partition of S
  • Pi is the expected probability of the occurrence of the event Ei
  • Pi’ is the frequency of the occurrence of Ei during a given time interval

  7. Similarity Measuring Algorithms
  • χ²-like test
  • Kolmogorov-Smirnov test
  • Anderson-Darling’s statistic
  • Kuiper’s statistic
  • Others

  8. Similarity Measuring Algorithms
  • Pi is the expected probability of event Ei
  • Pi’ is the observed probability of event Ei during a time interval
  • f(N) is a function that takes into account the total number of occurrences during a time window

  9. Reference Model Updating
  • Reference Model Updating Algorithm
  • Pold is the reference model before updating
  • Pnew is the reference model after updating
  • is a programmable predefined adaptation rate
  • s is a learning rate determined by the outputs of the neural network
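The three slides above (binned PDF, similarity measure, reference-model update) fit in one small program. The following is an added example, not code from the HIDE/PAID project: it profiles a 30 s window of packets as a binned PDF over a partition of TCP flag classes, scores the window against a reference model with a χ²-like statistic scaled by f(N) and with a Kolmogorov-Smirnov-style statistic, and then adapts the reference model. The event partition, the constructed traffic windows, the choice f(N) = N, the fixed alarm threshold standing in for the neural-network classifier, and the exact form of the update rule (an exponentially weighted average gated by the adaptation rate α and the learning rate s) are all assumptions, since the slides do not state them.

```python
# Added example (not code from the HIDE/PAID project): binned-PDF traffic
# profiling, chi-square-like and KS-style similarity scores, and an adaptive
# reference-model update. Event partition, windows, f(N), threshold and the
# update formula are assumptions, not taken from the slides.
from collections import Counter

# Mutually exclusive partition E1..Ek of the sample space S (assumed: TCP flag classes)
EVENTS = ("SYN", "SYN-ACK", "ACK", "FIN", "RST", "OTHER")

def binned_pdf(flags):
    """Observed frequencies Pi' of each event over one time window, plus the total N."""
    counts = Counter(flags)
    n = sum(counts[e] for e in EVENTS)
    if n == 0:
        return {e: 0.0 for e in EVENTS}, 0
    return {e: counts[e] / n for e in EVENTS}, n

def chi2_like(p_ref, p_obs, n, f=lambda n: n):
    """Chi-square-like distance f(N) * sum_i (Pi' - Pi)^2 / Pi (larger = less similar).
    Reference bins with zero probability are floored so observed events there still count."""
    eps = 1e-6
    return f(n) * sum((p_obs[e] - p_ref[e]) ** 2 / max(p_ref[e], eps) for e in EVENTS)

def ks_like(p_ref, p_obs):
    """Kolmogorov-Smirnov statistic: largest gap between the two binned CDFs (EVENTS order)."""
    cdf_ref = cdf_obs = gap = 0.0
    for e in EVENTS:
        cdf_ref += p_ref[e]
        cdf_obs += p_obs[e]
        gap = max(gap, abs(cdf_ref - cdf_obs))
    return gap

def update_reference(p_old, p_obs, alpha, s):
    """Reference-model update. Assumed form: Pnew = (1 - alpha*s) * Pold + alpha*s * P'.
    alpha is the programmable adaptation rate; s in [0, 1] is the learning rate from the
    classifier. Driving s toward 0 while a window is flagged as attack keeps the reference
    model from absorbing the attack traffic."""
    w = alpha * s
    return {e: (1.0 - w) * p_old[e] + w * p_obs[e] for e in EVENTS}

def reference_model():
    """Constructed 'normal' profile: mostly ACKs, few bare SYNs or RSTs."""
    return {"SYN": 0.10, "SYN-ACK": 0.10, "ACK": 0.60, "FIN": 0.10, "RST": 0.05, "OTHER": 0.05}

def normal_window():
    """Constructed 30 s window of ordinary traffic (100 packets)."""
    return ["SYN"] * 10 + ["SYN-ACK"] * 10 + ["ACK"] * 62 + ["FIN"] * 9 + ["RST"] * 5 + ["OTHER"] * 4

def flood_window():
    """Constructed 30 s window during a SYN flood (1000 packets, 90% bare SYNs)."""
    return ["SYN"] * 900 + ["SYN-ACK"] * 10 + ["ACK"] * 60 + ["FIN"] * 10 + ["RST"] * 15 + ["OTHER"] * 5

def score_window(p_ref, flags, threshold=10.0):
    """Return (chi2 score, ks score, anomalous?) for one window against the reference model.
    The fixed threshold stands in for the neural-network classifier's decision."""
    p_obs, n = binned_pdf(flags)
    chi2 = chi2_like(p_ref, p_obs, n)
    return chi2, ks_like(p_ref, p_obs), chi2 > threshold

if __name__ == "__main__":
    p_ref = reference_model()
    for name, win in (("normal", normal_window()), ("syn-flood", flood_window())):
        chi2, ks, alarm = score_window(p_ref, win)
        print(f"{name:10s} chi2={chi2:9.3f} ks={ks:.3f} alarm={alarm}")
    # Adapt on the normal window (s = 1); a flagged window would be fed with s = 0.
    p_obs, _ = binned_pdf(normal_window())
    p_ref = update_reference(p_ref, p_obs, alpha=0.2, s=1.0)
    print("updated ACK probability:", round(p_ref["ACK"], 4))
```

The χ² score scales with N, so a flood window produces a large score both because its shape differs from the reference and because it carries many more packets; the KS statistic, by contrast, is bounded by 1 and reflects shape only. Gating the update with s is what keeps a long-running flood from slowly becoming the new "normal".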

  10. HIDE/PAID: User Interface

  11. Two-Dimensional Scatter Plots

  12. Two-dimensional Scatter Plots

  13. Sample Visualization Attack traffic Normal

  14. Data Description
  • DARPA’98 Intrusion Detection Evaluation Data Set
  • Seven weeks of training data
  • Two weeks of testing data (not used because the attack truth is not available)
  • Categories of the simulated attacks: DOS, Probe, R2L, U2R

  15. System Configuration
  • Only non-stealthy DOS attacks are tested:
  • Neptune (SYN flooding)
  • Pod (Ping-of-Death)
  • Smurf (ICMP flooding)
  • Teardrop (Pathetic IP Fragmentation)
  • PDF Observation Time Window: 30 s
  • Classifier: Backpropagation with 4 hidden neurons

  16. Detection Results on y98w1d3

  17. Detection Results on y98w3d4

  18. Detection Results on y98w4d2

  19. Detection Results on y98w4d3

  20. Detection Results on y98w5d1

  21. Detection Results on y98w5d2

  22. Detection Results on y98w5d4

  23. Detection Results on y98w5d5

  24. Detection Results on y98w6d1

  25. Detection Results on y98w6d2

  26. Detection Results on y98w6d3

  27. Detection Results on y98w6d4

  28. Detection Results on y98w6d5

  29. Detection Results on y98w7d2

  30. Detection Results on y98w7d3

  31. Detection Results on y98w7d4

  32. Detection Results on y98w7d5

  33. Summary (1)

  34. Summary (2)
