
Machine Learning in Intrusion Detection Systems (IDS)

Machine Learning in Intrusion Detection Systems (IDS). Two papers: Artificial Intelligence & Intrusion Detection: Current & Future Directions [AIID], J. Frank; Applying Genetic Programming to Intrusion Detection [GP], M. Crosbie and G. Spafford. AIID: What is intrusion detection?



Presentation Transcript


  1. Machine Learning in Intrusion Detection Systems (IDS)

  2. 2 papers: • Artificial Intelligence & Intrusion Detection: Current & Future Directions [AIID] • J. Frank • Applying Genetic Programming to Intrusion Detection [GP] • M. Crosbie, G. Spafford

  3. AIID • What is intrusion detection? • What are the issues in Intrusion Detection? • Data collection • Data reduction • Behavior Classification • Reporting • Response

  4. AIID • AI methods are used to help solve some issues • For data classification: • Classifier systems • Neural Network • Decision Tree • Feature Selection

  5. AIID • Data Reduction • Data Filtering • Feature Selection • Data Clustering

  6. AIID • Behavior Classification • Expert Systems • Anomaly Detection • Rule-Based Induction

  7. AIID • An experiment using Feature Selection • Info. about network connections using a Network Security Monitor

  8. AIID • 3 Search algorithms used: • Backward Sequential Search (BSS) • Beam Search (BS) • Random Generation Plus Sequential Selection (RS)

  9. AIID • Algorithm performance

  10. AIID • Error Rate Performance (All) [T, PD, DS] Best [I, W, T, PS, PD, DS]

  11. AIID • Error Rate Performance (SMTP) Best [W, T, PS, PD, DS]

  12. AIID • Error Rate Performance (Login) [T, PD, DS] RGSS; Best [W, T, PS, PD]

  13. AIID • Error Rate Performance (Shell) Best [W, T, PS, DS] RS; [W, PS, PD, DS] BS & BSS

  14. GP (Applying Genetic Programming to Intrusion Detection) • An IDS that exploits the learning power of Genetic Programming • Two types of security tools: • Pro-active • Reactive: IDS falls in this category

  15. GP • Components in an IDS • Anomaly • May indicate a possible intrusion • So how do we know for sure? Expert-system • Rule-set = model • Metrics • Comparing metrics & model • But … If a new intrusion scenario arises modifying the IDS is complicated

  16. GP • A finer-grained approach IDS gets split into multiple Autonomous Agents

  17. GP

  18. GP • Using GP for learning • Instead of a monolithic static “knowledge base” • The GP paradigm allows evolution of agents that could be placed in a system to monitor audit data • GP programs • are in a simple meta-language • Have primitives that access audit data fields and manipulate them

  19. GP • Internal agent architecture

  20. GP • Learning by feedback • What do the agents monitor? • Inter-packet timing metrics: Total # of socket connections, average time between socket connections, minimum time between socket connections, maximum time between socket connections, destination port, source port • Potential intrusions looked for: Port flooding, port-walking, probing, password cracking

  21. GP • Δ = | outcome – suspicion | • Penalty = Δ * ranking /100 • Fitness = (100 – Δ) - penalty

  22. GP • Multiple types: • Time (long int), port (int), boolean, suspicion (int) • Problems with multiple types • ADF solution to type safety • ADF: Automatically Defined Function • To monitor network timing: avg_interconn_time, min_interconn_time, max_interconn_time • For port monitoring: src_port, dest_port • For privileged port checking: is_priv_dest_port, is_priv_src_port
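Slides 20 to 22 describe what an agent sees (the inter-connection timing metrics and port primitives) and how it is scored by feedback (Δ, penalty, fitness). The following is an added example, not code from the papers or the slides: it derives those metrics from a constructed audit window, stands a hand-written `portwalk_agent` in for an evolved GP program, and scores it with the slide-21 formula. The treatment of `ranking` as a 0-100 weight attached to each training scenario, and the "< 1024" rule for privileged ports, are assumptions.

```python
from typing import Callable, Dict, List, Tuple

Conn = Tuple[float, int, int]   # (timestamp in seconds, src_port, dest_port)

def audit_metrics(conns: List[Conn]) -> Dict[str, float]:
    """Compute the slide-20 metrics and slide-22 primitives over one audit window."""
    times = sorted(t for t, _, _ in conns)
    gaps = [b - a for a, b in zip(times, times[1:])]
    _, src_port, dest_port = conns[-1]          # ports of the most recent connection
    return {
        "total_conns": len(conns),
        "avg_interconn_time": sum(gaps) / len(gaps) if gaps else 0.0,
        "min_interconn_time": min(gaps, default=0.0),
        "max_interconn_time": max(gaps, default=0.0),
        "src_port": src_port,
        "dest_port": dest_port,
        "is_priv_src_port": src_port < 1024,     # assumption: privileged ports are < 1024
        "is_priv_dest_port": dest_port < 1024,
    }

def portwalk_agent(m: Dict[str, float]) -> int:
    """Hypothetical hand-written agent standing in for an evolved GP program.
    Returns a suspicion value in 0..100 from the primitives above."""
    suspicion = 0
    if m["total_conns"] >= 5:
        suspicion += 40               # burst of connections in the window
    if m["avg_interconn_time"] < 0.5:
        suspicion += 30               # connections arrive faster than a human would drive them
    if m["is_priv_dest_port"]:
        suspicion += 30               # most recent connection targets a service port
    return suspicion

def fitness(outcome: int, suspicion: int, ranking: int) -> float:
    """Slide-21 feedback: delta between truth and guess, penalty scaled by ranking, fitness."""
    delta = abs(outcome - suspicion)
    penalty = delta * ranking / 100
    return (100 - delta) - penalty

def evaluate(agent: Callable[[Dict[str, float]], int], scenarios) -> float:
    """Mean fitness of an agent over labelled training scenarios (conns, outcome, ranking)."""
    scores = [fitness(outcome, agent(audit_metrics(conns)), ranking)
              for conns, outcome, ranking in scenarios]
    return sum(scores) / len(scores)

# Constructed training scenarios: a fast walk across service ports, and a benign pair of HTTPS hits.
PORT_WALK = [(0.00, 40001, 22), (0.05, 40002, 23), (0.11, 40003, 25),
             (0.16, 40004, 80), (0.22, 40005, 110)]
BENIGN = [(0.0, 50000, 443), (30.0, 50001, 443)]
SCENARIOS = [(PORT_WALK, 100, 80), (BENIGN, 0, 20)]

if __name__ == "__main__":
    print(evaluate(portwalk_agent, SCENARIOS))   # 82.0
```

The benign window still earns a suspicion of 30 (port 443 is privileged), so the agent is docked there; under GP that shortfall is what selection pressure would drive the next generation to remove.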

  23. GP • Experimental results:

  24. That’s it !!!

  25. Too old a research idea … did not find any current research in the same field
