
Design of an Intrusion Response System using Evolutionary Computation

Rohit Parti. Agenda: Motivation; Automated Intrusion Response; Challenges; Response Model; Individuals Representation; EC Mechanism; Evaluation Function; Preliminary Results.


Presentation Transcript


  1. Design of an Intrusion Response System using Evolutionary Computation Rohit Parti

  2. Agenda • Motivation • Automated Intrusion Response • Challenges • Response Model • Individuals Representation • EC Mechanism • Evaluation Function • Preliminary Results

  3. Motivation • The number of computer attacks is increasing • Attacks are getting more sophisticated • The speed of attacks is increasing

  4. Motivation • Need for Computer Security • Intrusion Prevention • Intrusion Detection • Intrusion Response • Need for Automated Intrusion Response

  5. Automated Intrusion Response • Need for Automated Response • Earlier Response Systems: Notification Systems and Manual Response Systems • System administrators can neither keep up with the pace at which an IDS is delivering alerts, nor can they react within adequate time limits • Delay between detection of a possible intrusion and response to that intrusion • Research by Cohen shows that • If delay is 10 hours, intruder has 80% success • If delay is 20 hours, intruder has 95% success • If delay is 30 hours, intruder has 100% success

  6. Challenges in Automating Response • Countermeasures may not only defend against an attack, but can also have a negative impact on legitimate users. • Possibility of the response causing more damage than the actual attack • Intrusion Detection Systems (IDS) are not perfect and can generate false alarms. • This affects the response, because false alarms introduce uncertainty into formulating it.

  7. Response Model • Focus is on choosing a response action from among alternatives that have the least negative impact on the whole system • Basic elements of the model • Resources (services provided by hosts) • System Users (users of the network) • Network Topology (the underlying communication architecture) • Firewall Rules • Entities: Resources and System Users together

  8. Dependency • It is a relation between two entities. • One entity needs a service from another to be fully operational • Two types • Direct (represents dependency of an entity on a service) • Indirect (formed due to network topology and firewall rules) • Indirect dependencies are a precondition to fulfilling direct dependencies

  9. Dependency Tree • Describes the relationship of an entity with other entities • Leaf Node: Describes an entity that does not depend on other entities • COMBINE Node: Describes an entity that needs access to more than one service • CHOICE Node: Describes an entity which needs access to at least one of a set of identical services

  10. Capability • The capability c(r) of an entity ‘r’: • is a value ranging from 0.0 to 1.0 and • describes how far the entity ‘r’ can perform its work given the current network configuration • If all the resources the entity ‘r’ uses are available, then c(r)=1.0 • If a particular service the entity ‘r’ uses is unavailable, the value of c(r) decreases (as will be shown)

  11. Capability Calculation • c(left) and c(right): denote the capability of the left and right link of a node. • c: denotes the capability of any intermediate node • Leaf Node: • if the entity provides the service, capability is set to 1.0 • if the entity does not provide the service, capability is set to 0.0 • COMBINE Node: c=(c(left)+c(right))/2 • CHOICE Node: c=Max(c(left),c(right))

  12. Example • User ‘A’ (entity) uses the DNS server, the NFS server, and one of the two domain name servers DNS1 and DNS2 to accomplish all his tasks • When the NFS server is unavailable

  13. Dependency Degree • Describes how far the operation of an entity is affected if the resource it depends on is no longer available • Example: user mainly surfs the internet • High dependency on availability of DNS and HTTP server (say we set dependency degree to 100 %) • Not very much on NFS server (say we set dependency degree to 75 %) • Changes to capability calculation • c(left)=c(left)*dependency degree • c(right)=c(right)*dependency degree

  14. Evaluating the Network State • In a network many entities depend on other entities in the network • We create dependency trees for every such entity • Final State of Network: Average of all capability values of all dependency trees created over all entities • Handling cyclic dependencies: An unavailable service can affect the availability of other services • Create another dependency tree for the depending service

  15. Individual Representation • An individual represents a response action • A set of operations that are performed when an intrusion is detected • A response action is represented as a binary string • Each bit is associated with an operation on a host that provides a service • If a response action indicates an operation to be performed and the operation is already in effect, it is ignored • Example: If a response action indicates that a particular firewall rule be installed (removed), and that rule is already installed (not installed), the response action ignores the rule

  16. EC Mechanism

  17. Response History Agent (RHA) • Stores information about the attack and the response to that attack • Attack Information: Stored as “reports” generated by the IDS • Response Information: Stored as a binary string that represents the response action • Partial Population: Created by selecting responses from the RHA that have “similar intrusive patterns” (many of the variables within the report are the same; IDS variables indicate the type of intrusion) • As new attacks are generated, the attack-response pair is added to the RHA • If an exactly similar attack has previously occurred, we have the option to generate the response that was previously generated

  18. Evaluation Function • Add the response action (defined by the individual) temporarily to the model • Determine total capability of network • For a mild attack, and a severe response, associate a penalty to the fitness • Mild attack: determined from IDS report • For a severe attack, and a mild response, associate a penalty to the fitness

  19. Preliminary Results

  20. Questions or Comments?

  21. A Simpler Approach

  22. Happy Thanksgiving!!! Thank You!!!
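
The capability calculation from slides 9 to 14 and the evaluation function from slide 18, worked through as an added example that is not part of the original presentation. The service names, the two dependency trees, the penalty value and the rule for calling a response "severe" are constructed assumptions; the slides do not specify them.

```python
from dataclasses import dataclass

@dataclass
class Leaf:
    service: str
    def cap(self, up):
        # Leaf node: 1.0 if the service is currently provided, else 0.0
        return 1.0 if self.service in up else 0.0

@dataclass
class Node:
    kind: str               # "COMBINE" or "CHOICE"
    left: object
    right: object
    deg_left: float = 1.0   # dependency degree applied to each link (slide 13)
    deg_right: float = 1.0
    def cap(self, up):
        l = self.left.cap(up) * self.deg_left
        r = self.right.cap(up) * self.deg_right
        return (l + r) / 2 if self.kind == "COMBINE" else max(l, r)

def network_state(trees, up):
    # Final state of the network: average capability over all dependency trees
    return sum(t.cap(up) for t in trees) / len(trees)

# Constructed model: bit i of a response string means "block SERVICES[i]".
SERVICES = ["WEB", "NFS", "DNS1", "DNS2"]
ALL_UP = set(SERVICES)
USER_A = Node("COMBINE", Node("COMBINE", Leaf("WEB"), Leaf("NFS")),
              Node("CHOICE", Leaf("DNS1"), Leaf("DNS2")))
USER_B = Node("COMBINE", Leaf("WEB"), Leaf("NFS"), deg_right=0.75)
TREES = [USER_A, USER_B]

def apply_response(bits, up):
    # Operations already in effect are ignored: blocking a down service is a no-op
    return up - {s for s, b in zip(SERVICES, bits) if b == "1"}

def fitness(bits, up, attack_severe, penalty=0.25):
    # Assumption: a response is "severe" when it blocks at least half the services.
    response_severe = bits.count("1") * 2 >= len(bits)
    score = network_state(TREES, apply_response(bits, up))
    # Mild attack with severe response, or severe attack with mild response
    return score - penalty if response_severe != attack_severe else score

def best_response(candidates, up, attack_severe):
    # Pick the candidate with the least negative impact on the whole system
    return max(candidates, key=lambda b: fitness(b, up, attack_severe))
```

Blocking DNS1 costs nothing here because the CHOICE node falls back to DNS2, while blocking NFS lowers both users' capability. Applying slide 13's formula literally also means USER_B scores 0.875 with every service available.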
