
by Lam Ho-yu advised by Dr. Yeung Dit-yan






Presentation Transcript


  1. 2003-2004 Final Year Project Presentation DY1: Machine Learning for Computer Security Applications by Lam Ho-yu, advised by Dr. Yeung Dit-yan

  2. What is computer security?
     • Computer Security = Firewall? Is it secure?
     • 7-eleven examples…

  3. Intrusion Detection System (IDS)
     • Real world: Surveillance Camera
     • Computer Networks: IDS to monitor network
     • This project: computer security application = Intrusion Detection System (IDS)

  4. Presentation Flow
     • Problems of current IDS technology
     • Objectives of this project
     • Scenario – the key idea of this project
     • System framework
     • Another approach
     • Active Support Vector Machine (ASVM)

  5. Problems of Current IDS
     A part of “alert.log” of Bro:
       172.16.113.50/portmap pm_getport: sadmind -> 0/udp
       952442110.022445 SensitivePortmapperAccess rpc: 202.77.162.213/659 > 172.16.112.10/portmap pm_getport: sadmind -> 56255/udp
       952442110.098242 SensitivePortmapperAccess rpc: 202.77.162.213/660 > 172.16.112.50/portmap pm_getport: sadmind -> 56261/udp
       952443968.102596 ContentGap 194.27.251.21/13525 > 172.16.112.194/telnet content gap (< 92797/14296)
     • Low-level
     • Large quantity
     • False alerts – Password typo vs. password guessing?
     • Heavy workload for network security officers

  6. Objectives
     • To allow easier separation between false alerts and real alerts
     • To transform alerts to a more user-friendly representation
     • To relieve the operator’s workload by automation

  7. Notion of Scenario
     • A typical attack usually takes several steps:
        • Scan for candidate machines
        • Exploration – Gather information about the machine
        • Exploitation – Break into the machine
        • Escalation – Gain more control (super-user)
        • Do anything the intruders want!!
     • Operators want to see the logical steps that the intruder is taking

  8. The System Framework

  9. Learning Components
     • Clustering – Group similar alerts together
     • Correlation – Group alerts that are in the same scenario
     Learners shown on the slide: Multi-Layer Perceptrons, Decision Tree
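To make the two learning components concrete, here is an added Python example; it is not the project's code (the project used learned models, while this uses fixed grouping rules as a stand-in). It parses the complete Bro alert.log lines quoted on slide 5 plus one constructed line that reuses the same attacker address, then clusters alerts by what they look like (alert name and target service) and correlates them by who is acting within a time window. The field names, the regular expression and the 3600-second window are assumptions made for this example.

```python
import re
from collections import defaultdict

# Bro alert.log lines: the three complete lines quoted on slide 5, plus one
# CONSTRUCTED line (the last one) that reuses the attacker address from the
# first two so that the correlation step has something to join.
SAMPLE_ALERTS = """\
952442110.022445 SensitivePortmapperAccess rpc: 202.77.162.213/659 > 172.16.112.10/portmap pm_getport: sadmind -> 56255/udp
952442110.098242 SensitivePortmapperAccess rpc: 202.77.162.213/660 > 172.16.112.50/portmap pm_getport: sadmind -> 56261/udp
952443968.102596 ContentGap 194.27.251.21/13525 > 172.16.112.194/telnet content gap (< 92797/14296)
952442190.310000 ContentGap 202.77.162.213/700 > 172.16.112.10/telnet content gap (< 100/20)
"""

# Assumed line layout, derived from the lines above (not a Bro specification).
ALERT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<name>\S+) "      # timestamp, alert name
    r"(?:(?P<proto>\w+): )?"                  # optional protocol tag such as "rpc:"
    r"(?P<src>[\d.]+)/(?P<sport>\d+) > "      # source host/port
    r"(?P<dst>[\d.]+)/(?P<dsvc>\w+)"          # destination host/service
    r"(?: (?P<detail>.*))?$"                  # free-text remainder
)


def parse_alert(line):
    """Turn one alert.log line into a dict; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def parse_log(text):
    """Parse every line of a log excerpt, silently dropping lines that do not match."""
    return [r for r in (parse_alert(l) for l in text.splitlines()) if r]


def cluster(alerts):
    """Clustering: group alerts that look alike (same alert name and target service)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["name"], a["dsvc"])].append(a)
    return dict(groups)


def correlate(alerts, window=3600.0):
    """Correlation: group alerts from the same source host that arrive within
    `window` seconds of the first alert in the group, regardless of alert type."""
    scenarios = []
    open_by_src = {}
    for a in sorted(alerts, key=lambda r: r["ts"]):
        cur = open_by_src.get(a["src"])
        if cur is None or a["ts"] - cur[0]["ts"] > window:
            cur = []
            scenarios.append(cur)
            open_by_src[a["src"]] = cur
        cur.append(a)
    return scenarios


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_ALERTS)
    for key, members in cluster(alerts).items():
        print("cluster", key, "->", len(members), "alert(s)")
    for sc in correlate(alerts):
        print("scenario from", sc[0]["src"], "->", [a["name"] for a in sc])
```

Clustering puts the constructed ContentGap alert from 202.77.162.213 into the telnet cluster with the unrelated one from 194.27.251.21, while correlation puts it into the scenario of the portmap attacker. The two groupings answer different operator questions (what kind of alert, and whose activity), which is why the slide lists them as separate components.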

  10. Key Results
      Total Clusters: 236
      Alert count in clusters: 835
      *********************** Correlation Results *************************
      Total Scenarios: 182
      Alert count in Scenarios: 236
      --------------- Confusion Matrix ---------------
      Desired \ Processed Results     True     False     Total
      True                             126         1       127
      False                            130       578       708
      Total                            256       579       835

      Desired \ Processed Results     True     False     Total
      True                          99.21%   0.7874%    15.21%
      False                         18.36%    81.64%    84.79%
      Total                         30.66%    69.34%
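The percentage table on slide 10 follows from the count table, but the slide does not say what the counts mean for an operator. This added Python example (not part of the presentation) recomputes the percentages from the four counts and derives recall, precision and false-alarm rate, assuming that rows are the desired (ground-truth) label, columns are the processed result, and "True" means a real alert, as the table headers suggest.

```python
# Counts copied from the Key Results slide: rows are the desired label,
# columns are the processed result (assumed reading of the table headers).
CONFUSION = {
    "True":  {"True": 126, "False": 1},
    "False": {"True": 130, "False": 578},
}
LABELS = ("True", "False")


def row_totals(cm):
    """Alerts per desired label (127 real, 708 false)."""
    return {r: sum(cm[r][c] for c in LABELS) for r in LABELS}


def col_totals(cm):
    """Alerts per processed result (256 flagged true, 579 flagged false)."""
    return {c: sum(cm[r][c] for r in LABELS) for c in LABELS}


def grand_total(cm):
    return sum(row_totals(cm).values())


def row_percentages(cm):
    """Each cell as a percentage of its row, i.e. the slide's 99.21% / 18.36% figures."""
    rt = row_totals(cm)
    return {r: {c: round(100.0 * cm[r][c] / rt[r], 2) for c in LABELS} for r in LABELS}


def margin_percentages(cm):
    """Row and column totals as a share of all alerts (the slide's Total row/column)."""
    n = grand_total(cm)
    return {
        "rows": {r: round(100.0 * v / n, 2) for r, v in row_totals(cm).items()},
        "cols": {c: round(100.0 * v / n, 2) for c, v in col_totals(cm).items()},
    }


def detection_metrics(cm):
    """Treat 'True' as the positive class (a real alert).
    recall: real alerts the system kept; precision: kept alerts that were real;
    false_alarm_rate: false alerts the system failed to suppress."""
    tp, fn = cm["True"]["True"], cm["True"]["False"]
    fp, tn = cm["False"]["True"], cm["False"]["False"]
    return {
        "recall": tp / (tp + fn),
        "precision": tp / (tp + fp),
        "false_alarm_rate": fp / (fp + tn),
        "alerts_suppressed": fn + tn,          # what the operator no longer has to read
        "alerts_remaining": tp + fp,
    }


if __name__ == "__main__":
    print(row_percentages(CONFUSION))
    print(margin_percentages(CONFUSION))
    for k, v in detection_metrics(CONFUSION).items():
        print(f"{k}: {v:.4f}" if isinstance(v, float) else f"{k}: {v}")
```

Read this way, the system keeps 126 of 127 real alerts and discards 578 of 708 false ones, so the operator's queue shrinks from 835 alerts to 256; the price is that 130 false alerts survive, so roughly half of what remains still needs a human to dismiss it.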

  11. Screen Shot

  12. Q & A

  13. Thank you!
