130 likes | 222 Views
Fuzzy Network Profiling for Intrusion Detection. Dickerson, J.E.; Dickerson, J.A. Fuzzy Information Processing Society, 2000. NAFIPS. 19th International Conference of the North American , 2000 Reporter : Chien-Chung Su. Agenda. Introduction System Architecture Implementation example
E N D
Fuzzy Network Profiling for Intrusion Detection Dickerson, J.E.; Dickerson, J.A.Fuzzy Information Processing Society, 2000. NAFIPS. 19th International Conference of the North American , 2000 Reporter : Chien-Chung Su
Agenda • Introduction • System Architecture • Implementation example • Conclusion
Introduction • Intrusion Detection System • A process to identifying network activity that can lead to the compromise of a security policy • Two primary form • Misuse Detection • Matching known patterns of hostile activity against database of past attacks • Anomaly Detection • Applying statistical measures or artificial knowledge to compare current activity against historical knowledge of network utilization
System Architecture (1/5) • Fuzzy Intrusion Recognition Engine(FIRE) • Anomaly-based intrusion detection system • Applying Fuzzy Theory • Applying simple data mining technique
Raw data Mined data Fuzzy Alerts System Architecture (2/5) A Local Area Local Network Data Collector (NDC) Network Data Processor (NDP) Fuzzy Threat Analyzer (FTA)
System Architecture (3/5) • Network Data Collector(NDC) • Grab all packets that cross the wire and stores them to disk • To help avoid packet loss in the data collection system, it is important that the tasks performed by the NDC be very limited
System Architecture (4/5) • Network Data Processor(NDP) • Perform a kind of data mining on the collected packets • Compare the current data with the historical mined data to create the “normalized” value that reflect how the new data differs from what was observed in the past
System Architecture (5/5) • Fuzzy Threat Analyzer(FTA) • A fuzzy rules can incorporate one or more fuzzy inputs • Depending on the fuzzy values, the fuzzy rules designer can make the types of intrusions they can detect either very general or very specific
Implementation example (1/4) • What metrics we wants? • SrcIP , DstIP , SrcPort , DstPort • TCP flags , data length • Data content • Time the packet was sent • Example • sdp = (SrcIP , DstIP ,SrcPort , DstPort) • Represents the existence of a TCP channel(whether successful or not) between two IP end points
LOW MED-LOW MED MED-HIGH HIGH 1 2 5 10 25 50 100 Implementation example (2/4) • Define fuzzy variables • COUNT • UNIQUENESS • VARIANCE • Membership Function
Implementation example (3/4) • Design fuzzy rules • Scenario : Network scan • Rules examples • If (COUNT == LOW) && (UNIQUENESS == MED)Then “Network Scan” = MED-LOW • If (COUNT == MED) && (UNIQUENESS == LOW)Then “Network Scan” = LOW • If (COUNT == MED) && (UNIQUENESS == HIGH)Then “Network Scan” = HIGH • If (COUNT of ForeignHosts == HIGH) && (UNIQUENESS of DNS == HIGH)Then “DNS Scan” == HIGH
Implementation example (4/4) • System issues • Data collection interval • Define fuzzy variables • Data mining techniques • Fuzzy rules
Conclusion • Intrusion detection with a part of fuzziness • Expert system should be supported • Real-time data mining issues