Implementation of Genetic Algorithms into SNORT, a Network Intrusion Detection System By Brian E. Lavender March 21, 2010 Advisor: Dr. Scott Gordon Department of Computer Science California State University, Sacramento
Overview
● Network Intrusion Detection System (NIDS)
● Genetic Algorithms
● Existing Research (Gong et al.)
● Extension
Network Intrusion Detection System(NIDS)
SNORT Rule
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url, classtype:web-application-attack; sid:1256; rev:8;)
Experts are required to write rules like this one: someone must already know the attack's signature (here the URI /root.exe) before the rule can exist.
System that Detects an Attack
The system classifies each network connection as either normal or as one of the known attack types.
DARPA intrusion detection evaluation data (labelled audit and test connection records) serve as the training and test sets.
We can evolve rules to identify the attacks instead of writing them by hand!
Genetic Algorithm Overview
Generate Random Individual
Each individual (chromosome) is a candidate rule: a set of attribute conditions plus the attack type it predicts. Following Gong et al., an individual is scored against the labelled records by support and confidence:
support = (records matching the conditions and labelled with the attack) / (all records) = 1/10 = 0.1
confidence = (records matching the conditions and labelled with the attack) / (records matching the conditions) = 1/2 = 0.5
fitness = w1 * support + w2 * confidence = 0.2 * 0.1 + 0.8 * 0.5 = 0.02 + 0.40 = 0.42
with w1 = 0.2, w2 = 0.8
Crossover and Mutation
Crossover and mutation evolve the rule population from generation to generation. The top 25 rules by fitness are kept, and their attribute checks are integrated into SNORT.
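The two slides above (random individual with its support/confidence fitness, then crossover and mutation with the best rules kept) are carried through below as one small working genetic algorithm. This is an added example, not the thesis code or Gong et al.'s implementation: the ten connection records are constructed (they are not DARPA data), the attribute names and the hypothetical "neptune"/"smurf" labels are only KDD-style stand-ins, and the population size, generation count and mutation rate are arbitrary. EXAMPLE_RULE reproduces the slide's worked individual (support 1/10, confidence 1/2, fitness 0.42); evolve() goes beyond the slide by running the full selection/crossover/mutation loop.

```python
import random
from dataclasses import dataclass

# Constructed sample connection records (NOT DARPA data): a few KDD-style
# attributes plus the label an analyst assigned. Ten records keep the
# support/confidence arithmetic easy to follow by hand.
ATTRIBUTES = ("protocol", "service", "flag", "src_bytes")
RECORDS = [
    dict(protocol="tcp",  service="http",   flag="S0", src_bytes="small", label="neptune"),
    dict(protocol="tcp",  service="http",   flag="S0", src_bytes="small", label="normal"),
    dict(protocol="tcp",  service="http",   flag="SF", src_bytes="small", label="normal"),
    dict(protocol="tcp",  service="http",   flag="SF", src_bytes="large", label="normal"),
    dict(protocol="tcp",  service="smtp",   flag="SF", src_bytes="small", label="normal"),
    dict(protocol="udp",  service="dns",    flag="SF", src_bytes="small", label="normal"),
    dict(protocol="icmp", service="ecr_i",  flag="SF", src_bytes="large", label="smurf"),
    dict(protocol="icmp", service="ecr_i",  flag="SF", src_bytes="large", label="smurf"),
    dict(protocol="tcp",  service="ftp",    flag="SF", src_bytes="small", label="normal"),
    dict(protocol="tcp",  service="telnet", flag="S0", src_bytes="small", label="neptune"),
]
VALUES = {a: sorted({r[a] for r in RECORDS}) for a in ATTRIBUTES}
ATTACKS = sorted({r["label"] for r in RECORDS} - {"normal"})
W1, W2 = 0.2, 0.8   # weights from the slide: confidence counts four times support


@dataclass(frozen=True)
class Rule:
    """One chromosome: a value (or None = wildcard) per attribute, plus the
    attack type the rule claims to detect."""
    conditions: tuple
    outcome: str

    def matches(self, rec):
        return all(v is None or rec[a] == v
                   for a, v in zip(ATTRIBUTES, self.conditions))


def support_confidence(rule, records):
    """support    = (records matching conditions AND labelled with outcome) / all records
       confidence = that same count / records matching the conditions"""
    n_cond = sum(1 for r in records if rule.matches(r))
    n_both = sum(1 for r in records if rule.matches(r) and r["label"] == rule.outcome)
    support = n_both / len(records)
    confidence = n_both / n_cond if n_cond else 0.0   # a rule matching nothing is worthless
    return support, confidence


def fitness(rule, records, w1=W1, w2=W2):
    support, confidence = support_confidence(rule, records)
    return w1 * support + w2 * confidence


# The slide's worked individual: matches two records, one of them the attack,
# so support = 1/10 and confidence = 1/2, fitness = 0.2*0.1 + 0.8*0.5 = 0.42.
EXAMPLE_RULE = Rule(("tcp", "http", "S0", None), "neptune")


def random_rule(rng):
    conds = tuple(None if rng.random() < 0.5 else rng.choice(VALUES[a]) for a in ATTRIBUTES)
    return Rule(conds, rng.choice(ATTACKS))


def crossover(a, b, rng):
    """Single-point crossover on the condition vector; each child keeps its first parent's outcome."""
    point = rng.randrange(1, len(ATTRIBUTES))
    return (Rule(a.conditions[:point] + b.conditions[point:], a.outcome),
            Rule(b.conditions[:point] + a.conditions[point:], b.outcome))


def mutate(rule, rng, rate=0.2):
    """Each gene (and the outcome) is independently re-drawn with probability `rate`."""
    conds = list(rule.conditions)
    for i, a in enumerate(ATTRIBUTES):
        if rng.random() < rate:
            conds[i] = None if rng.random() < 0.5 else rng.choice(VALUES[a])
    outcome = rng.choice(ATTACKS) if rng.random() < rate else rule.outcome
    return Rule(tuple(conds), outcome)


def evolve(records, generations=30, pop_size=40, top_k=5, seed=1):
    """Elitist GA: keep the top_k rules every generation (the slide keeps the
    top 25 of a larger population), fill the rest by tournament selection,
    crossover and mutation. Returns the top_k rules, best first."""
    rng = random.Random(seed)
    pop = [random_rule(rng) for _ in range(pop_size)]

    def score(rule):
        return fitness(rule, records)

    def tournament():
        a, b = rng.sample(pop, 2)
        return a if score(a) >= score(b) else b

    for _ in range(generations):
        pop.sort(key=score, reverse=True)
        elite = pop[:top_k]
        children = []
        while len(children) < pop_size - top_k:
            c1, c2 = crossover(tournament(), tournament(), rng)
            children.extend((mutate(c1, rng), mutate(c2, rng)))
        pop = elite + children[:pop_size - top_k]
    pop.sort(key=score, reverse=True)
    return pop[:top_k]


if __name__ == "__main__":
    print("example rule fitness:", round(fitness(EXAMPLE_RULE, RECORDS), 2))
    for r in evolve(RECORDS):
        s, c = support_confidence(r, RECORDS)
        print(f"{r.conditions} -> {r.outcome}: support={s:.2f} confidence={c:.2f} fitness={fitness(r, RECORDS):.2f}")
```

One thing the toy run makes visible: with w2 = 0.8 dominating, a rule that matches a single attack record already scores 0.2 * 0.1 + 0.8 * 1.0 = 0.82, well above the slide's 0.42, so the population drifts toward narrow rules that memorise individual records. On a data set as small as this one that is unavoidable; on the DARPA data the choice of attributes in the chromosome and the size of the training set decide how general the surviving rules are.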
What has been learned
● SNORT integration plugin
● Running SNORT with the test data
Still to Do
● Creating random individuals
● More descriptive attributes for the chromosome
● Systems for classifying data; formal methods
● Something that seems so easy is not.