CISC 879 - Machine Learning for Solving Systems Problems John Cavazos Dept of Computer & Information Sciences University of Delaware www.cis.udel.edu/~cavazos/cisc879.

Presentation transcript:

CISC Machine Learning for Solving Systems Problems
John Cavazos, Dept of Computer & Information Sciences, University of Delaware
Lecture 6: Applying Support Vector Machines for Intrusion Detection on Virtual Machines

Outline
Background and Motivation
Intrusion Detection Systems
Support Vector Machines (SVMs)
Dataset
Results
Conclusions
Slides adapted from presentation by Fatemeh Azmandian (

Background
Virtual Machine: a software implementation of a machine (computer) that executes programs like a real machine.
Virtual Machine Monitor (VMM) or hypervisor: the software layer providing the virtualization. It allows the multiplexing of the underlying physical machine between different virtual machines, each running its own operating system.

Background (contd)
Intrusion Detection: the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions.
Intrusion: an attempt to compromise confidentiality, integrity or availability, or an attempt to bypass the security mechanisms of a computer or network [1].

Background (contd)
Intrusion Detection System (IDS): a software or hardware system that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of security problems.
Why is it important? Every year, billions of dollars are lost due to virus attacks.

Financial Impact of Virus Attacks (chart)

Intrusion Detection Approaches
Misuse Detection: identifies intrusions based on known patterns for the malicious activity. The known patterns are referred to as signatures.
Anomaly Detection: identifies intrusions based on deviations from established normal behavior. It is capable of identifying new (previously unseen) attacks, but new normal behavior may be misclassified as abnormal, producing false positives.

Intrusion Detection Systems
Host IDS (HIDS): performs intrusion detection from within the host it is monitoring.
Advantages: good visibility of the internal state of the host machine; difficult for malicious code (malware) to evade the HIDS.
Disadvantage: susceptible to attacks by malware.

Intrusion Detection Systems
Network IDS (NIDS): performs intrusion detection through network connections, outside the host machine.
Advantage: more resistant to attacks by malware.
Disadvantages: poor visibility of the internal state of the host machine; easier for malware to evade the NIDS.

Intrusion Detection Systems
VMM-based IDS: performs intrusion detection for a virtual machine through the Virtual Machine Monitor (VMM).
Advantages: better visibility of the internal state of the host machine compared to an NIDS; harder for malware to evade the IDS; less susceptible to attacks by malware.
Our goal is to create a VMM-based IDS using machine learning techniques: Support Vector Machines (SVMs).

VMM-IDS Overview (diagram)

Support Vector Machines (SVMs)
Machine learning to classify data points into one of two classes.
Two-Class SVMs: training is done on data from two classes.
One-Class SVMs: training is done on data from only one class. During the testing phase, the origin and data points close to it are considered part of the second class.

Linear Classifiers (slide source: Andrew W. Moore)
f(x, w, b) = sign(w · x - b)
(plot: labelled points in the x-y plane, one marker denoting +1 and the other -1; the input x is fed to f, which outputs the estimate y_est)
How would you classify this data?

Classifier Margin (slide source: Andrew W. Moore)
f(x, w, b) = sign(w · x - b)
Define the margin of a linear classifier as the width that the boundary could be increased by before hitting a datapoint.

Maximum Margin (slide source: Andrew W. Moore)
The maximum margin linear classifier is the linear classifier with the maximum margin. This is the simplest kind of SVM (called an LSVM, or Linear SVM).
Support vectors are those datapoints that the margin pushes up against.
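The definitions above in working code, as an added example that is not from the slides: it evaluates f(x, w, b), measures the margin of a candidate boundary, picks out the support vectors, and ranks given boundaries by margin. The 2-D dataset and the two candidate boundaries are constructed for illustration; the block scores boundaries it is handed rather than solving the SVM optimisation.

```python
"""f(x, w, b) = sign(w.x - b), its margin, and the support vectors, scored on
a constructed 2-D toy dataset (added example, not from the slides)."""
import math

# Constructed toy data: (point, label); +1 to the upper right, -1 to the lower left.
POINTS = [((3.0, 3.0), +1), ((4.0, 2.5), +1), ((3.5, 4.0), +1),
          ((1.0, 1.0), -1), ((0.5, 2.0), -1), ((2.0, 0.5), -1)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def classify(x, w, b):
    """f(x, w, b) = sign(w.x - b); a point exactly on the boundary is mapped to +1."""
    return 1 if dot(w, x) - b >= 0 else -1

def signed_distance(x, w, b):
    """Euclidean distance of x from the hyperplane w.x = b, signed by side."""
    return (dot(w, x) - b) / math.sqrt(dot(w, w))

def margin(points, w, b):
    """Width the boundary could be widened by (on each side) before hitting a
    datapoint. Negative when some point lies on the wrong side."""
    return min(y * signed_distance(x, w, b) for x, y in points)

def support_vectors(points, w, b, tol=1e-9):
    """The datapoints the margin pushes up against: those closest to the boundary."""
    m = margin(points, w, b)
    return [x for x, y in points if abs(y * signed_distance(x, w, b) - m) <= tol]

def accuracy(points, w, b):
    return sum(classify(x, w, b) == y for x, y in points) / len(points)

def best_by_margin(points, candidates):
    """Among candidate (w, b) boundaries, return the one with the largest margin.
    This ranks boundaries it is given; it does not solve the SVM optimisation."""
    return max(candidates, key=lambda wb: margin(points, *wb))

if __name__ == "__main__":
    # Two boundaries that both classify every point correctly ...
    candidates = [((1.0, 1.0), 4.5),    # the line x + y = 4.5
                  ((1.0, 0.0), 2.25)]   # the vertical line x = 2.25
    for w, b in candidates:
        print(w, b, "accuracy", accuracy(POINTS, w, b),
              "margin %.3f" % margin(POINTS, w, b), "SVs", support_vectors(POINTS, w, b))
    # ... but only one of them has the wide margin an LSVM would prefer.
    print("widest margin:", best_by_margin(POINTS, candidates))
```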

Suppose 1 dimension. What would SVMs do with this data?
(plot: labelled points along a single axis, with the origin x=0 marked)

Suppose 1 dimension. Not a big surprise.
(plot: the positive plane and the negative plane on either side of the boundary, origin x=0 marked)

Harder 1-dimensional dataset. What can be done about this?
(plot: labelled points along a single axis, origin x=0 marked)

Harder 1-dimensional dataset
Use a kernel function to project the data onto a higher dimensional space.
(plot: the projected data, origin x=0 marked)

Non-linear SVMs: Feature spaces
Kernel functions are used to transform data into a different, linearly separable feature space.
Φ: x → φ(x), mapping the input space to the feature space.

Non-linear SVMs: Kernel Functions
Popular kernel functions: linear kernel, polynomial kernel, Gaussian radial basis function (RBF) kernel, sigmoid kernel.
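An added example (not from the slides) covering the "harder 1-dimensional dataset" and the kernel list above: it shows that no single threshold separates a constructed 1-D dataset, that the explicit map x → (x, x²) makes it linearly separable, implements the four kernels named on the slide, and checks that the degree-2 polynomial kernel equals a dot product in an explicit feature space, which is the reason the map never has to be built. The data points and kernel parameters are constructed assumptions.

```python
"""The 'harder 1-dimensional dataset' and the kernels listed on the slide.
Added example with constructed data; not from the slides."""
import math

# Constructed 1-D data: a +1 cluster around x=0 sandwiched between -1 points.
DATA_1D = [(-4.0, -1), (-3.0, -1), (-1.0, +1), (0.0, +1), (1.0, +1), (3.0, -1), (4.0, -1)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def threshold_separable(points):
    """True if a single threshold on x (in either orientation) separates the
    classes; every gap between neighbouring points is tried as the threshold."""
    xs = sorted(x for x, _ in points)
    for t in ((a + b) / 2 for a, b in zip(xs, xs[1:])):
        for orient in (+1, -1):
            if all((1 if orient * (x - t) >= 0 else -1) == y for x, y in points):
                return True
    return False

def phi(x):
    """Explicit feature map into 2-D: x -> (x, x^2)."""
    return (x, x * x)

def linear_classify(z, w, b):
    return 1 if dot(w, z) - b >= 0 else -1

def separable_after_map(points, w, b):
    """Does the hyperplane w.phi(x) = b in feature space label every point correctly?"""
    return all(linear_classify(phi(x), w, b) == y for x, y in points)

# The popular kernels from the slide (gamma, coef0 and degree are the usual knobs).
def linear_kernel(u, v):
    return dot(u, v)

def polynomial_kernel(u, v, degree=2, gamma=1.0, coef0=1.0):
    return (gamma * dot(u, v) + coef0) ** degree

def rbf_kernel(u, v, gamma=0.5):
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(u, v)))

def sigmoid_kernel(u, v, gamma=0.1, coef0=-1.0):
    return math.tanh(gamma * dot(u, v) + coef0)

def poly2_feature_map(x):
    """For 1-D x, (x*y + 1)^2 == phi(x).phi(y) with phi(x) = (x^2, sqrt(2)*x, 1):
    the kernel yields the feature-space inner product without forming phi."""
    return (x * x, math.sqrt(2) * x, 1.0)

def kernel_trick_holds(x, y):
    return math.isclose(polynomial_kernel((x,), (y,)),
                        dot(poly2_feature_map(x), poly2_feature_map(y)))
```

In feature space the boundary x² = 5 (w = (0, -1), b = -5) puts the central cluster on the +1 side and the outer points on the -1 side.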

Dataset
Synthetic dataset based on SQL and AsteriskNow workloads.
Process-level features: rate-based features and correlation-based features.
Time-based windows of execution; current window size: 50 interrupt timers.
Three normal datasets per workload and two abnormal datasets per workload.
The data consists of both normal and abnormal data points.
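How the two feature families on this slide can be computed from per-tick process-level counters, as an added example that is not the project's own feature extractor: the trace is split into non-overlapping windows of 50 interrupt timers, a rate feature is the mean count per timer for each counter, and a correlation feature is the Pearson correlation of each pair of counters within the window. The counter names and the trace (with a constructed network burst in the last window) are assumptions.

```python
"""Rate-based and correlation-based features over time-based windows of 50
interrupt timers. Added example; counter names and the trace are constructed."""
import math
import random
from itertools import combinations

WINDOW = 50  # interrupt timers per window, as on the slide
COUNTERS = ("syscalls", "disk_io", "net_pkts", "page_faults")  # assumed names

def constructed_trace(ticks=150, seed=7):
    """Deterministic per-tick counts; the final window carries a constructed
    network burst while the other counters stay at their normal levels."""
    rng = random.Random(seed)
    trace = []
    for t in range(ticks):
        row = {"syscalls": rng.randint(20, 30), "disk_io": rng.randint(0, 5),
               "net_pkts": rng.randint(5, 10), "page_faults": rng.randint(0, 3)}
        if t >= 2 * WINDOW:
            row["net_pkts"] += 40   # constructed anomaly
        trace.append(row)
    return trace

def windows(trace, size=WINDOW):
    """Non-overlapping time-based windows of execution."""
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, size)]

def rate_features(window):
    """Rate-based: mean events per interrupt timer for each counter."""
    return {c: sum(r[c] for r in window) / len(window) for c in COUNTERS}

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / math.sqrt(vx * vy)

def correlation_features(window):
    """Correlation-based: Pearson correlation of every pair of counters."""
    return {f"{a}~{b}": pearson([r[a] for r in window], [r[b] for r in window])
            for a, b in combinations(COUNTERS, 2)}

def feature_vector(window):
    """Mixed features: rates and correlations flattened in a fixed key order,
    ready to be labelled normal/abnormal and handed to a two-class SVM."""
    feats = {**rate_features(window), **correlation_features(window)}
    return [feats[k] for k in sorted(feats)]
```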

Constructing Features (diagram)

Features (diagram)

Two-Class SVM Results (table)
Experiment Workload Train on Abn1 Test on Abn2 Train on Abn2 Test on Abn1 Mixed Features SQL Asterisk 0.81 Rate Features SQL Asterisk Correlation Features SQL Asterisk

SQL, Train on Abn1 and Test on Abn2: Time Series Plot

SQL, Train on Abn1 and Test on Abn2: ROC Curve

SQL, Train on Abn2 and Test on Abn1: Time Series Plot

SQL, Train on Abn2 and Test on Abn1: ROC Curve

Conclusions
A two-class SVM can perform well in detecting intrusions in virtual machine environments.
Goal: to develop an accurate intrusion detection system for VMs based on machine learning techniques.

References
[1] R. Bace and P. Mell. Intrusion Detection Systems. NIST Special Publication SP , November .
[2] T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. Proceedings of the Network and Distributed Systems Security Symposium, .
[3] Andrew Moore's slides on Support Vector Machines.
[4] Prasad's slides on Support Vector Machines.
[5] 2005 Malware Report: Executive Summary.
[6] Virtual Machine.