CISC Machine Learning for Solving Systems Problems John Cavazos Dept of Computer & Information Sciences University of Delaware Applying Support Vector Machines for Intrusion Detection on Virtual Machines Lecture 6
CISC Machine Learning for Solving Systems Problems Outline Background and Motivation Intrusion Detection Systems Support Vector Machines (SVMs) Dataset Results Conclusions Slides adapted from presentation by Fatemeh Azmandian (
CISC Machine Learning for Solving Systems Problems Background Virtual Machine: A software implementation of a machine (computer) that executes programs like a real machine Virtual Machine Monitor (VMM) or hypervisor: The software layer providing the virtualization Allows the multiplexing of the underlying physical machine between different virtual machines, each running its own operating system
CISC Machine Learning for Solving Systems Problems Background (contd) Intrusion Detection: The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions Intrusion: An attempt to compromise: Confidentiality Integrity Availability An attempt to bypass the security mechanisms of a computer or network [1]
CISC Machine Learning for Solving Systems Problems Background (contd) Intrusion Detection System (IDS): Software or hardware system that automates the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems Why is it important? Every year, billions of dollars are lost due to virus attacks
CISC Machine Learning for Solving Systems Problems Financial Impact of Virus Attacks
CISC Machine Learning for Solving Systems Problems Intrusion Detection Approaches Misuse Detection Identifies intrusions based on known patterns for the malicious activity Known patterns are referred to as signatures Anomaly Detection Identifies intrusions based on deviations from established normal behavior Capable of identifying new (previously unseen) attacks New normal behavior may be misclassified as abnormal, producing false positives
CISC Machine Learning for Solving Systems Problems Intrusion Detection Systems Host IDS (HIDS): Performs intrusion detection from within host it is monitoring Advantages: Good visibility of the internal state of the host machine Difficult for malicious code (malware) to evade the HIDS Disadvantage: Susceptible to attacks by malware
CISC Machine Learning for Solving Systems Problems Intrusion Detection Systems Network IDS (NIDS) Performs intrusion detection through network connections and outside the host machine Advantage: More resistant to attacks by malware Disadvantages: Poor visibility of the internal state of the host machine Easier for malware to evade the NIDS
CISC Machine Learning for Solving Systems Problems Intrusion Detection Systems VMM-based IDS: Performs intrusion detection for a virtual machine through the Virtual Machine Monitor (VMM) Advantages: Better visibility of the internal state of the host machine, compared to an NIDS Harder for malware to evade the IDS Less susceptible to attacks by malware Our goal is to create a VMM-based IDS using machine learning techniques Support Vector Machines (SVMs)
CISC Machine Learning for Solving Systems Problems VMM-IDS Overview
CISC Machine Learning for Solving Systems Problems Support Vector Machines (SVMs) Machine learning to classify data points into one of two classes Two-Class SVMs Training is done on data from two classes One-Class SVMs Training is done on data from only one class During the testing phase, the origin and data points close to it are considered part of the second class
CISC Machine Learning for Solving Systems Problems Linear Classifiers Slide Source: Andrew W. Moore f x y est denotes +1 denotes -1 f(x,w,b) = sign(w. x - b) How would you classify this data?
CISC Machine Learning for Solving Systems Problems f x y est denotes +1 denotes -1 f(x,w,b) = sign(w. x - b) How would you classify this data? Slide Source: Andrew W. Moore Linear Classifiers
CISC Machine Learning for Solving Systems Problems f x y est denotes +1 denotes -1 f(x,w,b) = sign(w. x - b) How would you classify this data? Slide Source: Andrew W. Moore Linear Classifiers
CISC Machine Learning for Solving Systems Problems f x y est denotes +1 denotes -1 f(x,w,b) = sign(w. x - b) How would you classify this data? Slide Source: Andrew W. Moore Linear Classifiers
CISC Machine Learning for Solving Systems Problems f x y est denotes +1 denotes -1 f(x,w,b) = sign(w. x - b) How would you classify this data? Slide Source: Andrew W. Moore Linear Classifiers
CISC Machine Learning for Solving Systems Problems f x y est denotes +1 denotes -1 f(x,w,b) = sign(w. x - b) Slide Source: Andrew W. Moore Classifier Margin Define the margin of a linear classifier as the width that the boundary could be increased by before hitting a datapoint
CISC Machine Learning for Solving Systems Problems x y est denotes +1 denotes -1 f(x,w,b) = sign(w. x - b) Slide Source: Andrew W. Moore Maximum Margin The maximum margin linear classifier is the linear classifier with the maximum margin. This is the simplest kind of SVM (Called an LSVM) Linear SVM f
CISC Machine Learning for Solving Systems Problems x y est denotes +1 denotes -1 f(x,w,b) = sign(w. x - b) Slide Source: Andrew W. Moore Maximum Margin The maximum margin linear classifier is the linear classifier with the maximum margin. This is the simplest kind of SVM (Called an LSVM) Linear SVM f Support Vectors are those datapoints that the margin pushes up against
CISC Machine Learning for Solving Systems Problems Suppose 1-dimension What would SVMs do with this data? x=0
CISC Machine Learning for Solving Systems Problems Suppose 1-dimension Not a big surprise Positive plane Negative plane x=0
CISC Machine Learning for Solving Systems Problems What can be done about this? x=0 Harder 1-dimensional dataset
CISC Machine Learning for Solving Systems Problems Harder 1-dimensional dataset Use a kernel function to project the data onto higher dimensional space x=0
CISC Machine Learning for Solving Systems Problems Harder 1-dimensional dataset x=0 Use a kernel function to project the data onto higher dimensional space
CISC Machine Learning for Solving Systems Problems Non-linear SVMs: Feature spaces Φ: x φ(x) Input spaceFeature space
CISC Machine Learning for Solving Systems Problems Non-linear SVMs: Feature spaces Kernel functions are used to transform data into a different, linearly separable feature space (.) ( ) Feature spaceInput space
CISC Machine Learning for Solving Systems Problems Non-linear SVMs:Kernel Functions Popular Kernel Functions: Linear kernel Polynomial Kernel Gaussian Radial Basis Function (RBF) kernel Sigmoid kernel
CISC Machine Learning for Solving Systems Problems Dataset Synthetic dataset based on SQL and AsteriskNow workload Process-level features Rate-based features Correlation-based features Time-based windows of execution Current window size: 50 interrupt timers Three normal datasets per workload Two abnormal datasets per workload Consists of both normal and abnormal data points
CISC Machine Learning for Solving Systems Problems Constructing Features
CISC Machine Learning for Solving Systems Problems Features
CISC Machine Learning for Solving Systems Problems Two-Class SVM Results Experiment Workload Train on Abn1 Test on Abn2 Train on Abn2 Test on Abn1 Mixed Features SQL Asterisk 0.81 Rate Features SQL Asterisk Correlation Features SQL Asterisk
CISC Machine Learning for Solving Systems Problems SQL Train on Abn1 and Test on Abn2: Time Series Plot
CISC Machine Learning for Solving Systems Problems SQL Train : Train on Abn1 and Test on Abn2: (ROC Curve)
CISC Machine Learning for Solving Systems Problems SQL Train on Abn2 and Test on Abn1: Time Series Plot
CISC Machine Learning for Solving Systems Problems SQL Train on Abn2 and Test on Abn1: ROC Curve
CISC Machine Learning for Solving Systems Problems Conclusions Two-class SVM can perform well in detecting intrusions in virtual machine environments Goal to develop accurate intrusion detection system for VMs based on machine learning techniques
CISC Machine Learning for Solving Systems Problems References [1]R. Bace and P. Mell. Intrusion Detection Systems. NIST Special Publications SP , November, [2]T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. Proceedings of the Network and Distributed Systems Security Symposium, [3]Andrew Moores slides on Support Vector Machines [4]Prasads slides on Support Vector Machines [5]2005 Malware Report: Executive Summary [6]Virtual Machine