Distributed Network Intrusion Detection An Immunological Approach Steven Hofmeyr Stephanie Forrest Patrik D’haeseleer Dept. of Computer Science University.

Presentation transcript:

Distributed Network Intrusion Detection: An Immunological Approach
Steven Hofmeyr, Stephanie Forrest, Patrik D’haeseleer
Dept. of Computer Science, University of New Mexico, Albuquerque, NM
{ steveah, forrest,

Introduction
Intrusion detection:
–Assume that systems are not secure.
–Attempt to detect violations of security policy (intrusions) by monitoring and analyzing system behavior.
–Construct a model of normal behavior and look for deviations from the model (anomaly detection).
Building the model (defining self):
–TCP/IP traffic over a broadcast LAN.
–Based on the Network Security Monitor (NSM).
Every computer on the network should participate in the IDS:
–Distributed detection
–Use the negative-selection algorithm
Diversity of protection:
–Permutation masks

Background: Defining Self
NSM: Network Security Monitor (UC Davis) [Mukherjee et al., Network Intrusion Detection, IEEE Network, pp. 26-41, 1994]
The right approach:
–Anomaly detection
–Sparsely connected graph (of the normal datapaths between hosts)
–Normal patterns are reasonably stable
–Attackers are highly likely to perturb the graph
Disadvantages of NSM:
–Heavyweight
–Single point of failure
–Not scalable

The Biological Viewpoint
Self (proteins) = normal datapath triples
Nonself (proteins) = triples generated during an attack
Universe = Self ∪ Nonself
Anomaly detection:
–Detection system trained on self
–Detection system classifies new triples as self (normal) or nonself (anomalous)
NSM: a single monolithic detector matching self (positive detection)

How the Immune System Distributes Detection
Immune system: many small detectors matching nonself (negative detection).
Advantages of distributed negative detection:
–Localized (no communication costs)
–Scalable
–Tunable
–Robust (no single point of failure)
–Negative selection algorithm minimizes false positives

The Negative Selection Algorithm
1. Randomly generate a detector string.
2. Does the detector string match self?
3. If no, accept the detector. If yes, reject it and go to step 1 (regenerate).
Results in a set of valid detectors.

Applying Negative Detection to Network Traffic
Representation:
–SYN packet triples mapped to 49-bit strings
Generalized detection:
–Partial matching with the r-contiguous bits rule
Consequences of partial matching:
–Advantage: lightweight (few detectors per host)
–Disadvantage: holes limit detection
(Figure: Holes)

Overcoming Holes
Problem: holes limit detection for any partial match rule.
Solution: a different permutation mask for each host.
Result: in the broadcast network, detection is limited only by the intersection of all hosts' hole sets.
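The three slides above (the negative selection loop, the r-contiguous bits rule with the holes it leaves, and the permutation-mask remedy) can be exercised end to end on a toy string space. The Python below is an added example written for this page, not code from the authors' system. It assumes 6-bit strings with r = 3 in place of the 49-bit SYN-triple encoding (which it does not reproduce), a constructed two-string self set, and a constructed permutation mask for a second host. It goes a step beyond the slides by enumerating each host's complete hole set exhaustively, which is only feasible at toy length.

```python
import random
from itertools import product

# Toy parameters (assumptions): the slides use 49-bit strings; 6 bits and r = 3 keep the
# detector space (64 strings) small enough to enumerate and to check the hole set by hand.
LENGTH = 6
R = 3

# Constructed self set of two "normal" strings. Both carry "11" at positions 2-3, so a
# prefix of one glued to the suffix of the other has every r-window present in self.
SELF = {"001100", "111111"}

IDENTITY = (0, 1, 2, 3, 4, 5)   # host A matches on the raw bit order
MASK_B = (0, 2, 4, 1, 3, 5)     # constructed permutation mask for host B


def r_contiguous_match(a, b, r=R):
    """r-contiguous bits rule: a and b match if they agree on r consecutive positions."""
    if len(a) != len(b):
        raise ValueError("strings must have equal length")
    return any(a[i:i + r] == b[i:i + r] for i in range(len(a) - r + 1))


def self_windows(self_set, r=R):
    """For each position i, the set of r-bit windows that some self string carries at i."""
    length = len(next(iter(self_set)))
    return [{s[i:i + r] for s in self_set} for i in range(length - r + 1)]


def is_hole(s, self_set, r=R):
    """s is a hole if it is nonself yet every window of s occurs in self at the same position.
    A detector matching s at position i would also match the self string carrying that
    window, so negative selection rejects it: no valid detector can ever cover s."""
    wins = self_windows(self_set, r)
    return s not in self_set and all(s[i:i + r] in wins[i] for i in range(len(wins)))


def negative_selection(self_set, n, length=LENGTH, r=R, rng=None, max_attempts=100_000):
    """Steps 1-3 of the slide: draw a random candidate, reject it if it matches any self
    string, otherwise accept it; repeat until n distinct valid detectors are held."""
    rng = rng or random.Random(0)
    detectors = set()
    for _ in range(max_attempts):
        if len(detectors) >= n:
            return detectors
        cand = "".join(rng.choice("01") for _ in range(length))
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.add(cand)
    raise RuntimeError("gave up: n may exceed the number of valid detectors")


def all_valid_detectors(self_set, length=LENGTH, r=R):
    """Exhaustive counterpart, feasible only at toy length: every detector negative
    selection could ever accept. Used to show what the hole limit forbids."""
    return {cand for cand in ("".join(b) for b in product("01", repeat=length))
            if not any(r_contiguous_match(cand, s, r) for s in self_set)}


def detects(detectors, s, r=R):
    """A host flags s as anomalous if any of its detectors matches it."""
    return any(r_contiguous_match(d, s, r) for d in detectors)


def apply_mask(s, mask):
    """Permutation mask: reorder bit positions before matching, so 'contiguous' means
    something different on every host and each host gets a different hole set."""
    return "".join(s[p] for p in mask)


def holes_under_mask(self_set, mask, r=R):
    """Raw (unmasked) strings that are holes for a host using `mask` (exhaustive)."""
    masked_self = {apply_mask(s, mask) for s in self_set}
    return {raw for raw in ("".join(b) for b in product("01", repeat=len(mask)))
            if is_hole(apply_mask(raw, mask), masked_self, r)}


if __name__ == "__main__":
    holes_a = holes_under_mask(SELF, IDENTITY)
    holes_b = holes_under_mask(SELF, MASK_B)
    print("host A holes:", sorted(holes_a), " host B holes:", sorted(holes_b))
    print("undetectable on the LAN (intersection):", sorted(holes_a & holes_b))
    detectors_a = negative_selection(SELF, n=16)
    for s in ["000000", "001111"]:
        print(s, "hole on A:", is_hole(s, SELF),
              "detected by A's detectors:", detects(detectors_a, s))
```

With this self set, host A (raw bit order) has exactly two holes, 001111 and 111100, which no detector it can ever accept will match; host B's mask breaks up the shared 11 run, and under it the same self set has no holes at all, so the intersection that limits the LAN as a whole is empty. The `all_valid_detectors` enumeration is what makes that claim checkable; in a 49-bit space only the random `negative_selection` loop is practical.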

Experimental Setup
UNM CS subnet of 50 machines on a switched segment.
– bit string detectors per machine
Training set (self):
–Collected over 43 days
– TCP SYN packets
–3763 unique binary self strings
Normal test set (supposedly self):
–Collected over 7 days
– TCP SYN packets
–626 unique binary self strings
Abnormal test set (nonself):
–8 different incidents: 7 real occurrences, 1 synthetic
–Real abnormal behavior includes: massive portscanning, limited probing, address-space probing, local host compromise
–Synthetic: 200 random connections between internal (LAN) hosts

Experimental Results
Low false positives:
–P(false positive per self string) =
–55 self strings flagged, but only 10 unique
–Effectively: under 2 false alarms per day
High detection rates with few detectors:
–100% successful detection: 8 out of 8 abnormal incidents detected
–Only 100 detectors per host
Permutation masks improve detection:
–Up to an order of magnitude improvement
–Overcome the hole limitation
Normal is reasonably stable.

The Problem of Incomplete Self Sets
(Suppose the training set is incomplete.)
Activation threshold:
–A detector is not activated on every match.
–It must have exceeded x matches before activation.
–No time horizon.
–Helps with stealth attacks (distributed in time).
–Reduced false positives by an order of magnitude.
Adaptive activation:
–Tune local activation thresholds dynamically.
–Whenever a detector matches its first pattern, the activation threshold for that computer is reduced by 1.
–Has a time horizon (the threshold gradually returns to its default value).
–Hypothesized to help with distributed coordinated attacks.
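To make the two activation mechanisms on this slide concrete, here is an added simulation written for this page, not the authors' code. Everything beyond the slide's wording is an assumption: the default threshold of 3, reading "exceeded x matches" as a match count reaching the threshold, resetting a detector's counter after it fires, a ten-tick quiet period per unit of threshold recovery, and the two constructed match schedules (a slow probe that returns every five ticks, and three different detectors matched at once).

```python
class HostActivation:
    """Activation state for one host. Match counts per detector have no time horizon
    (a slow scan accumulates just like a fast one); the local threshold, when adaptive,
    drops by one whenever a detector matches its first pattern and creeps back toward
    the default after a quiet period (the time horizon named on the slide)."""

    def __init__(self, default_threshold=3, adaptive=True, recovery_ticks=10):
        self.default_threshold = default_threshold   # assumption: x = 3
        self.adaptive = adaptive
        self.recovery_ticks = recovery_ticks         # assumption: quiet ticks per unit recovered
        self.threshold = default_threshold
        self.counts = {}        # detector id -> matches since its last activation
        self.seen = set()       # detectors that have matched at least once on this host
        self.quiet_ticks = 0    # ticks since the threshold was last lowered

    def tick(self, matches):
        """One time step; `matches` are the detector ids that matched a packet this step.
        Returns the detectors that activated (raised an alarm) in this step."""
        self.quiet_ticks += 1
        if self.threshold < self.default_threshold and self.quiet_ticks >= self.recovery_ticks:
            self.threshold += 1          # gradual return toward the default value
            self.quiet_ticks = 0
        activated = []
        for det in matches:
            if self.adaptive and det not in self.seen:
                # First pattern for this detector: lower the host's threshold by 1 (floor of 1).
                self.threshold = max(1, self.threshold - 1)
                self.quiet_ticks = 0
            self.seen.add(det)
            self.counts[det] = self.counts.get(det, 0) + 1
            if self.counts[det] >= self.threshold:   # assumption: "exceeded x" modelled as >= x
                activated.append(det)
                self.counts[det] = 0                 # assumption: counter resets after an alarm
        return activated


def run(schedule, last_tick, **host_kwargs):
    """Replay a constructed schedule {tick: [detector ids]} through one host and return
    the (tick, detector) pairs at which alarms were raised."""
    host = HostActivation(**host_kwargs)
    alarms = []
    for t in range(1, last_tick + 1):
        for det in host.tick(schedule.get(t, [])):
            alarms.append((t, det))
    return alarms


# Constructed scenarios. STEALTH: one detector matched by a probe that returns every
# five ticks. COORDINATED: three different detectors each matched once in the same tick.
STEALTH = {1: ["d1"], 6: ["d1"], 11: ["d1"]}
COORDINATED = {1: ["d2", "d3", "d4"]}

if __name__ == "__main__":
    for name, sched in (("stealth", STEALTH), ("coordinated", COORDINATED)):
        for adaptive in (False, True):
            mode = "adaptive" if adaptive else "fixed"
            print(f"{name:12s} {mode:9s} alarms: {run(sched, 12, adaptive=adaptive)}")
```

Run as written, the fixed threshold still catches the slow probe, but only on its third visit (tick 11), because match counts never age out; adaptive activation fires on the second visit (tick 6) while the lowered threshold is still in force, and it is the only mode that raises any alarm for the coordinated case, where no single detector ever reaches x = 3 on its own.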

Experimental Results
Intrusions with and without permutation masks

Experimental and Theoretical Results: Permutation Masks Overcome the Hole Limit

Pushing the Immune Metaphor
The analogy thus far:
–Distributed networks and immunology
–Combining negative detection and network intrusion detection
–Diversity via permutation masks
For the future:
–Distributed generation of detectors
–Dynamic detector sets
–Adaptation and memory (misuse detection)