Machine Learning in Intrusion Detection Systems (IDS)
2 papers:
– Artificial Intelligence & Intrusion Detection: Current & Future Directions [AIID] – J. Frank
– Applying Genetic Programming to Intrusion Detection [GP] – M. Crosbie, G. Spafford
[AIID] What is intrusion detection?
What are the issues in Intrusion Detection?
– Data collection
– Data reduction
– Behavior Classification
– Reporting
– Response
[AIID] AI methods are used to help solve some issues
For data classification:
– Classifier systems
– Neural Network
– Decision Tree
– Feature Selection
[AIID] Data Reduction
– Data Filtering
– Feature Selection
– Data Clustering
[AIID] Behavior Classification
– Expert Systems
– Anomaly Detection
– Rule-Based Induction
[AIID] An experiment using Feature Selection
– Info. about network connections, collected using a Network Security Monitor
[AIID] 3 search algorithms used:
– Backward Sequential Search (BSS)
– Beam Search (BS)
– Random Generation Plus Sequential Selection (RS)
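The three strategies on this slide are wrapper-style feature-subset searches: each candidate subset is scored by the error rate of a classifier trained on it. The block below is an added worked example (not code from the AIID paper or its experiment) of the first of them, Backward Sequential Search. It starts from the full feature set and greedily drops the feature whose removal gives the lowest leave-one-out error of a nearest-centroid classifier, stopping when every removal would make the error worse. The four feature names and the eight connection records are constructed toy data: two columns carry the class signal, the other two are noise built so that their spread misleads the classifier until they are removed.

```python
"""Backward Sequential Search (BSS) for IDS feature selection.

Added worked example, not code from the AIID paper. Scores a feature subset
by the leave-one-out error rate of a nearest-centroid classifier and drops
one feature at a time from the full set, keeping a removal whenever it does
not raise the error. All records below are constructed toy data.
"""
from typing import Callable, Dict, List, Sequence, Tuple

FEATURES = ["total_conns", "avg_gap", "min_gap", "max_gap"]

# Constructed records: (feature vector, label), label 1 = intrusion.
# total_conns and avg_gap carry the class signal, each separating only half of
# the intrusions; min_gap and max_gap are noise columns whose spread pushes a
# held-out intrusion record toward the normal-class centroid.
RECORDS: List[Tuple[List[float], int]] = [
    ([0, 0, 53, 103], 0), ([0, 0, 47, 103], 0), ([0, 0, 53, 97], 0), ([0, 0, 47, 97], 0),
    ([10, 0, 53, 103], 1), ([10, 0, 47, 103], 1), ([0, 10, 53, 97], 1), ([0, 10, 47, 97], 1),
]


def _centroid(rows: Sequence[Sequence[float]], cols: Sequence[int]) -> List[float]:
    return [sum(r[c] for r in rows) / len(rows) for c in cols]


def _sqdist(a: Sequence[float], b: Sequence[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def loo_error_rate(subset: Sequence[int], records=RECORDS) -> float:
    """Leave-one-out error of a nearest-centroid classifier restricted to `subset`."""
    if not subset:
        return 1.0  # no features: treat as useless so the search never empties the set
    errors = 0
    for i, (x, y) in enumerate(records):
        by_class: Dict[int, List[Sequence[float]]] = {}
        for j, (r, label) in enumerate(records):
            if j != i:
                by_class.setdefault(label, []).append(r)
        point = [x[c] for c in subset]
        predicted = min(by_class, key=lambda c: _sqdist(point, _centroid(by_class[c], subset)))
        if predicted != y:
            errors += 1
    return errors / len(records)


def backward_sequential_search(n_features: int, score: Callable[[Sequence[int]], float]):
    """BSS: from the full set, repeatedly drop the feature whose removal yields the
    lowest error; stop as soon as every possible removal would make the error worse."""
    current = list(range(n_features))
    current_err = score(current)
    trace = [(tuple(current), current_err)]
    while len(current) > 1:
        candidates = [[f for f in current if f != drop] for drop in current]
        best = min(candidates, key=score)  # ties go to the earliest candidate
        best_err = score(best)
        if best_err > current_err:
            break
        current, current_err = best, best_err
        trace.append((tuple(current), current_err))
    return current, current_err, trace


if __name__ == "__main__":
    selected, err, trace = backward_sequential_search(len(FEATURES), loo_error_rate)
    for subset, e in trace:
        print([FEATURES[i] for i in subset], f"error={e:.3f}")
    print("selected:", [FEATURES[i] for i in selected], "error", err)
```

On this data the full set misclassifies half the records; dropping either noise column brings the error to zero, and the search then keeps removing until only the two informative columns are left. Beam Search differs only in keeping several best subsets per step instead of one, and RS replaces the first step with randomly generated subsets before the same sequential refinement.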
[AIID] Algorithm performance
(Error-rate charts not preserved; the feature-subset annotations read off the slides are:)
– Error Rate Performance (All): [I, W, T, PS, PD, DS]; [T, PD, DS] Best
– Error Rate Performance (SMTP): [W, T, PS, PD, DS] Best
– Error Rate Performance (Login): Best [W, T, PS, PD]; [T, PD, DS] RGSS
– Error Rate Performance (Shell): [W, PS, PD, DS] BS & BSS Best; [W, T, PS, DS] RS
[GP] Applying Genetic Programming to Intrusion Detection
An IDS that exploits the learning power of Genetic Programming
Two types of security tools:
– Pro-active
– Reactive: IDS falls in this category
[GP] Components in an IDS
– Anomaly: may indicate a possible intrusion
– So how do we know for sure? Expert system: rule-set = model; metrics; comparing metrics & model
– But … if a new intrusion scenario arises, modifying the IDS is complicated
[GP] A finer-grained approach
The IDS gets split into multiple Autonomous Agents
[GP] Using GP for learning
– Instead of a monolithic static “knowledge base”
– The GP paradigm allows evolution of agents that could be placed in a system to monitor audit data
– GP programs are in a simple meta-language, with primitives that access audit data fields and manipulate them
[GP] Internal agent architecture
[GP] Learning by feedback
What do the agents monitor?
– Inter-packet timing metrics: total # of socket connections, average time between socket connections, minimum time between socket connections, maximum time between socket connections, destination port, source port
– Potential intrusions looked for: port flooding, port-walking, probing, password cracking
[GP] Fitness of an agent
Δ = | outcome − suspicion |
Penalty = Δ × ranking / 100
Fitness = (100 − Δ) − penalty
[GP] Multiple types
– Time (long int), port (int), boolean, suspicion (int)
– Problems with multiple types: ADF solution to type safety
– ADF: Automatically Defined Function
– To monitor network timing: avg_interconn_time, min_interconn_time, max_interconn_time
– For port monitoring: src_port, dest_port
– For privileged port checking: is_priv_dest_port, is_priv_src_port
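To tie the last three slides together, the block below is an added worked example (not code from the Crosbie/Spafford paper): it derives the timing and port primitives an agent reads from a window of socket connections, expresses a small hand-written agent over those primitives as a stand-in for an evolved GP program, and scores it with the feedback formula Δ = |outcome − suspicion|, penalty = Δ × ranking / 100, fitness = (100 − Δ) − penalty. Assumptions not on the slides: outcome is 100 for a scenario that really is an intrusion and 0 otherwise, suspicion is the agent's 0..100 output, ranking is a 0..100 weight for the scenario, and a privileged port is one below 1024. The three traffic scenarios (a port flood, a port walk, a benign session) are constructed.

```python
"""Agent primitives and the feedback fitness from the GP slides.

Added worked example, not code from the Crosbie/Spafford paper. Assumed
conventions: outcome is 100 for a real intrusion and 0 otherwise, suspicion
is the agent's 0..100 output, ranking is a 0..100 scenario weight, and a
privileged port is one below 1024. All traffic below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Conn:
    t: float        # seconds since the start of the audit window
    src_port: int
    dst_port: int


def timing_metrics(conns: Sequence[Conn]) -> Dict[str, float]:
    """The inter-packet timing primitives named on the slide."""
    ts = sorted(c.t for c in conns)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "total_conns": len(conns),
        "avg_interconn_time": sum(gaps) / len(gaps) if gaps else 0.0,
        "min_interconn_time": min(gaps) if gaps else 0.0,
        "max_interconn_time": max(gaps) if gaps else 0.0,
    }


def is_priv_port(port: int) -> bool:
    """Privileged-port primitive (assumed Unix convention: ports below 1024)."""
    return 0 < port < 1024


def agent_suspicion(conns: Sequence[Conn]) -> int:
    """Hand-written stand-in for an evolved agent: returns a 0..100 suspicion."""
    m = timing_metrics(conns)
    dst_ports = [c.dst_port for c in sorted(conns, key=lambda c: c.t)]
    # port flooding: many connections to one port with little time between them
    if m["total_conns"] >= 10 and len(set(dst_ports)) == 1 and m["avg_interconn_time"] < 0.5:
        return 95
    # port walking: connections marching through consecutive destination ports
    if m["total_conns"] >= 5 and all(b == a + 1 for a, b in zip(dst_ports, dst_ports[1:])):
        return 80
    # otherwise low suspicion, slightly higher if privileged services are touched
    return 10 if any(is_priv_port(c.dst_port) for c in conns) else 5


def fitness(outcome: int, suspicion: int, ranking: int) -> float:
    """Fitness = (100 − Δ) − penalty, Δ = |outcome − suspicion|, penalty = Δ × ranking / 100."""
    delta = abs(outcome - suspicion)
    penalty = delta * ranking / 100
    return (100 - delta) - penalty


Scenario = Tuple[str, List[Conn], int, int]  # (name, connections, outcome, ranking)


def evaluate_agent(agent: Callable[[Sequence[Conn]], int], scenarios: Sequence[Scenario]) -> float:
    """Total fitness of one agent over the labelled scenarios (the selection signal)."""
    return sum(fitness(outcome, agent(conns), ranking) for _, conns, outcome, ranking in scenarios)


# Constructed scenarios.
FLOOD = [Conn(i * 0.1, 40000 + i, 80) for i in range(20)]    # 20 hits on port 80, 0.1 s apart
WALK = [Conn(i * 2.0, 41000 + i, 20 + i) for i in range(6)]  # ports 20..25 in order
BENIGN = [Conn(0.0, 50000, 22), Conn(30.0, 50001, 443), Conn(95.0, 50002, 80)]
SCENARIOS: List[Scenario] = [("port flood", FLOOD, 100, 50), ("port walk", WALK, 100, 30), ("benign", BENIGN, 0, 10)]

if __name__ == "__main__":
    for name, conns, outcome, ranking in SCENARIOS:
        s = agent_suspicion(conns)
        print(f"{name:10s} suspicion={s:3d} fitness={fitness(outcome, s, ranking):.1f}")
    print("total fitness:", evaluate_agent(agent_suspicion, SCENARIOS))
```

The penalty term is what makes ranking matter: the same 20-point miss on the port walk costs 6 extra points at ranking 30 but would cost 10 at ranking 50, so agents that misjudge highly ranked scenarios fall behind in selection faster.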
[GP] Experimental results:
That’s it !!!
Too old a research idea … did not find any current research in the same field