Case Based Reasoning Approach to Intrusion Detection Date: 3/14/2005 Dr. Seong-Moo Yoo Information Assurance Engineering Lab Electrical and Computer Engineering.

Case Based Reasoning Approach to Intrusion Detection Date: 3/14/2005 Dr. Seong-Moo Yoo Information Assurance Engineering Lab Electrical and Computer Engineering Dept. University of Alabama in Huntsville

Current IDS Systems Existing IDS systems are mostly static: they track known attack signatures. Any recognized attack is blocked from entering the protected system, and all other traffic (friendly and unknown) is permitted to access the system. –Malicious traffic is mostly of an unknown signature type, so it does not trigger the IDS. This is the motivation for a dynamic approach.

Current ID Approaches and CBR Knowledge-based approaches –very efficient at detecting intruders of previously known types, but ineffective against new forms of threat. Behavior-based approaches –have the potential to guard against previously unknown types of threat, but are not as precise or efficient. CBR can be considered a mix of these two approaches (a fuzzy approach).

Proposed CBR Approach Goal: transition from a philosophy that “denies known threats” to one that “permits confirmed friends”. Dynamic, real-time detection of friend and attack traffic patterns within an evolving environment. Implemented completely in software.

CBR (cont’d) CBR encompasses a three-pronged innovation: 1. A provision for explicit identification of true friends in addition to the traditional identification of known threats. 2. The use of CBR, hitherto not employed within the intrusion detection environment, to accomplish this goal. 3. A unique ongoing learning capability that enhances CBR to self-learn new threats as they arise.

CBR Steps I. Identify a viable technique to characterize a known set of threat signatures, II. Develop a similar technique to characterize known friend signatures, III. Incorporate threat intrusion detection, IV. Incorporate true friend detection, and V. Develop and demonstrate a methodology for the analysis of unknown signatures.

CBR Step 1 Recognizes that a growing threat signature database exists. The goal here is to –conduct an analysis to classify these known threats into logical groups, –characterize the key parameters that define each group, and –determine an acceptable set of tolerances that can be used to classify unknown signatures as likely threats.

CBR Steps 2 & 3 Step 2 runs parallel to Step 1, with classification, characterization and tolerance definition determined for all known true friend signatures. Whereas an existing database will drive threat signature characterization, it is recognized that, for a given information system, known friend signatures must first be decoded. Step 3 incorporates an existing IDS into the process.

CBR Step 4 Enhances the achievable level of information assurance by adding a filtering process that allows only traffic confirmed as friendly into the protected system. Operating together, the modified IDS (threat filter) and the newly established true-friend detector filter out known threat and unknown traffic.

CBR Step 5 Facilitates the ongoing learning noted earlier by first analyzing the filtered unknown signatures for the existence of inherent, similarly characterized clusters. The goal of this analysis is to expand the threat and friendly signature databases via the CBR-based evaluation described above.

Three General Clusters 1. Likely friend 2. Likely threat 3. Continued unknown. The threshold mechanism will assess whether the closeness is sufficient for the traffic to be truly normal, or whether there are grounds to suspect a case of normal-behavior ‘impersonation.’

Other Jobs to Be Done Conduct a review of the arena’s state-of-the-art capabilities to ensure that no reinvention of the wheel occurs and that funding is utilized judiciously to meet the program objectives. The potential for exploiting the synergy between our proposed approach and other techniques currently in use will also be investigated. Our expertise in the field of information and decision fusion will be utilized in exploiting this synergy between the approaches.

Jobs to Be Done (cont.) An enhanced IDS that will I. Identify incoming message streams as “true friends”, “true threats”, and “unknowns”. II. Use CBR, for the first time, to accomplish this partitioning. III. Incorporate a unique ongoing learning capability that enhances CBR to self-learn new “threats” and “friends” as they arise.

Concept Demonstration Up-to-date databases of known threat and true friend mechanisms can be identified. System-specific true friend and known threat signatures will then be classed, characterized and their tolerance limits defined. The resulting threat signature knowledge will then be infused into an existing IDS (threat) filter, while the true friend signature characterizations will be packaged within a new true friend filter. The proposed enhanced information assurance capability will then be demonstrated by subjecting the selected system to known threat, true friend and unknown signature traffic.

Support Component To conduct this demonstration we need: –access to the Government-selected test system to identify an emulated network, –sponsorship to examine an existing Government information assurance threat database, and –a realistic (operational) message traffic characterization.

Evaluation Performance evaluation of CBR will include –Comparison of effectiveness between this new IDS philosophy and current IDS capabilities. This comparison will measure such items as the effect on the protected system’s operating speed and the level of protection provided. –Measurement of the speed and effectiveness of the True Friend Detection System (Step 4). –Measurement of the speed and effectiveness of the Analysis of Unknowns (Step 5).
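The five CBR steps and the three-cluster threshold mechanism described above, together with the comparison of the two filter philosophies called for on this Evaluation slide, as an added worked example in Python that is not part of the presentation or its authors' work. Everything in it is assumed for illustration: the three traffic features (packets per second, mean payload bytes, distinct destination ports per minute), the per-feature scales, the tolerance rule (twice the observed group radius with a floor), the greedy clustering radius, and the sample friend and threat signatures, which are constructed values rather than captured traffic. Known cases are grouped (Steps 1 and 2), each group is characterized by a centroid and a tolerance, an incoming signature is matched to its nearest group (Steps 3 and 4) and falls into one of the three clusters, filtered unknowns are clustered and a suggested label is proposed for analyst confirmation before the cluster is promoted into the case base (Step 5), and `evaluate` counts what each filter policy admits and blocks.

```python
# Added example (not the presentation's own code): a small case-based reasoning
# classifier. Feature set, scales, sample signatures and thresholds are constructed.
import math
from dataclasses import dataclass, field

# Signature features: packets/s, mean payload bytes, distinct destination ports/min.
# SCALE puts one unit of each feature on a comparable footing before measuring distance.
SCALE = (1000.0, 1000.0, 100.0)
LIKELY_FRIEND, LIKELY_THREAT, CONTINUED_UNKNOWN = "likely friend", "likely threat", "continued unknown"
TOL_FLOOR, TOL_SLACK = 0.05, 2.0  # tolerance = max(TOL_SLACK * observed group radius, TOL_FLOOR)

def _norm(x):
    return tuple(v / s for v, s in zip(x, SCALE))

def _dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def _centroid(points):
    return tuple(sum(c) / len(points) for c in zip(*points))

@dataclass
class Group:
    """One logical group of signatures (Steps 1-2: classify, characterize, set tolerance)."""
    name: str
    label: str                                   # "threat" or "friend"
    members: list = field(default_factory=list)  # raw feature tuples
    centroid: tuple = ()
    tolerance: float = 0.0

    def characterize(self):
        pts = [_norm(m) for m in self.members]
        self.centroid = _centroid(pts)
        self.tolerance = max(TOL_SLACK * max(_dist(p, self.centroid) for p in pts), TOL_FLOOR)
        return self

class CaseBase:
    def __init__(self, groups):
        self.groups = [g.characterize() for g in groups]

    def nearest(self, x, label):
        """Closest match among the groups carrying one label: (group, distance)."""
        q = _norm(x)
        return min(((g, _dist(q, g.centroid)) for g in self.groups if g.label == label),
                   key=lambda t: t[1], default=(None, math.inf))

    def classify(self, x):
        """Threshold mechanism: one of the three general clusters, plus the nearest group."""
        tg, td = self.nearest(x, "threat")
        fg, fd = self.nearest(x, "friend")
        if tg is not None and td <= tg.tolerance:   # a threat match wins even if it also looks friendly
            return LIKELY_THREAT, tg.name, td
        if fg is not None and fd <= fg.tolerance:   # close enough to be truly normal
            return LIKELY_FRIEND, fg.name, fd
        g, d = min((tg, td), (fg, fd), key=lambda t: t[1])  # near nothing, or near a friend group
        return CONTINUED_UNKNOWN, g.name if g else None, d  # but outside tolerance: possible impersonation

    def promote(self, members, label, name):  # Step 5: a confirmed cluster of unknowns becomes a known group
        self.groups.append(Group(name, label, list(members)).characterize())

def admit(cluster, policy):
    """'deny_known_threats' is the traditional filter; 'permit_confirmed_friends' is the proposed one."""
    return cluster != LIKELY_THREAT if policy == "deny_known_threats" else cluster == LIKELY_FRIEND

def cluster_unknowns(unknowns, radius=0.05):
    """Greedy grouping of filtered unknowns into similarly characterized clusters (Step 5)."""
    clusters = []
    for x in unknowns:
        for c in clusters:
            if _dist(_norm(x), _centroid([_norm(m) for m in c])) <= radius:
                c.append(x)
                break
        else:
            clusters.append([x])
    return clusters

def suggest_label(cb, members):
    """CBR closest match for a cluster's centroid; an analyst confirms it before promote()."""
    g, d = min((cb.nearest(_centroid(members), lab) for lab in ("threat", "friend")), key=lambda t: t[1])
    return g.label, g.name, d

def evaluate(cb, labelled, policy):
    """Outcome counts of one filter policy over (signature, ground-truth label) pairs."""
    counts = {"friends_admitted": 0, "friends_denied": 0, "threats_blocked": 0, "threats_leaked": 0}
    for x, truth in labelled:
        admitted = admit(cb.classify(x)[0], policy)
        outcome = ("admitted" if admitted else "denied") if truth == "friend" else ("leaked" if admitted else "blocked")
        counts[f"{truth}s_{outcome}"] += 1
    return counts

def build_case_base():
    """Constructed known-friend and known-threat signatures (assumed values, not real captures)."""
    return CaseBase([
        Group("web_client", "friend", [(20, 800, 2), (25, 900, 2), (22, 850, 3)]),
        Group("dns_resolver", "friend", [(50, 60, 1), (60, 70, 1), (55, 65, 1)]),
        Group("syn_flood", "threat", [(5000, 0, 1), (6000, 0, 1), (5500, 0, 2)]),
        Group("port_scan", "threat", [(200, 0, 500), (250, 0, 600), (220, 0, 550)]),
        Group("http_flood", "threat", [(400, 820, 2), (450, 860, 2), (420, 840, 3)]),
    ])
```

Calling `build_case_base().classify(x)` on a web-like signature at seven times the profiled rate, such as (150, 850, 2), returns "continued unknown" with web_client as the nearest group: it resembles normal traffic but sits outside the tolerance, which is the impersonation case the threshold is meant to flag. Running `evaluate` over a small labelled set makes the slide's trade-off concrete: under deny_known_threats an unprofiled threat is admitted (counted as threats_leaked), while under permit_confirmed_friends it is blocked but an unprofiled friend is denied (friends_denied) until Step 5 learning promotes its cluster. The suggested label from `suggest_label` should be confirmed by an analyst before `promote` is called, because promoting an attacker's traffic as a friend would defeat the very filter the approach adds.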

Intrinsic Merit This project will help to better protect critical computer networks through an enhanced intrusion detection approach: a transition from “denies known threats” to “permits only confirmed friends”, with a threshold mechanism on top of the CBR closest-match identification process.

Expected Results This effort will provide proof of principle for the proposed IDS philosophy. The R&D is expected to lead to a feasible set of real-time algorithms that admit only confirmed friends while blocking known threat and unknown traffic. Ongoing learning will also be demonstrated as unknown traffic is properly classified and added to the respective databases. A laboratory demonstration will facilitate the evaluation metrics.

Program Description Task 1 – Known Threat Signature Characterization –A set of known threat signatures will first be identified for the selected “target” network. These threats will be characterized to document their nature and catalogue their identifying features. Task 2 – Known Friend Signature Characterization –A methodology for identifying and characterizing a set of known friend signatures will be developed and tested. The methodology will enhance the “trusted network” concept by documenting the nature and cataloguing the identifying features of truly friendly message traffic for the selected network.

Program Description (cont’d) Task 3 – Threat Intrusion Detection –The results of Task 1 will be incorporated into a threat IDS package and tested to ensure that known threats are blocked on the basis of the identified signature characterization. Task 4 – True Friend Detection –The results of Task 2 will be incorporated into a friendly IDS package and tested to ensure that known friendly message traffic is passed to the target network on the basis of a positive match to the identified friendly signature characterization.

Program Description (cont’d) Task 5 – Analysis of Unknown Signatures –A CBR-based screening process will first be used to identify probable threat and probable friendly traffic. This traffic will then be passed, respectively, to the threat signature database and on to the targeted network.

Project Schedule Task 1: Known Threat Signature Characterization Task 2: Known Friend Signature Characterization Task 3: Threat Intrusion Detection Task 4: True Friend Detection Task 5: Analysis of Unknown Signatures Task 6: Reporting
