Hybrid Intelligent Systems for Network Security Lane Thames Georgia Institute of Technology Savannah, GA

Presentation Overview Discuss the goals of this project Overview of Self Organizing Maps Overview of Bayesian Learning Networks Describe the details of the Hybrid System Review the Experimental Results Discuss Conclusions and Future Work Q&A

Internet Growth Internet Growth is Steadily Increasing Many different types of applications are now using the Internet as a communication channel

Data Source:

The life of a network security professional

Data Source:

Current Issues with Security Short time between disclosure of vulnerability and attack Huge Rule Base Huge Signature Databases Lag time between attack detection and signature creation Lag time between vulnerability discovery and patch deployment

Project Goals Develop an Intelligent System that works reliably with data that can be collected purely within a Computer Network Why? If security mechanisms are difficult to use, people will not use them. Using data from the network takes some of the burden off the end user

Hybrid Intelligent Systems A system was developed that made use of two types of Intelligence Algorithms: Self-Organizing Maps Self-Organizing Maps Bayesian Learning Networks Bayesian Learning Networks

Training and Testing Data Set KDD-CUP 99 Data Set The Data set used for the Third International Knowledge Discovery and Data Mining Tools Competition

Training and Testing Data Set 41 Total Features Categorized as: Basic TCP/IP features Basic TCP/IP features Content Features Content Features Time Based Traffic Features Time Based Traffic Features Host Based Traffic Features Host Based Traffic Features

Self Organizing Maps—SOM Pioneered by Dr. Teuvo Kohonen An algorithm that transforms high dimensional input data domains to elements of a low dimensional array of nodes

Self-Organizing Maps Input Data Vectors Parametric Vector associated with each element, i, of the grid

Self-Organizing Map A decoder function is defined on the basis of distance between the input vector and the parametric vector. The decoder function is used to map the image of the input vector onto the SOM grid. The decoder function is usually chosen to be either the Manhattan or Euclidean distance metric.

Self-Organizing Maps A Best Matching Unit, denoted as the index c, is chosen as the node on the SOM grid that is closest to the input vector

Self-Organizing Maps The dynamics of the SOM algorithm demand that the M i be shifted towards the order of X such that a set of values {M i } are obtained as the limit of convergence of the following:

Bayesian Learning Networks—BLN A BLN is a probabilistic model, and the network is built on the basis of a Directed Acyclic Graph (DAG) The directed edges of the graph represent relationships among the variables

Bayesian Learning Networks The Fundamental Equation: Bayes Theorem

Bayesian Learning Networks In Bayesian learning, we calculate the probability of an hypothesis and make predictions on that basis

Bayesian Learning Networks With BLN, we have conditional probabilities for each node given its parents The graph shows causal connections between the variables Prediction and abduction x1x1x1x1 x3x3x3x3 x2x2x2x2 x5x5x5x5 x4x4x4x4

Naïve Bayesian Learning Network The Naïve BLN is a special case of the general BLN It contains one root node which is called the class variable, C The leaf nodes are the attribute variables (X 1 … X i ) It is Naïve because it assumes the attributes are conditionally independent given the class C x3x3x3x3 x2x2x2x2 x1x1x1x1

The Naïve BLN Classifier Once the network is trained, it can be used to classify new examples where the attributes are given and the class variable is unobserved—abduction The Goal: Find the most probable class value given a set of attribute instantiations (X 1 … X i )

Hybrid System Details SOM Training Training Data Subset

Hybrid System Details Data BN Development Module Modified Data Trained SOM

Hybrid System Details BN Development Module Training Data Bayesian Training Structure File

Hybrid System Details Bayesian/SOMClassifier Classification File Test Data

Experimental Results 4 types of analyses were made with the dataset BLN analysis with network and host based data BLN analysis with network and host based data BLN analysis with network data BLN analysis with network data Hybrid analysis with network and host based data Hybrid analysis with network and host based data Hybrid analysis with network based data Hybrid analysis with network based data

Experimental Results BLN- Host/Network Based BLN- Network Based Hybrid- Host/Network Based Hybrid- Network Based Total Cases 65,50562,04765,50562,047 Correctly Classified 65,01959,73465,23861,631 % Correctly Classified 99.26%96.27%99.59%99.33% Number of Incorrectly Classified

Future and Current Work HoneyNet Project Resource Management System with Intelligent System Processing at the Core

Conclusions Intelligent System algorithms are very useful tools for applications in Network Security

Conclusions Questions remain to be answered: How will the system behave as the data becomes very noisy with respect to training data How will the system behave as the data becomes very noisy with respect to training data How will other intelligence algorithms compare in performance—training time, accuracy, robustness in noise How will other intelligence algorithms compare in performance—training time, accuracy, robustness in noise