A Blackboard-Based Learning Intrusion Detection System: A New Approach Presented by: Preeti Anday Dept of Computer & Information Sciences University of Delaware
What is a blackboard?
Blackboard Architecture KS Controller Knowledge Sources (KS)
What is an IDS? An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations.
Intrusion Detection Anomaly Detection Misuse Detection
Intrusion Detection Based on Network system area they audit: Host based Security system that is detecting inside abuses in a computer system Network based Capable of identifying abusive uses or attempts of unauthorized usage of the computer network from outside the system
Prior Approaches Rule based analysis: Predefined rule set Expert systems Drawbacks Inability to detect attack scenarios Lack flexibility Variations in the attack sequence reduce effectiveness of the system
Common Types Of Malicious Attacks Denial-of-service Attack (DoS) Guessing rlogin Attack Scanning Attack
Autonomous Agents What are Autonomous agents? Software agents that perform certain security monitoring functions at the host Independent entities Have minimal overhead and can resist subversion Dynamically reconfigurable, scalable and easily adaptable Degrade gracefully
Learning Intrusion Detection System Architecture
Tier 1 Contains autonomous agents required for initial alert feature, A1: Network reader Collects network data with the help of a program called tcpdump Pastes them on the blackboard A2: Initial Analyzer Calls a rule based classifier that is written as a dll in C++ A3: Display/Output agent Reports the initial analysis to the user
Tier 2 Contains agents that analyze the system specific information, A4: System reader Gathers system specific information on the protected system Posts it on the blackboard A5: Attack classifier Identifies different subclasses of intrusions present in the network Send information from blackboard to the classifier which performs the diagnosis and posts the results on the Blackboard
Tier 2 contd. Memory usage Number of connections Connection attempts The information gathered in A4 includes, Available network bandwidth CPU Usage Network packets Memory usage Number of connections Connection attempts Protocol Packet length
Tier 2 contd. The classifier used in A5 is a micro genetic algorithm based classifier that uses the multiple fault diagnosis concept to perform the necessary function. The result states what of attack is present and what is its probability of presence in the data set. The genetic algorithm is capable of determining the sub-classifications of attacks.
Tier 3 Contains autonomous agents that give full details of the attacks A6: Analyzer with ANN Analyzes information Decides which type of ANN will be useful for further analysis If the analysis finds no attack in the dataset, the agent flags the dataset as false positive alarm
Tier 3 A7: Teaching agent Updates the rule set of A2 A8: Report generation Displays a complete report of the analysis to the user Since the agents are autonomous, a control pattern is included to ensure that each agent gets at least one chance to look at the blackboard in one process cycle.
Questions