Published by Mariah Melinda McDonald. Modified over 8 years ago.
1
Implementation of Genetic Algorithms into SNORT, a Network Intrusion Detection System
By Brian E. Lavender
March 21, 2010
Advisor: Dr. Scott Gordon
Department of Computer Science, California State University, Sacramento
2
Overview
● Network Intrusion Detection System (NIDS)
● Genetic Algorithms
● Existing Research (Gong et al.)
● Extension
3
Network Intrusion Detection System (NIDS)
4
SNORT Rule
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
Experts required to write rules
5
System that Detects an Attack
System will categorize connections into normal or attack types
6
DARPA audit and test data
We can evolve rules to identify the attacks!
7
Genetic Algorithm Overview
8
Generate Random Individual
w1 = 0.2, w2 = 0.8
Support = 0.1
Confidence = 0.5
fitness = w1 * support + w2 * confidence = 0.2 * 0.1 + 0.8 * 0.5 = 0.42
9
Crossover and Mutation
Evolve rules and integrate attribute detection into SNORT. Use top 25 rules.
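Added example (not from the original slides or the SNORT code base): scoring candidate rules with the fitness formula above and keeping the fittest ones, as the deck does with its top 25. It assumes the standard association-rule definitions support = |A and B| / N and confidence = |A and B| / |A|; the attribute names, the wildcard gene and the sample records are constructed for illustration.

```python
# Added example, not from the slides. Assumed definitions (standard
# association-rule measures): support = |A and B| / N,
# confidence = |A and B| / |A|, where A is the rule's condition and
# B its predicted class.
ANY = None  # wildcard gene: matches every value of that attribute

# Constructed sample records: (protocol, service, flag, label)
RECORDS = [
    ("tcp", "http", "SF", "normal"),
    ("tcp", "http", "SF", "normal"),
    ("tcp", "http", "S0", "attack"),
    ("tcp", "http", "S0", "normal"),
    ("tcp", "smtp", "SF", "normal"),
    ("udp", "dns", "SF", "normal"),
    ("udp", "dns", "SF", "normal"),
    ("tcp", "ftp", "SF", "normal"),
    ("icmp", "ecr_i", "SF", "attack"),
    ("icmp", "ecr_i", "SF", "attack"),
]

def matches(condition, attributes):
    """True if every non-wildcard gene equals the record's attribute."""
    return all(g is ANY or g == a for g, a in zip(condition, attributes))

def fitness(rule, records, w1=0.2, w2=0.8):
    """Return (fitness, support, confidence) for rule = (condition, label)."""
    condition, predicted = rule
    hits = [r for r in records if matches(condition, r[:-1])]   # A
    correct = [r for r in hits if r[-1] == predicted]           # A and B
    support = len(correct) / len(records) if records else 0.0
    # A rule that matches nothing has no confidence, not a division error.
    confidence = len(correct) / len(hits) if hits else 0.0
    return w1 * support + w2 * confidence, support, confidence

def top_rules(population, records, k):
    """Keep the k fittest rules, as the deck does with its top 25."""
    ranked = sorted(population, key=lambda r: fitness(r, records)[0], reverse=True)
    return ranked[:k]

POPULATION = [  # constructed candidate rules
    (("tcp", "http", "S0"), "attack"),
    (("icmp", ANY, ANY), "attack"),
    ((ANY, ANY, "SF"), "attack"),
    (("udp", ANY, ANY), "attack"),
]

if __name__ == "__main__":
    for rule in top_rules(POPULATION, RECORDS, 2):
        print(rule, fitness(rule, RECORDS))
```

The first constructed rule reproduces the slide's numbers (support 0.1, confidence 0.5, fitness 0.42). The broad rule matching every "SF" connection scores lower despite equal support with the ICMP rule, because w2 weights confidence more heavily.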
10
What has been learned
● SNORT integration plugin
● Run SNORT with test data
Still to Do
● Creating random individuals
● More descriptive attributes for chromosome
● Systems for classifying data. Formal methods
● Something that seems so easy is not.