Evaluating a Real-time Anomaly-based IDS


1 Evaluating a Real-time Anomaly-based IDS
A.B. Ruighaver, P.G. Thorne, K. Tan
Computer Forensic and System Security Group, University of Melbourne, Australia

2 Anomaly-based Intrusion Detection
To detect the unauthorized use, misuse or abuse of a computer system.
Not attack based (use a misuse IDS)
Can detect masqueraders
Fingerprints user behavior
Other intrusions?
  Subjective (what is an intrusion?)
  Anomaly only indicates a possible intrusion

3 A Real-time Anomaly-based IDS
Neural network based
  Uses simple feed-forward networks
  Does not predict the next action in a sequence, but whether the current action is "normal behavior"
  Needs to be able to forget old behavior
Uses standard system logs
  No need to permanently run auditing software
  Consumes minimal system resources
  Portability

4 Behavioral profiles
Separate networks for each behavioral characteristic
  Commands
  Activity time
  CPU usage
  Login host
Correlation network to build the user profile
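As an added illustration of slides 3 and 4 (example code written for this page, not the authors' system): one per-user profile with a separate table per behavioral characteristic (command, activity time, CPU usage, login host), a forgetting factor so that old behavior fades, and a correlation step that combines the per-characteristic scores into one verdict. The feed-forward networks of the original are stood in for by decaying frequency tables; the log format, the sample log lines, the decay factor and the alert threshold are all assumptions made for the example.

```python
"""Simplified behavioral-profile anomaly scorer (added example, not the deck's code)."""
from collections import defaultdict

# Constructed sample log (not from the page). Fields: timestamp user host command cpu_seconds
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice ws01 ls 0.01
2024-03-04T09:15:00 alice ws01 vim 0.30
2024-03-04T10:02:00 alice ws01 make 4.20
2024-03-04T10:40:00 alice ws01 ls 0.01
2024-03-04T14:05:00 alice ws01 vim 0.25
2024-03-04T15:30:00 alice ws01 make 3.90
2024-03-05T09:20:00 alice ws01 vim 0.28
2024-03-05T11:10:00 alice ws01 make 4.50
2024-03-05T16:00:00 alice ws01 ls 0.02
2024-03-05T16:05:00 alice ws01 git 0.10
"""

DECAY = 0.98          # assumed forgetting factor applied to all counts at each new event
THRESHOLD = 0.6       # assumed combined score above which an event is reported
CHARACTERISTICS = ("command", "hour", "cpu_bucket", "host")


def cpu_bucket(seconds):
    """Coarse log-scale bucket so that a 0.01 s 'ls' and a 4 s 'make' land in different bins."""
    if seconds < 0.1:
        return "cpu<0.1"
    if seconds < 1.0:
        return "cpu<1"
    if seconds < 10.0:
        return "cpu<10"
    return "cpu>=10"


def parse_line(line):
    """Turn one log line into the four characteristics the profile tracks."""
    ts, user, host, cmd, cpu = line.split()
    return {"user": user, "host": host, "command": cmd,
            "hour": int(ts[11:13]), "cpu_bucket": cpu_bucket(float(cpu))}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


class UserProfile:
    """One decaying frequency table per characteristic (stands in for one network each)."""

    def __init__(self):
        self.tables = {c: defaultdict(float) for c in CHARACTERISTICS}

    def learn(self, event):
        for c in CHARACTERISTICS:
            table = self.tables[c]
            for k in table:               # forget old behavior gradually
                table[k] *= DECAY
            table[event[c]] += 1.0

    def score(self, event):
        """Per-characteristic rarity in [0, 1]: 0 for the user's most common value, 1 for a never-seen one."""
        scores = {}
        for c in CHARACTERISTICS:
            table = self.tables[c]
            peak = max(table.values(), default=0.0)
            seen = table.get(event[c], 0.0)
            scores[c] = (1.0 - seen / peak) if peak else 1.0
        return scores


def correlate(scores):
    """Combine per-characteristic scores (mean; stands in for the correlation network)."""
    return sum(scores.values()) / len(scores)


def train(events):
    profiles = defaultdict(UserProfile)
    for e in events:
        profiles[e["user"]].learn(e)
    return profiles


def evaluate(profiles, event, threshold=THRESHOLD):
    """Return (combined score, flagged?, per-characteristic scores). Unknown users score 1.0 everywhere."""
    scores = profiles[event["user"]].score(event)
    combined = correlate(scores)
    return combined, combined >= threshold, scores


if __name__ == "__main__":
    profiles = train(parse_log(SAMPLE_LOG))
    for line in ("2024-03-06T09:30:00 alice ws01 ls 0.01",      # typical
                 "2024-03-06T03:10:00 alice ws01 make 4.00",    # usual command, unusual hour
                 "2024-03-06T03:10:00 alice ws99 nc 25.0"):     # everything unusual
        combined, flagged, scores = evaluate(profiles, parse_line(line))
        print(f"{line}: combined={combined:.2f} flagged={flagged} {scores}")
```

The second probe shows why the correlation step matters: a usual command at an unusual hour scores 1.0 on the time characteristic alone but stays below the combined threshold, so a single-characteristic detector would report it while the correlated profile would not; whether that is the desired behavior is exactly the tuning question the evaluation slides raise.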

5 Evaluation
Fingerprint uniqueness
  Only briefly tested, seems to work well
  Not sure whether we can identify an attacker
Intrusive behavior
  External attacks (easy)
  Insider threat (more difficult)
Initial test data
  Student machine for one semester
  Host identification not reliable and removed

6 Preliminary evaluation results
Some clear intrusions
Some clear non-intrusions
Most anomalies cannot be classified
A few accounts generate most anomalies
Known incidents have been detected
Command-time anomalies prevalent
Many repeated anomalies
Command is not a good indicator

7 Lessons
Need a good data set
  No artificial data set; need varied behavior
  Need audit data to explain behavior
  May need to filter out repeated intrusions
Need more behavior
  Tailor the system to generate complex behavior
  Prevent detection of non-intrusive anomalies
Need to have better response capabilities

8 Conclusions
Fingerprint based on individual behavior
  Indicates any change in individual behavior
  To identify intrusions, need group behavior
Need to create more behavior in the system
Anomaly-based IDS is not only a tool for detection but also a tool for prevention -> use it as a behavioral monitor

