Published by Emerald Banks. Modified over 5 years ago.
1
Using decision trees to improve signature-based intrusion detection
Yaxuan Qi FIT NSLab Dec 15, 2005
2
Outline: Main Idea; Decision Tree Construction; Decision Tree Traversing; String Matching in a Sub-ruleset; Experiments; Discussion
3
Main Idea: Rule Clustering using a Decision Tree
Reduce the number of rules that need to be compared against each packet. The clustering is based on the rules themselves, not on experience or traffic statistics. It uses a variant of the ID3 algorithm. Example:
4
Decision Tree Construction
We already have AC, BM, ... so why do we still need a decision tree? Parallel multi-pattern algorithms may consume EXCESSIVE memory, and BM requires EXPENSIVE multi-string matches. Rule clusters in Snort (by dIP & dPort) are still too large, so simple clustering is not enough.
5
Decision Tree Construction
Building The Decision Tree Feature selection
6
Decision Tree Construction
Building the decision tree: entropy computation.
Smax: the maximum number of rules in S.
Entropy of rule set S.
pi: the probability of a rule being triggered.
Special case considered: Smax=n and pi=1/n.
7
Decision Tree Construction
Building the decision tree: the ID3 algorithm, which chooses the feature that maximizes the information gain.
The information gain of feature F on set S is computed from: the number of rules with an identical value v for feature F; the set of different values of feature F; and the number of rules in S.
8
Decision Tree Construction
Building The Decision Tree Rules with wildcard
9
Decision Tree Traversing
Feature comparison: range matching using binary search. E.g. if dPort=21, we go through (1) 21<25; (2) 21<23; (3) 0<=21<=22. This takes O(log N) time.
10
Decision Tree Traversing
Feature comparison: finding the correct successor node via a pointer array (figure: tree nodes 1 to 12 with pointer p1). E.g. if dPort=21, we must first load p1 before we know where node 2 is. This takes O(1) time.
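As an added illustration of the construction and traversal steps above (this is example code, not the presentation's or Snort NG's), the following Python builds an ID3-style tree over a small constructed rule set: entropy assumes every rule in S is equally likely to trigger (pi=1/n), wildcard rules are copied into every branch, and feature values are matched exactly rather than by range-based binary search.

```python
import math
from collections import defaultdict
# Constructed Snort-style header rules; "*" is a wildcard (matches any value).
RULES = [("r1", {"proto": "tcp", "dport": 21}),
         ("r2", {"proto": "tcp", "dport": 21}),
         ("r3", {"proto": "tcp", "dport": 80}),
         ("r4", {"proto": "tcp", "dport": 80}),
         ("r5", {"proto": "tcp", "dport": 80}),
         ("r6", {"proto": "udp", "dport": 53}),
         ("r7", {"proto": "icmp", "dport": "*"}),
         ("r8", {"proto": "*", "dport": "*"})]  # content-only rule, any header

def entropy(rules):
    # Each of the n rules in S is equally likely to trigger (pi = 1/n): H = log2(n).
    return math.log2(len(rules)) if len(rules) > 1 else 0.0

def split(rules, feature):
    # S_v per concrete value v; wildcard rules are copied into every S_v since
    # they match whatever value a packet carries (assumed wildcard handling).
    wild = [r for r in rules if r[1][feature] == "*"]
    buckets = defaultdict(list)
    for r in rules:
        if r[1][feature] != "*":
            buckets[r[1][feature]].append(r)
    return {v: s + wild for v, s in buckets.items()}, wild

def info_gain(rules, feature):
    # Gain(S, F) = H(S) - sum_v (|S_v| / N) * H(S_v), with N the total over all S_v.
    buckets, _ = split(rules, feature)
    if not buckets:  # feature is a wildcard in every rule: nothing to split on
        return 0.0
    n = sum(len(s) for s in buckets.values())
    return entropy(rules) - sum(len(s) / n * entropy(s) for s in buckets.values())

def build(rules, features=("proto", "dport")):
    # ID3 step: split on the feature with the largest gain, then recurse per value.
    gains = {f: info_gain(rules, f) for f in features}
    if not gains or max(gains.values()) <= 0.0:
        return {"leaf": [r[0] for r in rules]}
    best = max(gains, key=gains.get)
    buckets, wild = split(rules, best)
    rest = tuple(f for f in features if f != best)
    return {"feature": best,
            "children": {v: build(s, rest) for v, s in buckets.items()},
            "other": {"leaf": [r[0] for r in wild]}}  # value named by no rule

def lookup(tree, pkt):
    # Tree traversal: the leaf reached is the sub-ruleset to string-match.
    while "feature" in tree:
        tree = tree["children"].get(pkt[tree["feature"]], tree["other"])
    return tree["leaf"]
```

With these rules the root splits on proto, and a tcp/21 packet reaches a leaf of three rules instead of all eight.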
11
String Matching in a Sub-ruleset
Algorithm selection: AC, BM or others? The number of rules in a sub-ruleset might range from 1 to several hundred (no experimental result in this paper). BM is efficient for a small number of rules; AC is efficient for rules sharing a common, identical prefix. This paper adopts the Fisk-Varghese approach, which delivers good performance for medium-sized string sets (containing a few up to a few dozen elements).
12
Experiments Snort vs. Snort NG: processing time comparison
X-axis: test traffic of 10 different days, ranging from 216MB to 838MB. Y-axis: processing time (seconds). Snort NG is 5~103% faster than Snort.
13
Experiments Snort vs. Snort NG: processing time comparison
X-axis: number of rules, ranging from 150 to Using the traffic of the first day. Y-axis: processing time (seconds). Better with more rules??
14
Experiments Snort NG: memory consumption X-axis: number of rules, ranging from 150 to Using the traffic of the first day. Y-axis: memory used by Snort NG (KByte). What happened around here??
15
Experiments Summary: Platform: P4 1.8G
System: RedHat Linux kernel; Code: Snort (for Snort NG); Snort 2.0 (for Snort). Traffic data: 1999 DARPA intrusion detection evaluation traffic (MIT Lincoln Labs data sets). Rule transformation: 1581 to 2398 with different topologies (as needed for MIT/LL data). Average performance improvement: 40.3%. Preprocessing time: <12 seconds.
16
Discussion
Critiques from WUSTL: Focus on the header, why not the content? Why not HiCuts? How useful is the information gain technique? Snort memory consumption is not plotted.
Critiques from NSLab: Binary search in a tree node, is it efficient? What is the exact worst case: tree depth, leaf-node size? Packet classification rules vs. Snort rules …
17
THANKS