Slide 1: Anomaly Based Intrusion Detection System Using Naive Bayesian and Hidden Markov Models
By Jonathan Lally ID:
Slide 2: What is an IDS?
- Proxy: processes requests and hides the client IP
- Firewall: blocks unwanted connections (e.g. FTP)
- IDS: analyses packet data
[Diagram labels: Hack, ESB]
Slide 3: What is an IDS? Goals
- Identify
- Prevent
- Learn
Example threat: Denial of Service attack (DoS)
Slide 4: Location
The IDS sits on the network backbone, where it can see all traffic.
Slide 5: Misuse Detectors
Analyse signatures:
- IP address
- Port and count
- Packet flags (e.g. SYN flags: DoS)
Analogy: a local bouncer ("Not you, Bob")
Slide 6: Misuse Detectors
Advantages: detect known attacks; quick
Disadvantages: need regular signature patches; adaptive attackers (an attacker changes the attack's implementation so it no longer matches the signature)
Example: Snort
Slide 7: Anomaly Detectors
- Learns user habits
- Flags odd behaviour
- Blocks persistently flagged connections
Analogy: a club bouncer
Slide 8: Anomaly Detectors
Advantages: powerful; blocks unknown attacks
Disadvantages: slow; false positives; training (users aren't predictable); needs safe, attack-free training data
Slide 9: Hidden Markov Model
Finite state analysis
Slide 10: Hidden Markov Model
Watches state transitions
Advantages: accurate
Disadvantages: slow; memory usage
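The state-transition idea on slides 9 and 10, as an added worked example that is not from the presentation: a small hidden Markov model over the sequence of TCP flags seen in one connection, scored with the forward algorithm. The hidden states (handshake phases), every transition and emission probability, the two sample packet sequences and the anomaly threshold are constructed for illustration; a real deployment would estimate them from attack-free training traffic.

```python
import math

# Observable packet types and hidden connection phases.  All probabilities below are
# constructed for illustration (assumption), not learned from real traffic.
SYMBOLS = ["SYN", "SYN/ACK", "ACK", "PSH/ACK", "FIN/ACK", "RST"]
STATES = ["SYN_SENT", "SYN_RCVD", "ESTABLISHED", "CLOSING"]

START = {"SYN_SENT": 0.90, "SYN_RCVD": 0.03, "ESTABLISHED": 0.05, "CLOSING": 0.02}

# TRANS[from][to]: a handshake normally moves forward; lingering in SYN_SENT is rare.
TRANS = {
    "SYN_SENT":    {"SYN_SENT": 0.10, "SYN_RCVD": 0.85, "ESTABLISHED": 0.03, "CLOSING": 0.02},
    "SYN_RCVD":    {"SYN_SENT": 0.02, "SYN_RCVD": 0.05, "ESTABLISHED": 0.90, "CLOSING": 0.03},
    "ESTABLISHED": {"SYN_SENT": 0.01, "SYN_RCVD": 0.01, "ESTABLISHED": 0.88, "CLOSING": 0.10},
    "CLOSING":     {"SYN_SENT": 0.15, "SYN_RCVD": 0.01, "ESTABLISHED": 0.04, "CLOSING": 0.80},
}

# EMIT[state][symbol]: which packet types each phase tends to produce.
EMIT = {
    "SYN_SENT":    {"SYN": 0.90, "SYN/ACK": 0.02, "ACK": 0.02, "PSH/ACK": 0.02, "FIN/ACK": 0.02, "RST": 0.02},
    "SYN_RCVD":    {"SYN": 0.02, "SYN/ACK": 0.90, "ACK": 0.02, "PSH/ACK": 0.02, "FIN/ACK": 0.02, "RST": 0.02},
    "ESTABLISHED": {"SYN": 0.025, "SYN/ACK": 0.025, "ACK": 0.45, "PSH/ACK": 0.45, "FIN/ACK": 0.025, "RST": 0.025},
    "CLOSING":     {"SYN": 0.03, "SYN/ACK": 0.02, "ACK": 0.35, "PSH/ACK": 0.03, "FIN/ACK": 0.45, "RST": 0.12},
}


def model_is_valid():
    """Sanity check: every probability row must sum to 1."""
    rows = [START] + list(TRANS.values()) + list(EMIT.values())
    return all(abs(sum(row.values()) - 1.0) < 1e-9 for row in rows)


def _logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


def log_likelihood(seq):
    """Forward algorithm: log P(seq | model), summed over all hidden-state paths.

    Only the current alpha vector is kept, so the cost per packet is O(|STATES|^2)
    time and O(|STATES|) memory for one connection.
    """
    alpha = {s: math.log(START[s]) + math.log(EMIT[s][seq[0]]) for s in STATES}
    for sym in seq[1:]:
        alpha = {
            s: _logsumexp([alpha[p] + math.log(TRANS[p][s]) for p in STATES])
               + math.log(EMIT[s][sym])
            for s in STATES
        }
    return _logsumexp(list(alpha.values()))


def per_packet_score(seq):
    """Average log-likelihood per packet, so short and long connections are comparable."""
    return log_likelihood(seq) / len(seq)


def is_anomalous(seq, threshold=-1.8):
    """Flag a connection whose flag sequence is improbable under the benign model.
    The threshold is an assumption; in practice it is tuned on held-out benign traffic."""
    return per_packet_score(seq) < threshold


# Constructed sample connections.
BENIGN = ["SYN", "SYN/ACK", "ACK", "PSH/ACK", "ACK", "PSH/ACK", "ACK", "FIN/ACK", "ACK"]
SYN_FLOOD = ["SYN"] * 20   # half-open connection attempts, never completing the handshake

if __name__ == "__main__":
    assert model_is_valid()
    for name, seq in [("benign", BENIGN), ("SYN flood", SYN_FLOOD)]:
        print(f"{name}: {per_packet_score(seq):.2f} per packet, anomalous={is_anomalous(seq)}")
```

The repeated SYN sequence is penalised because the only way to explain it is to stay in SYN_SENT, a transition the benign model considers unlikely. The slide's "memory usage" disadvantage shows up when this is deployed: the per-connection alpha vector is small, but one has to be kept for every live connection on a backbone link.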
Slide 11: Naive Bayesian Model
Probability distribution of packet type per connection:
- Average connection: < 3 RSTs, 8 SYNs, 48 ACKs, 1 FIN/ACK, 40 PSH/ACKs >
- DoS attack: < 0 RSTs, 100 SYNs, 0 ACKs, 0 FIN/ACKs, 0 PSH/ACKs > (flooding with "hello", i.e. SYN, packets)
Slide 12: Naive Bayesian Model
Advantages: fast; effective
Disadvantages: high false positives
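An added worked example (not from the presentation) of the packet-type Naive Bayesian classifier on slides 11 and 12: a multinomial Naive Bayes over the five flag counts, trained on a handful of constructed connection vectors and then applied to the two example vectors from slide 11. The training set, the smoothing constant and the class names are assumptions.

```python
import math
from collections import Counter

# Feature order for each connection vector, matching the slide's notation:
# < RSTs, SYNs, ACKs, FIN/ACKs, PSH/ACKs >
FLAGS = ["RST", "SYN", "ACK", "FIN/ACK", "PSH/ACK"]

# Constructed training set (assumption: not data from the presentation).
# Each entry is (label, per-connection packet-type counts in FLAGS order).
TRAINING = [
    ("normal", [3, 8, 48, 1, 40]),
    ("normal", [2, 6, 40, 1, 30]),
    ("normal", [1, 10, 60, 2, 55]),
    ("normal", [4, 7, 45, 1, 38]),
    ("dos",    [0, 100, 0, 0, 0]),
    ("dos",    [1, 250, 2, 0, 0]),
    ("dos",    [0, 80, 1, 0, 0]),
]


class MultinomialNB:
    """Naive Bayes over packet-type counts.

    P(class | counts) is proportional to P(class) * prod_f theta[class][f] ** count_f,
    where theta[class][f] is the probability that a packet of a connection in
    `class` has flag type f.  The "naive" assumption is that packet types are
    drawn independently given the class, which is what makes training and
    classification a single pass over the counts (the slide's "fast").
    """

    def __init__(self, alpha=1.0):
        self.alpha = alpha      # Laplace smoothing so an unseen type never gets probability 0
        self.log_prior = {}
        self.log_theta = {}

    def fit(self, samples):
        class_counts = Counter(label for label, _ in samples)
        totals = {c: [0] * len(FLAGS) for c in class_counts}
        for label, vec in samples:
            for i, count in enumerate(vec):
                totals[label][i] += count
        for c, n_c in class_counts.items():
            self.log_prior[c] = math.log(n_c / len(samples))
            denom = sum(totals[c]) + self.alpha * len(FLAGS)
            self.log_theta[c] = [math.log((t + self.alpha) / denom) for t in totals[c]]
        return self

    def log_posteriors(self, vec):
        # Log space: a plain product of 100 probabilities would underflow to 0.
        return {
            c: self.log_prior[c] + sum(v * lt for v, lt in zip(vec, self.log_theta[c]))
            for c in self.log_prior
        }

    def predict(self, vec):
        scores = self.log_posteriors(vec)
        return max(scores, key=scores.get)


CLASSIFIER = MultinomialNB().fit(TRAINING)


def classify(vec):
    """Label a connection vector as 'normal' or 'dos'."""
    return CLASSIFIER.predict(vec)


if __name__ == "__main__":
    # The two vectors from slide 11.
    for name, vec in [("average connection", [3, 8, 48, 1, 40]),
                      ("SYN flood", [0, 100, 0, 0, 0])]:
        print(name, vec, "->", classify(vec))
```

The classifier only sees the proportions of packet types, not their order or timing, so any benign connection whose mix happens to be SYN-heavy (a client retrying a dead server, for instance) scores like the flood. That is the false-positive problem the next slide names.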
Slide 13: My Experiment
Hybrid Naive Bayesian Model with Hidden Markov Model
Slide 14: Previous Experiments
- Naive Bayesian based IDS: Vijayasarathy, R., Raghavan, S. V., & Ravindran, B. "A system approach to network modeling for DDoS detection using a Naïve Bayesian classifier", 2011.
- Hidden Markov Model: Rangadurai Karthick, R., Hattiwale, V. P., & Ravindran, B. "Adaptive network intrusion detection system using a hybrid approach", 2012.
This experiment: time-based training data