
Packet Anomaly Intrusion Detection PAID Constantine Manikopoulos and Zheng Zhang New Jersey Center for Wireless Networking and Security (NJWINS) at NJIT.

Presentation transcript:

1 Packet Anomaly Intrusion Detection (PAID). Constantine Manikopoulos and Zheng Zhang, New Jersey Center for Wireless Networking and Security (NJWINS) at NJIT. George Mason University, September 24-26, 2003.

2 The HIDE/PAID Project
NJWINS – US Army SBIR Phase II Research and Development Effort.
Goal: prototype and evaluate an Intrusion Detection System for the Tactical Internet of the Digital Battlefield.

3 System Architecture
Components:
–Probe
–Event preprocessor
–NN classifier
–Post processor

4 System Architecture

5 Multi-layer Detection

6 PDF Representation
Binned PDF Representation:
–Let S be the sample space of a random variable.
–Events E_1, E_2, …, E_k form a mutually exclusive partition of S.
–P_i is the expected probability of the occurrence of the event E_i.
–P_i' is the frequency of the occurrence of E_i during a given time interval.

7 Similarity Measuring Algorithms
–χ²-like test.
–Kolmogorov-Smirnov test.
–Anderson-Darling's statistic.
–Kuiper's statistic.
–Others.

8 Similarity Measuring Algorithms
–p_i is the expected probability of event E_i.
–P_i' is the observed probability of event E_i during a time interval.
–f(N) is a function that takes into account the total number of occurrences N during a time window.

9 Reference Model Updating
Reference Model Updating Algorithm:
–p_old is the reference model before updating.
–p_new is the reference model after updating.
–The adaptation rate is a programmable, predefined constant.
–s is a learning rate determined by the outputs of the neural network.
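The binned-PDF comparison and reference-model update of slides 6 to 9, as an added example that is not the PAID project's code. The event bins, the reference model, the traffic trace, the χ²-like statistic with f(N) = N, and the blended update rule (weighted by adaptation rate times classifier learning rate s) are all assumptions of this example, since the slides give only the symbol definitions.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed event alphabet: one PDF bin per packet class (assumption).
EVENTS = ["tcp_syn", "tcp_ack", "tcp_other", "udp", "icmp_echo", "frag"]
WINDOW_SECONDS = 30  # PDF observation time window from slide 15

# Constructed reference model: expected p_i for normal traffic (sums to 1).
REFERENCE = {"tcp_syn": 0.10, "tcp_ack": 0.55, "tcp_other": 0.15,
             "udp": 0.12, "icmp_echo": 0.05, "frag": 0.03}

def split_windows(packets: List[Tuple[float, str]]) -> Dict[int, List[str]]:
    """Group (timestamp, event) records into consecutive 30 s windows."""
    windows: Dict[int, List[str]] = defaultdict(list)
    for ts, event in packets:
        windows[int(ts // WINDOW_SECONDS)].append(event)
    return dict(windows)

def binned_pdf(events: List[str]) -> Dict[str, float]:
    """Observed probability P_i' of each event E_i within one window."""
    counts, n = Counter(events), max(len(events), 1)
    return {e: counts.get(e, 0) / n for e in EVENTS}

def chi2_like(p_ref: Dict[str, float], p_obs: Dict[str, float], n: int,
              eps: float = 1e-6) -> float:
    """Chi-square-like distance f(N) * sum_i (P_i' - p_i)^2 / p_i with f(N) = N.
    The exact statistic PAID uses is not on the page; this is the classic form."""
    return n * sum((p_obs[e] - p_ref[e]) ** 2 / max(p_ref[e], eps) for e in EVENTS)

def score_windows(packets: List[Tuple[float, str]]) -> Dict[int, float]:
    """Anomaly score per window; large values mean the window's PDF departs from the reference."""
    return {w: chi2_like(REFERENCE, binned_pdf(ev), len(ev))
            for w, ev in split_windows(packets).items()}

def update_reference(p_old: Dict[str, float], p_obs: Dict[str, float],
                     alpha: float, s: float) -> Dict[str, float]:
    """p_new = (1 - alpha*s) * p_old + alpha*s * p_obs (assumed blending rule).
    alpha is the predefined adaptation rate, s the classifier-derived learning
    rate, so a window judged anomalous (s near 0) is not absorbed into the model."""
    w = alpha * s
    return {e: (1 - w) * p_old[e] + w * p_obs[e] for e in EVENTS}

# Constructed trace: window 0 looks normal, window 1 is SYN-dominated (Neptune-like).
NORMAL = [(i * 0.3, e) for i, e in enumerate(
    ["tcp_syn"] * 11 + ["tcp_ack"] * 54 + ["tcp_other"] * 15
    + ["udp"] * 12 + ["icmp_echo"] * 5 + ["frag"] * 3)]
FLOOD = [(30 + i * 0.3, e) for i, e in enumerate(
    ["tcp_syn"] * 80 + ["tcp_ack"] * 12 + ["tcp_other"] * 3
    + ["udp"] * 4 + ["icmp_echo"] * 1)]
SAMPLE_TRACE = NORMAL + FLOOD

if __name__ == "__main__":
    for w, score in sorted(score_windows(SAMPLE_TRACE).items()):
        print(f"window {w}: chi2-like score = {score:.2f}")
```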

10 HIDE/PAID: User Interface

11 Two-Dimensional Scatter Plots

12 Two-dimensional Scatter Plots

13 Sample Visualization (normal vs. attack traffic)

14 Data Description
DARPA'98 Intrusion Detection Evaluation Data Set:
–Seven weeks of training data.
–Two weeks of testing data (not used because the attack truth is not available).
–Categories of the simulated attacks: DOS, Probe, R2L, U2R.

15 System Configuration
Only non-stealthy DOS attacks are tested:
–Neptune (SYN flooding),
–Pod (Ping-of-Death),
–Smurf (ICMP flooding),
–Teardrop (Pathetic IP Fragmentation).
PDF Observation Time Window: 30s.
Classifier: Backpropagation with 4 hidden neurons.

16-32 Detection Results (one slide per DARPA'98 day)

Slide  Day      Samples  Attacks  True Pos.  True Neg.  False Pos.  False Neg.  Misclassified
16     y98w1d3     1970        2          2       1968           0           0              0
17     y98w3d4     2520      104        104       2416           0           0              0
18     y98w4d2     1769       15         14       1742          12           1             13
19     y98w4d3     1649        2          2       1647           0           0              0
20     y98w5d1      926       64         64        862           0           0              0
21     y98w5d2     2335        3          3       2332           0           0              0
22     y98w5d4      519      176        171        343           0           5              5
23     y98w5d5     2315      108        108       2207           0           0              0
24     y98w6d1     4911       11         11       4885          15           0             15
25     y98w6d2     2438        1          1       2437           0           0              0
26     y98w6d3     2504      107        107       2397           0           0              0
27     y98w6d4     1202      284        284        912           6           0              6
28     y98w6d5     1297       54         53       1242           1           0              1
29     y98w7d2     2438        1          1       2437           0           0              0
30     y98w7d3     1897        1          0       1895           1           1              2
31     y98w7d4     5154        4          4       5150           0           0              0
32     y98w7d5     1369      119        111       1250           0           8              8

33 Summary (1)
Total # of Samples             39015
Total # of Attacks              1060
Total # of Misclassifications     50
Total # of False Positives        35
Total # of False Negatives        15
Misclassification Rate        0.128%
False Positive Rate          0.0898%
False Negative Rate            1.42%

34 Summary (2)
Attack    # of Samples  # of False Negatives  False Negative Rate
Neptune            786                    13                1.65%
Pod                 24                     0                   0%
Smurf              266                     0                   0%
Teardrop             9                     2                22.2%
