Fusing Multiple Sensors to Detect Network Traffic Anomalies - A Control Theoretic Model
Mahsa Kiani, Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani
Faculty of Computer Science, UNB Fredericton

1. Introduction
Intrusion Detection Systems (IDSs), special-purpose devices for detecting network anomalies and attacks, generally follow one of two approaches: misuse detection and anomaly detection. In misuse detection the search for evidence of attacks is based on the signatures of known attacks. In anomaly detection, deviation from a model of normal behaviour is treated as an attack or anomaly. Both kinds of IDS have their own advantages and disadvantages. The advantages of misuse detection are good accuracy, a low false alarm rate and enough information about the type of detected attack for the system administrator. Its drawbacks are the difficulty of gathering the required information on known attacks and keeping it up to date as new vulnerabilities appear. The main advantage of anomaly detection over misuse detection is that it can detect attempts to exploit new and unforeseen vulnerabilities. However, this approach has a high false alarm rate.

2. Motivation
To combine the advantages of both misuse and anomaly detection, hybrid detection has been proposed. Currently two ways exist to combine IDSs: sequence based (figure 1) and parallel based (figure 2). Sequence based approaches might not provide full coverage of attack types because of the filtering of malicious (normal) traffic, and the sequential processing prolongs detection and makes real-time detection impossible. In contrast, parallel based hybrid IDSs provide wide coverage of intrusions and have the potential to detect previously unknown attacks. One of the biggest challenges for parallel based IDSs is how to make accurate inferences that minimize the number of false alarms and maximize the detection accuracy.

3. General Architecture of the Proposed Detection Framework
[Architecture diagram: Raw Packets -> Feature Analysis -> Features based on Flows -> Multi-Sensor based IDS (Sensor 1, Sensor 2, ..., Sensor m) -> Flows with Attacking Probabilities]

4. Formalized Model for Multi-Sensor IDS
In the following model, F(…) refers to features that may be based on flows, packets, host logs, firewall/alert events, traffic behaviour or biometrics. Detection sensors are denoted by S (S_1, S_2, S_3, …, S_m) and comprise m different detection algorithms for intrusion detection. TRW refers to the Trust-Reputation Weight matrix, which measures the credibility degree of decisions. In particular, TRW_{S_j f_i} is the trust-reputation weight for feature f_i in sensor S_j, and a second quantity denotes the attacking probability generated by feature f_i and detection sensor S_j. FACount is the number of false alerts obtained from historical alerting reports. Based on FACount, a penalty factor and a reward factor are used to adjust the values of RW_{f_i S_j} and RW_{S_j} so as to minimize FACount.

5. Experimental Results
The proposed multi-sensor IDS has been evaluated on the full 1999 DARPA intrusion detection dataset, using network flow data for each specific day. Fifteen features are used to describe the entire traffic behaviour on the network (Table I). Two detectors, one using the non-parametric Cumulative SUM algorithm and one using Expectation-Maximization based clustering, are considered, and the historical reputation matrix is set up from the detection rate (DR) and the false positive rate (FPR) of each detector over a long history. The ratio of DR to FPR is used to measure the performance of each detector. The average DR, FPR and DR/FPR ratio for each feature over 9 days for both detectors are given in Table II and Table III.
The results show that the hybrid system generates 105 correct alerts, fewer than the 161 correct alerts generated by the detector using EM based clustering. The number of false alerts reported by the hybrid system, however, is 189, far fewer than the 799 false alerts of the clustering based detector.

6. Conclusions
Although the number of correct alerts reported by the hybrid system is slightly smaller than the number reported by one of the individual detectors, the hybrid system reduces the false alerts considerably (to 24% of that detector's count: 189 versus 799). Future work consists of using more detectors, developing more evaluation metrics to judge the fusion performance and improving the system through dynamic programming.
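The trust-reputation fusion loop of sections 3 and 4, as an added example that is not the poster's code: TRW_{S_j f_i} is initialised from each detector's historical DR/FPR ratio, the sensors' per-feature attacking probabilities are fused, and analyst verdicts drive a FACount-based penalty/reward adjustment. The weighted-average fusion rule, the multiplicative penalty and reward factors and the feedback rule are assumptions, since the poster names these quantities but gives no formulas; the sensor names and numbers are constructed.

```python
"""Trust-reputation fusion of per-feature attack probabilities from several
detection sensors. Added example, not the poster's code: the weighted-average
fusion rule and the multiplicative penalty/reward update are assumptions."""
from dataclasses import dataclass


@dataclass
class TrustReputationFusion:
    # trw[sensor][feature] holds TRW_{S_j f_i}, the credibility of sensor S_j
    # on feature f_i; fa_count is FACount, the running number of false alerts.
    trw: dict
    penalty: float = 0.8   # assumed penalty factor applied after a false alert
    reward: float = 1.05   # assumed reward factor applied after a correct alert
    fa_count: int = 0

    @classmethod
    def from_history(cls, dr, fpr, **kw):
        # Initial weight of S_j on f_i is its historical DR/FPR ratio (Tables II/III);
        # a small floor keeps a detector with FPR == 0 from getting an infinite weight.
        trw = {s: {f: dr[s][f] / max(fpr[s][f], 1e-6) for f in dr[s]} for s in dr}
        return cls(trw=trw, **kw)

    def fuse(self, probs):
        # probs[sensor][feature] is the attacking probability a sensor assigned to
        # one flow; return the TRW-weighted average per feature (assumed rule).
        fused = {}
        for f in {f for s in probs for f in probs[s]}:
            num = sum(self.trw[s][f] * probs[s][f] for s in probs if f in probs[s])
            den = sum(self.trw[s][f] for s in probs if f in probs[s])
            fused[f] = num / den if den else 0.0
        return fused

    def feedback(self, probs, false_alert, threshold=0.5):
        # Analyst verdict on an alert: every sensor whose feature probability
        # crossed the threshold is penalised if the alert was false and rewarded
        # if it was correct, so repeat offenders lose influence and FACount falls.
        if false_alert:
            self.fa_count += 1
        factor = self.penalty if false_alert else self.reward
        for s in probs:
            for f, p in probs[s].items():
                if p >= threshold:
                    self.trw[s][f] *= factor


def raises_alert(fused, threshold=0.5):
    # A flow is flagged when any fused feature probability crosses the threshold.
    return any(p >= threshold for p in fused.values())
```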