Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS548 Spring 2015 Anomaly Detection Showcase Anomaly-based Network Intrusion Detection (A-NIDS) by Nitish Bahadur, Gulsher Kooner, Caitlin Kuhlman 1.

Published byElinor Day Modified over 9 years ago

Similar presentations

Presentation on theme: "CS548 Spring 2015 Anomaly Detection Showcase Anomaly-based Network Intrusion Detection (A-NIDS) by Nitish Bahadur, Gulsher Kooner, Caitlin Kuhlman 1."— Presentation transcript:

1 CS548 Spring 2015 Anomaly Detection Showcase Anomaly-based Network Intrusion Detection (A-NIDS) by Nitish Bahadur, Gulsher Kooner, Caitlin Kuhlman 1

2 1.PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management [Online]. Available: https://www.palantir.com/solutions/cyber/ https://www.palantir.com/solutions/cyber/ 2.Bhuyan, Monowar H., D. K. Bhattacharyya, and Jugal K. Kalita. "Network anomaly detection: methods, systems and tools." Communications Surveys & Tutorials, IEEE 16.1 (2014): 303-336. 3.Garcia-Teodoro, Pedro, et al. "Anomaly-based network intrusion detection: Techniques, systems and challenges." computers & security 28.1 (2009): 18-28. 4. Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119–131 5.Sommer, Robin, and Vern Paxson. "Outside the closed world: On using machine learning for network intrusion detection." Security and Privacy (SP), 2010 IEEE Symposium on. IEEE, 2010. 6.Dokas, Paul, et al. "Data mining for network intrusion detection." Proc. NSF Workshop on Next Generation Data Mining. 2002. 7.Minnesota INtrusion Detection System [Online]. Available: http://minds.cs.umn.edu/ http://minds.cs.umn.edu/ References 2

3  Problem - Why is Network Intrustion Detection important?  Relevance - How is it related to Anomaly Detection / Data Mining?  Description - What is Anomaly Based Network Intrustion Detection?  Hypothetical Solution - Case Study Overview 3

4  What is Network Intrustion Detection?  Why is Network Intrustion Detection important? Problem 4

5 Network Instrusion Detection System monitors network traffic and attempts to identify unusual or suspicious activity Passive system: alerts are reported to analyst for further investigation What is NIDS? 5

6 A conservative estimate would be $375 billion in losses in 2013, while the maximum could be as much as $575 billion Economic Impact http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdfhttp://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf (Page 2) https://media.licdn.com/mpr / 6

7 7

8 Types of computer attacks [2] Virus Worm Trojan Denial of service Network Attack Physical Attack Password Attack Information Gathering Attack User to Root (U2R) attack Remote to Local (R2L) attack Probe 8

9 How is IDS related to Anomaly Detection? Types of Intrusion Detection Misuse basedAnomaly basedHybrid Misue (signature) Based – given a database of known misuses you compare a intrusion detection pattern against this database Anomaly Based - estimate what is normal and raise an alarm when the event is an anomaly based on some metric. 9

10 …is a little vague [2] Network Intrusion Detection Systems “…anomaly-based intrusion detection in networks refers to the problem of finding exceptional patterns in network traffic that do not conform to the expected normal behavior.” [2] Systems have been developed since the 1980’s [4] Still a robust research area Many methods and tools available 10

11 Challenges with supervised methods Data distribution is very skewed – attacks represent a very small amount of network activity Training data is hard/impossible to obtain -network data often contains proprietary information, and is very labor intensive for an analyst to label. Unsupervised Anomaly Detection Doesn’t require training data Can detect previously unseen attacks Machine Learning for Intrusion Detection 11

12 Common Intrusion Detection Framework [2] 12

13 Types of features: Source and destination IP addresses, ports, packet headers, network traffic statistics Tools Tcpdump command line tool Snort open source IDS packet capture and signature matching Wireshark popular open source packet sniffer Data Collection 13

14 Features 14 Construction Time based statistics Ratio of data coming in and out of network Packet inspection

15 Density based clustering to detect outliers Minnesota INtrusion Detection System (MINDS) [6][6] 15

16 Anomaly score assigned to each instance based on degree of being an outlier - local outlier factor (LOF) Comparison of anomaly detection methods 16

17 Limitations of Anomaly Based NIDS High Cost of Errors Limit false positives with post processing Semantic Gap Better interpretation of results- find ways to distinguish “anomalies” from “attacks” Relate features to behaviors Diversity of Network Traffic Tailor system to environment Target certain types of attacks Difficulties with Evaluation Outdated benchmark datasets Need real publicly available network traffic ChallengesPossible Solutions 17

18 Solutions – Case Study DISCLAIMER: The software/solutions presented here is part of our research effort for Data Mining showcase. The presenters have no association with the corporation or institution developing or designing the software / solutions presented in this showcase. Please do your due diligence before using a solution. 18

19 PALANTIR CYBER 19 An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management Knowledge management Complex & adaptive Threats Against external and internal FUSING INTERNAL AND EXTERNAL CYBER DATA Structured network logs Contextual data Unstructured reporting and third party data

20 ANOMALY DETECTION 20 Clusterable, distributed data store Open source technologies Apache’s™ Hadoop Comb through data archives Detect anomalies by creating clusters Visualizations: risk scores, pie charts, and heat maps Drill down and investigate further

21 THE CYBER MESH 21 Shared set of cyber threats P2P sharing among enterprises Automatic censoring of sensitive data

22 THE PALANTIR SOLUTION 22 INSIDER THREAT DETECTION Identify suspicious or abnormal employee behavior IDENTITY ACCESS AND MANAGEMENT Access logs, Active Directory records, HR files, VPN activity

23 ANALYTICAL APPLICATIONS 23 NETWORK DASHBOARDS WEB-BASED IP REPUTATION ENGINE

24 PATTERN DETECTION AND WORKFLOW 24

25 Palantir – Uncovering Cyber Fraud 25

26 26 Thank You !!

27 Appendix – I – Statistical Network Anomaly Detection Methods 27

28 Appendix – 2 – Classification Network Anomaly Detection Methods 28

29 Appendix – 3 – Clustering & Outlier based Network Anomaly Detection Methods 29

30 Appendix – 4 – Soft Computing based Network Anomaly Detection Methods 30

31 Appendix – 5 – Knowledge based Network Anomaly Detection Methods 31

32 Appendix – 6 – Fusion based Network Anomaly Detection Methods 32

Download ppt "CS548 Spring 2015 Anomaly Detection Showcase Anomaly-based Network Intrusion Detection (A-NIDS) by Nitish Bahadur, Gulsher Kooner, Caitlin Kuhlman 1."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Application of Bayesian Network in Computer Networks Raza H. Abedi.

Application of Bayesian Network in Computer Networks Raza H. Abedi.
Data Mining and Intrusion Detection

Data Mining and Intrusion Detection
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.

Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
Report on statistical Intrusion Detection systems By Ganesh Godavari.

Report on statistical Intrusion Detection systems By Ganesh Godavari.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
seminar on Intrusion detection system

seminar on Intrusion detection system
Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Similar presentations

Ads by Google