Presentation is loading. Please wait.

Presentation is loading. Please wait.

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Published byJonathan Stokes Modified over 11 years ago

Similar presentations

Presentation on theme: "Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,"— Presentation transcript:

1 Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee, L. Unger, J. Wang and X. Lei

2 Topics 1.Intrusion detection 2.Attack taxonomy and loss evaluation 3.Decision rules 4.Data collection and data anlaysis 5.Challenges

3 Current ID Systems IDS is the mechanism of detecting inappropriate, incorrect, or anomalous activity. –Host-based IDS and network-based IDS –Misuse IDS and Anomaly IDS Figure 1. Typical Disparate Alert Analysis Module Deployment Internet Network Misuse ID Network Anomaly ID Firewall Host Misuse ID Host Anomaly ID Protected Intranet Alert Analysis Module Protected Host

4 Misuse ID Systems (SNORT) Advantages: –The potential for relatively low false alarm rates in comparison with anomaly alerts –Detailed contextual information makes preventive actions easier Disadvantages: –Misuse ID systems dont work for unknown attacks, its detection rate depends on the signature base –Not effective to resource abuse activities –The difficulty of keeping signature databases up to date –Environment dependent –False alarm rates remain high

5 Anomaly ID Systems (LERAD) Anomaly: by observing a deviation from normal behavior. Learning: The process to derive the behavior profiles or models to describe normality Advantages: –Can be effective for novel and unknown attacks Disadvantages: –High false positive –Currently must have clean data for training –Currently alert without any contextual information

6 Issues Unacceptably high false alarm and false negative alert rate –As an example (SNORT) False alarm rate (current protocol): 1-304/7988=96% Detection rate: 304/962=32% Lack of loss evaluation and sensible decision rules

7 Current Research Classify attacks and propose loss evaluation Modify MIT 1999 network design: –Insert more attacks (new types and increased frequency) –Simultaneously deploy 5 ID systems Generate new data Combine the information given from SNORT and LERAD, use Bayesian decision rule with classification tools (also use other IDS data) Use original TCP/IP packet data to find new detection rules

8 Current Research Because of large volume of traffic, ID system can not keep up with all the packets and currently ignores many. A multiple quieing system according to priority is needed. Decision rules which are not too sensitive to the loss are needed.

9 Further Challenges Identify hacking activities in a real network Small probability events causes unstable statistical procedures Online efficient detection

Download ppt "Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.

Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.
Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology

Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology
IDPS (Intrusion Detection & Prevention System )

IDPS (Intrusion Detection & Prevention System )
1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.
Anomaly Based Intrusion Detection System

Anomaly Based Intrusion Detection System
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz.

Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.

Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Similar presentations

Ads by Google