Presentation is loading. Please wait.

Presentation is loading. Please wait.

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao.

Published byDennis Casey Modified over 9 years ago

Similar presentations

Presentation on theme: "PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao."— Presentation transcript:

1

2 PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao

3 Reference  Damiano Bolzoni, Sandro Etalle and Pieter Hartel. Panacea: Automating Attack Classification for Anomaly-based Network Intrusion Detection Systems. RAID"09,2010

4 Outline  Introduction to Intrusion Detection  PANACEA:AUTOMATIC ATTACK CLASSIFICATION  Experiment  Summary

5 Intrusion Detection  Primary assumption: user and program activities can be monitored and modeled  An Intrusion Detection System is an important part of the Security Management system for computers and networks.

6 Approaches to IDS TechniqueMisuse(signature) BasedAnomaly Based Concept  Model well-known attacks  use these known patterns to identify intrusion.  Are trained using normal behavior of the system  Try to flag the deviation from normal pattern as intrusion Pros and Cons  Specific to attacks can not extend to unknown intrusion patterns ( False Negatives)  Usual changes due to traffic etc may lead higher number of false alarms

7 IT’S A HARD LIFE IN THE REAL WORLD FOR AN ANOMALY-BASED IDS…  Training sets are not “clean by default”  Threshed values must be manually set  Alerts must be manually classified lack of usability → nobody will deploy such an IDS

8 WHY ALERT CLASSIFICATION SHOULD BE AUTOMATED?  Use alert correlation/verification and attack trees techniques  so far, only available for signature-based IDSs  Automatic countermeasures activated based on attack classification/impact  block the source IP in case of a buffer overflow  Reduce the required user knowledge and workload less knowledge and workload → less $$$

9 PANACEA AUTOMATIC ATTACK CLASSIFICATION  Idea:  attacks in the same class share some common content  Goals:  effective 75% of correct classifications, with no human intervention  flexible allow both automatic and manual alert classification in training mode allow pre-and user-defined attack classes allow users to tweak the alert classification model

10 PANACEA

11 ALERT INFORMATION EXTRACTOR  Uses a Bloom filter to store occurrences of n-grams  data are sparse, few collisions  can handle N-grams (N >> 3)  Stores thousands of alerts, for “batch training”

12 ATTACK CLASSIFICATION ENGINE  Two different classification algorithms  non-incremental learning, more accurate than incremental ones  process 3000 alerts in less than 40s  Support Vector Machine (SVM)  black box, users have a few “tweak” points  RIPPER  generates human-readable rules

13 RIPPER  Examples of output RIPPER rules:  IF bf[i] = 1 AND... AND bf[k] = 1 THEN class = cross- site scripting  IF bf[l] = 1 AND... AND bf[n] = 1 THEN class = sql injection

14 AUTOMATIC MODE -DATASET A  3000+ Snort alerts  pre-defined alert classes (10)  alerts generated by Nessus and a proprietary VA tool  no manual classification  cross-folding validation

15 MANUAL MODE-DATASET B  1500+ Snort web alertsalerts generated by Nessus, Nikto and Milw0rm attacks  attacks are manually classified (WASC taxonomy)  cross-folding validation

16 MANUAL MODE -DATASET C  Training set: Dataset B  Testing set: 100 anomaly-based alerts  alerts have been captured in the wild by our POSEIDON (analyzes packet payloads) and Sphinx (analyzes web requests)

17 SUMMARY  SVM performs better than RIPPER on a class with few samples (~50)  RIPPER performs better than SVM on a class with a sufficient number of samples (~70)  SVM performs better than RIPPER on a class with a high intra-class diversity and when attack payloads have not been observed during training

Download ppt "PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Intrusion Detection/Prevention Systems Charles Poff Bearing Point.

Intrusion Detection/Prevention Systems Charles Poff Bearing Point.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Detecting suspicious behaviors. BBAC currently examines data streams of HTTP requests and TCP traffic within a distributed stream processing framework.

Detecting suspicious behaviors. BBAC currently examines data streams of HTTP requests and TCP traffic within a distributed stream processing framework.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
IDS In Depth Search: Ideas, Descriptions, and Solutions Presentation by Marshall Washburn November 30 th, 2010 CPSC 420/620 w/ Dr. Grossman.

IDS In Depth Search: Ideas, Descriptions, and Solutions Presentation by Marshall Washburn November 30 th, 2010 CPSC 420/620 w/ Dr. Grossman.
TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.

TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
By Damiano Bolzoni, Sandro Etalle, Pieter H. Hartel --James O’Reilly presenting.

By Damiano Bolzoni, Sandro Etalle, Pieter H. Hartel --James O’Reilly presenting.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,

Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar Aneela Laeeq
Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.

Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

Similar presentations

Ads by Google