Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila




Data Mining For Intrusion Detection Systems
Monique Wooten
Professor Robila
December 15, 2008

ABSTRACT

The paper discusses the use of data mining techniques applied to intrusion detection systems. The goal of these data mining based Intrusion Detection Systems is to discover patterns of program and user behavior, and to determine what set of events indicates an attack. The paper includes information on what intrusion detection and data mining are, the significance of data mining based IDS, and major data mining techniques that have been applied to preexisting intrusion detection systems.

Introduction

Several layers of security are necessary to reduce the potential for malicious attacks on a system. An Intrusion Detection System (IDS) is one of these layers of defense against malicious attacks. In an IDS a stream of data is inspected and rules are applied in order to determine whether some attack is taking place. Intrusion Detection Systems typically operate within a managed network between a firewall and internal network elements. The idea of Intrusion Detection Systems has been around since the 1980s, beginning with James P. Anderson's study on ways to improve computer security auditing and surveillance at customer sites [7]. The IDS field has made significant advancements over the years, and today there are a number of security options available. Even though there are a large number of security measures available, there are still many instances in which malicious users succeed in attacking systems. These attacks can sometimes result in loss of crucial data. In some cases this is due to errors in configuring security systems, and to insider attacks, which operate behind the security perimeter. Security policies that aren't structured sufficiently can make a system more susceptible to insider attacks.

Intrusion Detection Systems

An Intrusion Detection System (IDS) is software that detects unwanted behavior. There are different types of intrusion detection systems: Network Intrusion Detection (NIDS), Host-based Intrusion Detection (HIDS), Hybrid Intrusion Detection, and Network Node Intrusion Detection (NNID) [8]. A NIDS analyzes packets flowing through the system; a HIDS runs on a host and monitors activity on that host. These intrusion detection systems search for abnormal activity of two kinds: misuse and anomalies. Misuse detection involves sorting through data, examining sequences of calls and comparing them to a list of signatures for known attacks. Anomaly detection looks at the state of the network, making sure it matches a predefined normal state.

Advancements in IDS

The earliest IDSs were developed with string matching rules looking for command sequences used by known attacks. These string-matching approaches have limited use and are easy to foil. Other attacks focus on communication protocols (TCP/IP, for example) and seek to exploit vulnerabilities in specific protocol implementations. These more sophisticated attacks are dynamic in nature. Some current IDSs (Grids, STAT, etc.) that are based upon dynamic. [7] The rapid increase in network bandwidth from megabits to gigabits per second is making it progressively more difficult to carry out analysis for detecting network attacks in a timely and accurate manner [7].

Studies using Data Mining based IDS

Applying Data Mining to Snort

This section will discuss instances in which data mining techniques have been applied to a well known Intrusion Detection System, Snort.

What is Snort?

Snort is a popular open source IDS created by Martin Roesch. It monitors network traffic, and uses content searching and matching to detect denial of service and buffer overflow attacks, as well as other attacks. The main difference between Snort and commercial IDS is that Snort does not come with customer support to help you out; you have to teach yourself how to install, configure and maintain your IDS. Some researchers have used Snort to apply data mining IDS techniques. It was stated in [1] that Snort is known for triggering a large number of false alerts, and that when it gives a warning about an attack it doesn't state what kind of attack it is.

Clustering Approach used on Snort Alerts [1]

The paper [1] presented a clustering approach for handling Snort alerts more effectively. One of the problems with using Snort is the fact that a large percentage of the alerts generated were false positives. It was believed that the cause of this problem was the way in which the packets were being analyzed. It was suggested that instead of looking at each individual packet, all the alerts should be assembled into an XML document which would allow for analysis of patterns of alerts. All the alerts in a session are placed in an Intrusion Detection Message Exchange Format (IDMEF) document, an XML format. This XML file represents patterns of alerts that may be used to identify an attack. The information in multiple files is then made into clusters using a distance measure. The following is the example given of an IDMEF file:

    <?xml version="1.0"?>
    <IDMEF-Message version="1.0">
      <Alert ident="12773">
        <Analyzer analyzerid="snort00" model="snort"></Analyzer>
        <CreateTime ntpstamp="0xb9225b23.0x9113836a">1998-06-05T11:55:15Z</CreateTime>
        <Source></Source>
        <Target></Target>
        <Classification origin="vendor-specific">
          <name>msg=ICMP PING</name>
          <url>none</url>
        </Classification>
        <Classification origin="vendor-specific">
          <name>sid=384</name>
          <url>http://www.snort.org/snortdb/sid.html?sid=384</url>
        </Classification>
        <Classification origin="vendor-specific">
          <name>class=misc-activity</name>
          <url>none</url>
        </Classification>
        <Classification origin="vendor-specific">
          <name>priority=3</name>
          <url>none</url>
        </Classification>
        <Assessment>
          <Impact severity="high" />
        </Assessment>
        <AdditionalData meaning="sig_rev" type="string">5</AdditionalData>
        <AdditionalData meaning="packet Payload" type="string">2a2a20202020202020202000aaea020097a4020075da</AdditionalData>
      </Alert>
    </IDMEF-Message>

Implementation

After reading multiple articles in which the researcher was able to use an existing intrusion detection system and data mining methods to evaluate the efficiency of data mining techniques used with IDS, I decided to attempt implementation. The goal was not to create a data mining based intrusion detection system, but to run intrusion data sets in data mining software, observe how the data mining software correctly or incorrectly classified the data, and then evaluate the efficiency of the results. Implementation was attempted with two data sets, KDD and DARPA, and two data mining software packages, WEKA and CART. WEKA was chosen because it's an open-source data mining software

that was used in the [6] research experiment. CART was chosen because its speed and clarity of results are greater than those of WEKA.

Preprocessing the data

The data had already been preprocessed, but the original file formats were incompatible with the software being used. Since CART appeared to be a more powerful data mining tool than WEKA, implementation began by attempting to load DARPA's tcpdump data set into the CART software. It was immediately realized that it would not be possible to use DARPA's data set for this experiment: the data appeared in the form of a table of two unlabeled columns with various symbols. Initially it was not possible to use WEKA with the data sets because the amount of memory it required was too large, so it was necessary to increase the Java heap size for WEKA. Once this was accomplished, I attempted to run the KDD data set in WEKA, but the software never completed loading the data. This problem was most likely caused by the limited capability of the computer system that the experiments were being performed on. Next, I attempted to load the KDD data into CART. The data successfully loaded, but the labels for the data did not appear. Attempts to edit the data file included the use of Excel, Notepad, and Microsoft Word. Excel was able to open an editable view of the data, but less than 10% was able to load since the file sizes of the data sets were so large. Limited memory was the main problem, so I downloaded TextPad, a text editor whose memory has no upper bound.

Results of Experiment

The goal of running tests on the intrusion detection data sets was not attained. After successfully preprocessing some of the KDD data sets, the CART software experienced an error, and I have not been able to get the CART software running again. Attempts to find other open-source or trial versions of data mining software with CART's capabilities have been successful. Qt Orange Canvas is slower, but appears to have more capabilities than CART. There are still some bugs to be worked out. For example, I was able to run tests, but not able to choose the target. Without identifying the target attribute, testing is pointless.
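The alert-clustering idea from [1] described in the Snort section above, worked through as an added example (this is not code from the paper or from [1]): each session's IDMEF alerts are reduced to the set of Snort signature ids they name, and sessions whose patterns lie close together are grouped. [1] does not say which distance it used; the Jaccard distance and the greedy threshold clustering are assumptions made here, and all sid values other than 384 are placeholders.

```python
import xml.etree.ElementTree as ET

def idmef(*sids):
    """Build a constructed IDMEF-Message with one Alert per Snort signature id,
    using the same vendor-specific Classification layout as the page's example."""
    alerts = "".join(
        f'<Alert ident="{i}"><Classification origin="vendor-specific">'
        f"<name>sid={sid}</name><url>none</url></Classification></Alert>"
        for i, sid in enumerate(sids, 1))
    return f'<?xml version="1.0"?><IDMEF-Message version="1.0">{alerts}</IDMEF-Message>'

def signature_ids(xml_text):
    """Return the set of Snort sids named in a message's Classification elements."""
    root = ET.fromstring(xml_text)
    return {int(n.text[4:]) for n in root.iter("name")
            if n.text and n.text.startswith("sid=")}

def jaccard_distance(a, b):
    """Distance between two alert patterns: 0 when identical, 1 when disjoint (assumed measure)."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)

def cluster_sessions(sessions, threshold=0.5):
    """Greedy clustering: a session joins the first cluster whose representative
    pattern lies within `threshold`; otherwise it starts a new cluster.
    Returns the session ids of each cluster, in order of creation."""
    clusters = []  # list of (representative sid set, [session ids])
    for session_id, xml_text in sessions.items():
        sids = signature_ids(xml_text)
        for representative, members in clusters:
            if jaccard_distance(representative, sids) <= threshold:
                members.append(session_id)
                break
        else:
            clusters.append((sids, [session_id]))
    return [members for _, members in clusters]

# Constructed sessions: sid 384 is the "ICMP PING" id from the page's example;
# the other sid values are placeholders chosen for this example.
SESSIONS = {
    "session-a": idmef(384, 408),
    "session-b": idmef(384, 408, 469),  # near-duplicate of session-a
    "session-c": idmef(9001, 9002),     # unrelated pattern
}

if __name__ == "__main__":
    print(cluster_sessions(SESSIONS))  # [['session-a', 'session-b'], ['session-c']]
```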
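The preprocessing problem described above (KDD records loaded without their labels, so no target attribute could be chosen) is what an explicit format conversion avoids. As an added example that is not the author's code, this converts KDD Cup 99 style records into WEKA's ARFF format with the attack label declared as the last, nominal attribute; only six of the 41 KDD features and a handful of constructed records are used.

```python
# The names below are the first six of the 41 KDD Cup 99 features (a subset).
FEATURES = [
    ("duration", "numeric"), ("protocol_type", "nominal"), ("service", "nominal"),
    ("flag", "nominal"), ("src_bytes", "numeric"), ("dst_bytes", "numeric"),
]

# Constructed sample records in the KDD layout: comma-separated values, attack
# label last, each line terminated by a trailing dot.
KDD_SAMPLE = """\
0,tcp,http,SF,181,5450,normal.
0,tcp,http,SF,239,486,normal.
0,icmp,ecr_i,SF,1032,0,smurf.
0,tcp,private,S0,0,0,neptune.
"""

def parse_kdd(text):
    """Split KDD lines into (feature values, label); the label loses its trailing dot.
    Lines with the wrong field count are rejected rather than silently mislabelled."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split(",")
        if len(fields) != len(FEATURES) + 1:
            raise ValueError(f"expected {len(FEATURES) + 1} fields: {line!r}")
        rows.append((fields[:-1], fields[-1].rstrip(".")))
    return rows

def to_arff(rows, relation="kdd_subset"):
    """Emit ARFF text. Nominal attributes enumerate the values actually seen, and
    the label becomes a nominal 'class' attribute placed last, which WEKA treats
    as the default target."""
    lines = [f"@relation {relation}", ""]
    for i, (name, kind) in enumerate(FEATURES):
        if kind == "nominal":
            seen = ",".join(sorted({feats[i] for feats, _ in rows}))
            lines.append(f"@attribute {name} {{{seen}}}")
        else:
            lines.append(f"@attribute {name} numeric")
    labels = ",".join(sorted({label for _, label in rows}))
    lines.append(f"@attribute class {{{labels}}}")
    lines += ["", "@data"]
    lines += [",".join(feats + [label]) for feats, label in rows]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_arff(parse_kdd(KDD_SAMPLE)))
```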


Conclusion

Due to a series of complications I was unable to draw a conclusion based on my own experiments. However, conclusions have been drawn from others' experiments. Data mining can be implemented as an added portion of a preexisting IDS. When implemented properly, data mining can improve the classification process, resulting in a lowered number of false positive alerts [2]. Data mining allows the IDS to analyze a sequence of events as opposed to one event at a time. Data mining will continue to be researched and applied, and more beneficial results will come from the implementation of data mining based intrusion detection systems.

References

[1] Distinguishing False From True Alerts in Snort by Data Mining Patterns of Alerts, 2006, Florida State University. <http://ww2.cs.fsu.edu/~jidolong/publications/finalspie.pdf>
[2] A Data Mining Framework for Building Intrusion Detection Models. <http://www.google.com/url?sa=u&start=2&q=http://www.snort.org/docs/ieee_sp99_lee.ps&ei=lidgszlkgzh2eeamopei&usg=afqjcne33fo2hbx3zqbpxhoallb6i1rc3w>
[3] Data Mining for Network Intrusion Detection. <http://www.google.com/url?sa=u&start=10&q=http://wwwusers.cs.umn.edu/~kumar/presentation/minds.ppt&ei=lidgszlkgzh2eeamopei&usg=afqjcnhcC7pN_u6hTV4huXWchFFAxFW3Zw>
[4] Data Mining Approaches for Intrusion Detection. <http://www1.cs.columbia.edu/~sal/hpapers/usenix/usenix.html>
[5] Data Mining-based Intrusion Detectors: An Overview of the Columbia IDS Project, 2001.
[6] Application of Data Mining to Network Intrusion Detection: Classifier Selection Model. <http://www.google.com/url?sa=u&start=3&q=http://www.apnoms.org/2008/data/papers/technical/10-3.pdf&ei=zblgsyp0f5taeul0jnii&usg=afqjcnh97r5i3n_ghsox2s8aguaokuyepw>
[7] The History and Evolution of Intrusion Detection. <http://www.sans.org/reading_room/whitepapers/detection/344.php>
[8] The Evolution of Intrusion Detection Systems. <http://www.securityfocus.com/infocus/1514>