Intrusion Detection: Game Theory, Stochastic Processes and Data Mining




Joseph Spring, 7COM1028 Secure Systems Programming (slide 1)

Discussion Points (slide 2)
- Introduction
- Firewalls
- Intrusion Detection Schemes
- Models: Stochastic Profiling (Anomaly Detection); Rule Based (Anomaly Detection & Expert Systems)
- SNORT and BRO
- Game Theory
- Stochastic Processes
- Data Mining

Introduction (slide 3)
Defence: we have discussed the role of firewalls and cryptography (in the form of VPNs) employed as cybersecurity defence tools at the perimeter of the systems that we seek to defend.
Detection: we have also discussed the role and nature of intrusion detection schemes employed as cybersecurity tools for the detection of penetrations into the systems that we seek to protect.

Introduction: Detection (slide 4)
In particular we have considered:
- A taxonomy of attackers
- Audit records
- Stochastic profiling (anomaly detection)
- Rule based (anomaly detection & expert systems)
- Examples include, and are by no means limited to:
  SNORT: https://www.snort.org/ and http://en.wikipedia.org/wiki/snort_(software)
  BRO: https://www.bro.org/
- Gauges and metrics

Introduction: Papers (slide 5)
During the last three weeks we have been reading a selection of recent intrusion detection papers. We consider three areas from the perspectives of:
- Game theory: game theoretic models for detecting network intrusions
- Stochastic processes: first order versus higher order stochastic models for computer intrusion detection
- Data mining: network intrusion detection using data mining and network behaviour analysis

Introduction (slide 6)
Areas considered for each model:
1. Understand the problem
2. What are the assumptions?
3. What is the model?
4. What is the solution?
5. Is the solution fit for purpose?

Introduction: Game Theory (slide 7)
Game theory has been successfully applied to many areas (economics, political science, control, computer science, quantum information) and is seen as an appropriate mathematical framework for the analysis, modelling, decision and control of information security and intrusion detection. For intrusion detection we model attackers and intrusion detection systems as players in a non-cooperative game.

Game Theory Model: The Problem (slide 8)
Intrusion detection systems are required as a second line of defense, in order to detect intrusions and generate an appropriate response. Detection is typically carried out by monitoring and analyzing network traffic data for unusual activity.
- Approach 1: analyze all of the data. Costly in terms of time, energy and resources (memory, CPU).
- Approach 2: analyze a portion of the traffic (sampling). Less costly, but can miss potential intrusions due to the sampling methodology, smart intruders, or cooperative intruders building an intrusion from multiple independent fragments.

Game Theory Model: The Problem (slide 9)
Problem: to find a strategy that enhances the probability of detecting intruders whilst using a sampling approach.

Game Theory Model: Assumptions (slide 10)
For intrusion detection we can model attackers and intrusion detection systems as players in a non-cooperative game.

Game Theory Model: Model 1 (slide 11)
Smart intruder, with the ability:
- to divide an intrusion into different fragments to attack a particular node
- to select the routing paths used to inject the fragments, in an attempt to decrease the chance of being detected
IDS objective:
- to sample according to the sampling budget
- to collect at least m out of n fragments, where n denotes the total number of fragments and m the minimum number of fragments for successful detection

Game Theory Model: Model 2 (slide 12)
Group of cooperative intruders, with the ability to send a series of fragments from different sources using different routes.
IDS objective:
- to divide the sampling budget over the intruders
- to sample for each one according to the new budget
- to collect and analyze all fragments (required in order to detect an intrusion)

Game Theory Model (slide 13)
1. The intention of the game theoretic model is to guide the IDS toward an optimal sampling strategy in order to detect malicious packets.
2. The strategy of the attacker is to evaluate the probability of choosing each path upon which to send its malicious packet.
3. The optimal strategy for the IDS is therefore to assign sampling rates to each link, maximizing the probability of detection without exceeding the total sampling budget.
We consider Model 1.

Game Theory Model 1 (slide 14)
- Setting up the problem: network model and assumptions
- Introducing the games: game objectives and constraints; strategies for the two players
- Game formulation: single intruder with multiple packets
- Solution
- Evaluation: numerical simulations
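The following is an added worked example of the Model 1 sampling game from slides 11 and 13; it is not code from the slides or from the paper they summarise. It assumes a constructed three-path toy topology, that a fragment is detected if it is sampled on at least one link of its path (independent per-link sampling rates), that the smart intruder routes all n fragments along the single path that minimises the IDS's chance of collecting m of them, and that the IDS picks per-link rates within a total sampling budget by a simple max-min grid search. The paper's own solution method is not reproduced; only the m-of-n objective and the budget constraint come from the slides.

```python
from itertools import product
from math import comb

# Constructed toy topology (an assumption for this example): the intruder can
# reach the target node over three routing paths, each a tuple of link ids.
# Link l1 is shared by paths A and B, so sampling it helps against both.
PATHS = {
    "A": ("l1", "l2"),
    "B": ("l1", "l3"),
    "C": ("l4",),
}
LINKS = sorted({link for path in PATHS.values() for link in path})


def fragment_detection_prob(path, rates):
    """Probability that one fragment sent along `path` is sampled on at least
    one of its links, given per-link sampling rates (assumed independent)."""
    miss = 1.0
    for link in path:
        miss *= 1.0 - rates.get(link, 0.0)
    return 1.0 - miss


def intrusion_detection_prob(q, n, m):
    """Probability that the IDS collects at least m of the n fragments when
    each fragment is sampled independently with probability q (binomial tail).
    This is the slide's 'm out of n fragments' success criterion."""
    return sum(comb(n, k) * q ** k * (1.0 - q) ** (n - k) for k in range(m, n + 1))


def intruder_best_response(rates, n, m):
    """Smart intruder (pure strategy, an assumption here): choose the path on
    which the IDS is least likely to collect m of the n fragments."""
    return min(
        PATHS,
        key=lambda name: intrusion_detection_prob(
            fragment_detection_prob(PATHS[name], rates), n, m),
    )


def worst_case_detection(rates, n, m):
    """Detection probability the IDS is guaranteed against a best-responding intruder."""
    path = PATHS[intruder_best_response(rates, n, m)]
    return intrusion_detection_prob(fragment_detection_prob(path, rates), n, m)


def ids_optimal_sampling(budget, n, m, step=0.1):
    """IDS: grid-search per-link sampling rates whose sum stays within the
    budget, maximising the worst-case detection probability (a max-min
    allocation; the paper's analytical solution is not reproduced)."""
    levels = [round(i * step, 10) for i in range(int(round(1.0 / step)) + 1)]
    best_rates, best_value = None, -1.0
    for combo in product(levels, repeat=len(LINKS)):
        if sum(combo) > budget + 1e-9:
            continue  # allocation exceeds the total sampling budget
        rates = dict(zip(LINKS, combo))
        value = worst_case_detection(rates, n, m)
        if value > best_value + 1e-12:
            best_rates, best_value = rates, value
    return best_rates, best_value


if __name__ == "__main__":
    # Constructed parameters: total sampling budget 1.0, 4 fragments, 2 needed.
    rates, value = ids_optimal_sampling(budget=1.0, n=4, m=2)
    print("optimal link sampling rates:", rates)
    print("worst-case P(collect >= 2 of 4 fragments):", round(value, 4))
    print("intruder's best response path:", intruder_best_response(rates, 4, 2))
```

On this topology the search puts the whole budget on the shared link l1 and the isolated link l4, because spending on l2 or l3 only covers one path each; the intruder is then indifferent between paths, which is the equalising property one expects at the equilibrium of a sampling game.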

Stochastic Processes (slide 15)
For this approach we have discussed:
- profile based anomaly detection methods
- rule based anomaly detection methods
Discuss each of these approaches under the following headings:
- What is the problem?
- What are the assumptions?
- What are the models?
- What are the solutions?
- Are the solutions fit for purpose?

Data Mining, NBA and IDS (slide 16)
Data mining techniques:
- Feature selection
- Data analysis
- Classification analysis
- Clustering analysis
- Association and correlation analysis
- Stream data analysis
- Distributed data mining
- Visualisation and querying tools
Network Behaviour Analysis

Summary (slide 17)
- Introduction
- Firewalls
- Intrusion Detection Schemes
- Models: SNORT and BRO; Stochastic Profiling (Anomaly Detection); Rule Based (Anomaly Detection & Expert Systems)
- Game Theory
- Stochastic Processes
- Data Mining
