CSC574 - Computer and Network Security Module: Intrusion Detection

Similar documents
CS Computer and Network Security: Intrusion Detection

CSCE 465 Computer & Network Security

The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection

Role of Anomaly IDS in Network

Web Application Security

Observation and Findings

SURVEY OF INTRUSION DETECTION SYSTEM

IDS / IPS. James E. Thiel S.W.A.T.

Detecting Anomaly IDS in Network using Bayesian Network

Performance Evaluation of Intrusion Detection Systems

Intrusion Detection for Mobile Ad Hoc Networks

CHAPTER 1 INTRODUCTION

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Anomaly-based Intrusion Detection in Software as a Service

STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

How To Protect A Network From Attack From A Hacker (Hbss)

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

How To Prevent Network Attacks

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection?

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Prediction of DDoS Attack Scheme

Using Static Code Analysis Tools for Detection of Security Vulnerabilities

Network Intrusion Detection Systems

CS52600: Information Security

Mahalanobis Distance Map Approach for Anomaly Detection

Performance Measures for Machine Learning

Radware s Behavioral Server Cracking Protection

Spam Detection in Voice-over-IP Calls through Semi-Supervised Clustering

Web Forensic Evidence of SQL Injection Analysis

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

Intrusion Detection Systems

Transparent Monitoring of a Process Self in a Virtual Environment

Knowledge Discovery and Data Mining

Measuring Intrusion Detection Capability: An Information-Theoretic Approach

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

A Survey on Intrusion Detection System with Data Mining Techniques

INTRUSION DETECTION SYSTEMS and Network Security

Application of Data Mining Techniques in Intrusion Detection

Intrusion Detection Systems

Intrusion Detection Systems

Application Intrusion Detection

CSC574 - Computer and Network Security Module: Introduction

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

An analysis of suitable parameters for efficiently applying K-means clustering to large TCPdump data set using Hadoop framework

Intrusion Detection for Grid and Cloud Computing

Evaluation & Validation: Credibility: Evaluating what has been learned

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002

Center of Academic Excellence Cyber Operations Program 2013 Application

Intrusion Detection via Machine Learning for SCADA System Protection

Network Based Intrusion Detection Using Honey pot Deception

Development of a Network Intrusion Detection System

Intrusion Detection Systems

THE ROLE OF IDS & ADS IN NETWORK SECURITY

Leak Detection Theory: Optimizing Performance with MLOG

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

System Specification. Author: CMU Team

CSE543 - Introduction to Computer and Network Security. Module: Final review

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

A Secure Online Reputation Defense System from Unfair Ratings using Anomaly Detections

Performance Evaluation of Intrusion Detection Systems using ANN

Intrusion Detection in AlienVault

Detecting Flooding Attacks Using Power Divergence

A Quantitative Approach to Security Monitor Deployment

Application of Data Mining based Malicious Code Detection Techniques for Detecting new Spyware

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Firewalls, Tunnels, and Network Intrusion Detection

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

Closing Wireless Loopholes for PCI Compliance and Security

Modeling System Calls for Intrusion Detection with Dynamic Window Sizes

Banking Security using Honeypot

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Software Vulnerability Assessment

Complete Protection against Evolving DDoS Threats

CNT Computer and Network Security Review/Wrapup

Passive Vulnerability Detection

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

Transcription:

CSC574 - Computer and Network Security Module: Intrusion Detection Prof. William Enck Spring 2013 1

Intrusion An authorized action... that exploits a vulnerability... that causes a compromise... and thus a successful attack. Authentication and Access Control Are No Help! 2

Example Intrusions Network Malformed (and unauthenticated) packet Let through the firewall Reaches the network-facing daemon Can we detect intrusions from packet contents? Host Input to daemon Triggers a vulnerability (buffer overflow) Injects attacker code Performs malicious action Can we detect intrusions from process behavior? 3

Intrusion Detection (def. by Forrest) An IDS system find anomalies The IDS approach to security is based on the assumption that a system will not be secure, but that violations of security policy (intrusions) can be detected by monitoring and analyzing system behavior. [Forrest 98] However you to it, it requires Training the IDS (training) Looking for anomalies (detection) This is active area of computer security, that has led to lots of new tools, applications, and an entire industry 4

Intrusion Detection Systems IDS s claim to detect adversary when they are in the act of attack Monitor operation Trigger mitigation technique on detection Monitor: Network or Host (Application) events A tool that discovers intrusions after the fact are called forensic analysis tools E.g., from system logfiles IDS s really refer to two kinds of detection technologies Anomaly Detection Misuse Detection 5

Anomaly Detection Compares profile of normal systems operation to monitored state Hypothesis: any attack causes enough deviation from profile (generally true?) Q: How do you derive normal operation? AI: learn operational behavior from training data Expert: construct profile from domain knowledge Black-box analysis (vs. white or grey?) Q: Is normal the same for all environments? Pitfall: false learning 6

Misuse Detection Profile signatures of known attacks Monitor operational state for signature Hypothesis: attacks of the same kind has enough similarity to distinguish from normal behavior This is largely pattern matching Q: Where do these signatures come from? Record: recorded progression of known attacks Expert: domain knowledge AI: Learn by negative and positive feedback 7

The confusion matrix! What constitutes a intrusion/anomaly is really just a matter of definition!a system can exhibit all sorts of behavior Legal Normal Abnormal Reality T F Detection Result T F True False Positive Negative False True Positive Negative! Quality determined by consistency with a given definition!context sensitive 8

Sequences of System Calls Forrest et al. in early-mid 90s, attempt to understand the characteristics of an intrusion Event Steam OPEN READ WRITE MMAP CLOSE System Profile READ WRITE MMAP Idea: match sequence of system calls with profiles n-grams of system call sequences (learned) Match sliding windows of sequences Record the number of mismatches Use n-grams of length 5, 6, 11. If found, then it is normal (w.r.t. learned sequences) 9

Evaluating Forrest et al. The qualitative measure of detection is the departure of the trace from the database of n-grams They measure how far a particular n-gram i departs by computing the minimum Hamming distance of the sample from the database (really pairwise mismatches) d min (i) = min( d(i,j) for all normal j in n-gram database) this is called the anomaly signal. Result: on lpr, sendmail, etc. About.05-.07% false pos. rates And signal of anomaly, [S A = max{ dmin(i) for all i}] / k =~.04 Is this good? 10

"gedanken experiment Assume a very good anomaly detector (99%) And a pretty constant attack rate, where you can observe 1 out of 10000 events are malicious Are you going to detect the adversary well? 11

Bayes Rule Pr(x) function, probability of event x Pr(sunny) =.8 (80% of sunny day) Pr(x y), probability of x given y Conditional probability Pr(cavity toothache) =.6 60% chance of cavity given you have a toothache Bayes Rule (of conditional probability) Pr(B A) = Pr(A B) Pr(B) Pr(A) Now: Pr(cavity) =.5, Pr(toothache) =.1 12

The Base-Rate Bayesian Fallacy Setup Pr(I) is attack (intrusion) probability, 1/10,000 Pr(I) =0.0001 Pr(A) is probability of an alarm, unknown Pr(A I) is 99% accurate (higher than most techniques) Pr(A I) =0.99, Pr(!A I) =0.01, Pr(A!I) =0.01, Pr(!A!I) =0.99 Deriving Pr(A) Pr(A) =Pr(A I) Pr(I)+Pr(A!I) Pr(!I) Pr(A) =(0.99)(0.0001) + (0.01)(0.9999) = 0.010098 Now, what s Pr(I A)? 13

The Base-Rate Fallacy (cont.) Now plug it in to Bayes Rule Pr(I A) = Pr(A I) Pr(I) Pr(A) = 0.99 0.0001 0.010098 =0.0098 So, a 99% accurate detector leads to 1% accurate detection. With 99 false alarms per true alarm This is a central problem with ID Suppression of false alarms real issue Open question, makes some systems unusable 14

Where is Anomaly Detection Useful? System Intrusion Density P(I) Detector Alarm Pr(A) Detector Accuracy Pr(A I) True Alarm P(I A) A 0.1 0.65 B 0.001 0.99 C 0.1 0.99 D 0.00001 0.99999 Pr(B A) = Pr(A B) Pr(B) Pr(A) 15

Where is Anomaly Detection Useful? System Intrusion Density P(I) Detector Alarm Pr(A) Detector Accuracy Pr(A I) True Alarm P(I A) A 0.1 0.38 0.65 0.171 B 0.001 0.01098 0.99 0.090164 C 0.1 0.108 0.99 0.911667 D 0.00001 0.00002 0.99999 0.5 Pr(B A) = Pr(A B) Pr(B) Pr(A) 16

The ROC curve Receiver Operating Characteristic (ROC) Curve that shows that detection/false positive ratio (for a binary classifier system as its discrimination threshold is varied) Ideal Axelsson talks about the real problem with some authority and shows how this is not unique to CS Medical, criminology (think super-bowl), financial 17

Example ROC Curve You are told to design an intrusion detection algorithm that identifies vulnerabilities by solely looking at transaction length, i.e., the algorithm uses a packet length threshold T that determines when a packet is marked as an attack. More formally, the algorithm is defined: where k is the packet length of a suspect packet in bytes, T is the length threshold, and (0,1) indicate that packet should or should not be marked as an attack, respectively. You are given the following data to use to design the algorithm. attack packet lengths: 1, 1, 2, 3, 5, 8 non-attack packet lengths: 2, 2, 4, 6, 6, 7, 8, 9 Draw the ROC curve. D(k,T) [0, 1] 18

Solution attack packet lengths: 1, 1, 2, 3, 5, 8 non-attack packet lengths: 2, 2, 4, 6, 6, 7, 8, 9 1 0.8 TP%=TPR = FP%=FPR = TP TP + FN FP FP + TN True Positive Rate 0.6 0.4 0.2 0 0 0.2 0.4 0.6 0.8 1 False Positive Rate T 0 1 2 3 4 5 6 7 8 9 TP 0 2 3 4 4 5 5 5 6 6 TP% 0.00 33.33 50.00 66.67 66.67 83.33 83.33 83.33 100.00 100.00 FP 0 0 2 2 3 3 5 6 7 8 FP% 0.00 0.00 25.00 25.00 37.50 37.50 62.50 75.00 87.50 100.00 19

The reality Intrusion detections systems are good at catching demonstrably bad behavior (and some subtle) Alarms are the problem How do you suppress them? and not suppress the true positives? This is a limitation of probabilistic pattern matching, and nothing to do with bad science Beware: the fact that an IDS is not alarming does not mean the network is safe All too often: used as a tool to demonstrate all safe, but is not really appropriate for that. 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information