Page 1: Machine Learning in Intrusion Detection Systems (IDS)
Page 2: Two papers
- Artificial Intelligence & Intrusion Detection: Current & Future Directions [AIID], J. Frank
- Applying Genetic Programming to Intrusion Detection [GP], M. Crosbie and G. Spafford
Page 3: AIID
What is intrusion detection? What are the issues in intrusion detection?
- Data collection
- Data reduction
- Behavior classification
- Reporting
- Response
Page 4: AIID
AI methods are used to help solve some of these issues. For data classification:
- Classifier systems
  - Neural network
  - Decision tree
  - Feature selection
Page 5: AIID
Data reduction:
- Data filtering
- Feature selection
- Data clustering
Page 6: AIID
Behavior classification:
- Expert systems
- Anomaly detection
- Rule-based induction
Page 7: AIID
An experiment using feature selection: the data are records of network connections collected with a Network Security Monitor.
Page 8: AIID
Three search algorithms were used to select feature subsets:
- Backward Sequential Search (BSS)
- Beam Search (BS)
- Random Generation plus Sequential Selection (RGSS; abbreviated RS on some of the following slides)
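The following is an added example, not code from Frank's paper or from these slides. It implements two of the three subset searches named above, backward sequential search and a backward beam search, scored by the leave-one-out error of a decision-table classifier (the held-out record takes the majority label of the training records with the same projected feature vector). The ten connection records, the feature names (short_gap, many_conns, dst_priv, conn_id) and the decision-table classifier are assumptions; they stand in for the NSM connection data and the classifier behind the error-rate plots on the following slides. The point the example makes is the one the plots make: the noise feature conn_id fragments the data so that the full feature set scores worse than a two-feature subset.

```python
from collections import Counter

# Constructed, already-discretised connection records (not data from the paper).
# "attack" is a port flood: many connections with short gaps between them.
# dst_priv is unrelated to the label; conn_id is a unique identifier, i.e. pure
# noise that a classifier can memorise but never generalise from.
FEATURES = ["short_gap", "many_conns", "dst_priv", "conn_id"]
RECORDS = [
    ({"short_gap": 1, "many_conns": 1, "dst_priv": 1, "conn_id": 0}, "attack"),
    ({"short_gap": 1, "many_conns": 1, "dst_priv": 0, "conn_id": 1}, "attack"),
    ({"short_gap": 1, "many_conns": 1, "dst_priv": 1, "conn_id": 2}, "attack"),
    ({"short_gap": 1, "many_conns": 0, "dst_priv": 1, "conn_id": 3}, "normal"),
    ({"short_gap": 1, "many_conns": 0, "dst_priv": 0, "conn_id": 4}, "normal"),
    ({"short_gap": 0, "many_conns": 1, "dst_priv": 1, "conn_id": 5}, "normal"),
    ({"short_gap": 0, "many_conns": 1, "dst_priv": 0, "conn_id": 6}, "normal"),
    ({"short_gap": 0, "many_conns": 0, "dst_priv": 1, "conn_id": 7}, "normal"),
    ({"short_gap": 0, "many_conns": 0, "dst_priv": 0, "conn_id": 8}, "normal"),
    ({"short_gap": 1, "many_conns": 1, "dst_priv": 0, "conn_id": 9}, "attack"),
]
DEFAULT = "normal"  # prediction for an unseen feature vector or a tied vote

def majority(labels):
    counts = Counter(labels)
    if not counts:
        return DEFAULT
    top = max(counts.values())
    winners = [lab for lab, c in counts.items() if c == top]
    return winners[0] if len(winners) == 1 else DEFAULT

def loo_error(subset, records=RECORDS):
    """Leave-one-out error of a decision-table classifier restricted to `subset`.

    The held-out record gets the majority label of the training records that
    share its projected feature vector; a vector never seen in training falls
    back to the majority label of the whole training set."""
    subset = tuple(subset)
    key = lambda rec: tuple(rec[f] for f in subset)
    wrong = 0
    for i, (rec, label) in enumerate(records):
        train = [(r, l) for j, (r, l) in enumerate(records) if j != i]
        same = [l for r, l in train if key(r) == key(rec)]
        predicted = majority(same) if same else majority([l for _, l in train])
        wrong += predicted != label
    return wrong / len(records)

def backward_sequential_search(features=FEATURES, records=RECORDS):
    """BSS: start from all features, drop the feature whose removal gives the
    lowest error, and stop as soon as every possible removal makes things worse."""
    current = list(features)
    current_err = loo_error(current, records)
    while current:
        candidates = [(loo_error([f for f in current if f != drop], records), drop)
                      for drop in current]
        best_err, drop = min(candidates, key=lambda c: c[0])  # first minimum wins ties
        if best_err > current_err:
            break
        current.remove(drop)
        current_err = best_err
    return current, current_err

def beam_search(features=FEATURES, records=RECORDS, width=2):
    """Backward beam search: expand the `width` best subsets at each level,
    walk all the way down, and report the best (error, size) pair seen."""
    start = tuple(features)
    best = (loo_error(start, records), start)
    frontier, seen = [start], {start}
    while frontier:
        level = []
        for subset in frontier:
            for drop in subset:
                child = tuple(f for f in subset if f != drop)
                if child in seen:
                    continue
                seen.add(child)
                level.append((loo_error(child, records), child))
        level.sort(key=lambda c: (c[0], len(c[1])))
        frontier = [s for _, s in level[:width]]
        for err, subset in level[:width]:
            if (err, len(subset)) < (best[0], len(best[1])):
                best = (err, subset)
    return list(best[1]), best[0]

if __name__ == "__main__":
    print("all features:", loo_error(FEATURES))
    print("BSS:", backward_sequential_search())
    print("beam search:", beam_search(width=2))
```

On this data the full set scores a 0.4 error because conn_id makes every record unique, so each held-out record falls back to the global majority; BSS drops conn_id first, then dst_priv, and stops at [short_gap, many_conns] with zero error, which the beam search also finds. RGSS, the third algorithm on the slide, is not implemented here; by its name it starts the sequential step from randomly generated subsets rather than from the full set, which is what lets it escape the greedy path when BSS stops early.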
Page 9: AIID
Algorithm performance (chart on the slide)
Page 10: AIID
Error rate performance (all connection types)
- [I, W, T, PS, PD, DS]
- [T, PD, DS] (best)
Page 11: AIID
Error rate performance (SMTP)
- [W, T, PS, PD, DS] (best)
Page 12: AIID
Error rate performance (Login)
- [W, T, PS, PD] (best)
- [T, PD, DS] (RGSS)
Page 13: AIID
Error rate performance (Shell)
- [W, PS, PD, DS] (BS and BSS)
- Best (label as it appears on the slide)
- [W, T, PS, DS] (RS)
Page 14: GP (Applying Genetic Programming to Intrusion Detection)
An IDS that exploits the learning power of genetic programming.
Two types of security tools:
- Proactive
- Reactive: an IDS falls in this category
Page 15: GP
Components in an IDS:
- Anomaly: may indicate a possible intrusion. So how do we know for sure?
- Expert system:
  - Rule set = model
  - Metrics
  - Comparing metrics and model
But if a new intrusion scenario arises, modifying the IDS is complicated.
Page 16: GP
A finer-grained approach: the IDS is split into multiple autonomous agents.
Page 17: GP (no transcript text on this slide)
Page 18: GP
Using GP for learning:
- Instead of a monolithic, static "knowledge base", the GP paradigm allows the evolution of agents that could be placed in a system to monitor audit data.
- GP programs:
  - are written in a simple meta-language
  - have primitives that access audit data fields and manipulate them
Page 19: GP
Internal agent architecture (diagram on the slide)
Page 20: GP
Learning by feedback. What do the agents monitor?
- Connection timing and port metrics: total number of socket connections, average time between socket connections, minimum time between socket connections, maximum time between socket connections, destination port, source port
- Potential intrusions looked for: port flooding, port walking, probing, password cracking
Page 21: GP
Fitness of an agent, computed from the feedback (outcome) on a scenario and the suspicion value the agent reported:
Δ = |outcome − suspicion|
penalty = Δ × ranking / 100
fitness = (100 − Δ) − penalty
Page 22: GP
Multiple types:
- Time (long int), port (int), boolean, suspicion (int)
- Problems with multiple types: an ADF (Automatically Defined Function) solution to type safety
- To monitor network timing: avg_interconn_time, min_interconn_time, max_interconn_time
- For port monitoring: src_port, dest_port
- For privileged port checking: is_priv_dest_port, is_priv_src_port
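The following is an added example, not code from Crosbie and Spafford's paper or from these slides. It serves the two preceding slides: the fitness formula (Δ, penalty, fitness) is evaluated over a small constructed set of audit-window summaries, and a minimal typed genetic-programming loop evolves agents over the timing, port and privileged-port primitives named here, with every tree node carrying a return type so that crossover and mutation can only ever splice matching types together, which is the type-safety problem the slide raises. The scenario values, the 0..100 scale assumed for `ranking` (the slides use it but do not define it), the tuple encoding of agents and the GP parameters are all assumptions.

```python
import random

# Constructed audit-window summaries (not the paper's data): the metrics the slides list
# plus the environment's feedback, outcome (100 = real intrusion, 0 = benign) and ranking
# (a per-scenario weight the slides use but never define; assumed here to run 0..100).
KEYS = ("total_conns", "avg_gap", "min_gap", "max_gap", "src_port", "dst_port", "outcome", "ranking")
SCENARIOS = [dict(zip(KEYS, row)) for row in [
    (500, 0.02, 0.001, 0.1, 40000, 25, 100, 80),   # port flood against SMTP
    (12, 5.0, 1.0, 20.0, 51000, 22, 0, 10),        # interactive SSH session
    (60, 0.5, 0.4, 0.6, 52000, 22, 100, 30),       # scripted password guessing, evenly paced
    (3, 30.0, 10.0, 60.0, 53000, 8080, 0, 5),      # quiet web client
]]

def fitness(agent, scenarios=SCENARIOS):
    """The slide's formula, averaged over the scenarios the agent is shown."""
    total = 0.0
    for s in scenarios:
        delta = abs(s["outcome"] - agent(s))
        penalty = delta * s["ranking"] / 100
        total += (100 - delta) - penalty
    return total / len(scenarios)

# Typed primitives, one table per return type (the ADF-style accessors named on the slide).
TIME = {"avg_interconn_time": lambda s: s["avg_gap"], "min_interconn_time": lambda s: s["min_gap"],
        "max_interconn_time": lambda s: s["max_gap"]}
PORT = {"src_port": lambda s: s["src_port"], "dst_port": lambda s: s["dst_port"]}
BOOL = {"is_priv_dest_port": lambda s: s["dst_port"] < 1024, "is_priv_src_port": lambda s: s["src_port"] < 1024}

# Agents are expression trees (nested tuples); KIND is the return type of each node operator.
KIND = {"const": "susp", "if": "susp", "bool": "bool", "conns_gt": "bool",
        "port_lt": "bool", "lt": "bool", "time": "time", "tconst": "time"}

def rand_tree(kind, depth, rng):
    if kind == "susp":
        if depth == 0 or rng.random() < 0.3:
            return ("const", rng.choice([0, 25, 50, 75, 100]))
        return ("if", rand_tree("bool", depth - 1, rng),
                rand_tree("susp", depth - 1, rng), rand_tree("susp", depth - 1, rng))
    if kind == "bool":
        r = rng.random()
        if depth == 0 or r < 0.3:
            return ("bool", rng.choice(sorted(BOOL)))
        if r < 0.5:
            return ("conns_gt", rng.choice([10, 50, 100, 200]))
        if r < 0.7:
            return ("port_lt", rng.choice(sorted(PORT)), rng.choice([1024, 5000, 49152]))
        return ("lt", rand_tree("time", depth - 1, rng), rand_tree("time", depth - 1, rng))
    return ("time", rng.choice(sorted(TIME))) if rng.random() < 0.5 else ("tconst", rng.choice([0.01, 0.1, 1.0, 10.0]))

def evaluate(node, s):
    op = node[0]
    if op == "if": return evaluate(node[2], s) if evaluate(node[1], s) else evaluate(node[3], s)
    if op == "bool": return BOOL[node[1]](s)
    if op == "conns_gt": return s["total_conns"] > node[1]
    if op == "port_lt": return PORT[node[1]](s) < node[2]
    if op == "lt": return evaluate(node[1], s) < evaluate(node[2], s)
    if op == "time": return TIME[node[1]](s)
    return node[1]  # const or tconst

def subtrees(node, path=()):
    yield path, node
    for i, child in enumerate(node[1:], start=1):
        if isinstance(child, tuple):
            yield from subtrees(child, path + (i,))

def replace(node, path, new):
    if not path:
        return new
    return node[:path[0]] + (replace(node[path[0]], path[1:], new),) + node[path[0] + 1:]

def crossover(a, b, rng):
    """Replace a random subtree of a with a subtree of b that has the same return type."""
    pa, sa = rng.choice(list(subtrees(a)))
    donors = [n for _, n in subtrees(b) if KIND[n[0]] == KIND[sa[0]]]
    return replace(a, pa, rng.choice(donors)) if donors else a

def evolve(generations=20, pop_size=30, seed=1):
    rng = random.Random(seed)
    score = lambda t: fitness(lambda s: evaluate(t, s))
    pop = [rand_tree("susp", 3, rng) for _ in range(pop_size)]
    history = []  # best fitness per generation; elitism keeps it non-decreasing
    for _ in range(generations):
        ranked = sorted(pop, key=score, reverse=True)
        history.append(score(ranked[0]))
        children = ranked[:2]  # the two best survive unchanged
        while len(children) < pop_size:
            child = crossover(*rng.sample(ranked[:10], 2), rng)
            if rng.random() < 0.2:  # mutation: regrow one subtree of the same type
                pm, sm = rng.choice(list(subtrees(child)))
                child = replace(child, pm, rand_tree(KIND[sm[0]], 2, rng))
            children.append(child)
        pop = children
    best = max(pop, key=score)
    return best, score(best), history

# A hand-written port-flood detector in the same meta-language, for comparison.
FLOOD_AGENT = ("if", ("conns_gt", 100),
               ("if", ("lt", ("time", "min_interconn_time"), ("tconst", 0.01)), ("const", 100), ("const", 50)),
               ("const", 0))
```

The hand-written flood agent reports zero suspicion on the evenly paced password-guessing window, and because that scenario carries a ranking of 30 the miss costs 30 fitness points on top of the 100 lost to Δ; an agent that always answers 50 is never badly wrong but never right either, and scores lower still. Calling `evolve()` runs the typed GP loop; the returned history shows the elite fitness climbing across generations, and every tree it produces evaluates to one of the suspicion constants because no operator ever receives an argument of the wrong type.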
Page 23: GP
Experimental results (chart on the slide)
Page 24: That's it!
Page 25
Too old a research idea: no current research was found in the same field.