

8 Nov 2013


Advances in Intrusion Detection Techniques

Associate Prof. Fang Xianjin (方贤进)

Computer Science & Engineering School of AUST

Outline

- Context of the computer security problem
- Brief summary of computer security systems
- What is an IDS?
- Architecture and classification of IDS
- Intrusion detection techniques
- My current research work
- Questions and answers

Context of the computer security problem

2006 Annual Report by CNCERT/CC


Context of the computer security problem

From 19 June to 31 December 2006, 18,912 samples were captured by CNCERT/CC's honeynet.


Brief summary of computer security systems

Multi-layer defense:

- The first layer is static access mechanisms, such as passwords and file permissions.

  Disadvantages:
  - Limited in the comprehensiveness of the security they can provide;
  - Overly restrictive for legitimate users of the computer system.

Brief summary of computer security systems

Multi-layer defense:

- The second layer is cryptography, which is used to provide secure channels and host authentication.
- Another layer is the firewall, which filters undesirable network traffic out of a network system.

Brief summary of computer security systems

Multi-layer defense:

- The latest layer of defense is provided by dynamic protection systems that can detect and prevent intrusion, known as Intrusion Detection Systems (IDS).

What is an IDS?

Mathematical description of an IDS:

- $U$: universe set;
- $S$: normal/legitimate/acceptable pattern set (self set);
- $N$: anomalous/illegitimate/unacceptable pattern set (nonself set);
- $S \cup N = U$, $S \cap N = \emptyset$.

$\mathrm{IDS} = (f, M)$, where $f$ is a nonlinear classification function and $M$ is the detection range of the detection system,

$f: U^* \times U \to \{\text{normal}, \text{anomalous}\}$

$$
f(M, s) =
\begin{cases}
\text{normal}, & s \notin M \\
\text{anomalous}, & \text{otherwise}
\end{cases}
$$

Figure: Venn diagram of $U$ containing the Self and Nonself sets and the detection range $M$; the labelled regions are the false positives (self patterns inside $M$) and the false negatives (nonself patterns outside $M$).

Architecture and classification of IDS

Architecture of IDS

Figure: components of an IDS and their connections: Sensor, Analyzer, Knowledge base, Response/control, Policy/control info, Alert, Analysis console.

Architecture and classification of IDS

Classification of IDS

- On the basis of detection technique:
  - Misuse detection (signature-based): high detection rate, high false negative rate, low false positive rate
  - Anomaly detection: low detection rate, high false positive rate
- On the basis of data input:
  - HIDS
  - NIDS
  - Hybrid IDS

Intrusion Detection Techniques

Misuse detection

- Method based on an expert system (P-BEST):
  - Firstly, according to experiment, create the knowledge base (attack signature base);
  - Secondly, update the knowledge base using learning and adaptive capacity.
- For example: EMERALD, eXpert-BSM (developed by SRI International)

Intrusion Detection Techniques

Misuse detection

- Method based on TCP/IP protocol analysis: decode each packet at every layer of the TCP/IP architecture.
- For example: when both the SYN and FIN flags of a TCP packet are set to "1", we can infer that a port-scanning attack has occurred.
- Features: high performance, more accurate, resistant to evasion attacks, low resource requirement.
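The protocol-analysis rule above, as an added example (not code from the slides or from any IDS product mentioned): the fixed 20-byte TCP header is decoded with the standard-library struct module, the 9-bit flag field is extracted, and a segment is flagged when SYN and FIN are both set. The sample segments are constructed in the block itself; the port numbers and the helper names are assumptions chosen for the illustration.

```python
import struct

# TCP flag bits (low byte of the data-offset/flags word in the TCP header)
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20


def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header; raise if the segment is too short to hold one."""
    if len(segment) < 20:
        raise ValueError("TCP segment shorter than the minimum 20-byte header")
    (src_port, dst_port, seq, ack, offset_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "data_offset": (offset_flags >> 12) * 4,  # header length in bytes
        "flags": offset_flags & 0x01FF,           # 9 flag bits (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)
        "window": window,
        "checksum": checksum,
        "urg_ptr": urg_ptr,
    }


def flag_names(flags):
    """Human-readable names of the set flag bits, in bit order."""
    table = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return [name for name, bit in table if flags & bit]


def is_syn_fin_scan(segment):
    """Misuse rule from the slide: SYN and FIN set together in one segment is never a legitimate handshake."""
    flags = parse_tcp_header(segment)["flags"]
    return bool(flags & SYN) and bool(flags & FIN)


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Constructed header-only segment for the demonstration (data offset 5 words, zero checksum)."""
    offset_flags = (5 << 12) | (flags & 0x01FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def scan_segments(segments):
    """Return (index, flag names) for every segment that triggers the SYN+FIN rule."""
    return [(i, flag_names(parse_tcp_header(s)["flags"]))
            for i, s in enumerate(segments) if is_syn_fin_scan(s)]


# Constructed sample traffic (assumed ports): a normal SYN, a normal FIN/ACK, and a SYN+FIN probe.
NORMAL_SYN = build_tcp_header(40000, 80, SYN)
NORMAL_FIN_ACK = build_tcp_header(40000, 80, FIN | ACK)
SYN_FIN_SCAN = build_tcp_header(40001, 22, SYN | FIN)

if __name__ == "__main__":
    for idx, names in scan_segments([NORMAL_SYN, NORMAL_FIN_ACK, SYN_FIN_SCAN]):
        print(f"segment {idx}: SYN+FIN rule matched, flags={names}")
```

Decoding the header explicitly rather than grepping raw bytes is what gives the protocol-analysis approach its accuracy: the rule reads the flag bits at their defined offset, so a payload that happens to contain the same bytes cannot trigger it.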

Intrusion Detection Techniques

Misuse detection

- Method based on pattern matching
- For example: SNORT IDS (open-source software, Sourcefire Company)

Intrusion Detection Techniques

Anomaly detection

- Statistical analysis methodology:
  - Create a profile database of normal behavior by analyzing a large amount of system data;
  - Adaptively learn the normal pattern database;
  - Compare audit data from the system with the normal behavior profile; if the comparison result exceeds the threshold, an attack event may have happened.
- Conventional statistical models:
  - Average value and standard deviation model
  - Markovian model
  - Time/session/connection sequence model
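Two of the conventional models above, as an added example (not code from the slides): the average value and standard deviation model learns a profile of a numeric feature from normal training data and flags observations whose z-score exceeds a threshold, and the Markovian model learns first-order transition probabilities over event sequences and flags transitions that were rare or never seen during training. The training data (hourly login counts and short system-call sequences), the 3-sigma threshold and the 0.05 probability floor are all constructed assumptions for the illustration.

```python
import math
from collections import Counter, defaultdict


# ---- Average value / standard deviation model ----
def build_profile(samples):
    """Learn the mean and sample standard deviation of a numeric feature from normal data."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two training samples to estimate a deviation")
    mean = sum(samples) / n
    variance = sum((x - mean) ** 2 for x in samples) / (n - 1)
    return {"mean": mean, "std": math.sqrt(variance)}


def z_score(profile, x):
    """Distance of x from the profile mean, in standard deviations."""
    if profile["std"] == 0:
        return 0.0 if x == profile["mean"] else math.inf
    return abs(x - profile["mean"]) / profile["std"]


def detect_numeric(profile, observations, threshold=3.0):
    """Return (index, value) for every observation beyond the threshold."""
    return [(i, x) for i, x in enumerate(observations) if z_score(profile, x) > threshold]


# ---- Markovian model over event sequences ----
def train_markov(sequences):
    """Estimate P(next | current) from consecutive pairs in the normal training sequences."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    model = {}
    for cur, nxt_counts in counts.items():
        total = sum(nxt_counts.values())
        model[cur] = {nxt: c / total for nxt, c in nxt_counts.items()}
    return model


def transition_prob(model, cur, nxt):
    """Learned probability of the transition; an unseen transition has probability 0."""
    return model.get(cur, {}).get(nxt, 0.0)


def detect_sequence(model, seq, min_prob=0.05):
    """Return (current, next, probability) for each transition rarer than min_prob."""
    return [(cur, nxt, transition_prob(model, cur, nxt))
            for cur, nxt in zip(seq, seq[1:])
            if transition_prob(model, cur, nxt) < min_prob]


# Constructed training data standing in for audit records of normal behaviour.
TRAIN_LOGINS_PER_HOUR = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]
TRAIN_SYSCALLS = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "close"],
]

if __name__ == "__main__":
    profile = build_profile(TRAIN_LOGINS_PER_HOUR)
    print("profile:", profile)
    print("numeric alerts:", detect_numeric(profile, [4, 5, 40, 3]))
    model = train_markov(TRAIN_SYSCALLS)
    print("sequence alerts:", detect_sequence(model, ["open", "read", "exec", "close"]))
```

The threshold is where the false positive rate of the slide's classification comes from: a 3-sigma rule on a normal-looking feature accepts roughly 99.7% of legitimate values, and lowering it catches smaller deviations at the price of more false alarms. The Markov model has the complementary weakness: any transition absent from training scores 0, so incomplete training data produces alerts on legitimate but unseen behaviour.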

Intrusion Detection Techniques

Anomaly detection

- Method based on an artificial neural network:
  - Create a signature profile of the system by learning from a large number of samples in the training set;
  - Predict the relationship between input data and output data;
  - Compare with a threshold.

Intrusion Detection Techniques

Anomaly detection

- Data mining approaches for intrusion detection: the key ideas are to use data mining techniques to discover consistent and useful patterns of system features that describe program and user behavior, and to use the set of relevant system features to compute (inductively learned) classifiers that can recognize anomalies and known intrusions.

Intrusion Detection Techniques

Anomaly detection

- Agent-based distributed intrusion detection framework

Intrusion Detection Techniques

Anomaly detection

- Artificial immune model for intrusion detection systems

Some terms from the Natural Immunity System (NIS):

- T-cell, B-cell
- Antigen, epitope, receptor
- Antibody, paratope
- Affinity
- Immune recognition
- Immune tolerance
- Immune memory
- Autoimmune response
- Vaccine

Intrusion Detection Techniques

Anomaly detection

- Artificial immune model for intrusion detection systems:
  - Self set (learned by using the training set)
  - Randomly generated detector set
  - Negative selection algorithm (nonself set)
  - Anomaly detection
  - Clonal selection algorithm
  - Dynamic clonal selection algorithm
  - Genetic algorithm based on immunity
  - r-contiguous match algorithm
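The following added example (not code from the slides or from LISYS, Kim's model or any other system named here) ties the immune-model steps above to the mathematical description of an IDS given earlier: candidate detectors are drawn at random, censored by negative selection against a self set using the r-contiguous match rule, and the surviving detectors define the detection range M; f(M, s) then classifies a pattern as normal outside M and anomalous inside it, and the self/nonself split of U gives the detection rate, false positive rate and detector holes. The 6-bit universe, the self set, r = 4, the detector count and the random seed are constructed assumptions for the illustration.

```python
import random
from itertools import product

# Constructed toy universe U: every 6-bit string. SELF_SET is the assumed training set of
# normal patterns; everything else in U is nonself. R is the r-contiguous match length.
LENGTH = 6
R = 4
UNIVERSE = {"".join(bits) for bits in product("01", repeat=LENGTH)}
SELF_SET = {"000000", "000001", "000010", "000011"}


def r_contiguous_match(detector, pattern, r):
    """True if the two equal-length strings agree in at least r contiguous positions."""
    run = 0
    for a, b in zip(detector, pattern):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False


def negative_selection(self_set, length, r, n_detectors, rng, max_tries=10000):
    """Generate random candidates and keep only those that match no self pattern (immune tolerance)."""
    detectors = set()
    tries = 0
    while len(detectors) < n_detectors and tries < max_tries:
        tries += 1
        cand = "".join(rng.choice("01") for _ in range(length))
        if cand not in detectors and not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.add(cand)
    return sorted(detectors)


def detection_range(detectors, universe, r):
    """M: every pattern in U that at least one mature detector matches."""
    return {u for u in universe if any(r_contiguous_match(d, u, r) for d in detectors)}


def classify(m, s):
    """f(M, s) from the mathematical description: normal outside M, anomalous inside it."""
    return "anomalous" if s in m else "normal"


def evaluate(self_set, universe, m):
    """Detection rate, false positive rate and detector holes (nonself patterns M does not cover)."""
    nonself = universe - self_set
    return {
        "detection_rate": len(nonself & m) / len(nonself),
        "false_positive_rate": len(m & self_set) / len(self_set),
        "holes": sorted(nonself - m),
    }


def run_demo(seed=1, n_detectors=12):
    """Build a detector population and report how well it covers the nonself set."""
    rng = random.Random(seed)
    detectors = negative_selection(SELF_SET, LENGTH, R, n_detectors, rng)
    m = detection_range(detectors, UNIVERSE, R)
    result = evaluate(SELF_SET, UNIVERSE, m)
    result["detectors"] = detectors
    result["M"] = m
    return result


if __name__ == "__main__":
    res = run_demo()
    print(f"{len(res['detectors'])} detectors cover {len(res['M'])} of {len(UNIVERSE)} patterns")
    print(f"detection rate {res['detection_rate']:.2f}, false positive rate {res['false_positive_rate']:.2f}")
    print("holes:", res["holes"])
```

Because every detector that survives negative selection is guaranteed not to match any self pattern, the false positive rate on the training self set is zero by construction; the price is paid on the other side, as detector holes, nonself patterns that sit too close to the self set for any valid detector to cover. Re-running with a different seed or a larger population shows how coverage, and therefore the detection rate, depends on the detector set, which is the trade-off the research topics on the closing slide are about.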

Intrusion Detection Techniques

Anomaly detection

- Artificial immune model for intrusion detection systems

The LISYS model is as follows:


Intrusion Detection Techniques

Anomaly detection

- Artificial immune model for intrusion detection systems

The following is Kim's conceptual model for intrusion detection:


My current research work

Topic: research on an immune model for intrusion detection systems

- Design an artificial immune model with a vaccine operator for network intrusion detection
- Study the immune evolutionary algorithm of the detector population
- Implement intrusion detection on the network layer, transport layer and application layer
- Analyze detection rate, false positive rate, detector coverage and detector holes in theory


Thank you!

Questions?