Learning Intrusion Detection

1
Learning Intrusion Detection

• Tomas SingliarCS2510 Final Paper Presentation
• April 19, 2004

2
Intrusion detection

• Intrusions happen in computer networks
• Do something gt must know whats up
• What is an intrusion and what is not?
• misuse detection (a.k.a. pattern recognition)
• Wait a minute! I saw this one before!
• good precision, ignores novelty attacks
• anomaly detection
• Heh? Never saw anything like that before!
• will detect novel patterns (and a lot more)

3
Pittfalls

• Assume learner with 99.9 accuracy
• 100 packets per second, almost all legitimate
• 1 false alarm every 10 seconds
• User acceptance suffers
• Extremely high specificities required

4
Knowledge Representation

• Rule based system - collection of rules
• Probabilistic model
• Bayesian Belief Network (example)
• Hidden Markov Model (sequence learning)
• Memory-based learning (scalability?!)

if (src_ip in protected network) and (dst_ip
66.28.101.143) then Proxy-Regate Trojan active
at src_ip
if number_of_connections_in_last_1_min(src_ip) gt
100 and then portscan conducted from src_ip
5
Learning

• Learn the knowledge representation
• Symbolical formalisms
• RIPPER
• Probabilistic formalisms
• Neural networks
• Naïve Bayes General Bayes Network
• Support Vector Machines
• More advanced systems combine them

6
Conclusions

• Prevention not enough by itself
• policy, education, firewalls, antivirus
• Break-ins will happen, youd best know
• Layered reasoning scales
• fast rule-based feature construction
• sound ( slow) reasoning at abstract level
• No ultimate solution unending arms race

7
Thank you!

• Questions?
• Have a fun summer!