Intrusion Detection using Genetic Programming - PowerPoint PPT Presentation

1
Intrusion Detection using Genetic Programming
  • Presented by Chris Chambers

2
Overview
  • General idea
    • Body very good at distinguishing between self/not-self
    • Has a memory for old intrusions
    • If only IDSs were that good!
  • "It is to be noted that the mechanisms of the immune system are remarkably complex and poorly understood, even by immunologists."
    • Dasgupta, Attoh-Okine

3
Overview
  • Fuzzy Data Mining and GA Applied to Intrusion
    Detection
  • New Paradigms for ID Using GP (CHIMERA)

4
Fuzzy Data Mining and GA Applied to Intrusion Detection
  • S. Bridges, R. Vaughn, Mississippi State University, NISSC 2000
  • Premise
    • Body is good at detecting intrusions by pattern matching
    • Can use this for securing systems
    • Given a learning trace, evolve a program over a series of generations to detect intrusions
  • Novel idea
    • Rules mined from training data end up over-specific to that training data
    • Fuzzy rules are less specific

5
What is fuzziness?
6
Technique
  • Fuzzy Data Mining
    • Fuzzy association rules computed for baseline
    • Example rule: time 11-12pm => load LOW
    • Compared with rules for abnormals
    • Distance computed
  • Fuzzy Frequency Episodes (grouping data into repetitive sequences)
    • Same trick: distance computed between series
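
A worked version of the fuzzy association-rule step on this slide, added here as an example (it is not the Bridges/Vaughn code and the GA tuning of the next slide is not shown). It mines rules of the form TIME=<bucket> => LOAD=<set> from a baseline window with fuzzy support and confidence, mines the same rules from a new window, and scores how far the new rule set has drifted. The membership-function shapes, the crisp NIGHT/DAY buckets, the simplified rule-set similarity and the load records are all assumptions constructed for the example.

```python
"""Fuzzy association rules as an anomaly baseline (added illustration).

Not the paper's code: membership functions, time buckets, the similarity
measure and every record below are constructed for the example.
"""


def trap(x, a, b, c, d):
    """Trapezoidal membership: 0 below a, ramps to 1 at b, flat until c, 0 at d."""
    if x <= a or x >= d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)


# Fuzzy sets over a normalised load in 0..1 (breakpoints are assumptions).
LOAD_SETS = {
    "LOW":    lambda load: trap(load, -1.0, 0.0, 0.2, 0.4),
    "MEDIUM": lambda load: trap(load, 0.2, 0.4, 0.6, 0.8),
    "HIGH":   lambda load: trap(load, 0.6, 0.8, 1.0, 2.0),
}

# Crisp time-of-day buckets; a real deployment could make these fuzzy as well.
TIME_SETS = {
    "NIGHT": lambda hour: 1.0 if hour < 6 or hour >= 22 else 0.0,
    "DAY":   lambda hour: 1.0 if 6 <= hour < 22 else 0.0,
}


def mine_fuzzy_rules(records, min_support, min_confidence):
    """Return {(time_bucket, load_set): (support, confidence)} for every rule
    passing both thresholds. records is a list of (hour, load) pairs.
    Fuzzy support of A => C is the mean over records of min(mu_A, mu_C);
    confidence is support(A => C) / support(A)."""
    n = len(records)
    rules = {}
    for t_name, mu_t in TIME_SETS.items():
        ant_support = sum(mu_t(h) for h, _ in records) / n
        if ant_support == 0:
            continue
        for l_name, mu_l in LOAD_SETS.items():
            rule_support = sum(min(mu_t(h), mu_l(x)) for h, x in records) / n
            confidence = rule_support / ant_support
            if rule_support >= min_support and confidence >= min_confidence:
                rules[(t_name, l_name)] = (rule_support, confidence)
    return rules


def rule_set_similarity(reference, observed):
    """Score in [0, 1]: 1 when every reference rule reappears with the same
    support and confidence. A reference rule that is missing, or present with
    very different strength, pulls the score down. Simplified measure (assumption)."""
    if not reference:
        return 1.0
    total = 0.0
    for rule, (s1, c1) in reference.items():
        if rule in observed:
            s2, c2 = observed[rule]
            drift = max(abs(s1 - s2) / s1, abs(c1 - c2) / c1)
            total += max(0.0, 1.0 - drift)
    return total / len(reference)


def make_window(night_loads, day_loads):
    """Constructed telemetry: one (hour, load) record per hour per load value."""
    records = []
    for hour in range(24):
        loads = night_loads if (hour < 6 or hour >= 22) else day_loads
        records.extend((hour, load) for load in loads)
    return records


# Constructed windows: quiet nights in the baseline; a night-time load spike in the anomalous one.
BASELINE = make_window(night_loads=[0.05, 0.10, 0.15], day_loads=[0.6, 0.7, 0.8])
NORMAL = make_window(night_loads=[0.05, 0.10, 0.15], day_loads=[0.6, 0.7, 0.8])
ANOMALOUS = make_window(night_loads=[0.70, 0.80, 0.90], day_loads=[0.6, 0.7, 0.8])


def anomaly_scores(min_support=0.1, min_confidence=0.4):
    """Distance (1 - similarity) of each test window from the baseline rule set."""
    base = mine_fuzzy_rules(BASELINE, min_support, min_confidence)
    return {
        "normal": 1.0 - rule_set_similarity(base, mine_fuzzy_rules(NORMAL, min_support, min_confidence)),
        "anomalous": 1.0 - rule_set_similarity(base, mine_fuzzy_rules(ANOMALOUS, min_support, min_confidence)),
    }


if __name__ == "__main__":
    for (t, l), (s, c) in mine_fuzzy_rules(BASELINE, 0.1, 0.4).items():
        print(f"TIME={t} => LOAD={l}  support={s:.2f} confidence={c:.2f}")
    print(anomaly_scores())
```

With these inputs the baseline yields NIGHT => LOW, DAY => MEDIUM and DAY => HIGH; the anomalous window loses NIGHT => LOW (and gains NIGHT => HIGH), so its distance from the baseline is 1/3 while an identical window scores 0. Because the rules are fuzzy, a night load of 0.25 would still partly satisfy LOW rather than flipping the rule off, which is the "less specific" property the slides argue for.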

7
Technique (cont)
  • Misuse detection expert system also used
    • Hardwired rules, like: >3 login attempts = bad
  • Genetic Algorithms used to tune fuzzy sets

8
Swiped from http://csrc.nist.gov/nissc/2000/proceedings/papers/005slide.pdf
9
Results
[Results table; Anomaly column = anomalies detected / actual anomalies]
10
More Results
11
Conclusions
  • GA only used to optimize results
  • Fuzzy data mining works okay
  • Fuzzy results?

12
New Paradigms for Intrusion Detection Using Genetic Programming
  • Bob Adolf, 2003 (from Northwestern?)
  • Premise
    • Body is good at detecting intrusions by pattern matching
    • Can use this for securing systems
    • Given a learning trace, evolve a program over a series of generations to detect intrusions

13
Design of CHIMERA
  • Linear phenome
    • string of 1s and 0s vs. tree program
  • Brood Recombination
    • lots of kids per parent
  • Small mutations
    • more like life
  • Code Locality number
    • Supposed to help crossover

14
Evaluation of CHIMERA
  • Cool trace: 3 days long, 20 flagged intrusions
  • 100 generations, 10k members / generation, top
    100 kept as survivors

15
Results and Conclusion

16
Results and Conclusion
  • Total failure of CHIMERA
    • Best members not as good as random strings
    • Code locality numbers didn't work (no coherent code blocks)
  • Conclusion
    • GP requires way more resources and generations than normal programs
    • IDS is hard for GP. 20 intrusions in a trace of tens of millions of events is magnificently sparse
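
To make the CHIMERA design (slide 13), its evaluation set-up (slide 14) and the sparsity point above concrete, here is an added Python example; it is not CHIMERA's code. A fixed-length bit string (the linear genome) encodes a rule that alerts when enough masked event features match a wanted pattern; the population evolves by brood recombination (several children per parent pair, only the best sibling survives) with small per-bit mutations, and the top genomes are carried over unchanged. Code locality numbers are left out. Fitness is F1 rather than accuracy, because on a trace where intrusions are a tiny fraction a rule that never alerts already scores near-perfect accuracy. The feature set, the rule encoding, the constructed trace and the much smaller population and generation counts are all assumptions made for the example.

```python
"""CHIMERA-style linear-genome evolution on a sparse, constructed trace.

Added illustration, not CHIMERA's code: features, encoding, trace and
population sizes are all constructed for the example.
"""
import random

FEATURES = ["failed_login", "new_src", "off_hours", "large_xfer", "admin_acct"]
F = len(FEATURES)
T = 3                                                  # threshold bits
SIGNATURE = {"failed_login", "new_src", "off_hours"}   # constructed intrusion pattern
SIG_MASK = sum(1 << i for i, name in enumerate(FEATURES) if name in SIGNATURE)


def make_trace(n_events=2000, n_intrusions=10, seed=7):
    """Constructed trace of (event_bits, is_intrusion); bit i of event_bits is
    FEATURES[i]. Background events never carry the whole SIGNATURE, so a
    perfect rule exists; every intrusion carries it."""
    rng = random.Random(seed)
    slots = set(rng.sample(range(n_events), n_intrusions))
    trace = []
    for idx in range(n_events):
        bits = sum(1 << i for i in range(F) if rng.random() < 0.3)
        if idx in slots:
            trace.append((bits | SIG_MASK, True))
            continue
        while (bits & SIG_MASK) == SIG_MASK:           # resample until not a full signature
            bits = sum(1 << i for i in range(F) if rng.random() < 0.3)
        trace.append((bits, False))
    return trace


def decode(genome):
    """Genome layout (little-endian bit groups): [mask F][want F][threshold T]."""
    mask = sum(b << i for i, b in enumerate(genome[:F]))
    want = sum(b << i for i, b in enumerate(genome[F:2 * F]))
    threshold = sum(b << i for i, b in enumerate(genome[2 * F:]))
    return mask, want, threshold


def evaluate(genome, trace):
    """Precision, recall, F1 and accuracy of the genome's rule over the trace."""
    mask, want, threshold = decode(genome)
    tp = fp = fn = tn = 0
    for bits, is_intrusion in trace:
        # count masked features whose value equals the wanted value
        alert = bin(~(bits ^ want) & mask).count("1") >= threshold
        if alert and is_intrusion:
            tp += 1
        elif alert:
            fp += 1
        elif is_intrusion:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1,
            "accuracy": (tp + tn) / len(trace)}


# Hand-built genomes for reference: one that never alerts, one encoding SIGNATURE exactly.
NEVER_ALERT = tuple([0] * F + [0] * F + [1, 0, 0])                              # empty mask, threshold 1
PERFECT = tuple([1 if n in SIGNATURE else 0 for n in FEATURES] * 2 + [1, 1, 0])  # threshold 3


def evolve(trace, seed=1, population=30, survivors=10, brood=3, generations=15, mutation_rate=0.05):
    """Return (best_genome, best_initial_f1, best_final_f1). Survivors are kept
    unchanged between generations, so best_final_f1 >= best_initial_f1."""
    rng = random.Random(seed)
    length = 2 * F + T
    cache = {}

    def fitness(g):
        if g not in cache:
            cache[g] = evaluate(g, trace)["f1"]
        return cache[g]

    def crossover(a, b):                                # one-point crossover of linear genomes
        cut = rng.randrange(1, length)
        return a[:cut] + b[cut:]

    def mutate(g):                                      # small mutation: rare single-bit flips
        return tuple(b ^ 1 if rng.random() < mutation_rate else b for b in g)

    pop = [tuple(rng.randrange(2) for _ in range(length)) for _ in range(population)]
    best_initial = max(fitness(g) for g in pop)
    for _ in range(generations):
        elite = sorted(pop, key=fitness, reverse=True)[:survivors]
        children = []
        while len(children) < population - survivors:
            p1, p2 = rng.sample(elite, 2)
            siblings = [mutate(crossover(p1, p2)) for _ in range(brood)]
            children.append(max(siblings, key=fitness))  # brood recombination keeps the best sibling
        pop = elite + children
    best = max(pop, key=fitness)
    return best, best_initial, fitness(best)


def random_baseline(trace, n_strings=100, seed=2):
    """Best F1 among n_strings uniformly random genomes, the comparison the slides make."""
    rng = random.Random(seed)
    length = 2 * F + T
    return max(evaluate(tuple(rng.randrange(2) for _ in range(length)), trace)["f1"]
               for _ in range(n_strings))


if __name__ == "__main__":
    trace = make_trace()
    print("never alert:", evaluate(NEVER_ALERT, trace))
    print("perfect rule:", evaluate(PERFECT, trace))
    best, f1_start, f1_end = evolve(trace)
    print("evolved:", decode(best), "F1 %.2f -> %.2f" % (f1_start, f1_end))
    print("best of random strings: F1 %.2f" % random_baseline(trace))
```

Running it shows why the slides' evaluation was hard to read: NEVER_ALERT reaches 99.5% accuracy on this 2000-event trace with zero recall, so accuracy says nothing about detection, and whether the evolved genome beats the best of 100 random strings depends on the seed, which is the comparison slide 16 reports CHIMERA losing. With 20 positives in tens of millions of events the fitness landscape is flatter still, so precision/recall (or cost-weighted) fitness, not accuracy, is the only measurement that can steer the search.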

17
Final Conclusion
  • Using GP to Improve IDS
    • Still formative
    • Poorly understood