Machine Learning in Intrusion Detection Systems IDS

1
Machine Learning in Intrusion Detection Systems
(IDS)
2
2 papers

• Artificial Intelligence Intrusion Detection
  Current Future Directions AIID
• J. Frank
• Applying Genetic Programming to Intrusion
  Detection GP
• M. Crosbie, G. Spafford

3
AIID

• What is intrusion detection?
• What are the issues in Intrusion Detection?
• Data collection
• Data reduction
• Behavior Classification
• Reporting
• Response

4
AIID

• AI methods are used to help solve some issues
• For data classification
• Classifier systems
• Neural Network
• Decision Tree
• Feature Selection

5
AIID

• Data Reduction
• Data Filtering
• Feature Selection
• Data Clustering

6
AIID

• Behavior Classification
• Expert Systems
• Anomaly Detection
• Rule-Based Induction

7
AIID

• An experiment using Feature Selection
• Info. about network connections using a Network
  Security Monitor

8
AIID

• 3 Search algorithms used
• Backward Sequential Search (BSS)
• Beam Search (BS)
• Random Generation Plus Sequential Selection (RS)

9
AIID

• Algorithm performance

10
AIID

• Error Rate Performance (All)

T, PD, DS
Best
I, W, T, PS, PD, DS
11
AIID

• Error Rate Performance (SMTP)

Best
W, T, PS, PD, DS
12
AIID

• Error Rate Performance (Login)

T, PD, DSRGSS
Best
W, T, PS, PD
13
AIID

• Error Rate Performance (Shell)

Best
W, T, PS, DS RS
W, PS, PD, DSBS BSS
14
GP (Applying Genetic Programming to Intrusion
Detection)

• An IDS that exploits the learning power of
  Genetic Programming
• Two types of security tools
• Pro-active
• Reactive IDS falls in this catergory

15
GP

• Components in an IDS
• Anomaly
• May indicate a possible intrusion
• So how do we know for sure? Expert-system
• Rule-set model
• Metrics
• Comparing metrics model
• But
• If a new intrusion scenario arises modifying the
  IDS is complicated

16
GP

• A finer-grained approach
• IDS gets split into multiple Autonomous Agents

17
GP
18
GP

• Using GP for learning
• Instead of a monolithic static knowledge base
• The GP paradigm allows evolution of agents that
  could be placed in a system to monitor audit data
• GP programs
• are in a simple meta-language
• Have primitives that access audit data fields and
  manipulate them

19
GP

• Internal agent architecture

20
GP

• Learning by feedback
• What do the agents monitor?
• Inter-packet timing metrics
• Total of socket connections, average time
  between socket connections, minimum time between
  socket connections, maximum time between socket
  connections, destination port, source port
• Potential intrusions looked for
• Port flooding, port-walking, probing, password
  cracking

21
GP

• ? outcome suspicion
• Penalty ? ranking /100
• Fitness (100 ?) - penalty

22
GP

• Multiple types
• Time (long int), port (int), boolean, suspicion
  (int)
• Problems with multiple types
• ADF solution to type safety
• ADF Automatically Defined Function
• To monitor network timing
• avg_interconn_time, min_interconn_time,
  max_interconn_time
• For port monitoing
• src_port, dest_port
• For privileged port checking
• is_priv_dest_port, is_priv_src_port

23
GP

• Experimental results

24
Thats it !!!
25
Too old a research idea did not find any
current researches in the same field