Bayesian Classifiers and Software Sensors for Intrusion Detection Systems


1
Bayesian Classifiers and Software Sensors for
Intrusion Detection Systems.
  • By Kaushal Mittal
  • Guide Prof. Sunita Sarawagi

2
Bayesian Classifiers
  • Classification
  • Supervised learning
  • Classes known
  • Number of classes known
  • Statistical classifiers
  • Based on Bayes' theorem
  • Calculates the probability of a sample belonging to a
    class.

3
Naive Bayesian classifier
  • Assumes attribute values to be conditionally
    independent given the target class.
  • Each training sample X is a vector of n
    attributes, $X = (a_1, \dots, a_n)$.
  • Set of classes $C = \{c_1, \dots, c_m\}$.
  • Every new sample S is assigned to the class with
    the maximum posterior probability.

4
Application
  • Text Classification.
  • All words as attributes.
  • Assume attributes to be independent.
  • Use Naive Bayes classifier.
  • M. Shavlik and J. Shavlik have used naive
    Bayesian classifiers for an intrusion detection
    system.
  • Low detection rate of 59.2.
  • Proposed a Winnow based Algorithm.

5
Intrusion Detection System
  • Intrusion detection system
  • Anomaly detection
  • Misuse detection
  • Goals
  • High detection rates
  • Low false negative alarms
  • Low false positive alarms
  • Less CPU cycles
  • Quick detection rates

6
IDS Cont.
  • Problem
  • Detect intrusion quickly with low false alarm
    rate and high intrusion detection rate.
  • Approaches
  • Naive Bayes Classifiers
  • Winnow based Algorithm
  • Alternative approaches
  • Density based Local Outlier approach
  • Elman Network

7
IDS - Phases

  • Data Collection
  • Discretization
  • Training
  • Tuning
  • Operational

8
Data Collection
  • The training data
  • System properties like CPU, memory, network
    connections, number of threads.
  • Use of Perfmon on Windows, strace on Linux.
  • Features like
  • Actual value measured.
  • Average of Last 10 values
  • Average of last 100 values
  • Difference between current and previous values
  • Difference between current and average of last 10
  • Difference between current and average of last
    100
  • Difference between average of previous 10 and
    previous 100

9
IDS - Phases

  • Data Collection
  • Discretization
  • Training
  • Tuning
  • Operational

10
Discretization
  • Data is continuous
  • Discretized into 10 bins
  • Divide the samples into 10 bins
  • Selects the best distribution function
  • Uniform
  • Gaussian
  • Exponential
  • Erlang

11
IDS - Phases

  • Data Collection
  • Discretization
  • Training
  • Tuning
  • Operational

12
Training
  • Initialize weights for each feature
  • For each training sample
  • Calculate votes for each feature
  • Relative probability for value of feature
  • Adjust weights
  • In the Naive Bayes approach
  • Use the exact probability of the feature.
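
An added example, not code from the presentation: it chains the seven per-property features from the Data Collection slide, a 10-bin discretization, and the naive Bayes rule of picking the class with the maximum posterior. Assumptions: equal-width bins (the slides instead select a best-fitting distribution), add-one smoothing, averaging windows that include the current reading, and constructed CPU-load traces; all function and class names are illustrative.

```python
import math
from collections import Counter, defaultdict, deque

def derive_features(values):
    """Slide 8's seven features for every reading of one system property."""
    last10, last100, rows = deque(maxlen=10), deque(maxlen=100), []
    for v in values:
        delta = v - last10[-1] if last10 else 0  # first reading has no predecessor
        last10.append(v)
        last100.append(v)
        a10, a100 = sum(last10) / len(last10), sum(last100) / len(last100)
        rows.append((v, a10, a100, delta, v - a10, v - a100, a10 - a100))
    return rows

def fit_bins(rows, n_bins=10):
    # Assumption: equal-width bins over the training range; (low, width) per feature.
    return [(min(c), (max(c) - min(c)) / n_bins or 1.0) for c in zip(*rows)]

def to_bins(row, edges, n_bins=10):
    # Values outside the training range are clamped into the first or last bin.
    return tuple(min(n_bins - 1, max(0, int((x - lo) / w))) for x, (lo, w) in zip(row, edges))

class NaiveBayes:
    def __init__(self, n_bins=10):
        self.n_bins, self.classes, self.counts = n_bins, Counter(), defaultdict(Counter)

    def fit(self, binned_rows, labels):
        for row, c in zip(binned_rows, labels):
            self.classes[c] += 1
            for i, b in enumerate(row):
                self.counts[c, i][b] += 1  # occurrences of bin b for feature i in class c

    def predict(self, row):
        # Maximum log-posterior class: log prior (up to a constant) + smoothed log likelihoods.
        def log_post(c):
            n = self.classes[c]
            return math.log(n) + sum(
                math.log((self.counts[c, i][b] + 1) / (n + self.n_bins)) for i, b in enumerate(row))
        return max(self.classes, key=log_post)

def train_demo():
    # Constructed CPU-load traces (percent), not real measurements.
    normal = derive_features([10 + i % 4 for i in range(120)])
    attack = derive_features([60 + 7 * (i % 5) for i in range(120)])
    edges = fit_bins(normal + attack)
    model = NaiveBayes()
    model.fit([to_bins(r, edges) for r in normal + attack], ["normal"] * 120 + ["intrusion"] * 120)
    return model, edges

def classify_latest(readings, model, edges):
    return model.predict(to_bins(derive_features(readings)[-1], edges))
```

`classify_latest` labels only the most recent reading of a trace, so the difference features are what let a sudden jump after a quiet period count as evidence.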

13
IDS - Phases

  • Data Collection
  • Discretization
  • Training
  • Tuning
  • Operational

14
Tuning
  • Goal: to calculate W, $thresh_{mini}$, $thresh_{full}$
  • W: window to avoid overlapping.
  • $thresh_{mini}$: threshold for mini alarm
  • $thresh_{full}$: threshold for intrusion detection.
  • Test set used.

15
Analysis
  • False negative alarms
  • System learning intruder's behaviour.
  • False positive alarms
  • Comparison to Naive Bayes classifier approach.

16
Alternatives
  • All suffer from false learning and false alarms.
  • Another approach can be
  • Elman networks.
  • Density based