Case Based Reasoning Approach to Intrusion Detection - PowerPoint PPT Presentation

About This Presentation
Title:

Case Based Reasoning Approach to Intrusion Detection

Description:

Case Based Reasoning Approach to Intrusion Detection Date: 3/14/2005 Dr. Seong-Moo Yoo Information Assurance Engineering Lab Electrical and Computer Engineering Dept. – PowerPoint PPT presentation

Number of Views:117
Avg rating:3.0/5.0
Slides: 25
Provided by: mohammad
Learn more at: https://www.csm.ornl.gov
Category:

less

Transcript and Presenter's Notes

Title: Case Based Reasoning Approach to Intrusion Detection


1
Case Based Reasoning Approach to Intrusion
Detection
  • Date 3/14/2005
  • Dr. Seong-Moo Yoo
  • Information Assurance Engineering Lab
  • Electrical and Computer Engineering Dept.
  • University of Alabama in Huntsville

2
Current IDS Systems
  • Existed IDS systems are mostly static.
  • Tracks known attacks signatures.
  • Any recognized attack is blocked from entering
    the protected system.
  • Other traffic (friendly and unknown) are
    permitted to access the system.
  • Malicious traffic are mostly of unknown signature
    type, so it will not trigger IDS
  • Motivation for dynamic approach.

3
Current ID approaches and CBR
  • Knowledge-based approaches
  • very efficient in detecting intruders of the type
    known previously, but ineffective against new
    forms of threat.
  • Behavior-based approaches
  • it has the potential for guarding against
    previously unknown types of threats, is not as
    precisely efficient.
  • CBR can be considered as a mix of these
    approaches (fuzzy approach)

4
Proposed CBR Approach
  • Goal transition from a philosophy that denies
    known threats to one that permits confirmed
    friends.
  • Dynamic, real-time detection of friends and
    attacks traffic pattern within evolving
    environment.
  • Completely in software.

5
CBR (contd)
  • CBR encompasses three-pronged innovation
  • A proviso for explicit identification of true
    friends in addition to the traditional
    identification of known threats.
  • The use of CBR, hitherto not employed within the
    Intrusion Detection environment, to accomplish
    this goal.
  • An unique ongoing learning capability that
    enhances CBR to self-learn new threats as they
    arise.

6
(No Transcript)
7
CBR Steps
  1. Identify a viable technique to characterize a
    known set of threat signatures,
  2. Develop a similar technique to characterize known
    friend signatures,
  3. Incorporate threat intrusion detection,
  4. Incorporate true friend detection, and
  5. Develop/demonstrate methodology to analysis of
    unknown signatures.

8
CBR Step 1
  • Recognizes that a growing threat signatures
    database exists.
  • The goal here to
  • conduct an analysis to classify these known
    threats into logical groups,
  • characterize the key parameters that define each
    group, and
  • determine an acceptable set of tolerances that
    can be used to classify unknown signatures as
    likely threats.

9
CBR Step 2 3
  • Step 2 runs parallel to Step 1 with
    classification, characterization and tolerance
    definition determined for all known true friend
    signatures. Where an existing database will
    drive threat signature characterization, it is
    recognized that, for a given information system,
    known friend signatures must be initially
    decoded.
  • Step 3 incorporates an existing IDS into the
    process.

10
CBR Step 4
  • Enhances the achievable level of information
    assurance by adding a filtering process that
    allows only traffic confirmed as friendly into
    the protected system.
  • Operating together, the modified IDS (Threat) and
    newly established true-friend detector filter
    known threat and unknown traffic.

11
CBR Step 5
  • Facilitates the ongoing learning noted earlier by
    first analyzing the filtered unknown signatures
    for the existence of inherent, similarly
    characterized clusters.
  • The goal of this analysis is to expand threat and
    friendly signature databases via the CBR based
    evaluation described above.

12
Three General Clusters
  • Likely friend
  • Likely threat
  • Continued unknown.
  • the threshold mechanism will assess if the
    closeness is sufficient enough to be truly
    normal, or if there is ground to suspect a case
    normal behavior impersonation.

13
Other Jobs to Be Done
  • Conduct a review of the arenas state of the art
    capabilities to ensure no reinvention of the
    wheel occurs and that funding is utilized
    judiciously to meet the program objectives
  • The potential for exploiting the synergy between
    our proposed approach and other techniques
    currently in use will also be investigated
  • Our expertise in the field of information and
    decision fusion will be utilized in exploiting
    this synergy between the approaches

14
Jobs to Be Done (cont.)
  • An enhanced IDS that will
  • Identify incoming message streams as true
    friends, true threats, and unknowns.
  • Use CBR, for the first time, to accomplish this
    portioning.
  • Incorporate an unique ongoing learning capability
    that enhances CBR to self-learn new threats and
    friends as they arise.

15
Concept Demonstration
  • Up-to-date databases of known threat and true
    friend mechanisms can be identified.
  • System specific true friend and known threat
    signatures will then be classed, characterized
    and tolerance limits defined.
  • The resulting threat signature knowledge will
    then be infused into an existing IDS (Threat)
    filter while the true friend signature
    characterizations will be packaged within a new
    true friend filter.
  • The proposed enhanced information assurance
    capability will then be demonstrated by
    subjecting the selected system to known threat as
    well as true friend and unknown signature
    traffic.

16
Support Component
  • To conduct this demonstration we need
  • access to the Government selected test system to
    identify a emulated network , sponsorship to
    examine an existing Government information
    assurance threat database, and a realistic
    (operational) message traffic characterization.

17
Evaluation
  • Performance evaluation of CBR will include
  • Comparison of effectiveness between this new IDS
    philosophy and current IDS capabilities. This
    comparison will measure such items as effect on
    protected systems operating speed and level of
    protection provided.
  • Measurement of the speed and effectiveness of the
    True Friend Detection System (Step 4).
  • Measurement of the speed and effectiveness of the
    Analysis of Unknowns (Step 5).

18
Intrinsic Merit
  • This project will help to better protect critical
    computer networks through an enhanced intrusion
    detection approach.
  • Transition from denies known threats to
    permits only confirmed friends.
  • Threshold mechanism on top of the CBR closest
    match identifying process

19
Expected Results
  • This effort will provide proof of principle to
    the proposed IDS philosophy.
  • The RD is expected to lead to a feasible set of
    real-time algorithms that admit only confirmed
    friend while blocking known threat and unknown
    traffic.
  • Ongoing learning will also demonstrate as unknown
    traffic is properly classified and added to the
    respective databases.
  • A laboratory demonstration will facilitate the
    evaluation metrics.

20
Program Description
  • Task 1 Known Threat Signature Characterization
  • A set of known threat signature will first be
    identified for the selected target network.
    These threats will be characterized to document
    the nature and catalogue identifying features.
  • Task 2 Known Friend Signature Characterization
  • A methodology for identifying and characterizing
    a set of known friend signatures will be
    developed and tested. The methodology will
    enhance the trusted network concept by
    documenting the nature and catalogue identifying
    features truly friendly message traffic for the
    selected network

21
Program Description (contd)
  • Task 3 Threat Intrusion Detection
  • The results of task 1 will be incorporated into a
    Threat IDS package and tested to ensure that
    known threats are blocked based on the identified
    signature characterization.
  • Task 4 True Friend Detection
  • The results of task 2 will be incorporated into a
    Friendly IDS package and tested to ensure that
    known friendly message traffic are passed to the
    target network based on positive matching to the
    identified friendly signature characterization.

22
Program Description (contd)
  • Task 5 Analysis of Unknown Signatures
  • CBR based screening process will first be used to
    identify probable threat and friendly traffic.
    This traffic will be passed, to the threat
    signatures data base and on to the targeted
    network.

23
Project Schedule
Task 1 Known Threat Signature Characterization Ta
sk 2 Known Friend Signature Characterization Task
3 Threat Intrusion Detection Task 4 True
Friend Detection Task 5 Analysis of Unknown
Signatures Task 6 Reporting
24
References
  • D. A. Frinckea and M. -Y. Huang, Recent advances
    in intrusion detection systems, Computer
    Networks, Vol. 34, No. 4, pp. 541-545, October
    2000.
  • H. Debar, M. Dacier and A. Wespi, Towards a
    Taxonomy of Intrusion-Detection Systems,
    Computer Networks, Volume 31, Issue 8, pp.
    805-822, 23 April 1999.
  • B. V. Dasarathy, Nearest Neighbor (NN) Norms - NN
    Pattern Classification Techniques, IEEE Computer
    Society Press, Los Alamitos, CA., 1991.
  • B. V. Dasarathy, Nosing Around the Neighborhood
    - A New System Structure and Classification Rule
    for Recognition in Partially Exposed
    Environments, IEEE Transactions on Pattern
    Analysis and Machine Intelligence, Vol. PAMI-2,
    No. 1, pp. 67-71, January 1980.
  • B. V. Dasarathy, There Goes the Neighborhood -
    An ALIEN Identification Approach to Recognition
    in Partially Exposed Environments, Proceedings
    of the 5th International Conference on Pattern
    Recognition, pp. 91-93, December 1980
Write a Comment
User Comments (0)
About PowerShow.com