
Fusing Multiple Sensors to Detect Network Traffic Anomalies - A Control Theoretic Model
Mahsa Kiani, Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani
Faculty of Computer Science, UNB Fredericton

1. Introduction

Intrusion Detection Systems (IDSs), special-purpose devices for detecting network anomalies and attacks, generally use one of two approaches: misuse detection and anomaly detection. Misuse detection searches for evidence of attacks using the signatures of known attacks. Anomaly detection builds a model of normal behaviour and treats any deviation from that model as an attack or anomaly. Each approach has its own advantages and disadvantages. Misuse detection offers good accuracy, a low false alarm rate, and enough information about the type of attack detected for the system administrator to act on; its drawbacks are the difficulty of gathering the required information about known attacks and of keeping it up to date as new vulnerabilities appear. The main advantage of anomaly detection over misuse detection is that it can detect attempts to exploit new and unforeseen vulnerabilities; however, it has a high false alarm rate.

2. Motivation

To combine the advantages of misuse and anomaly detection, hybrid detection has been proposed. Two ways of combining IDSs currently exist: sequence based (Figure 1) and parallel based (Figure 2). Sequence based approaches may not cover all attack types, because the first stage filters out traffic (malicious or normal) before the second stage sees it, and the sequential processing prolongs detection and makes real-time detection impossible. Parallel based hybrid IDSs, in contrast, cover a wide range of intrusions and have the potential to detect previously unknown attacks. One of the biggest challenges for parallel based IDSs is how to make accurate inferences that minimize the number of false alarms and maximize detection accuracy.

3. General Architecture of the Proposed Detection Framework

[Figure: raw packets pass through feature analysis, which produces features based on flows; these are fed to a multi-sensor IDS made up of Sensor 1, Sensor 2, ..., Sensor m. Each sensor's per-feature outputs are weighted by its trust-reputation weights (TRW) and summed (ΣS), and the sensor outputs are combined into flows with attacking probabilities. FACount, the number of false alerts, feeds back into the TRW values through the penalty factor.]

4. Formalized Model for Multi-Sensor IDS

In the model, F( , ..... ) refers to features, which may be based on flows, packets, host logs, firewall/alert events, traffic behaviour or biometrics. Detection sensors are denoted S (S1, S2, S3, ..., Sm), comprising m different intrusion detection algorithms. TRW refers to the Trust-Reputation Weight matrix, which measures the credibility of each sensor's decisions. In particular, TRW_{Sj}^{fi} is the trust-reputation weight for feature fi in sensor Sj, and a separate quantity denotes the attacking probability generated by feature fi at detection sensor Sj. FACount is the number of false alerts obtained from historical alerting reports. Based on FACount, a penalty factor and a reward factor adjust the values of RW_{fi}^{Sj} (the per-feature weight) and RW_{Sj} (the per-sensor weight) so as to minimize FACount.

5. Experimental Results

The proposed multi-sensor IDS was evaluated on the full 1999 DARPA intrusion detection dataset, using network flow data for each day. Fifteen features describe the traffic behaviour on the network (Table I). Two detectors are used: one based on the non-parametric Cumulative SUM (CUSUM) algorithm and one based on Expectation-Maximization (EM) clustering. The historical reputation matrix is set up from each detector's detection rate (DR) and false positive rate (FPR) over a long history, and the ratio DR/FPR is used to measure the performance of each detector. The average DR, FPR and DR/FPR for each feature over 9 days are listed for both detectors in Table II and Table III. The hybrid system generated 105 correct alerts, fewer than the 161 correct alerts generated by the EM clustering detector alone. The hybrid system reported 189 false alerts, however, far fewer than the 799 false alerts reported by the clustering detector.

6. Conclusions

Although the hybrid system reports fewer correct alerts than one of the individual detectors (105 versus 161), it cuts the number of false alerts to roughly 24% of that detector's count (189 versus 799). Future work consists of using more detectors, developing more evaluation metrics to judge the fusion performance, and improving the system through dynamic programming.
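The trust-reputation fusion of Section 4 and the feedback loop of Sections 3 and 5, as an added worked example in Python. This is not the authors' code: the poster names the ingredients (per-sensor, per-feature TRW weights, a per-feature attacking probability, FACount, penalty and reward factors, a DR/FPR reputation history) but gives no equations, so the CUSUM scoring, the DR/FPR normalisation, the weighted-sum fusion rule and the penalty/reward update below are assumptions. The sensor names, feature names, DR/FPR figures and traffic series are constructed for the demonstration.

```python
"""Multi-sensor alert fusion with trust-reputation weights and FACount feedback.

Added example; every formula is an assumption, not the poster's model.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


def cusum_sensor(series, train_len, drift=1.0, threshold=4.0):
    """One-sided non-parametric CUSUM over a single flow feature.

    The first `train_len` samples are the normal baseline.  Each sample is
    standardised, a drift term is subtracted so normal noise does not pile
    up, and the sum resets to zero when negative.  The attacking probability
    is 0 below `threshold` and grows with the distance past it, saturating
    at 1 (assumed mapping from CUSUM statistic to probability).
    """
    base = series[:train_len]
    mu, sigma = mean(base), pstdev(base) or 1.0   # guard a constant baseline
    s, probs = 0.0, []
    for x in series:
        s = max(0.0, s + (x - mu) / sigma - drift)
        probs.append(0.0 if s <= threshold else min(1.0, (s - threshold) / threshold))
    return probs


@dataclass
class FusionIDS:
    """Parallel fusion of m sensors over n features with a TRW matrix."""
    sensors: list
    features: list
    trw: dict                    # trw[sensor][feature] -> weight in [w_min, 1]
    penalty: float = 0.8         # scales pairs that fired on a false alert
    reward: float = 1.1          # scales pairs that fired on a confirmed alert
    alert_threshold: float = 0.5
    w_min: float = 0.05
    fa_count: int = 0            # FACount: confirmed false alerts so far

    @classmethod
    def from_history(cls, sensors, features, dr, fpr, **kw):
        """Initialise TRW from historical DR/FPR, scaled so the best pair is 1.0."""
        ratio = {s: {f: dr[s][f] / max(fpr[s][f], 1e-6) for f in features} for s in sensors}
        top = max(ratio[s][f] for s in sensors for f in features)
        return cls(sensors, features,
                   {s: {f: ratio[s][f] / top for f in features} for s in sensors}, **kw)

    def fuse(self, probs):
        """probs[sensor][feature] -> attacking probability for one flow.

        Per feature: TRW-weighted sum across sensors, clipped to 1.  The flow
        score is the strongest feature.  Returns (score, alert_raised).
        """
        per_feature = [min(1.0, sum(self.trw[s][f] * probs[s][f] for s in self.sensors))
                       for f in self.features]
        score = max(per_feature)
        return score, score >= self.alert_threshold

    def feedback(self, probs, is_false):
        """Analyst verdict on an alert: rescale the weights of the pairs that fired.

        A false alert increments FACount and applies the penalty factor; a
        confirmed alert applies the reward factor.  Weights stay in [w_min, 1]
        so no sensor can vanish or dominate permanently.
        """
        factor = self.penalty if is_false else self.reward
        self.fa_count += int(is_false)
        for s in self.sensors:
            for f in self.features:
                if probs[s][f] > self.alert_threshold:
                    self.trw[s][f] = min(1.0, max(self.w_min, self.trw[s][f] * factor))


def demo():
    """Constructed data: two sensors, two flow features, one CUSUM-monitored series."""
    sensors, features = ["cusum", "em"], ["pkts_per_flow", "bytes_per_flow"]
    dr = {"cusum": {"pkts_per_flow": 0.8, "bytes_per_flow": 0.6},   # constructed, not Table II/III
          "em": {"pkts_per_flow": 0.9, "bytes_per_flow": 0.9}}
    fpr = {"cusum": {"pkts_per_flow": 0.1, "bytes_per_flow": 0.1},
           "em": {"pkts_per_flow": 0.4, "bytes_per_flow": 0.2}}
    ids = FusionIDS.from_history(sensors, features, dr, fpr)
    series = [10, 11, 9, 10] * 5 + [30, 32, 31, 33, 30]              # 20 normal samples, then a burst
    cusum_probs = cusum_sensor(series, train_len=20)
    weak = {"cusum": {"pkts_per_flow": 0.0, "bytes_per_flow": 0.0},  # only the noisy EM detector fires
            "em": {"pkts_per_flow": 1.0, "bytes_per_flow": 0.0}}
    both = {"cusum": {"pkts_per_flow": 0.6, "bytes_per_flow": 0.0},  # both fire; analyst rules it false
            "em": {"pkts_per_flow": 1.0, "bytes_per_flow": 0.0}}
    weak_result, first = ids.fuse(weak), ids.fuse(both)
    for _ in range(3):
        ids.feedback(both, is_false=True)
    return ids, cusum_probs, weak_result, first, ids.fuse(both)


if __name__ == "__main__":
    ids, cusum_probs, weak_result, first, after = demo()
    print("burst sample CUSUM probability:", cusum_probs[20])
    print("EM alone:", weak_result, "| both sensors:", first)
    print("same flow after %d false alerts:" % ids.fa_count, after)
```

The point the numbers make is the poster's: a low-reputation sensor firing alone cannot raise an alert, and a (sensor, feature) pair that keeps producing confirmed false alerts loses weight until the same evidence no longer crosses the alert threshold, which is how FACount is driven down at the cost of some correct alerts.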
