Information Integration and Assurance Laboratory IEE594 Presentation

Xiangyang Li

Dept. of Industrial Engineering

Arizona State University Box 875906, Tempe, AZ 85287-5906, USA


Current People

  • Director

    Dr. Nong Ye

  • Students

    Master:

    Syed Masum Emran

    Ph.D.:

    Qiang Chen

    Xiangyang Li

    Mingming Xu

    Dawei Zhang

    Yebin Zhang


Current Researches

  • Information security

    Intrusion detection technology study

  • Supply chain - Business School

    Enterprise modeling and simulation


Intrusion Detection Technology

Application of Decision Tree Classifier


Intrusion Detection - Defensive System

  • Security Policy

    • What should we protect?

  • Prevention

    • How can we prevent an intrusion?

  • Detection

    • If there is an intrusion, how can we detect it?

  • Response/Recovery

    • If we detect an intrusion, how can we respond? How can we recover the system from the damage?


Intrusion Detection - Methods

  • Norm-based Approach

    • Statistical-based Techniques (SPC)

      • Build up a norm profile with statistical methods

    • Specification-based Techniques (ANN, BN,...)

      • Build up a norm profile with rules and logical specification

  • Signature-based Approach (DT, Clustering,...)

    • Recognize pre-defined intrusion signatures in system activities.


Problem Definition(1)

  • Intrusion Detection

    Normality profile method

    Signature recognition method

    • The decision tree technique can build the signatures of normal activities and attacks automatically. Each path of the tree corresponds to a signature.

    • Each leaf represents an IW value. Each leaf corresponds to a specific state of the system.


Problem Definition(2)

BSM audit event from Solaris (one record):

    event 217
    auid -2
    euid 0
    egid 0
    ruid 0
    rgid 0
    pid 96
    sid 0
    RemoteIP 0.0.0.0
    time 897047263
    error_message 91
    process_error 0
    retval 0
    attack 0

  • Target variable

    Label : 0 - normal activity, 1 - attack

    IW (Intrusion Warning) : 0 - 1

  • Predictor variables

    Only use the information of event type (284 event types - Solaris 2.7).

  • Data sets

    Training data set

    Testing data set


Problem Definition(3)

  • Decision tree algorithms

    • GINI and CHAID (Answer Tree - SPSS Inc.)

  • Analysis of testing results

    • Comparison of Mean, Max and Min of IW values between normal and attack events.

    • ROC (Receiver Operating Characteristic) curve with hit rates and false alarm rates based on the predicted IW values and the true Label values.
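As an added example (not code from the presentation or the IIA laboratory), the analysis the slide describes on a constructed set of eight scored events: mean/max/min of the predicted IW per class, and the ROC points as (threshold, false alarm rate, hit rate) against the true Labels. It also reports the area under the curve, which the slide does not mention.

```python
"""Evaluate predicted IW values against true Labels: per-class summary and ROC.
The data below is constructed, not from the presentation's experiments."""
from typing import Dict, List, Tuple


def class_summary(iw: List[float], labels: List[int]) -> Dict[int, Dict[str, float]]:
    """Mean, max and min of the IW values for normal (0) and attack (1) events."""
    summary = {}
    for cls in (0, 1):
        vals = [v for v, lab in zip(iw, labels) if lab == cls]
        summary[cls] = {"mean": sum(vals) / len(vals), "max": max(vals), "min": min(vals)}
    return summary


def roc_points(iw: List[float], labels: List[int]) -> List[Tuple[float, float, float]]:
    """(threshold, false alarm rate, hit rate) for each distinct IW threshold.
    An event is flagged as an attack when its predicted IW >= threshold, so
    hit rate = flagged attacks / all attacks and
    false alarm rate = flagged normal events / all normal events."""
    n_attack = sum(labels)
    n_normal = len(labels) - n_attack
    points = []
    for thr in sorted(set(iw), reverse=True):
        hits = sum(1 for v, lab in zip(iw, labels) if v >= thr and lab == 1)
        false_alarms = sum(1 for v, lab in zip(iw, labels) if v >= thr and lab == 0)
        points.append((thr, false_alarms / n_normal, hits / n_attack))
    return points


def roc_area(points: List[Tuple[float, float, float]]) -> float:
    """Area under the ROC curve by the trapezoid rule; 0.5 is chance, 1.0 is perfect."""
    curve = sorted([(0.0, 0.0)] + [(fa, hit) for _, fa, hit in points] + [(1.0, 1.0)])
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(curve, curve[1:]))


# Constructed test-set output: one predicted IW per audit event and its true Label.
SAMPLE_IW = [0.05, 0.10, 0.20, 0.40, 0.60, 0.85, 0.90, 0.95]
SAMPLE_LABELS = [0, 0, 0, 1, 0, 1, 1, 1]

if __name__ == "__main__":
    for cls, stats in class_summary(SAMPLE_IW, SAMPLE_LABELS).items():
        print("attack" if cls else "normal", stats)
    pts = roc_points(SAMPLE_IW, SAMPLE_LABELS)
    for thr, fa, hit in pts:
        print(f"IW >= {thr:.2f}: false alarm rate {fa:.2f}, hit rate {hit:.2f}")
    print("area under ROC:", roc_area(pts))
```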


Single-event Decision Tree Classifier

  • Single-event classifier

    • Label -> target variable

    • Event type -> the only predictor variable


Result Analysis(1)


Result Analysis(2)


EWMA Vectors

We use one variable to represent one event type. Then there are 284 variables for the 284 event types. In our sample data set there are 49 variables. We use these variables as the predictor variables. Each variable is calculated for each event as:

if the audit event at time t belongs to the ith event type

if the audit event at time t is different from the ith event type
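An added example, not the presentation's own code: building the EWMA vector (one variable per event type) from a stream of audit events and pairing each vector with the event's Label. The slide's update equation did not survive extraction, so the standard EWMA form with a 0/1 indicator is assumed, x_i(t) = lam * I_i(t) + (1 - lam) * x_i(t-1), where I_i(t) is 1 when the event at time t has type i and 0 otherwise; the smoothing constant and the 4-type alphabet are assumptions as well.

```python
"""EWMA vectors over a stream of audit events (assumed update form, see lead-in)."""
from typing import List, Tuple

LAMBDA = 0.3  # smoothing constant; assumed, the slide does not state it


def ewma_vectors(events: List[int], n_types: int, lam: float = LAMBDA) -> List[List[float]]:
    """One EWMA variable per event type, updated at every audit event.
    events: the event-type id of each audit event, in time order.
    Returns the vector after each event; row t is the predictor vector for event t.
    Variable i moves toward 1 when the event is of type i and decays toward 0 otherwise."""
    x = [0.0] * n_types
    rows = []
    for etype in events:
        x = [lam * (1.0 if etype == i else 0.0) + (1.0 - lam) * x[i] for i in range(n_types)]
        rows.append(list(x))
    return rows


def ewma_training_rows(events: List[int], labels: List[int], n_types: int,
                       lam: float = LAMBDA) -> List[Tuple[List[float], int]]:
    """Pair each EWMA vector with the Label of the event that produced it,
    giving (predictor vector, target) rows for a decision tree classifier."""
    return list(zip(ewma_vectors(events, n_types, lam), labels))


# Constructed stream with 4 event types instead of Solaris 2.7's 284; Label 0/1.
SAMPLE_EVENTS = [2, 2, 0, 2, 1, 1, 1]
SAMPLE_LABELS = [0, 0, 0, 0, 1, 1, 1]

if __name__ == "__main__":
    for vec, lab in ewma_training_rows(SAMPLE_EVENTS, SAMPLE_LABELS, n_types=4):
        print([round(v, 3) for v in vec], "label", lab)
```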


Result Analysis(3)


Result Analysis(4)


Moving Window


“Existence” and “Count” Classifiers

  • “Existence”

    In the transferred data set, variable i records whether event type i exists in the current moving window.

  • “Count”

    In the transferred data set, variable i records how many times event type i appears in the current moving window. We use this one in the moving-window classifiers on event types.

  • Truncation

    Remove the part of the transferred data that includes both normal and attack events.
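An added example (not from the presentation) of the transfer step described above: sliding a window over an audit-event stream, producing an "Existence" or "Count" row per window, and applying truncation by dropping windows that mix normal and attack events. The window width, the 4-type alphabet and a step of one event are assumptions.

```python
"""Moving-window "Existence" and "Count" rows with truncation (constructed data)."""
from typing import List, Tuple

Row = Tuple[List[int], int]  # (one variable per event type, Label)


def window_rows(events: List[int], labels: List[int], n_types: int,
                width: int, mode: str = "count") -> List[Row]:
    """Slide a window of `width` consecutive events over the stream (step 1).
    mode "existence": variable i is 1 if event type i occurs in the window, else 0.
    mode "count":     variable i is the number of times event type i occurs.
    Truncation: a window containing both normal and attack events is dropped,
    so every remaining row carries the single Label shared by its events."""
    if mode not in ("existence", "count"):
        raise ValueError("mode must be 'existence' or 'count'")
    rows: List[Row] = []
    for start in range(len(events) - width + 1):
        window_labels = set(labels[start:start + width])
        if len(window_labels) > 1:
            continue  # mixed normal/attack window: truncated
        vec = [0] * n_types
        for etype in events[start:start + width]:
            vec[etype] = 1 if mode == "existence" else vec[etype] + 1
        rows.append((vec, window_labels.pop()))
    return rows


# Constructed stream: 4 event types (not 284), normal events followed by an attack.
SAMPLE_EVENTS = [0, 1, 1, 2, 3, 3, 1]
SAMPLE_LABELS = [0, 0, 0, 0, 1, 1, 1]
WIDTH = 3

if __name__ == "__main__":
    for mode in ("existence", "count"):
        print(mode)
        for vec, lab in window_rows(SAMPLE_EVENTS, SAMPLE_LABELS, 4, WIDTH, mode):
            print("  ", vec, "label", lab)
```

With a width of 3 the stream yields five windows, of which the two straddling the normal/attack boundary are truncated.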


Result Analysis(5)


Result Analysis(6)


Layered Classifiers


Result Analysis(7)


Result Analysis(8)


Result Analysis(9)


Conclusions and Problem

Conclusions

  • DTCs show promising performance in the intrusion detection application.

  • The performance of a DTC depends on its design, i.e. the choice of predictor variables and target variable.

  • Different decision tree algorithms impact the results.

Problem

  • Computational feasibility

    • Incremental training ability (ITI)

    • Scalable/Parallel/Database (ScalParC)

    • Bagging and Boosting?


END

  • Other works - http://iia.eas.asu.edu/