Embeddable Hybrid Intrusion Detection System (HybrIDS)

Adrian P. Lauf, William H. Robinson, Vanderbilt University Institute for Software Integrated Systems

Richard A. Peters, Vanderbilt University Center for Intelligent Systems

Project Description

  • Security Scenario: a network of aircraft shares position and mission information

    • A deviant node exists

    • The deviant node behaves differently from its peers

    • Connected aircraft record the activities they observe

    • Each node is fitted with an embedded IDS

  • Method: develop a hybridized system to provide high-level analysis of interactions in a homogeneous device network

    • An activity profile is established for each node

    • Machine learning techniques are used to build the node profiles

    • Profiles are analyzed by the IDS engine

    • First phase provides fast, single-anomaly detection

    • Second phase requires tuning, detects multiple anomalies

Cross-Correlative IDS (CCIDS)

[Figure: CCIDS score plot; legend: Mean Score Line, Suspect Node]

  • Phase 2: Cross-Correlation Analysis

    • Individual PDFs correlated against average PDF

    • Individual scores analyzed against average score

      • Average score computed from space of all cross-correlated scores

  • Threshold Requirements

    • A threshold is required before a score is suspected as deviant

    • Threshold requirement changes according to deviant node pervasion (percentage of deviant nodes in collective)

  • Improper threshold yields false positives

    • Threshold is application-sensitive

    • Must be set prior to IDS run (if CCIDS used alone)

[Figure: score vs. node number with threshold bounds; timeline: Phase 1, Phase 2, time progression]

Maxima Detection (MDS)

  • Phase 1: Maxima Analysis

  • Interactions are represented by classifiers (abstracted integer labels)

  • A probability density function is computed over the classifier labels

  • Maxima analysis begins

    • Global maximum excluded

    • Local maxima identified

    • The highest local maximum that crosses the threshold likely represents deviance

    • Deviant node isolated by reverse-mapping the deviant classifier to its source node

HybrIDS Performance

  • Step 1: MDS runs, possibly detects a single deviant node

  • Step 2: Transition phase starts CCIDS

  • Step 3: Thresholds tuned until CCIDS agrees with MDS

  • Step 4: CCIDS now tuned properly, detects multiple deviant nodes

  • System can reliably detect deviant nodes up to 22% deviant node pervasion

  • System performance scales according to deviant node pervasion

    • Size of the node cluster has no effective impact on scalability, ensured by computational management methods

  • Operates on a 5-watt footprint (maximum)

  • Requires 700 KB of memory, not including the JVM
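The MDS phase, the CCIDS cross-correlation and threshold analysis, and the Step 1 to Step 4 handoff between them, as an added Python illustration. This is not the HybrIDS code (the poster describes a JVM implementation and none of its source is on this page). Everything concrete here is an assumption made for the example: the constructed classifier sequences, cosine similarity as the zero-lag normalized cross-correlation score, a flat per-classifier mass threshold for MDS, an absolute-deviation-from-mean-score rule for CCIDS, a 0.02 tuning step, and an "agrees with MDS" rule meaning the CCIDS suspect set contains the MDS node and stays within the 22% pervasion bound the poster reports.

```python
"""Toy HybrIDS: MDS (Phase 1) anchors the tuning of CCIDS (Phase 2).
Added illustration, not the authors' code; data and rules are assumptions."""
from math import sqrt

# Constructed sample data: each node reports a sequence of interaction
# classifiers (abstracted integer labels). Eight nodes behave normally;
# nodes 3 and 7 are deviant (20% pervasion, inside the 22% bound).
NORMAL = [2, 2, 2, 2, 1, 1, 3, 3, 0, 4]
DEVIANT_A = [12, 12, 12, 12, 12, 12, 2, 1, 3, 2]  # floods a rare classifier
DEVIANT_B = [9, 9, 9, 9, 9, 2, 2, 2, 1, 3]        # floods a different one
NETWORK = [DEVIANT_A if i == 3 else DEVIANT_B if i == 7 else list(NORMAL)
           for i in range(10)]


def pdf(labels, size):
    """Empirical probability density over the classifier label space."""
    counts = [0] * size
    for lab in labels:
        counts[lab] += 1
    return [c / len(labels) for c in counts]


def node_pdfs(network):
    size = max(max(seq) for seq in network) + 1
    return [pdf(seq, size) for seq in network]


def mds(network, mass_threshold=0.02):
    """Phase 1: maxima detection on the aggregate PDF. Returns the index of
    one suspect node, or None. Finds at most one node by design."""
    pdfs = node_pdfs(network)
    agg = pdf([lab for seq in network for lab in seq], len(pdfs[0]))
    global_max = max(range(len(agg)), key=agg.__getitem__)
    local_maxima = []
    for i, mass in enumerate(agg):
        left = agg[i - 1] if i > 0 else 0.0
        right = agg[i + 1] if i + 1 < len(agg) else 0.0
        if i != global_max and mass > left and mass > right:
            local_maxima.append((mass, i))
    if not local_maxima:
        return None
    mass, label = max(local_maxima)          # highest local maximum
    if mass <= mass_threshold:               # assumed flat mass threshold
        return None
    # Reverse-map the suspicious classifier to the node emitting it most.
    return max(range(len(pdfs)), key=lambda n: pdfs[n][label])


def cosine(u, v):
    """Zero-lag normalized cross-correlation of two PDFs (assumed score)."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = sqrt(sum(a * a for a in u)) * sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def ccids(network, threshold):
    """Phase 2: correlate every node PDF against the average PDF, then
    compare each score with the mean score. A node whose score sits more
    than `threshold` away from the mean is a suspect (assumed rule)."""
    pdfs = node_pdfs(network)
    avg = [sum(col) / len(pdfs) for col in zip(*pdfs)]
    scores = [cosine(p, avg) for p in pdfs]
    mean_score = sum(scores) / len(scores)
    return sorted(n for n, s in enumerate(scores)
                  if abs(s - mean_score) > threshold)


def hybrids(network, step=0.02, max_pervasion=0.22):
    """Steps 1-4: run MDS, then raise the CCIDS threshold from zero until
    CCIDS agrees with MDS, i.e. its suspect set contains the MDS node and
    is no larger than the design pervasion bound. Returns (threshold, suspects)."""
    anchor = mds(network)
    if anchor is None:
        raise ValueError("MDS found no deviant node; nothing to tune against")
    limit = max_pervasion * len(network)
    for k in range(int(1 / step) + 1):
        threshold = k * step
        suspects = ccids(network, threshold)
        if anchor in suspects and len(suspects) <= limit:
            return threshold, suspects
    raise ValueError("CCIDS never agreed with MDS; re-examine the classifiers")


if __name__ == "__main__":
    print("MDS suspect:", mds(NETWORK))
    for t in (0.02, 0.10, 0.50):
        print(f"CCIDS at threshold {t:.2f}:", ccids(NETWORK, t))
    print("HybrIDS tuned (threshold, suspects):", hybrids(NETWORK))
```

Running it reproduces the threshold sensitivity the poster warns about: with the threshold at 0.02 CCIDS flags all ten nodes (false positives), at 0.10 it flags exactly nodes 3 and 7, and at 0.50 it flags nothing. MDS alone finds only node 3 (the single highest local maximum), and tuning against that anchor stops at 0.10, where CCIDS also exposes node 7. Rebuild the network with node 3 as the only deviant and the same loop stops at 0.06 instead: the normal nodes' scores sit closer to the mean when fewer deviants drag it down, which is the pervasion dependence of the threshold described above.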

[Figure: Abstraction Levels diagram; label: Implemented]

March 20, 2007

