1 / 18

Reducing false positives in intrusion detection systems by means of frequent episodes

Reducing false positives in intrusion detection systems by means of frequent episodes. Lars Olav Gigstad. Intrusion Detection. Signatures poorly describe the attack making them trigger on benign traffic as a result. Processing time restrictions often leads to shortcuts.

makana
Download Presentation

Reducing false positives in intrusion detection systems by means of frequent episodes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Reducing false positives in intrusion detection systems by means of frequent episodes Lars Olav Gigstad

  2. Intrusion Detection • Signatures poorly describe the attack making them trigger on benign traffic as a result. • Processing time restrictions often leads to shortcuts. • Writing correct signatures is a difficult task. • Signatures triggers on rare or suspicious traffic. • Trigger on low-level phenomenas.

  3. Research Questions • Can alerts effectively be correlated with frequent episodes? • How effective is false positive reduction?

  4. Data Gathering • KDD Cup ’99 • 5 Weeks of traffic data. • 2 attack free weeks. • Honeynet • 3 computers • Apache • FTP • SQL Server • Automated attacks

  5. System Overview IDS Alert log Filter Output Accepted Rules Data mining Rules

  6. Data Mining • Data preperation: • Parse SNORT alert log • Parse BRO alert log • Data mining: • Phase 1: Frequent episodes. • Phase 2: Remove unwanted episodes. • Phase 3: Attribute rules • Analysis: • Present rules

  7. Data Preperation [**] [1:1200:10] ATTACK-RESPONSES Invalid URL [**] [Classification: Attempted Information Leak] [Priority: 2] 03/01-15:28:08.918757 207.200.75.201:80 -> 172.16.117.132:6243 TCP TTL:63 TOS:0x0 ID:7669 IpLen:20 DgmLen:473 DF ***AP*** Seq: 0xC832EB1A Ack: 0xA5904714 Win: 0x7FE0 TcpLen: 20 [Xref => http://www.microsoft.com/technet/security/bulletin/MS00-063.mspx]

  8. Data Preperation • Alert attributes • ID, the type of alert. • Source IP. • Destination IP. • Source port. • Destination port. • TTL, time to live. • IP, size of IP header in bytes. • Dgmlen, size of packet in bytes. • Time, time of occurrence.

  9. Data Mining • Data preperation: • Parse SNORT alert log • Parse BRO alert log • Data mining: • Phase 1: Frequent Episodes. • Phase 2: Remove unwanted episodes. • Phase 3: Attribute rules • Analysis: • Present rules

  10. Frequent Episodes • Events: • Single action • Alarm • System input • Sequence of events

  11. Frequent Episodes • Episode: a collection of event. • Episode Types: • Parallell • Serial • Complex A A A C C B B

  12. Frequent Episodes Episode: Subepisodes: A B C A B A C B C

  13. Attribute Rules • Intra-episode rules • A.SourceIP = B.SourceIP • A.DestinationIP = B.DestinationIP • Inter-episode rules • A.DestinationPort = 80 A B

  14. Data Mining • Data preperation: • Parse SNORT alert log • Parse BRO alert log • Data mining: • Phase 1: Frequent Episodes. • Phase 2: Remove unwanted episodes. • Phase 3: Attribute rules • Analysis: • Present rules

  15. Data Mining • Data preperation: • Parse SNORT alert log • Parse BRO alert log • Data mining: • Phase 1: Frequent Episodes. • Phase 2: Remove unwanted episodes. • Phase 3: Attribute rules • Analysis: • Present rules

  16. Rules Generated IF [1:1013:11] THEN [1:1012:12] conf(0.353) freq(0.006) [1:1288:10] IF [1:1013:11] [1:1012:12] THEN [1:1288:10] conf(1.0) freq(0.006) [1].src = [2].src = [3].src [1].dst = [2].dst = [3].dst [1].src_port = [2].src_port = [3].src_port [1].dst_port = [2].dst_port = [3].dst_port [1].ttl = [2].ttl = [3].ttl [1].dgmlen = [2].dgmlen = [3].dgmlen [1].dst_port = 80 [2].dst_port = 80 [3].dst_port = 80 [1].ttl = 64 [2].ttl = 64 [3].ttl = 64 [1].src = 172.16.115.87 [2].src = 172.16.115.87 [3].src = 172.16.115.87 [1].dst = 209.61.100.129 [2].dst = 209.61.100.129 [3].dst = 209.61.100.129 IF [1:1149:13] THEN [1:1149:13] conf(0.53) freq(0.007) [1].src = [2].src [1].dst = [2].dst [1].dst_port = E[2].dst_port [1].ttl = E[2].ttl [1].dst_port = 80 [2].dst_port = 80 [1].ttl = 64 [2].ttl = 64

  17. Results Week 1 Week 4

  18. Questions?

More Related