
Embeddable Hybrid Intrusion Detection System

Adrian P. Lauf

Department of Electrical Engineering and Computer Science

Vanderbilt University

Embeddable Intrusion Detection System (IDS)
  • Scenario:
    • Identify a malicious agent in networked embedded systems while minimizing computational overhead
  • Research goals:
    • System-on-a-chip implementation
    • Minimal HW resource overhead
    • Consume low power
    • Provide flexibility for changes in the system
  • Method:
    • Develop a system that provides high-level analysis of interactions in a homogeneous device network
Embedded Device Outlook
  • Provide a hybrid detection system while minimizing performance impact
    • Reduces memory allocation requirements
  • HybrIDS performance depends on efficient management of computational cycles
  • Balancing computational requirements against accuracy gives performance suitable for embedded applications
  • Multiple interface compatibility
    • TCP/UDP network interface (UDP default)
    • Disk-based interface for simulation purposes
    • Serial I/O capability
  • Java 5 platform yields a portable embedded device platform
  • Optimized for an ARM9 development environment
Outline
  • Concept Primitives
    • Example Scenario
    • System-level abstraction
    • Computational Effort Management and Terminology
  • Maxima Detection System (MDS)
    • System configuration
    • Algorithmic Detail
    • Performance Assessment
  • Cross-Correlative Intrusion Detection System (CCIDS)
    • System Configuration
    • Detection Method
      • Score Analysis
    • Threshold Determination
  • Hybrid Intrusion Detection System (HybrIDS)
    • Transitioning Methodology
    • HybrIDS performance
    • System-level Implementation
  • Summary
What is a traditional IDS?
  • Classifies traffic patterns
  • Centralized point of analysis
    • Observation of data packets
    • Not context-sensitive
  • Packet analysis is compute intensive
  • Less effective for ad-hoc networks
A Decentralized Approach for Embedded Networks
  • Reduce dependence on a single system
  • Reduce power consumption
    • Reduce compute-intensive operations
  • Allows for group consensus decisions
    • Each unit maintains a model of the world
  • Reduces chance of tampering with a centralized system
Scenario: Autonomous Aircraft Network
  • A collection of several aircraft (i.e., agents)
  • A general mission or goal established
    • (e.g. reconnaissance)
  • Bidirectional communication between all agents
  • Inter-node communications can include:
    • Attitude/position requests
    • Grouping pattern requests
    • Obstacle Avoidance
    • Mission Updates
Simplifying by Abstraction
  • Actions classified by labels
  • Action histories recorded
    • Each node maintains action histories from its point of view
  • Abstraction permits context independence
    • Applicable to any system using predetermined actions
Computational Cycle Management
  • Scalability and Embedded Performance Aspects
    • Reduce computational intensity
    • Allow for node addition with minimal impact on performance
  • Terminology:
    • DPC – Data Processing Cycle
      • A computationally intensive cycle
      • Performs IDS analysis
    • DCC – Data Collection Cycle
      • Minimally computationally intensive
      • Executed for received transaction requests
Number of DCCs per DPC
  • Computed by
  • DPC executed upon reaching τ DCCs per node (on average)
  • More nodes yield a more accurate representation of the system
    • Requires fewer data points
    • Yields an earlier transition
Maxima Detection: Theory
  • Histograms formed for each connected node
    • Node A will track B, C, and D.
  • Average system behavior obtained by averaging across observed nodes
  • Bins correspond to action labels
  • Data must be normalized to a distribution
    • E.g. Gaussian, chi-squared

[Figure: one histogram per observed node (bins = labels, one row per node); summing the histograms and dividing by (n-1), i.e. Σ/(n-1), gives the average behavioral PDF for the system]

Maxima Detection Algorithm
  • Resultant vector yields an approximate PDF
  • Find the global maximum and exclude it
  • Identify and mark the local maxima
  • A local maximum indicates likely intrusion-motivated behaviors
  • Reverse-map this label to the node in which it occurs most frequently
MDS Identification Performance
  • Deviant Node Pervasion
    • Percentage of nodes in the cluster that are issuing malicious requests
  • MDS typically detects a deviant node within the first iteration
  • The detected node fluctuates within the set of deviant nodes
Cross Correlation
  • Cross-correlation technique generates individual profile scores
  • Each score is compared to the average score for the system PDF
  • Provides multiple-detection capability
  • Can induce false positives
    • False positives typically disappear after later iterations
    • Resolved by setting a proper threshold
Detection Method: Cross-correlation

[Figure: each node's histogram (bins = labels) is cross-correlated against the average PDF, Σ/(n-1) over the observed nodes, to produce that node's score]

Score Analysis
  • Average score is computed
  • Each score is compared to the average
  • Deviance determined by a threshold

[Figure: score plotted against node number, with the mean score line, the threshold bounds set around it, and the suspected deviant node falling outside them]

Threshold Requirements
  • Threshold varies for each scenario
    • Represents the percentage deviation required before a node is suspected
  • Variability of thresholds is a weakness of CCIDS
  • Can cause generation of false positives
    • Reduced by selecting a proper threshold
    • A minimal baseline threshold is possible, but then the system may never converge
Required Thresholds for Proper Detection (CCIDS)
  • Required threshold drops linearly with deviant node pervasion
  • Number of nodes has negligible impact on threshold requirements
  • 0.2 represents 100% deviation in the figure
    • Detects only nodes that vary significantly
  • 0.02 represents a 10% deviation
    • More sensitive to smaller node deviations
Why a hybrid approach?
  • MDS requires no training data
    • Can isolate a single anomaly
  • CCIDS requires training data
    • Can detect multiple anomalies
    • More flexible to system changes

[Figure: MDS runs first, then hands over to CCIDS, along the time/DCC progression axis]

How does HybrIDS Choose?
  • A HybridState object determines whether the transition point has been reached
  • If one of the results from CCIDS matches a suspected node from MDS, a match is considered found

Transitioning
  • Increasing the deviant node pervasion requires more tuning cycles
  • Threshold adjusted once per tuning cycle
  • Figure represents an average over all node-cluster sizes
    • Number of transition cycles is independent of node cluster size
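The decision pipeline described on the Abstraction, Computational Cycle Management, Maxima Detection, Cross Correlation, HybridState and Transitioning slides, as an added example; this is not the HybrIDS code from the presentation. The action labels, the score function (zero-lag cross-correlation of a node's histogram with the average PDF), the reading of the threshold as a relative deviation from the mean score, the tuning schedule (start high, lower by a fixed step once per cycle down to a floor) and the sample action histories are all assumptions made for illustration; the slides do not give these details.

```python
# Added example, not the HybrIDS code from the presentation: a toy in-memory model of
# the DCC/DPC split, Maxima Detection (MDS), Cross-Correlative detection (CCIDS) and
# the hybrid match rule. Labels, score function, threshold semantics, tuning
# schedule and the sample histories are assumptions made for illustration.
from collections import Counter

LABELS = ["ATTITUDE_REQ", "GROUPING_REQ", "AVOID", "MISSION_UPDATE"]  # assumed action labels


def histogram(history):
    """Per-node histogram over action labels, normalized to sum to 1 (a PDF estimate)."""
    counts = Counter(history)
    total = sum(counts[l] for l in LABELS) or 1
    return [counts[l] / total for l in LABELS]


def average_pdf(hists):
    """Average behaviour over the observer's peers (the slides' sum over the n-1 observed nodes)."""
    return [sum(h[i] for h in hists) / len(hists) for i in range(len(LABELS))]


def mds_suspect(observations):
    """Maxima Detection: exclude the global maximum of the average PDF, take the largest
    remaining local maximum, and reverse-map that label to the node that emits it most.
    observations maps peer -> list of labels seen from this node's point of view."""
    hists = {n: histogram(h) for n, h in observations.items()}
    avg = average_pdf(list(hists.values()))
    gmax = max(range(len(avg)), key=avg.__getitem__)
    idx = [i for i in range(len(avg)) if i != gmax]  # bins with the global max excluded
    peaks = [i for k, i in enumerate(idx)
             if avg[i] > 0
             and (k == 0 or avg[i] >= avg[idx[k - 1]])
             and (k == len(idx) - 1 or avg[i] >= avg[idx[k + 1]])]
    if not peaks:
        return None, None
    label = LABELS[max(peaks, key=avg.__getitem__)]
    node = max(observations, key=lambda n: observations[n].count(label))
    return node, label


def ccids_scores(observations):
    """Score per node: zero-lag cross-correlation of its PDF with the average PDF (assumed)."""
    hists = {n: histogram(h) for n, h in observations.items()}
    avg = average_pdf(list(hists.values()))
    return {n: sum(a * b for a, b in zip(h, avg)) for n, h in hists.items()}


def ccids_suspects(observations, threshold):
    """Flag every node whose score deviates from the mean score by more than `threshold`,
    read here as a relative deviation (0.2 = 20%); lower thresholds are more sensitive
    and, as the slides note, produce more false positives."""
    scores = ccids_scores(observations)
    mean = sum(scores.values()) / len(scores)
    if mean == 0:
        return set()
    return {n for n, s in scores.items() if abs(s - mean) / mean > threshold}


def hybrid_match(observations, threshold):
    """HybridState rule: a CCIDS result that matches the MDS suspect counts as a match."""
    node, _ = mds_suspect(observations)
    return node is not None and node in ccids_suspects(observations, threshold)


def tune_threshold(observations, start=0.5, step=0.05, floor=0.01):
    """Transition phase: lower the CCIDS threshold once per tuning cycle until CCIDS agrees
    with MDS. Returns (threshold, cycles); threshold is None when the floor is reached
    without agreement, the 'may never converge' case from the Threshold slide."""
    t, cycles = start, 0
    while t >= floor:
        cycles += 1
        if hybrid_match(observations, t):
            return t, cycles
        t = round(t - step, 6)
    return None, cycles


class Observer:
    """One node's point of view. record() is the cheap Data Collection Cycle; the
    expensive Data Processing Cycle (the hybrid analysis) runs only once the average
    number of DCCs per observed peer reaches tau."""

    def __init__(self, tau):
        self.tau, self.histories, self.dccs, self.results = tau, {}, 0, []

    def record(self, peer, label):
        """DCC: append one observed action; trigger a DPC when tau DCCs per peer are reached."""
        self.histories.setdefault(peer, []).append(label)
        self.dccs += 1
        if self.dccs / len(self.histories) >= self.tau:
            self.dccs = 0
            self.results.append(tune_threshold(self.histories))
        return self.results


# Constructed sample: peers B, C and D behave normally; E floods MISSION_UPDATE requests.
SAMPLE = {
    "B": ["ATTITUDE_REQ"] * 6 + ["GROUPING_REQ"] * 2 + ["AVOID", "MISSION_UPDATE"],
    "C": ["ATTITUDE_REQ"] * 7 + ["GROUPING_REQ", "AVOID", "MISSION_UPDATE"],
    "D": ["ATTITUDE_REQ"] * 6 + ["GROUPING_REQ"] * 2 + ["AVOID"] * 2,
    "E": ["ATTITUDE_REQ", "GROUPING_REQ"] + ["MISSION_UPDATE"] * 8,
}
```

With the constructed sample, MDS singles out node E through the MISSION_UPDATE peak left after the ATTITUDE_REQ global maximum is removed. CCIDS at threshold 0.2 flags only E, while lowering the threshold to 0.1 also flags the benign node C, which is the false-positive behaviour the Threshold Requirements slide warns about. The tuning loop reaches agreement with MDS at 0.2 after seven cycles; a floor above that value returns None, the non-convergence case. Feeding an Observer with tau=10 the forty sample actions round-robin runs exactly one DPC, at the fortieth DCC.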
How does it perform? HybrIDS Performance Analyzed
  • HybrIDS can reliably detect deviant nodes up to 22% pervasion
  • At 25% pervasion and above, detection is no longer deterministic
  • Scales with percentage pervasion
  • Number of nodes in the cluster does not affect scalability
  • Graph includes total time: MDS, transition and CCIDS cycles
HybrIDS Implementation
  • Implemented in Java 5 (1.5)
    • Gives code portability
  • ARM9 development board target
  • 2.73 KB memory footprint for a 35-agent system with 10 behaviors
    • MDS and CCIDS use a shared data structure
  • Storage footprint less than 46 KB
  • Flexible interface implementation
    • TCP/UDP for network interface
    • Disk-based access for simulation
    • RS-232/serial interface possible
Summary
  • Two-phased approach gives HybrIDS a detection advantage in an abstracted homogeneous device network
    • MDS provides accurate single-anomaly detection
      • Requires no training data
    • CCIDS provides multiple-anomaly detection
      • Requires a trained threshold
  • DPC/DCC computational cycle management reduces embedded device load
  • Decentralized approach increases reliability and allows for ad-hoc network arrangement
  • HybrIDS detection accuracy and determinacy remain viable through 22% deviant node pervasion
  • Java implementation and small footprint ease integration and give platform cross-compatibility
  • HybrIDS scales with the deviant node pervasion, not the number of nodes