Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes

Kai Hwang, Fellow, IEEE, Min Cai, Member, IEEE, Ying Chen, Student Member, IEEE, and Min Qin

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 4, NO. 1, JANUARY-MARCH 2007
Presented by Yong Sun Kim

Summary
  • This hybrid system combines
    • the low false-positive rate of a signature-based IDS (intrusion detection system)
    • the ability of an ADS (anomaly detection system) to detect novel, unknown attacks

  • Experimental results show
    • a 60 percent detection rate for the HIDS, compared with 30 percent for SNORT and 22 percent for Bro, obtained with less than 3 percent false alarms
    • the signatures generated by the ADS raise SNORT's detection performance by 33 percent
A hybrid intrusion detection system built with SNORT and an anomaly detection subsystem (ADS) through automated signature generation from Internet episodes.

Data mining scheme for network anomaly detection over Internet connection records.
  • An anomaly is flagged when an episode rule mined from the traffic matches none of the normal-connection rules in the database.
  • The attack data set is a mixture of a locally captured trace file and the DARPA 1999 IDS evaluation data set (MIT/LL).

Appreciative Comment 1
  • To maximize effectiveness, several algorithms and schemes are introduced
    • Mining FERs (frequent episode rules) for anomaly detection
    • Episode rule training from normal traffic
    • Pruning techniques for episode rules
Appreciative Comment 2
  • A weighted signature generation algorithm improves accuracy and reduces false alarms
    • The ADS assigns an anomaly score and a normality score to each connection after processing a traffic data set
    • Signatures are defined where patterns have high anomaly scores but relatively low normality scores
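The following is an added example, not the authors' code, that walks through the scheme summarised on the data-mining slide and in the two appreciative comments above: frequent episode rules are mined from attack-free connection records, rules mined from monitored traffic that match nothing in the normal profile are treated as anomalous, each connection receives a weighted anomaly score and normality score, and the connections with high anomaly but low normality scores yield the abstract <attribute; condition> signature. The connection records, the window width, the support and confidence thresholds and the same-attribute pruning rule are all constructed assumptions; the paper's own parameters and its pruning techniques are not reproduced on this page.

```python
"""Frequent-episode-rule (FER) mining with weighted anomaly/normality scoring.

Added illustration, not the authors' code. Connection records are constructed
dicts (attribute -> value); an episode is a set of attribute=value items that
co-occur inside a sliding time window. Window width, thresholds and the
same-attribute pruning rule are assumptions.
"""
from collections import Counter
from itertools import combinations

WINDOW = 2.0          # seconds per episode window (assumed)
MIN_SUPPORT = 0.5     # fraction of windows that must contain the episode (assumed)
MIN_CONFIDENCE = 0.8  # P(consequent | antecedent) inside a window (assumed)


def items_of(record):
    """One connection record -> set of 'attribute=value' items (id/time excluded)."""
    return {f"{k}={v}" for k, v in record.items() if k not in ("id", "time")}


def windows(records, width=WINDOW):
    """Every record starts a window holding all records less than `width`
    seconds after it. Yields (records_in_window, union_of_their_items)."""
    recs = sorted(records, key=lambda r: r["time"])
    for i, first in enumerate(recs):
        group = [r for r in recs[i:] if r["time"] - first["time"] < width]
        yield group, set().union(*(items_of(r) for r in group))


def mine_fers(records, width=WINDOW, min_sup=MIN_SUPPORT, min_conf=MIN_CONFIDENCE):
    """Mine rules A -> B over single items: {(A, B): (support, confidence)}.
    Pruned: rules under either threshold, and pairs drawn from the same
    attribute (service=http with service=smtp) that only reflect window mixing."""
    wins = [items for _, items in windows(records, width)]
    single = Counter(it for items in wins for it in items)
    pairs = Counter(frozenset(p) for items in wins for p in combinations(sorted(items), 2))
    rules = {}
    for pair, count in pairs.items():
        a, b = sorted(pair)
        support = count / len(wins)
        if support < min_sup or a.split("=")[0] == b.split("=")[0]:
            continue
        for lhs, rhs in ((a, b), (b, a)):
            confidence = count / single[lhs]
            if confidence >= min_conf:
                rules[(lhs, rhs)] = (support, confidence)
    return rules


def split_rules(monitored_rules, normal_rules):
    """Rules mined from monitored traffic that match nothing in the normal
    profile are anomalous; the rest are normal."""
    anomalous = {r: w for r, w in monitored_rules.items() if r not in normal_rules}
    normal = {r: w for r, w in monitored_rules.items() if r in normal_rules}
    return anomalous, normal


def score_connections(records, anomalous, normal, width=WINDOW):
    """Per connection id -> (anomaly_score, normality_score). A rule weighs
    support * confidence and credits each connection in a window where the
    rule fires, provided the connection carries one of the rule's items."""
    scores = {r["id"]: [0.0, 0.0] for r in records}
    for group, items in windows(records, width):
        for slot, rules in ((0, anomalous), (1, normal)):
            for (lhs, rhs), (sup, conf) in rules.items():
                if lhs in items and rhs in items:
                    for r in group:
                        if items_of(r) & {lhs, rhs}:
                            scores[r["id"]][slot] += sup * conf
    return {cid: tuple(s) for cid, s in scores.items()}


def abstract_signature(records, scores, min_anomaly, max_normality):
    """Connections with a high anomaly score but a low normality score define
    the signature; the items they all share are its <attribute; condition> pairs."""
    chosen = [items_of(r) for r in records
              if scores[r["id"]][0] >= min_anomaly and scores[r["id"]][1] <= max_normality]
    return sorted(set.intersection(*chosen)) if chosen else []


def conn(cid, t, **attrs):
    return {"id": cid, "time": t, **attrs}

# Constructed sample traffic: an attack-free training trace, then the same
# benign flows followed by a burst of oversized ICMP echo requests.
NORMAL_TRAFFIC = [
    conn("n1", 0.0, proto="tcp", service="http", flag="SF", bytes="small"),
    conn("n2", 0.5, proto="tcp", service="http", flag="SF", bytes="small"),
    conn("n3", 1.0, proto="tcp", service="smtp", flag="SF", bytes="small"),
    conn("n4", 1.5, proto="tcp", service="http", flag="SF", bytes="small"),
    conn("n5", 3.0, proto="tcp", service="http", flag="SF", bytes="small"),
    conn("n6", 3.5, proto="tcp", service="http", flag="SF", bytes="small"),
]
ICMP_BURST = [conn(f"a{i}", t, proto="icmp", icmp_type="echo_req", bytes="large")
              for i, t in enumerate((5.0, 5.2, 5.4, 5.6), start=1)]


def run_demo():
    normal_rules = mine_fers(NORMAL_TRAFFIC)
    monitored = NORMAL_TRAFFIC + ICMP_BURST
    anomalous, normal = split_rules(mine_fers(monitored), normal_rules)
    scores = score_connections(monitored, anomalous, normal)
    signature = abstract_signature(monitored, scores, min_anomaly=5.0, max_normality=1.0)
    return normal_rules, anomalous, scores, signature


if __name__ == "__main__":
    normal_rules, anomalous, scores, signature = run_demo()
    print(f"{len(normal_rules)} normal rules, {len(anomalous)} anomalous rules")
    print("scores:", scores)
    print("abstract signature:", signature)
```

With these assumed thresholds the benign flows score zero anomaly, the ICMP burst scores zero normality, and the shared items of the high-anomaly connections (proto=icmp, icmp_type=echo_req, bytes=large) are exactly the kind of <attribute; condition> pairs the signature-mapping slide later turns into a SNORT rule. The score thresholds decide the trade-off the critical comments discuss: lowering min_anomaly admits more connections into signatures and raises both the detection rate and the false-alarm rate.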
Critical Comments
  • The paper describes the false-alarm rate and detection rate differently in different sections
    • Abstract: "results show a 60 percent ... less than 3 percent false alarm.."
    • Section 8, Conclusions and Further Research, item 4: "Our HIDS results in a detection rate of 60 percent ... false alarms must be maintained below 3 percent."
    • Section 7.3, Effects of False Alarms on IDS Performance: "The HIDS achieved a low 47 percent detection rate at 1 percent false alarms. However, the detection rate can be raised to 60 percent if the false alarms can be tolerated up to 30 percent"

Fig. 13. ROC curves showing the variation of the average intrusion detection rate of three detection systems as the false alarm rate increases.
Question
  • Is this passive way of generating signatures in the ADS still effective against a fast-spreading network attack such as "Code Red"?
Signature mapping
  • For Dataset-I, the <attribute; condition> pairs are decoded as follows:
    (ip_proto = icmp), (icmp_type = echo_req), (1480 <= src_bytes < 1490), (dst_count > 10)
  • These <attribute; condition> pairs form an abstract signature of the Pod (ping of death) attack. Using the attribute mappings in Table 4, the signature is translated into the following SNORT rule:
    alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"possible pod attack"; itype:8; dsize:1480<>1490; threshold:type both, track by_dst, count 10, seconds 1; sid:900001; rev:0;)
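The translation step above, as an added example that is not the paper's code: the <attribute; condition> pairs are parsed from the textual form on the slide and mapped onto the header and options of a SNORT rule. The attribute mapping in the code stands in for the paper's Table 4, which this page does not reproduce, and is an assumption, as is the small ICMP type table.

```python
"""Translate an abstract <attribute; condition> signature into a Snort rule.

Added example, not the paper's code. The attribute mapping below stands in for
the paper's Table 4 (not reproduced on this page) and is an assumption, as is
the ICMP type table. Conditions are parsed from the textual form on the slide,
e.g. "(1,480 <= src bytes < 1,490)".
"""
import re

RANGE_RE = re.compile(r"^(?P<lo>[\d,]+)\s*<=\s*(?P<attr>[\w ]+?)\s*<\s*(?P<hi>[\d,]+)$")
CMP_RE = re.compile(r"^(?P<attr>[\w ]+?)\s*(?P<op><=|>=|=|>|<)\s*(?P<val>.+)$")
ICMP_TYPES = {"echo_req": 8, "echo_reply": 0}  # assumed subset of ICMP type codes


def _num(text):
    return int(text.replace(",", ""))


def parse_pair(text):
    """'(attr = v)', '(attr > n)' or '(lo <= attr < hi)' -> (attr, op, value)."""
    text = text.strip().strip("()").strip()
    m = RANGE_RE.match(text)
    if m:
        return m["attr"].replace(" ", "_"), "range", (_num(m["lo"]), _num(m["hi"]))
    m = CMP_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised condition: {text!r}")
    val = m["val"].strip()
    val = _num(val) if re.fullmatch(r"[\d,]+", val) else val.replace(" ", "_")
    return m["attr"].replace(" ", "_"), m["op"], val


def to_snort(pairs, sid, msg, rev=0):
    """Map each pair onto the Snort header field or rule option it corresponds to."""
    proto, options = "ip", [f'msg:"{msg}"']
    for attr, op, val in pairs:
        if (attr, op) == ("ip_proto", "="):
            proto = val                                   # rule header protocol
        elif (attr, op) == ("icmp_type", "="):
            options.append(f"itype:{ICMP_TYPES[val]}")
        elif (attr, op) == ("src_bytes", "range"):
            # The abstract condition is lo <= bytes < hi; whether Snort's
            # dsize:lo<>hi includes its end points differs between Snort
            # versions, so check the boundary against the deployed engine.
            options.append(f"dsize:{val[0]}<>{val[1]}")
        elif (attr, op) == ("dst_count", ">"):
            options.append(f"threshold:type both, track by_dst, count {val}, seconds 1")
        else:
            raise ValueError(f"no Snort mapping for {attr} {op} {val}")
    options += [f"sid:{sid}", f"rev:{rev}"]
    return f"alert {proto} $EXTERNAL_NET any <> $HOME_NET any ({'; '.join(options)};)"


# The Pod signature exactly as decoded on the slide.
POD_SIGNATURE = ["(ip proto = icmp)", "(icmp type = echo req)",
                 "(1,480 <= src bytes < 1,490)", "(dst count > 10)"]


def pod_rule():
    return to_snort([parse_pair(p) for p in POD_SIGNATURE], sid=900001, msg="possible pod attack")


if __name__ == "__main__":
    print(pod_rule())
```

Unmapped attributes raise instead of being silently dropped: an attribute that cannot be expressed as a Snort option would otherwise produce a rule looser than the mined signature, which is exactly the false-alarm growth the critical comments warn about.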
