1 / 1

Embeddable Hybrid Intrusion Detection System ( HybrIDS )

Embeddable Hybrid Intrusion Detection System ( HybrIDS ). Adrian P. Lauf, William H. Robinson, Vanderbilt University Institute for Software Integrated Systems Richard A. Peters, Vanderbilt University Center for Intelligent Systems. Project Description. Cross-Correlative IDS (CCIDS).

Download Presentation

Embeddable Hybrid Intrusion Detection System ( HybrIDS )

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Embeddable Hybrid Intrusion Detection System (HybrIDS) Adrian P. Lauf, William H. Robinson, Vanderbilt University Institute for Software Integrated Systems Richard A. Peters, Vanderbilt University Center for Intelligent Systems Project Description Cross-Correlative IDS (CCIDS) • Security Scenario: a network of aircraft shares position and mission information • A deviant node exists • The deviant node behaves differently • Connected aircraft record activities • Each node fitted with embedded IDS • Method: develop a hybridized system to provide high-level analysis of interactions in a homogenous device network • An activity profile is established • Machine learning techniques used to build node profiles • Profiles analyzed by the IDS engine • First phase provides fast, single-anomaly detection • Second phase requires tuning, detects multiple anomalies Mean Score Line Suspect Node • Phase 2 • Cross-Correlation Analysis • Individual PDFs correlated against average PDF • Individual scores analyzed against average score • Average score computed from space of all cross-correlated scores • Threshold Requirements • A threshold is required to suspect a score as deviant • Threshold requirement changes according to deviant node pervasion (percentage of deviant nodes in collective) • Improper threshold yields false positives • Threshold is application-sensitive • Must be set prior to IDS run (if CCIDS used alone) Score Node Number Threshold Bounds Phase 1 Phase 2 Time Progression HybrIDS Performance Maxima Detection (MDS) • Phase 1 • Interactions are represented by classifiers (abstracted integer labels) • Probability density function is computed • Maxima Analysis begins • Global max excluded • Local maxima identified • Highest maximum to cross threshold likely represents deviance • Deviant node isolated by reverse-mapping • Step 1: MDS runs, possibly detects single deviant node • Step 2:Transition phase starts CCIDS • Step 3:Thresholds tuned until CCIDS agrees with MDS • Step 4:CCIDS now tuned properly, detects multiple deviant nodes • System can reliably detect deviant nodes up to 22% deviant node pervasion • Higher pervasion removes determinism • CCIDS phase stops converging • System performance is scalable according to deviant node pervasion • Size of node cluster has no effective impact on scalability, ensured by computational management methods Abstraction Levels Implemented March 20, 2007

More Related