1 / 20

Integrating Artificial Intelligence into Snort IDS

Integrating Artificial Intelligence into Snort IDS. 報告人 : 葉瑞群 日期 :2012/05/31 出處 :IEEE Transactions on Knowledge and Data Engineering. Outline. I. INTRODUCTION II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS III . THE IMPLEMENTATION OF THE INTEGRATED ANN

nolan-house
Download Presentation

Integrating Artificial Intelligence into Snort IDS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrating Artificial Intelligence into Snort IDS 報告人:葉瑞群 日期:2012/05/31 出處:IEEE Transactions on Knowledge and Data Engineering

  2. Outline • I. INTRODUCTION • II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS • III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR • IV. CONCLUSIONS AND FUTURE WORKS

  3. I. INTRODUCTION(1/5) • Snort is an open source network intrusion detectionand prevention system (IDS/IPS) utilizing a rule-drivenlanguage, its shortcoming is unable to detect new attacks. • Thispaper explores how to integrate Artificial Intelligence into SnortIDS/IPS, which enables IDS/IPS adapt to networks and detectanomalies. As for preprocessors of Snort IDS, a learningalgorithm such as artificial neural network (ANN) is integratedinto it.

  4. I. INTRODUCTION(2/5) • At present, the theoretical researches onanomaly-detection-based IDS have not yet producedindustrial-strength network IDS [1]. Meanwhile, snort IDS isan open source network IDS/IPS developed by Sourcefire. • With millions of downloadsand approximately 300,000 registered users, Snort has becomethe de facto standard for IPS[2]. The figure 1 is the workflowdiagram of Snort.

  5. I. INTRODUCTION(3/5)

  6. I. INTRODUCTION(4/5) • Snort firstly uses libPcap/winPcap to capture network packets, the packets go to Packet Decoder Engine for Link Layer protocol’s packet structure, then it can help to decode the high-level protocol such TCP and UDP ports. Therefore this step contains two module: Packet Capture module and decoder module. The following is the Snort Preprocessor plug-ins which has three main function.

  7. I. INTRODUCTION(5/5) • 1. Packets reorganization • 2. Decoding protocol • 3. Anomaly detection, Take the “Portscan” for example, On a certain period time the preprocessor can analyze the ports and host situation

  8. II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS( 1/2 )

  9. II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS( 2/2 )

  10. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(1/9) • Firstly analyze the features of port scan attack to extract the variations from packets using for ANN input data , the variations of port scan should be related to the connection times such as the connection times of source/destination IP address, average connection times and so on.. Secondly It use SNNS ( Stuttgart Neural Network Simulator to train Elman neural network for identified the attack behaviors.

  11. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(2/9) • where there are 7 input neurons, 2 output neurons. and in the middlelayer there are 4 hidden neurons and 4 feedback neurons forrecording the lasting time 4 hidden neurons outputs.

  12. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(3/9)

  13. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(4/9) • Each neuron value of hidden layer and output layer is obtained by two steps: • First, obtain the sum, sum =Σinputs*weights (inputs is the inputs value, weights is the connection weight of corresponding neuron) • Secondly ,obtain the value of simulation function:

  14. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(5/9)

  15. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(6/9) • Elman NN need two input datasets: one group is normal traffic dataset, other is portscan dataset. This article finds 2092 data. The first input group generate from the normal traffic, and make a output figure(such as 1 0) to mean the normal traffic, the second input group generate from a controlled portscan sniffer and make a output figure(such as 0 1) to mean the abnormal traffic.

  16. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(7/9) • Then SNNS used the two datasets to train ANN, let the weights of the ANN amending and learning in the processing until the ANN training succeeding. Finally translate the trained ANN to C language and integrated to Snort IDS preprocessor. Table II is each neuron bias of the successful trained ANN.

  17. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(8/9)

  18. III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(9/9)

  19. IV. CONCLUSIONS AND FUTURE WORKS(1/1) • This article investigates the technology of integration AI into Snort preprocessor plug-in, which makes Snort IDS more intelligent to detect new or variant network attacks.Futureworks includes, as for detection engineer of Snort IDS, some evolutionary algorithms such as genetic algorithm (GAs)[4] or immune algorithms (IAs) approaches[5] can be combined with it.

  20. END

More Related