Intrusion Detection with Neural Networks


With the growth of computer networking, electronic commerce and web services, network security systems have become very important to protect information and networks against malicious usage or attacks. This report designs an Intrusion Detection System using two artificial neural networks: one for intrusion detection and the other for attack classification.



  1. Intrusion Detection and Classification Using Neural Networks
     Antonio Moran, Ph.D. (amoran@ieee.org)
     Stockholm University, Sweden, May 17, 2013
  2. Information Security in Computer Networks
     • Information assurance is an issue of serious global concern.
     • Malicious usage, attacks and sabotage have been on the rise.
     • Connecting information systems to public networks (Internet, telephone) magnifies the potential for intrusion and attack.
  3. Intrusion in Information Systems and Networks
     • Intrusion: any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
     • Intrusion in information systems: any unauthorized access, unauthorized attempt to access, damage, or malicious use of information resources.
  4. Motives to Launch Attacks
     • Force a network to stop a service (or services)
     • Steal some information stored in a network
     • Show unhappiness or uneasiness
     • Obtain economic benefits
  5. Network Attacks
     Attacks could result in:
     • Liability for compromised customer data
     • Loss of intellectual property
     • Degraded quality of network service
     • Great business loss
     • ...
  6. Need for an Intrusion Detection System
     • It is difficult (impossible) to ensure that an information system will be free of security flaws.
     • Computer systems suffer from security vulnerabilities regardless of their purpose, manufacturer or origin.
     • It is technically difficult, as well as economically costly, to ensure that computer systems and networks are not susceptible to attacks.
  7. Intrusion Detection in Information Systems
     Attempting to detect computer attacks by examining data records observed by processes on the same network.
  8. Components of an Intrusion Detection System
     • Information source providing a stream of event records
     • Analysis engine identifying signs of intrusion, attacks or other policy violations
     • Response component generating reactions to assure correct system operation
     (Diagram: Data → Analysis → Identification → Action)
  9. Types of Information Sources
     • Network based: data from network traffic and packet streams
     • Host based: data from sources internal to a computer, at operating system level
     • Application based: data from running applications
  10. Categories of Analysis Engine
     • Misuse detection: searching for something defined to be bad. Detects intrusions that follow well-known patterns of attacks. Cannot detect unknown future intrusions.
     • Anomaly detection: searching for something rare or unusual. Analyzes system event streams to find patterns of activity appearing to be abnormal. Computationally intensive.
  11. Categories of Analysis Engine
     • Misuse detection: detect known attacks using pre-defined attack patterns and signatures.
     • Anomaly detection: detect attacks by observing deviations from the normal behavior of the system.
  12. Hybrid Analysis Engine
     (Diagram: Internet → Pre-processing → Anomaly Detection → Misuse Detection; outputs labelled Normal, Normal, Attack; an Attack raises an Alert.)
  13. Implementation of Analysis Engine
     • Off-line: runs periodically, detecting intrusions after the fact. Acts in a reactive way.
     • On-line (real-time): detects intrusions while they are happening, allowing a quick response. Computationally expensive (continuous monitoring).
  14. Dynamic Intrusion Detection System
     • Hybrid system using misuse and anomaly detection strategies
     • Not allowing an intruder to train (update) the system incorrectly
     • Running in real time
     • Updating itself continuously over periods of time
  15. Types of Network Attacks
     • Denial of Service: the attacker makes the computing or memory resources too busy or full to handle legitimate requests, or denies legitimate users access.
     • User to Root: the attacker, starting out with access to a normal user account, tries to gain root (superuser) access and privileges.
     • Remote to User: the attacker gains access as a local user of the network.
     • Probing (Scanning): the attacker scans the network to gather information or detect vulnerabilities.
  16. Approaches for Anomaly Detection
     • Threshold: detecting abnormal activity on a server or network whose magnitude exceeds a given threshold. Ex: abnormal consumption of CPU or memory on one server.
     • Rule-based measures: based on sets of predefined rules that are provided by a network administrator or generated by expert systems.
     • Statistical measures: statistical models based on historical values, with assumptions about the underlying statistical distribution of user behavior. Ex: Hidden Markov Models.
     • Soft computing: neural networks, fuzzy logic, genetic algorithms, support vector machines.
  17. Rule Based Intrusion Detection
     • Detecting attacks by signature matching.
     • A set of signatures, describing the characteristics of possible attacks, and the corresponding rules are stored.
     • The rules are used to evaluate the incoming packet stream and detect hostile traffic.
     • Easy to implement and customize, but requires human domain experts to find signatures and their rules.
     • It works for known patterns of attacks. Artificial intelligence techniques could be useful.
  18. Rule Based Intrusion Detection
     Human network administrators usually generate low-complexity rules:
       IF CountConnection=50 THEN AttackType='smurf'   (same host within 2 sec.)
       IF Src_Byte=0 OR Src_Byte>500 THEN 'Alert'
     Complex rules can be generated using AI techniques:
       IF ip_flags = 0 AND ip_len <= 256 AND tcp_csum = 0 AND ip_length > 120 AND ip_src <= 1.451703E9 AND tcp_dport <= 82 AND tcp_win <= 23 THEN Malicious
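The signature-matching engine of slides 17 and 18, as an added Python example that is not part of the original slides: the three rules printed on slide 18 are coded as predicates over a record of packet fields (field names spelled exactly as the slide spells them, including both `ip_len` and `ip_length`), and a constructed stream of records is run through them. The reading of `CountConnection` as the number of connections to the same host within 2 seconds is an assumption taken from the slide's fragment, and the records themselves are constructed for the example.

```python
import ipaddress


def ip_to_int(addr):
    """Numeric form of an IPv4 address, which is how the slide's rule compares ip_src."""
    return int(ipaddress.IPv4Address(addr))


# Each rule: (name, condition over a record, verdict raised when the condition holds).
RULES = [
    # Low-complexity, administrator-written rules from slide 18.
    ("smurf", lambda r: r["CountConnection"] == 50, "AttackType='smurf'"),
    ("bytes", lambda r: r["Src_Byte"] == 0 or r["Src_Byte"] > 500, "Alert"),
    # The higher-complexity, AI-generated rule from slide 18.
    ("ai_rule", lambda r: (r["ip_flags"] == 0 and r["ip_len"] <= 256 and r["tcp_csum"] == 0
                           and r["ip_length"] > 120 and r["ip_src"] <= 1.451703e9
                           and r["tcp_dport"] <= 82 and r["tcp_win"] <= 23), "Malicious"),
]


def evaluate(record, rules=RULES):
    """Signature matching: return the verdict of every rule the record satisfies.
    A record that lacks a field a rule needs simply does not match that rule."""
    verdicts = []
    for _name, condition, verdict in rules:
        try:
            if condition(record):
                verdicts.append(verdict)
        except KeyError:
            continue
    return verdicts


def scan(records, rules=RULES):
    """Run every record of a stream through the rule set; keep only the records with hits."""
    hits = []
    for index, record in enumerate(records):
        verdicts = evaluate(record, rules)
        if verdicts:
            hits.append((index, verdicts))
    return hits


# Constructed records (not captured traffic): one row of fields per observation.
SAMPLE_STREAM = [
    # 0: ordinary web request, matches nothing
    {"CountConnection": 3, "Src_Byte": 120, "ip_flags": 2, "ip_len": 160, "tcp_csum": 0x1A2B,
     "ip_length": 160, "ip_src": ip_to_int("10.0.0.5"), "tcp_dport": 80, "tcp_win": 64240},
    # 1: exactly 50 connections counted to the same host within the assumed 2 s interval
    {"CountConnection": 50, "Src_Byte": 64, "ip_flags": 2, "ip_len": 84, "tcp_csum": 0x0C1D,
     "ip_length": 84, "ip_src": ip_to_int("10.0.0.7"), "tcp_dport": 80, "tcp_win": 64240},
    # 2: zero source bytes, and every clause of the complex rule satisfied
    {"CountConnection": 1, "Src_Byte": 0, "ip_flags": 0, "ip_len": 200, "tcp_csum": 0,
     "ip_length": 150, "ip_src": ip_to_int("10.0.0.7"), "tcp_dport": 80, "tcp_win": 16},
    # 3: same as 2 but tcp_win is missing, so the complex rule cannot match it
    {"CountConnection": 1, "Src_Byte": 0, "ip_flags": 0, "ip_len": 200, "tcp_csum": 0,
     "ip_length": 150, "ip_src": ip_to_int("10.0.0.7"), "tcp_dport": 80},
]

if __name__ == "__main__":
    for index, verdicts in scan(SAMPLE_STREAM):
        print(f"record {index}: {', '.join(verdicts)}")
```

Record 3 shows the practical caveat of a rule engine: a rule whose fields are absent from a record is silently skipped, so a detection gap appears whenever the collector drops a field, which is why the `evaluate` loop treats a missing field as "no match" explicitly rather than letting the whole scan abort.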
  19. Intrusion Detection Systems
     • Intrusion detection systems alone will not ensure the security of a computer network.
     • Intrusion detection systems must be complemented by firewalls, vulnerability assessment, and a comprehensive security policy.
  20. Intrusion Detection and Classification Using Neural Networks
     Application of neural networks in intrusion detection systems dates back to 1992.
  21. When a Computer Network is Working in a Normal / Abnormal State
     • It is difficult to define all the attributes that characterize a normal or abnormal state.
     • Let a neural network discover the patterns characterizing a normal state and an abnormal state.
  22. Intrusion Detection and Classification Using Neural Networks
     • Discover underlying patterns that describe normal user or computer network behavior.
     • Use the patterns to determine the state of the network (Normal / Attacked) and the type of user (Authorized / Intruder).
  23. Intrusion Detection and Classification Using Neural Networks
     • Hybrid system: misuse detection and anomaly detection
     • Runs in real-time
     • Network based: packet streams
  24. Intrusion Detection and Classification Using Neural Networks
     Two neural networks:
     • Neural network for detecting intrusion. State of the network: normal or with intrusion.
     • Neural network for classifying intrusion. Four types of intrusion.
  25. Intrusion Detection and Classification Using Neural Networks
     (Diagram: Packet stream → Neural Network (Intrusion Detection) → Normal / Intrusion → Neural Network (Intrusion Classification) → Denial of Service / User to Root / Remote to User / Probing)
  26. Neural Network Design Process
     • Data collection
     • Definition of inputs and outputs
     • Input and output data generation
     • Data normalization
     • Selection of neural network structure
     • Neural network training
     • Neural network validation
  27. What Data To Be Used?
     • Main features (attributes) of the network packet stream
     • Take a set of network packets
     • Determine the main features to be analyzed from the packet header (and packet data)
  28. Features Extraction of Window Based Packet Stream
     (Diagram: packet stream Pi, Pi+1, Pi+2, ..., Pj, ..., Pk+1, Pk+2, ..., Pk+N, ..., Pz-2, Pz-1, Pz; a window of packets → attributes extraction → features vector)
     • Window size: 50 - 500
     • Features vector size: 10 - 50
  29. Features of Window Based Packet Stream
     (Same diagram as slide 28)
     Features are chosen such that their values change perceivably in normal and intrusive conditions.
  30. Packet Stream Features
     (Same diagram as slide 28, followed by the list of extracted attributes)
     • Number of IP addresses
     • Number of protocols and types
     • Network service on destination (http, telnet)
     • Number of packets with 0 data length
     • Average data length
     • Average window size
     • Number of packets with 0 window size
     • Number of failed login attempts
     • Number of wrong fragments
     • Number of urgent packets
     • Number of data bytes from source to destination
     • Number of data bytes from destination to source
     • Number of file creation operations
     • Number of connections with SYN errors
     • Number of connections to the same service
     • ...
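The window-based attributes extraction of slides 28 to 30, plus the data normalization step of slide 26, as an added Python example that is not part of the original slides. It cuts a packet stream into fixed-size windows, computes a features vector from the header fields of each window (a subset of the attributes listed on slide 30 that can be derived from headers alone), and min-max normalizes the vectors. The `Packet` record, its field names and the sample stream are constructed for the example; the window size of 6 is chosen only to keep the sample small, where the slides use 50 to 500.

```python
from collections import Counter, namedtuple

# One packet header as the extractor sees it (constructed fields, not a capture format):
# flags is a string of TCP flag letters (S=SYN, A=ACK, P=PSH, U=URG), empty for UDP.
Packet = namedtuple("Packet", "src dst proto dport flags data_len win")

FEATURE_NAMES = [
    "ip_addresses", "protocols", "http_packets", "telnet_packets", "zero_data_packets",
    "avg_data_len", "avg_window", "zero_window_packets", "urgent_packets",
    "syn_only_packets", "max_packets_same_service",
]


def extract_features(window):
    """Attributes extraction for one window of packets: a fixed-length features vector."""
    n = len(window)
    addresses = {p.src for p in window} | {p.dst for p in window}
    per_service = Counter(p.dport for p in window)
    return [
        len(addresses),                                # number of IP addresses
        len({p.proto for p in window}),                # number of protocols
        sum(1 for p in window if p.dport == 80),       # network service on destination: http
        sum(1 for p in window if p.dport == 23),       # network service on destination: telnet
        sum(1 for p in window if p.data_len == 0),     # packets with 0 data length
        sum(p.data_len for p in window) / n,           # average data length
        sum(p.win for p in window) / n,                # average window size
        sum(1 for p in window if p.win == 0),          # packets with 0 window size
        sum(1 for p in window if "U" in p.flags),      # urgent packets
        sum(1 for p in window if p.flags == "S"),      # SYN-only segments (new connection attempts)
        max(per_service.values()),                     # most packets to one service
    ]


def sliding_windows(stream, size, step=None):
    """Cut the packet stream into windows of `size` packets (step defaults to non-overlapping)."""
    step = step or size
    return [stream[i:i + size] for i in range(0, len(stream) - size + 1, step)]


def min_max_normalize(vectors):
    """Data normalization: scale every feature to [0, 1] using its minimum and maximum
    over the given vectors (a feature that never changes becomes 0)."""
    lo = [min(col) for col in zip(*vectors)]
    hi = [max(col) for col in zip(*vectors)]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]
            for vec in vectors]


# Constructed sample stream: an HTTP exchange plus a DNS query (window 1), then six
# SYN-only segments from one host to six different services (window 2).
SAMPLE_STREAM = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, "S", 0, 64240),
    Packet("10.0.0.80", "10.0.0.5", "tcp", 51512, "SA", 0, 65160),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, "PA", 300, 64240),
    Packet("10.0.0.80", "10.0.0.5", "tcp", 80 + 51432, "PA", 1200, 65160),
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, "A", 0, 64240),
    Packet("10.0.0.5", "10.0.0.53", "udp", 53, "", 40, 0),
] + [Packet("10.0.0.9", "10.0.0.80", "tcp", port, "S", 0, 1024)
     for port in (21, 22, 23, 25, 80, 443)]


def feature_matrix(stream=SAMPLE_STREAM, size=6):
    """Raw features vector per window, and the same vectors normalized across the windows."""
    raw = [extract_features(w) for w in sliding_windows(stream, size)]
    return raw, min_max_normalize(raw)


if __name__ == "__main__":
    raw, norm = feature_matrix()
    for name, *values in zip(FEATURE_NAMES, *raw):
        print(f"{name:26s} {values}")
```

The two windows differ perceivably in exactly the way slide 29 asks for: the scan-like window has far more SYN-only segments, no payload and no service receiving more than one packet, while the normal window concentrates its packets on one service and carries data in both directions. Normalizing across the whole training set (not per window) is what keeps these raw counts comparable as network inputs.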
  31. Neural Network for Intrusion Detection
     • Inputs: window packet features vector, 40 features (40 inputs)
     • Outputs: code for every state of the network (2 outputs)
         Normal:             1 0
         Intrusion (Attack): 0 1
  32. Neural Network Training Data
     40 inputs                                  2 outputs
     12 24 05 00 02 04 09 14 15 21 08 00 ...    0 1
     04 21 16 12 10 21 01 17 04 13 19 10 ...    1 0
     01 13 15 21 12 11 12 11 05 11 06 12 ...    1 0
     14 14 06 15 08 13 10 11 14 06 08 19 ...    0 1
     ...
     16000 pairs: 10000 normal, 6000 attack. Network coefficients vij, wjk.
  33. Neural Network Training and Validation
     • Training: 16000 input-output pairs. Determining the coefficients vij, wjk.
     • Validation: 5000 inputs (feature vectors). Computing the network outputs for every input and determining the state of the network: normal or attack.
     (Diagram: network with 40 inputs, 2 outputs and coefficients vij, wjk)
  34. Neural Network Validation
     In validation (testing), inputs are different to those used in training.
     Input 1 → Output: 0.85 0.15 → 1 0 → Normal
     Input 2 → Output: 0.11 0.88 → 0 1 → Attack
     ...
  35. Neural Network Validation (Intrusion Detection)
     State    Number of tests   Correct detection rate   Misclassified
     Normal   3000              94%                      6% (detected as attack)
     Attack   2000              90%                      10% (detected as normal)
     False positive (normal behavior is rejected): 6%
     False negative (attack considered as normal): 10%
  36. Neural Network for Intrusion Detection
     • It is expected that any significant deviation from the normal behavior is considered an attack.
     • It is expected to perform well detecting unknown intrusions and even zero-day attacks.
  37. Neural Network for Attack Classification
     From the previous neural network an attack has been detected. Now it is required to determine the type of attack: Denial of Service, User to Root, Remote to User, Probing.
  38. Neural Network for Attack Classification
     • Inputs: window packet features vector, 40 features (40 inputs)
     • Outputs: code for every type of attack (4 outputs)
         Denial of Service: 1 0 0 0
         User to Root:      0 1 0 0
         Remote to User:    0 0 1 0
         Probing:           0 0 0 1
  39. Neural Network Training Data
     40 inputs                                  4 outputs
     12 24 05 00 02 04 09 14 15 21 08 00 ...    0 1 0 0
     04 21 16 12 10 21 01 17 04 13 19 10 ...    1 0 0 0
     01 13 15 21 12 11 12 11 05 11 06 12 ...    0 0 0 1
     14 14 06 15 08 13 10 11 14 06 08 19 ...    0 1 0 0
     ...
     6000 pairs. Network coefficients vij, wjk.
  40. Neural Network Training and Validation
     • Training: 6000 input-output pairs. Determining the coefficients vij, wjk.
     • Validation: 2000 inputs (feature vectors). Computing the network outputs for every input and determining the type of attack.
     (Diagram: network with 40 inputs, 4 outputs and coefficients vij, wjk)
  41. Neural Network Validation
     In validation (testing), inputs are different to those used in training.
     Input 1 → Output: 0.85 0.15 0.24 0.01 → 1 0 0 0 → Denial of Service
     Input 2 → Output: 0.11 0.08 0.18 0.91 → 0 0 0 1 → Probing
     ...
  42. Neural Network Validation (Attack Classification)
     Type of attack      Number of tests   Correct detection rate
     Denial of Service   600               91%
     User to Root        500               81%
     Remote to User      300               69%
     Probing             600               90%
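The training and validation procedure of slides 31 to 35 (intrusion detection, 40 inputs and 2 outputs) and of slides 38 to 42 (attack classification, 40 inputs and 4 outputs), as one added Python example that is not part of the original slides. It implements a one-hidden-layer network whose coefficients are named vij and wjk as on the slides, codes the states and attack types as the one-hot outputs shown on slides 31 and 38, trains on input-output pairs, decodes the real-valued outputs the way slides 34 and 41 do (largest output wins), and reports the per-class correct detection rate together with the false positive and false negative rates of slide 35. The hidden-layer size, the learning rule (stochastic gradient descent on squared error), and the synthetic, already-normalized feature vectors are assumptions made for the example; the slides say nothing about them.

```python
import math
import random

FEATURES = 40                                      # window features vector size on the slides
STATES = ["Normal", "Intrusion"]                   # detection codes: Normal 1 0, Intrusion 0 1
ATTACK_TYPES = ["Denial of Service", "User to Root", "Remote to User", "Probing"]  # 1000 .. 0001


def sigmoid(s):
    return 0.0 if s < -30.0 else 1.0 / (1.0 + math.exp(-s))


def one_hot(label, labels):
    """Output code for a label: 1 in its slot, 0 elsewhere (e.g. Probing -> 0 0 0 1)."""
    return [1.0 if l == label else 0.0 for l in labels]


def decode(outputs, labels):
    """Real-valued outputs back to a code by taking the largest (0.85 0.15 -> 1 0 -> Normal)."""
    return labels[max(range(len(outputs)), key=outputs.__getitem__)]


class MLP:
    """One hidden layer. v[j][i] are the input-to-hidden coefficients (vij on the slides),
    w[k][j] the hidden-to-output coefficients (wjk); the last column of each is a bias."""

    def __init__(self, n_in, n_hidden, n_out, seed=0):
        rng = random.Random(seed)
        self.v = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)] for _ in range(n_out)]

    def forward(self, x):
        h = [sigmoid(sum(a * b for a, b in zip(row, x + [1.0]))) for row in self.v]
        o = [sigmoid(sum(a * b for a, b in zip(row, h + [1.0]))) for row in self.w]
        return h, o

    def train(self, pairs, epochs=50, lr=0.5, seed=0):
        """Determine vij, wjk by stochastic gradient descent on the squared output error."""
        rng = random.Random(seed)
        pairs = list(pairs)
        for _ in range(epochs):
            rng.shuffle(pairs)
            for x, target in pairs:
                h, o = self.forward(x)
                d_o = [(ok - tk) * ok * (1.0 - ok) for ok, tk in zip(o, target)]
                d_h = [hj * (1.0 - hj) * sum(d_o[k] * self.w[k][j] for k in range(len(o)))
                       for j, hj in enumerate(h)]
                for k, row in enumerate(self.w):
                    for j, hj in enumerate(h + [1.0]):
                        row[j] -= lr * d_o[k] * hj
                for j, row in enumerate(self.v):
                    for i, xi in enumerate(x + [1.0]):
                        row[i] -= lr * d_h[j] * xi


def synthetic_window(kind, rng):
    """Constructed, already-normalized features vector for one packet window: every feature
    is low for a normal window, and attack type t additionally pushes features 5t..5t+4 high."""
    x = [rng.uniform(0.0, 0.1) for _ in range(FEATURES)]
    if kind != "Normal":
        t = ATTACK_TYPES.index(kind)
        for i in range(5 * t, 5 * t + 5):
            x[i] = rng.uniform(0.9, 1.0)
    return x


def make_set(n_normal, n_attack, rng):
    kinds = ["Normal"] * n_normal + [ATTACK_TYPES[i % 4] for i in range(n_attack)]
    return [(synthetic_window(k, rng), k) for k in kinds]


def validate(net, samples, labels):
    """Per-class (number of tests, correct detection rate) on inputs not used in training."""
    tests, correct = {l: 0 for l in labels}, {l: 0 for l in labels}
    for x, truth in samples:
        tests[truth] += 1
        correct[truth] += decode(net.forward(x)[1], labels) == truth
    return {l: (tests[l], correct[l] / tests[l] if tests[l] else 0.0) for l in labels}


def detection_experiment(seed=1):
    """Slides 31-35: 40 inputs, 2 outputs. Returns per-state rates, false positive, false negative."""
    rng = random.Random(seed)
    state = lambda kind: "Normal" if kind == "Normal" else "Intrusion"
    train = [(x, one_hot(state(k), STATES)) for x, k in make_set(100, 60, rng)]
    val = [(x, state(k)) for x, k in make_set(50, 40, rng)]
    net = MLP(FEATURES, 6, 2, seed)
    net.train(train)
    rates = validate(net, val, STATES)
    return rates, 1.0 - rates["Normal"][1], 1.0 - rates["Intrusion"][1]


def classification_experiment(seed=1):
    """Slides 38-42: 40 inputs, 4 outputs, one per attack type. Returns per-type rates."""
    rng = random.Random(seed)
    train = [(x, one_hot(k, ATTACK_TYPES)) for x, k in make_set(0, 160, rng)]
    val = [(x, k) for x, k in make_set(0, 80, rng)]
    net = MLP(FEATURES, 8, 4, seed)
    net.train(train)
    return validate(net, val, ATTACK_TYPES)


if __name__ == "__main__":
    rates, fp, fn = detection_experiment()
    print("detection:", rates, f"false positive {fp:.0%}, false negative {fn:.0%}")
    print("classification:", classification_experiment())
```

The synthetic windows are deliberately easy to separate, so both networks reach rates well above those on slides 35 and 42; the point is the procedure, in particular that the false positive rate is read off the Normal row (normal windows rejected) and the false negative rate off the Attack row (attacks accepted), and that validation uses windows the network never saw in training.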
  43. Data to Design and Evaluate IDS Systems
     • Own generation
     • DARPA KDD database (Knowledge Discovery and Data Mining Tools Competition): standard benchmark for intrusion detection evaluations.
  44. Thank you for your attention!
     Antonio Moran, Ph.D. (amoran@ieee.org)
