Speaker notes

  • Reasons for the decrease from 2004 to 2005: anti-virus and anti-spyware vendors improved their products, and many companies came to the realization that they needed a strong IDS in place.
  • During training of a one-class SVM (OCSVM), the data from the first class is mapped into a feature space such that it lies far from the origin. During testing, the origin and the data points close to it (and hence far from the first-class points) are treated as the second class.
  • General idea: the original input space can always be mapped to some higher-dimensional feature space in which the training set is linearly separable.

Presentation Transcript

  • Applying Support Vector Machines for Intrusion Detection on Virtual Machines (Lecture 6)
    • John Cavazos
    • Dept of Computer & Information Sciences
    • University of Delaware
    • www.cis.udel.edu/~cavazos/cisc879
  • Outline
    • Background and Motivation
    • Intrusion Detection Systems
    • Support Vector Machines (SVMs)
    • Dataset
    • Results
    • Conclusions
    Slides adapted from presentation by Fatemeh Azmandian (http://www.ece.neu.edu/~fazmandi)
  • Background
    • Virtual Machine:
      • A software implementation of a machine (computer) that executes programs like a real machine
    • Virtual Machine Monitor (VMM) or hypervisor:
      • The software layer providing the virtualization
      • Allows the multiplexing of the underlying physical machine between different virtual machines, each running its own operating system
  • Background (cont’d)
    • Intrusion Detection:
      • The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions
    • Intrusion:
      • An attempt to compromise:
          • Confidentiality
          • Integrity
          • Availability
      • An attempt to bypass the security mechanisms of a computer or network [1]
  • Background (cont’d)
    • Intrusion Detection System (IDS):
      • Software or hardware system that automates the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems
    • Why is it important?
      • Every year, billions of dollars are lost due to virus attacks
  • Financial Impact of Virus Attacks
  • Intrusion Detection Approaches
    • Misuse Detection
      • Identifies intrusions based on known patterns for the malicious activity
      • Known patterns are referred to as signatures
    • Anomaly Detection
      • Identifies intrusions based on deviations from established normal behavior
      • Capable of identifying new (previously unseen) attacks
      • New normal behavior may be misclassified as abnormal, producing false positives
  • Intrusion Detection Systems
    • Host IDS (HIDS):
      • Performs intrusion detection from within the host it is monitoring
      • Advantages:
        • Good visibility of the internal state of the host machine
        • Difficult for malicious code (malware) to evade the HIDS
      • Disadvantage:
        • Susceptible to attacks by malware
  • Intrusion Detection Systems
    • Network IDS (NIDS)
      • Performs intrusion detection through network connections and outside the host machine
      • Advantage:
        • More resistant to attacks by malware
      • Disadvantages:
        • Poor visibility of the internal state of the host machine
        • Easier for malware to evade the NIDS
  • Intrusion Detection Systems
    • VMM-based IDS:
      • Performs intrusion detection for a virtual machine through the Virtual Machine Monitor (VMM)
      • Advantages:
        • Better visibility of the internal state of the monitored virtual machine than an NIDS has
        • Harder for malware to evade the IDS
        • Less susceptible to attacks by malware
    • Our goal is to create a VMM-based IDS using machine learning techniques
      • Support Vector Machines (SVMs)
  • VMM-IDS Overview
  • Support Vector Machines (SVMs)
    • A machine learning method that classifies data points into one of two classes
      • Two-Class SVMs
        • Training is done on data from two classes
      • One-Class SVMs
        • Training is done on data from only one class
        • During the testing phase, the origin and data points close to it are considered part of the second class
  • Linear Classifiers (slide source: Andrew W. Moore [3])
    • A linear classifier maps an input x to an estimated label y_est ∈ {+1, −1} via f(x, w, b) = sign(w · x − b)
    • For linearly separable data, many different lines (hyperplanes) classify the training data correctly. How would you classify this data, i.e. which one should be chosen?
  • Classifier Margin
    • Define the margin of a linear classifier as the width that the boundary could be increased by before hitting a data point
  • Maximum Margin
    • The maximum margin linear classifier is the linear classifier with the maximum margin
    • This is the simplest kind of SVM, the Linear SVM (LSVM)
    • Support vectors are those data points that the margin pushes up against
  • Suppose 1-Dimension
    • What would SVMs do with data on a line, one class on each side of x = 0? Not a big surprise: the positive and negative "planes" collapse to points on the line, and the boundary is a threshold between them
  • Harder 1-Dimensional Dataset
    • One class clustered around x = 0 with the other class on both sides of it: no single threshold separates them. What can be done about this?
    • Use a kernel function to project the data onto a higher-dimensional space, where a linear boundary does separate them
  • Non-linear SVMs: Feature Spaces
    • A mapping Φ : x -> φ(x) takes points from the input space to a feature space
    • Kernel functions are used to transform data into a different, linearly separable feature space; the SVM only ever needs inner products K(x, z) = φ(x) · φ(z), so φ(x) never has to be computed explicitly
  • Non-linear SVMs: Kernel Functions
    • Popular kernel functions:
      • Linear kernel: K(x, z) = x · z
      • Polynomial kernel: K(x, z) = (γ x · z + r)^d
      • Gaussian Radial Basis Function (RBF) kernel: K(x, z) = exp(−γ ||x − z||²)
      • Sigmoid kernel: K(x, z) = tanh(γ x · z + r)
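The following is an added example, not code from the lecture, showing the kernel idea of the preceding slides on the "harder 1-dimensional dataset" (one class around x = 0, the other on both sides). A perceptron written in its dual (kernel) form stands in for a full SVM solver so the example needs nothing beyond the standard library; the data points and the kernel parameters are constructed for the illustration. With the linear kernel the decision function is a single threshold on the line and cannot fit the data; with the degree-2 polynomial kernel the same algorithm works in the feature space (x², √2·x, 1) without ever computing it, and separates the data.

```python
"""Kernel trick on the 1-D example from the slides (added example, not from the lecture).

A perceptron is used instead of a full SVM solver so the example stays dependency-free;
the point demonstrated is the same: a linear decision function on the raw input fails,
while the same algorithm written in terms of a kernel separates the data.
"""
import math
from typing import Callable, List, Sequence, Tuple

Kernel = Callable[[float, float], float]


def linear_kernel(x: float, z: float) -> float:
    """K(x, z) = x * z: equivalent to working directly in the 1-D input space."""
    return x * z


def poly_kernel(degree: int = 2, coef0: float = 1.0) -> Kernel:
    """K(x, z) = (x * z + coef0)^degree. For degree 2 this is the inner product in
    the feature space phi(x) = (x^2, sqrt(2 * coef0) * x, coef0), never computed explicitly."""
    return lambda x, z: (x * z + coef0) ** degree


def rbf_kernel(gamma: float = 1.0) -> Kernel:
    """Gaussian RBF kernel K(x, z) = exp(-gamma * |x - z|^2)."""
    return lambda x, z: math.exp(-gamma * (x - z) ** 2)


def make_dataset() -> Tuple[List[float], List[int]]:
    """Constructed 'harder 1-D dataset': one class around x = 0, the other on both sides."""
    xs = [-3.0, -2.5, -2.0, -1.0, -0.5, 0.0, 0.5, 1.0, 2.0, 2.5, 3.0]
    ys = [+1, +1, +1, -1, -1, -1, -1, -1, +1, +1, +1]
    return xs, ys


def kernel_perceptron(xs: Sequence[float], ys: Sequence[int], kernel: Kernel,
                      max_epochs: int = 1000) -> Tuple[Callable[[float], int], int]:
    """Dual-form perceptron: decision function sign(sum_j alpha_j * y_j * K(x_j, x) + b).
    Only training points that were ever misclassified get alpha_j > 0, so, as with an
    SVM, the classifier is expressed through a subset of the training points.
    Returns (predict, number of training errors after training)."""
    n = len(xs)
    alpha = [0.0] * n
    b = 0.0

    def decision(x: float) -> float:
        return sum(alpha[j] * ys[j] * kernel(xs[j], x) for j in range(n)) + b

    for _ in range(max_epochs):
        mistakes = 0
        for i in range(n):
            if ys[i] * decision(xs[i]) <= 0:   # misclassified (or exactly on the boundary)
                alpha[i] += 1.0                 # add this point to the hypothesis
                b += ys[i]
                mistakes += 1
        if mistakes == 0:                       # converged: separable in this feature space
            break

    def predict(x: float) -> int:
        return 1 if decision(x) > 0 else -1

    errors = sum(1 for x, y in zip(xs, ys) if predict(x) != y)
    return predict, errors


if __name__ == "__main__":
    xs, ys = make_dataset()
    for name, k in (("linear", linear_kernel),
                    ("polynomial d=2", poly_kernel(2)),
                    ("RBF gamma=1", rbf_kernel(1.0))):
        _, err = kernel_perceptron(xs, ys, k)
        print(f"{name:15s} training errors after training: {err}")
```

The linear run never reaches zero errors no matter how many epochs it is given, because in the raw 1-D space its decision function is w·x + b, a single cut point. The polynomial run converges, and because its decision function is a quadratic in x that is negative on the inner points and positive on the outer ones, any new point inside the inner cluster is classified negative and any point beyond the outer ones positive.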
  • Dataset
    • Synthetic dataset based on SQL and AsteriskNow workloads
      • Process-level features
        • Rate-based features
        • Correlation-based features
      • Time-based windows of execution
        • Current window size: 50 timer interrupts
    • Three normal datasets per workload
    • Two abnormal datasets per workload
      • Each consists of both normal and abnormal data points
  • Constructing Features
  • Features
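The slides name the two feature families (rate-based and correlation-based) and the window size (50 timer interrupts) but not the events being counted or the exact derivation. The block below is an added example of one way to build such features, not the lecture's own feature-extraction code; the four per-interrupt counters, the use of Pearson correlation for the correlation features, and the sample tick streams are all assumptions constructed for the illustration.

```python
"""Process-level rate and correlation features over windows of timer interrupts.

Added example, not the lecture's feature-extraction code. The slides give only the
feature families (rate-based, correlation-based) and the window size (50 timer
interrupts); the event types and the derivation below are assumptions.
"""
import math
from itertools import combinations
from typing import Dict, List, Sequence

WINDOW = 50                                                 # timer interrupts per window (from the slides)
EVENTS = ("syscalls", "page_faults", "disk_io", "net_io")   # assumed per-interrupt counters

Tick = Dict[str, int]                                       # counters observed during one timer interrupt


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Pearson correlation; returns 0.0 when either stream is constant, where the
    statistic is undefined. A constant counter is common in an idle guest, so this
    case must be handled rather than raised."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0.0 or vb == 0.0:
        return 0.0
    return cov / math.sqrt(va * vb)


def window_features(ticks: Sequence[Tick]) -> Dict[str, float]:
    """One feature vector for one window: per-event rates plus pairwise correlations."""
    feats: Dict[str, float] = {}
    for e in EVENTS:
        feats[f"rate_{e}"] = sum(t[e] for t in ticks) / len(ticks)   # events per interrupt
    for a, b in combinations(EVENTS, 2):
        feats[f"corr_{a}_{b}"] = pearson([t[a] for t in ticks], [t[b] for t in ticks])
    return feats


def feature_matrix(ticks: Sequence[Tick], size: int = WINDOW) -> List[Dict[str, float]]:
    """Split a tick stream into non-overlapping windows and featurise each one.
    A trailing partial window is dropped rather than featurised on too little data."""
    return [window_features(ticks[i:i + size])
            for i in range(0, len(ticks) - size + 1, size)]


def as_vector(feats: Dict[str, float]) -> List[float]:
    """Fixed-order numeric vector, the form an SVM trainer consumes."""
    return [feats[k] for k in sorted(feats)]


def constructed_window(anomalous: bool = False) -> List[Tick]:
    """Constructed sample data (not measurements). Normal: page faults track syscalls
    tick by tick and disk I/O is flat. Anomalous: a network burst unrelated to syscalls."""
    ticks: List[Tick] = []
    for i in range(WINDOW):
        t = {"syscalls": i, "page_faults": 2 * i + 1, "disk_io": 7, "net_io": WINDOW - 1 - i}
        if anomalous:
            t["net_io"] = 400 + (i % 2) * 50          # large and decoupled from syscall activity
        ticks.append(t)
    return ticks


if __name__ == "__main__":
    normal = window_features(constructed_window())
    abnormal = window_features(constructed_window(anomalous=True))
    for k in sorted(normal):
        print(f"{k:28s} normal={normal[k]:8.3f}  abnormal={abnormal[k]:8.3f}")
    print("vector length:", len(as_vector(normal)))
```

With four counters the vector has four rate features and six correlation features per window. The correlation features are what let a classifier notice that two counters which normally move together have become decoupled, even when each rate on its own stays within a range seen during normal operation.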
  • Two-Class SVM Results
    Experiment            Workload   Train on Abn1, Test on Abn2   Train on Abn2, Test on Abn1
    Mixed Features        SQL        0.90                          0.96
                          Asterisk   0.81                          0.81
    Rate Features         SQL        0.91                          0.95
                          Asterisk   0.82                          0.76
    Correlation Features  SQL        0.91                          0.95
                          Asterisk   0.85                          0.73
    (The slide does not name the metric behind these scores.)
  • SQL Train on Abn1 and Test on Abn2: Time Series Plot
  • SQL Train on Abn1 and Test on Abn2: ROC Curve
  • SQL Train on Abn2 and Test on Abn1: Time Series Plot
  • SQL Train on Abn2 and Test on Abn1: ROC Curve
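An ROC curve such as the ones on the result slides is built from the classifier's decision value on each test window together with that window's true label. The block below is an added example of that computation, not the lecture's evaluation code; the scores and labels in it are constructed, not the lecture's measurements. It also reads off the detection rate at a tolerated false-positive rate, which is the operating point an IDS is actually deployed at.

```python
"""ROC curve and area under it from per-window decision scores.

Added example, not the lecture's evaluation code. The scores and labels below are
constructed for the illustration.
"""
from typing import List, Sequence, Tuple

Point = Tuple[float, float]   # (false positive rate, true positive rate)


def roc_points(scores: Sequence[float], labels: Sequence[int]) -> List[Point]:
    """Sweep the decision threshold over every distinct score, high to low, predicting
    'intrusion' when score >= threshold. Tied scores move together, which keeps the
    curve honest when a classifier emits many identical decision values."""
    pos = sum(1 for y in labels if y == 1)
    neg = len(labels) - pos
    if pos == 0 or neg == 0:
        raise ValueError("ROC needs at least one positive and one negative example")
    points: List[Point] = [(0.0, 0.0)]
    for thr in sorted(set(scores), reverse=True):
        tp = sum(1 for s, y in zip(scores, labels) if s >= thr and y == 1)
        fp = sum(1 for s, y in zip(scores, labels) if s >= thr and y != 1)
        points.append((fp / neg, tp / pos))
    return points


def auc(points: Sequence[Point]) -> float:
    """Trapezoidal area under the ROC curve (1.0 = perfect ranking, 0.5 = chance)."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def tpr_at_fpr(points: Sequence[Point], max_fpr: float) -> float:
    """Best detection rate achievable without exceeding a false-positive budget."""
    return max(tpr for fpr, tpr in points if fpr <= max_fpr)


# Constructed decision values for six test windows (label 1 = abnormal, -1 = normal).
SCORES = [0.9, 0.8, 0.7, 0.6, 0.5, 0.4]
LABELS = [1, 1, -1, 1, -1, -1]

if __name__ == "__main__":
    pts = roc_points(SCORES, LABELS)
    print("ROC points:", [(round(f, 2), round(t, 2)) for f, t in pts])
    print("AUC:", round(auc(pts), 3))
    print("TPR at FPR <= 0:", round(tpr_at_fpr(pts, 0.0), 3))
```

For the constructed scores one normal window (score 0.7) outranks one abnormal window (0.6), so eight of the nine abnormal/normal pairs are ordered correctly and the area is 8/9; at a zero false-positive budget only two of the three abnormal windows are caught.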
  • Conclusions
    • Two-class SVM can perform well in detecting intrusions in virtual machine environments
    • Goal: develop an accurate intrusion detection system for VMs based on machine learning techniques
  • References
    • [1] R. Bace and P. Mell. Intrusion Detection Systems. NIST Special Publication SP 800-31, November 2001.
    • [2] T. Garfinkel and M. Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. Proceedings of the Network and Distributed Systems Security Symposium, 2003.
    • [3] Andrew Moore's slides on Support Vector Machines. http://www.cs.cmu.edu/~awm/tutorials
    • [4] Prasad's slides on Support Vector Machines. www.cs.wright.edu/~tkprasad/courses/cs499/L18SVM.ppt
    • [5] 2005 Malware Report: Executive Summary. http://www.computereconomics.com/article.cfm?id=1090
    • [6] Virtual Machine. http://en.wikipedia.org/wiki/Virtual_machine