3. What is Intrusion Detection
Intrusions are activities that violate the
security policy of a system.
Intrusion detection is the process used to
identify intrusions.
4. Types of Intrusion Detection System
Based on the source of the audit information
used by each IDS, IDSs may be classified
into
– Host-based IDSs
– Distributed IDSs
– Network-based IDSs
5. Host-based IDSs
– Get audit data from host audit trails.
– Detect attacks against a single host
Distributed IDSs
– Gather audit data from multiple hosts and possibly the
network that connects the hosts
– Detect attacks involving multiple hosts
Network-Based IDSs
– Use network traffic as the audit data source, relieving
the burden on the hosts that usually provide normal
computing services
– Detect attacks from the network.
6. Types Of Detection
Misuse detection
– Catch the intrusions in terms of the
characteristics of known attacks or system
vulnerabilities.
Anomaly detection
– Detect any action that significantly deviates
from the normal behavior.
7. Misuse Detection
Based on known attack actions.
Features are extracted from known intrusions.
Integrates human knowledge.
The rules are pre-defined.
Disadvantage:
– Cannot detect novel or unknown attacks
8. Anomaly Detection
Based on the normal behavior of a subject.
Sometimes assumes that the training audit data
does not include intrusion data.
Any action that significantly deviates from
the normal behavior is considered intrusion.
10. Intrusion Detection Approaches
1. Define and extract the features of behavior
in the system
2. Define and extract the rules of intrusion
3. Apply the rules to detect the intrusion
[Diagram: training audit data → features → rules; audit data → pattern matching or classification]
13. Association Rule Mining
(Apriori Algorithm)
Two steps:
– Find all itemsets that have minimum support
(frequent itemsets, also called large itemsets).
– Use frequent itemsets to generate rules.
Notations:
– k-itemset: an itemset having k items.
– Lk: set of large k-itemsets (those with minimum support).
Each member of this set has two fields: i) itemset and ii) support count.
– Ck: set of candidate k-itemsets (potentially large itemsets).
Each member of this set has two fields: i) itemset and ii) support count.
14. Apriori Algorithm
L1 = {large 1-itemsets};
for ( k = 2; Lk-1 ≠ ∅; k++ ) do begin
  Ck = apriori-gen(Lk-1); // New candidates
  forall transactions t ∈ D do begin
    Ct = subset(Ck, t); // Candidates contained in t
    forall candidates c ∈ Ct do
      c.count++;
  end
  Lk = {c ∈ Ck | c.count ≥ minsup}
end
Answer = ∪k Lk;
16. Discovering Rules
For every large itemset l, we find all non-empty
subsets of l.
For every such subset a, we output a rule of
the form a → (l – a) if the ratio of support(l)
to support(a) is at least minconf.
We consider all subsets of l to generate
rules with multiple consequents.
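Slides 14 and 16 put together as an added, runnable example (not from the slides): Apriori over a small, constructed set of connection records, followed by rule generation with minsup and minconf. The audit attributes (service, flag, byte-size bins) and their values are assumed for illustration only.

```python
from itertools import combinations

# Constructed sample audit data: each transaction is the set of attribute
# values seen in one connection record (values made up for illustration).
TRANSACTIONS = [
    {"service=http", "flag=SF", "src_bytes=low"},
    {"service=http", "flag=SF", "src_bytes=low", "dst_bytes=high"},
    {"service=http", "flag=S0", "src_bytes=zero"},
    {"service=http", "flag=S0", "src_bytes=zero"},
    {"service=ftp", "flag=SF", "src_bytes=high"},
    {"service=http", "flag=SF", "src_bytes=low"},
]

def apriori_gen(prev_large, k):
    """Join L(k-1) with itself; prune candidates having a (k-1)-subset not in L(k-1)."""
    prev = set(prev_large)
    return {a | b for a in prev for b in prev if len(a | b) == k
            and all(frozenset(s) in prev for s in combinations(a | b, k - 1))}

def apriori(transactions, minsup):
    """Slide 14: return {itemset: support count} for every large itemset."""
    counts = {}
    for t in transactions:                      # pass 1 builds L1
        for item in t:
            counts[frozenset([item])] = counts.get(frozenset([item]), 0) + 1
    lk = {s: c for s, c in counts.items() if c >= minsup}
    large, k = {}, 2
    while lk:                                   # loop while L(k-1) is non-empty
        large.update(lk)
        cnt = dict.fromkeys(apriori_gen(lk, k), 0)
        for t in transactions:
            for c in cnt:                       # Ct: candidates contained in t
                if c <= t:
                    cnt[c] += 1
        lk = {c: n for c, n in cnt.items() if n >= minsup}
        k += 1
    return large

def discover_rules(large, minconf):
    """Slide 16: for each large l and non-empty proper subset a, emit a -> (l - a)
    when support(l) / support(a) >= minconf (every subset of l is itself large)."""
    rules = []
    for l, sup_l in large.items():
        for r in range(1, len(l)):
            for a in map(frozenset, combinations(l, r)):
                conf = sup_l / large[a]
                if conf >= minconf:
                    rules.append((a, l - a, conf))
    return rules
```

With minsup=3 and minconf=0.8 the sample yields seven large itemsets and six rules, e.g. src_bytes=low → {service=http, flag=SF} with confidence 1.0.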