IDS with Artificial Intelligence

1. Intrusion Detection System with Artificial Intelligence
   Mario Castro Ponce, Universidad Pontificia Comillas de Madrid (marioc@dsi.icai.upco.es)
   FIST Conference, June 2004 edition. Sponsored by: MLP Private Finance

2. Aim of the talk
   1. Show you a different approach to intrusion detection, based on Artificial Intelligence.
   2. Contact experts in the field to exchange ideas and maybe create a (pioneering!) working group.

3. Sketch of the talk
   - What is an IDS?
   - Architecture of a vulnerability detector
   - Why use A.I.?
   - Neurons and other animals
   - Neural-IDS
   - Fuzzy correlator
   - Conclusions
4. What is an IDS?
   Any hardware, software, or combination thereof that monitors a system or network of systems for malicious activity.
   Main functions:
   - Dissuade
   - Prevent
   - Document
   Two kinds of IDS:
   - Host based
   - Network based
5. Architecture of a vulnerability detector
   Example: OSSIM. [Architecture diagram on the slide; not recoverable from the extraction.]
6. Why use AI?
   The system manager's nightmare: false positives.
   Then? A.I. for three main reasons:
   - Flexibility (vs. fixed threshold definitions)
   - Adaptability (vs. specific rules)
   - Pattern recognition (and detection of new patterns)
   Moreover:
   - Fast computing (faster than humans, actually)
   - Learning abilities
7. Neurons and other animals
   AI tools: neural networks, fuzzy logic, other...

8. Artificial neural networks
   Change of paradigm in computing science: many simple processors, each with one small task, against one (or a few) powerful, versatile processors.

9. Neurons and artificial neurons
   [Figure on the slide comparing a biological neuron with an artificial one.]

10. Main types of ANN
   - Multilayer perceptrons (input layer, hidden layer, output layer)
   - Self-organised maps
   - Radial basis function networks
   - Other
11. Neural IDS
   - Designed for DoS and port scan attacks
   - IDS based on a multilayer perceptron
   Designing the tool: Analysis -> Quantification -> Topology -> Learning & validation, with feedback from the validation step back into the earlier ones.
12. First scenario: port scan
   "Pouring rain" analogy: packets from the same source IP, plotted against destination port number (21, 22, 23, 25, 80, ...). A scan spreads the packets over many ports.

13. Second scenario: denial of service
   Same plot: packets from the same source IP against destination port number. A DoS concentrates the packets on one port.
14. Measures
   Visually the difference between them is clear... but quantitatively?
   Measures borrowed from physics:
   - Statistical mechanics: order = low entropy, disorder = high entropy.
   - Solid state physics (electronics): atoms in an insulator vs. atoms in a conductor (localised vs. delocalised states).
   Applied to the two scenarios:
   - Port scan: packets from the same source IP spread across many ports -> disorder = high entropy (the "conductor" picture).
   - Denial of service: packets from the same source IP concentrated on one port -> order = low entropy (the "insulator" picture).
   Traffic parameters:
   - Packets per second
   - Fraction of total packets to a port
   - Inverse of the total number of packets
   All measures are evaluated within a time window. Parallel time windows: e.g., 15 sec, 30 sec, 5 minutes, 30 minutes.
15. Topology
   Inputs to the multilayer perceptron: entropy, IPR (presumably the inverse participation ratio, the localisation measure of solid-state physics alluded to on the previous slide), packets/sec, fraction of packets, 1/packets.
   Outputs: port scan, denial of service, none.
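The measures of slides 14 and 15, computed per source IP over one time window, as an added example that is not part of the original talk. The packet tuples, the window length, the field names and the crude stand-in classifier at the end are my assumptions; the talk only names the measures and says an MLP consumes them. The IPR is implemented as the inverse participation ratio, which is an assumption about what the topology slide means by "IPR".

```python
# Added example, not part of the original talk: the per-source traffic
# measures of the neural IDS (entropy, IPR, packets/sec, fraction of packets
# to a port, 1/packets) computed over one time window. The packet tuples,
# window length, field names and the stand-in classifier are my assumptions.
import math
from collections import Counter
from typing import Iterable, Tuple, Dict, List

Packet = Tuple[float, str, int]  # (timestamp in seconds, source IP, destination port)


def window_features(packets: Iterable[Packet], src_ip: str,
                    t_start: float, window: float) -> Dict[str, float]:
    """Measures for one source IP over the window [t_start, t_start + window)."""
    ports = [p for (t, s, p) in packets
             if s == src_ip and t_start <= t < t_start + window]
    n = len(ports)
    if n == 0:  # silent source: every measure is zero, nothing to classify
        return {"pps": 0.0, "entropy": 0.0, "ipr": 0.0,
                "top_port_fraction": 0.0, "inv_packets": 0.0, "ports": 0}
    counts = Counter(ports)
    probs = [c / n for c in counts.values()]  # share of the window's packets per port
    # Shannon entropy (bits) of the destination-port distribution: a scan
    # spreads packets over many ports (disorder, high entropy), a flood
    # piles them onto one port (order, low entropy).
    entropy = -sum(p * math.log2(p) for p in probs)
    # Inverse participation ratio, assumed to be the "IPR" input of the
    # topology slide: sum of squared shares, 1/(number of ports) for a uniform
    # spread (delocalised, "conductor") and 1 when one port takes everything
    # (localised, "insulator").
    ipr = sum(p * p for p in probs)
    return {"pps": n / window, "entropy": entropy, "ipr": ipr,
            "top_port_fraction": max(probs), "inv_packets": 1.0 / n,
            "ports": len(counts)}


def synthetic_traffic() -> List[Packet]:
    """Constructed stand-in for a capture: a sequential scan from 10.0.0.1,
    a flood against port 80 from 10.0.0.2 and light normal use from 10.0.0.3."""
    pkts: List[Packet] = []
    for i in range(1024):                      # one probe per port 1..1024 over 15 s
        pkts.append((i * 15 / 1024, "10.0.0.1", i + 1))
    for i in range(3000):                      # 3000 packets to port 80 inside 1 s
        pkts.append((i / 3000, "10.0.0.2", 80))
    for i, port in enumerate([80, 443, 80, 25, 80, 443]):   # a few ordinary sessions
        pkts.append((i * 2.0, "10.0.0.3", port))
    return pkts


def classify_heuristic(f: Dict[str, float]) -> str:
    """Illustrative stand-in for the trained multilayer perceptron: two cuts on
    the same inputs the MLP would receive. The cut points are invented for a
    15-second window, not taken from the talk."""
    if f["pps"] >= 100 and f["ipr"] > 0.9:
        return "dos"
    if f["ports"] >= 20 and f["entropy"] > 4.0:
        return "port_scan"
    return "none"


if __name__ == "__main__":
    traffic = synthetic_traffic()
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        f = window_features(traffic, ip, 0.0, 15.0)
        print(ip, classify_heuristic(f), {k: round(v, 4) for k, v in f.items()})
```

Running it over the constructed capture gives entropy 10 bits and IPR 1/1024 for the scanner, entropy 0 and IPR 1 for the flooder, and a small, mixed distribution for the normal host, which is exactly the separation the "pouring rain" slides show by eye. The parallel windows of slide 14 are obtained by calling `window_features` with several `window` values on the same packet list.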
16. Learning and testing

   Type of attack    Learning patterns    Rate of success
   Sequential scan   20                   100 %
   Sequential scan   50                   100 %
   Random scan       20                   100 %
   Random scan       50                   100 %
   DoS               20                    70 %
   DoS               50                    80 %
   All               20                    60 %
   All               50                    65 %

   Best choice: specialised neural detectors (one network per attack type rather than one network trained on all of them).
17. Fuzzy logic
   Imitates human perception: approximate reasoning.
   Example: air cooler.
   Classical rules:
     IF Temperature > 25 THEN Switch-on
     IF Temperature < 21 THEN Switch-off
     ...
   Fuzzy rules:
     IF Temperature is high THEN Switch-on
     IF Temperature is too low THEN Switch-off
     ...
   More sophisticated fuzzy rules:
     IF Temperature is moderate AND my wife is very pregnant THEN Switch-on
     ...
18. Term sets and grade of membership
   Thresholds:
   - More than 3000 packets/sec => possible DoS
   - More than 5000 packets/sec => DoS!
   [Figure on the slide: grade of membership (0 to 1) against volume of traffic (0, 1000, 2000, ... packets/sec), showing how the crisp thresholds are replaced by a "low" term with a graded boundary.]
19. Fuzzy correlator: preliminary work
   Aim of the research: use the flexibility and human-language features of fuzzy logic and include them in the OSSIM correlation engine.
   Status: preliminary definitions and procedures.
20. More on term sets
   Input variable: volume of traffic. Term set: very low, low, normal, high, very high, with membership grades from 0 to 1 over a 0 to 5000 packets/sec axis (ticks every 1000).

21. More on term sets (II)
   Input variable: number of visited ports. Term set: very low, low, normal, high, very high, over a 0 to 10 axis (ticks every 2).

22. More on term sets (III)
   Output variable: DoS attack? Term set: improbable, maybe, almost sure, over a 0 to 1 axis (ticks at 0, 0.5, 1).
   Rules (example):
     IF traffic is high AND number of destination ports is low THEN DoS
   Evaluating the rules gives the required answer to 'DoS attack?': almost sure.
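The rule evaluation of slides 20 to 22 carried through to a crisp answer, as an added example that is not part of the original talk. The slides give only the term names and the axis ranges; the evenly spaced triangular membership functions, the rule list beyond the one rule on the slide, AND as minimum, OR as maximum across rules, and centroid defuzzification are my assumptions (a standard Mamdani-style setup).

```python
# Added example, not from the talk: a Mamdani-style evaluation of the
# 'DoS attack?' term sets on slides 20 to 22. The slides give only the term
# names and axis ranges; evenly spaced triangular membership functions, the
# rule list, AND = min, OR = max across rules and centroid defuzzification
# are my assumptions.
from typing import Dict, List, Optional, Tuple

Terms = Dict[str, Tuple[float, float]]  # name -> (centre, half-width)


def triangle(x: float, centre: float, half_width: float) -> float:
    """Triangular membership: 1 at the centre, falling to 0 at +/- half_width."""
    return max(0.0, 1.0 - abs(x - centre) / half_width)


def term_set(names: List[str], lo: float, hi: float) -> Terms:
    """Evenly spaced triangles over [lo, hi]; neighbours cross at grade 0.5."""
    step = (hi - lo) / (len(names) - 1)
    return {name: (lo + i * step, step) for i, name in enumerate(names)}


TRAFFIC = term_set(["very_low", "low", "normal", "high", "very_high"], 0.0, 5000.0)
PORTS = term_set(["very_low", "low", "normal", "high", "very_high"], 0.0, 10.0)
DOS = term_set(["improbable", "maybe", "almost_sure"], 0.0, 1.0)

# (traffic term, visited-ports term, conclusion); None means "don't care".
# The first rule is the one on the slide; the others are assumed neighbours.
RULES: List[Tuple[Optional[str], Optional[str], str]] = [
    ("high", "low", "almost_sure"),
    ("high", "very_low", "almost_sure"),
    ("very_high", "low", "almost_sure"),
    ("very_high", "very_low", "almost_sure"),
    ("high", "normal", "maybe"),
    ("very_high", "normal", "maybe"),
    ("normal", "low", "maybe"),
    ("normal", "very_low", "maybe"),
    ("low", None, "improbable"),
    ("very_low", None, "improbable"),
    (None, "high", "improbable"),       # many ports looks like a scan, not a flood
    (None, "very_high", "improbable"),
]


def fuzzify(x: float, terms: Terms, lo: float, hi: float) -> Dict[str, float]:
    """Grade of membership of x in every term; x is clamped to the universe so
    the outer terms act as shoulders."""
    x = min(max(x, lo), hi)
    return {name: triangle(x, c, w) for name, (c, w) in terms.items()}


def evaluate(traffic_pps: float, visited_ports: int,
             samples: int = 1000) -> Tuple[float, str]:
    """Return (crisp DoS score in [0, 1], strongest output term)."""
    mt = fuzzify(traffic_pps, TRAFFIC, 0.0, 5000.0)
    mp = fuzzify(float(visited_ports), PORTS, 0.0, 10.0)
    strength = {name: 0.0 for name in DOS}
    for t_term, p_term, out in RULES:
        antecedents = [m[term] for m, term in ((mt, t_term), (mp, p_term)) if term]
        firing = min(antecedents)                   # AND
        strength[out] = max(strength[out], firing)  # OR across rules with the same conclusion
    # Centroid of the aggregated output: every conclusion's triangle clipped at
    # its firing strength, combined with max, integrated numerically.
    num = den = 0.0
    for i in range(samples + 1):
        x = i / samples
        mu = max(min(strength[name], triangle(x, c, w)) for name, (c, w) in DOS.items())
        num += x * mu
        den += mu
    if den == 0.0:          # no rule fired: the rule base has a hole at this input
        return 0.0, "no rule fired"
    return num / den, max(strength, key=strength.get)


if __name__ == "__main__":
    for pps, ports in ((4000, 2), (500, 2), (4000, 9), (2500, 5)):
        print(pps, ports, evaluate(pps, ports))
```

With 4000 packets/sec to 2 ports the slide's rule fires at grade 0.8 and the centroid lands near 0.83, labelled "almost sure"; 4000 packets/sec to 9 ports is "improbable", because the many-ports rules dominate; 2500 packets/sec to 5 ports fires nothing at all, which is the practical reason to check rule-base coverage before trusting such a correlator.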
23. OSSIM correlation engine
   Characteristics:
   - Depends strongly on timers
   - All the variants of an attack must be coded
   - Cannot detect new attacks
   - Complex syntax
24-25. Sample scenario: NETBIOS DCERPC ISystemActivator
   A sequential directive; each step is abandoned (TIME_OUT) if the next one does not arrive within 60 seconds:
   1. IF destination_port = 135 or 445 THEN generate alarm with reliability 1 and wait 60 seconds for the next rule.
   2. AND IF DEST_IP and SRC_IP talk again THEN alarm with reliability 3 and wait 60 seconds for the next rule.
   3. AND IF DEST_PORT and SRC_PORT talk again AND plugin_sid = 2123 (CMD.EXE) THEN alarm with reliability 6 and wait 60 seconds for the next rule.
   4. AND FINALLY IF plugin_id = 2002 and the connection lasts more than 10 THEN alarm with reliability 10.
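The directive above replayed by a toy sequential correlator, as an added example that is neither the talk's code nor OSSIM's. Its purpose is to make the "depends strongly on timers" point of slide 23 concrete: the same four events raise reliability 1, 3, 6, 10 when they arrive five seconds apart, and four separate reliability-1 alarms when they arrive 61 seconds apart. The Event fields, the two event lists and the reading of "lasts more than 10" as seconds are my assumptions; plugin ids 2123 and 2002 are copied from the slide without checking their meaning.

```python
# Added example, not from the talk or from OSSIM: a toy sequential correlator
# that replays the directive on the slide, to show the timer dependence the
# previous slide criticises. Event fields, the event lists and "more than 10"
# read as seconds are assumptions; plugin ids are copied from the slide.
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIMEOUT = 60.0  # "wait 60 seconds for next rule"


@dataclass(frozen=True)
class Event:
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    plugin_id: int = 0
    plugin_sid: int = 0
    duration: float = 0.0


@dataclass
class Directive:
    """State of one in-progress chain: how far it got, its deadline, who started it."""
    level: int = 0
    deadline: float = 0.0
    first: Optional[Event] = None


def step(state: Directive, ev: Event) -> Tuple[Directive, Optional[int]]:
    """Advance the directive by one event; return (new state, alarm reliability or None)."""
    if state.level > 0 and ev.ts > state.deadline:
        state = Directive()  # TIME_OUT: the whole chain is forgotten
    if state.level == 0:
        if ev.dst_port in (135, 445):
            return Directive(1, ev.ts + TIMEOUT, ev), 1
        return state, None
    f = state.first
    same_hosts = {ev.src_ip, ev.dst_ip} == {f.src_ip, f.dst_ip}
    same_ports = {ev.src_port, ev.dst_port} == {f.src_port, f.dst_port}
    nxt = None
    if state.level == 1 and same_hosts:
        nxt = (2, 3)
    elif state.level == 2 and same_hosts and same_ports and ev.plugin_sid == 2123:
        nxt = (3, 6)
    elif state.level == 3 and same_hosts and ev.plugin_id == 2002 and ev.duration > 10:
        nxt = (4, 10)
    if nxt is None:
        return state, None
    level, reliability = nxt
    return Directive(level, ev.ts + TIMEOUT, f), reliability


def run(events: List[Event]) -> List[int]:
    """Reliability of every alarm the directive raises over an event stream."""
    state, alarms = Directive(), []
    for ev in sorted(events, key=lambda e: e.ts):
        state, rel = step(state, ev)
        if rel is not None:
            alarms.append(rel)
    return alarms


def scenario(gap: float) -> List[Event]:
    """Constructed attack chain with `gap` seconds between its four steps."""
    a, v = "10.0.0.9", "10.0.0.5"
    return [
        Event(0 * gap, a, v, 1025, 135),                                   # first contact on 135
        Event(1 * gap, a, v, 1026, 135),                                   # the two hosts talk again
        Event(2 * gap, a, v, 1025, 135, plugin_sid=2123),                  # CMD.EXE on the same ports
        Event(3 * gap, a, v, 1025, 135, plugin_id=2002, duration=30.0),    # connection lasting > 10
    ]


if __name__ == "__main__":
    print("fast attacker:   ", run(scenario(5.0)))   # climbs to reliability 10
    print("patient attacker:", run(scenario(61.0)))  # four isolated reliability-1 alarms
```

An attacker who pauses a little over a minute between steps never gets past reliability 1 even though the same four events occur, which is the weakness the fuzzy correlator of the next slides is meant to address by grading evidence instead of expiring it.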
26. Fuzzy correlator revisited: objectives
   - Going beyond the sequential arrival of packets
   - Integrating different sensors:
     - SNORT
     - Anomaly detection: abnormal connection to an open port (firewall)
     - Thresholds: high traffic at night or at weekends, ...
     - Neural-IDS
     - Other
   - Defining rules according to the security manager's experience
27. Conclusions and open questions
   AI techniques are:
   - Flexible
   - Suitable for pattern recognition
   - Powerful (Neural-IDS)
   - Easy to design (human language)
   But there is still a lot of work to do...
   - We need more time
   - We need more people: students, security experts (working group?)
   - And of course... some money to pay for it
28. And that's all folks...