IDS with Artificial Intelligence
Transcript

  • 1. Intrusion Detection System with Artificial Intelligence. Mario Castro Ponce, Universidad Pontificia Comillas de Madrid. FIST Conference - June 2004 edition. Sponsored by: MLP Private Finance. Slide footer: IDS with AI, marioc@dsi.icai.upco.es, FIST Conference - june 2004 edition, 1/28.
  • 2. Aim of the talk: 1. Show you a different approach to intrusion detection based on Artificial Intelligence. 2. Contact experts in the field to exchange ideas and maybe create a (pioneer!!!!) working group.
  • 3. Sketch of the talk: What is an IDS? Architecture of a Vulnerability Detector. Why using A.I.? Neurons and other animals. Neural-IDS. Fuzzy-Correlator. Conclusions.
  • 4-6. What is an IDS? Any hardware, software, or combination thereof that monitors a system or network of systems for malicious activity. Main functions: Dissuade, Prevent, Document. Two kinds of IDS: Host based, Network based.
  • 7. Architecture of a Vulnerability Detector. Example: OSSIM (architecture figure not captured in the transcript).
  • 8-10. Why using AI? The system manager's nightmare: false positives. Then? A.I. for three main reasons: Flexibility (vs threshold definition); Adaptability (vs specific rules); Pattern recognition (and detection of new patterns). Moreover: Fast computing (faster than humans, actually); Learning abilities.
  • 11. Neurons and other animals. AI tools: Neural Networks, Fuzzy Logic, Other...
  • 12. Artificial Neural Networks. Change of paradigm in computing science: many simple processors, each with a small task to do, instead of one (or a few) powerful, versatile processors.
  • 13. Neurons and artificial neurons (figure not captured in the transcript).
  • 14. Main types of ANN: Multilayer perceptrons (figure: input layer, hidden layer, output layer); Self-organized maps; Radial basis neural networks; Other.
  • 15-16. Neural IDS. Designed for DoS and port scan attacks. IDS based on a multilayer perceptron. Designing the tool: Analysis, Quantification, Topology, Learning & validation, with feedback between the stages.
  • 17. First scenario: Port scan. Pouring rain analogy: packets from the same source @IP fall over many different port numbers (figure: ports 21, 22, 23, 25, 80).
  • 18. Second scenario: Denial of Service. Pouring rain analogy: packets from the same source @IP fall on one port (figure: ports 21, 22, 23, 25, 80).
  • 19-26. Measures. Visually the difference between them is clear... but quantitatively? Measures borrowed from Physics:
    - Statistical Mechanics: Order = Low Entropy; Disorder = High Entropy.
    - Solid State Physics (electronics): the insulator vs conductor picture (figure: atoms in an insulator, atoms in a conductor).
    - Applied to the packets from the same source @IP (figure: ports 21, 22, 23, 25, 80): spread over many ports = Disorder = High Entropy, the conductor picture; concentrated on one port = Order = Low Entropy, the insulator picture.
    Traffic parameters: Packets per second; Fraction of total packets to a port; Inverse of the total number of packets. All measures are evaluated within a time window. Parallel time windows: e.g., 15 sec, 30 sec, 5 minutes, 30 minutes.
  • 27. Topology (figure). Inputs: Entropy, IPR, Packets/sec, Fraction of packets, 1/Packets. Outputs: Port scan, Denial of service, None.
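As an added example (not the talk's own code), the per-source measures of slides 19 to 27 computed over a sliding time window, with the parallel windows the slides mention. The packet tuples, the addresses and the reading of "IPR" as the inverse participation ratio (the localisation measure behind the insulator/conductor analogy) are this example's assumptions.

```python
"""Added example (not from the talk): the per-source traffic measures of
slides 19-27 over a sliding time window.  Packets are constructed
(src_ip, dst_port, timestamp) tuples.  'IPR' is assumed to be the inverse
participation ratio from localisation physics, which the slides' conductor /
insulator analogy points at; that reading is this example's assumption."""
from collections import Counter
from dataclasses import dataclass
from math import log2


@dataclass
class WindowFeatures:
    packets_per_sec: float    # packets in the window / window length
    entropy: float            # Shannon entropy (bits) of the destination-port distribution
    ipr: float                # inverse participation ratio: sum of p_i**2 over ports
    top_port_fraction: float  # fraction of the packets that went to the most-hit port
    inverse_packets: float    # 1 / total packets (0 if the window is empty)


def window_features(packets, src_ip, t_end, window_sec):
    """Compute the measures for one source over (t_end - window_sec, t_end]."""
    t_start = t_end - window_sec
    ports = Counter(dport for ip, dport, ts in packets
                    if ip == src_ip and t_start < ts <= t_end)
    n = sum(ports.values())
    if n == 0:
        return WindowFeatures(0.0, 0.0, 0.0, 0.0, 0.0)
    probs = [c / n for c in ports.values()]
    entropy = -sum(p * log2(p) for p in probs)   # 0 for one port, log2(k) for k equal ports
    ipr = sum(p * p for p in probs)              # 1 for one port, 1/k for k equal ports
    return WindowFeatures(n / window_sec, entropy, ipr, max(probs), 1.0 / n)


def multi_window_features(packets, src_ip, t_end, windows=(15, 30, 300, 1800)):
    """The slides evaluate every measure in several parallel windows (seconds)."""
    return {w: window_features(packets, src_ip, t_end, w) for w in windows}


# Constructed sample traffic (not a real capture).
SCAN_SRC = "192.0.2.10"    # sequential scan: one packet to each of 1000 ports
DOS_SRC = "192.0.2.20"     # flood: 6000 packets to port 80 within 2 seconds
NORMAL_SRC = "192.0.2.30"  # a handful of packets to a few services
SAMPLE_PACKETS = (
    [(SCAN_SRC, port, 100.0 + port * 0.005) for port in range(1, 1001)]
    + [(DOS_SRC, 80, 100.0 + i * (2.0 / 6000)) for i in range(6000)]
    + [(NORMAL_SRC, p, 100.0 + i) for i, p in enumerate([80, 443, 80, 22, 80])]
)


if __name__ == "__main__":
    for src in (SCAN_SRC, DOS_SRC, NORMAL_SRC):
        print(src, window_features(SAMPLE_PACKETS, src, t_end=110.0, window_sec=15))
```

Run over the constructed traffic, the scan source shows high entropy and an IPR near zero, the flood source zero entropy and an IPR of one, and the benign source sits in between; a window that has already slid past the flood returns all zeros rather than stale values.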
  • 28-29. Learning and testing.
    Type of attack  | Learning patterns | Rate of success
    Sequential scan | 20                | 100 %
    Sequential scan | 50                | 100 %
    Random scan     | 20                | 100 %
    Random scan     | 50                | 100 %
    DoS             | 20                | 70 %
    DoS             | 50                | 80 %
    All             | 20                | 60 %
    All             | 50                | 65 %
    Best choice: Specialized neural detectors.
  • 30-33. Fuzzy Logic. Imitates human perception: approximate reasoning. Example: Air cooler. Classical rules: IF Temperature > 25 THEN Switch-on; IF Temperature < 21 THEN Switch-off; ... Fuzzy rules: IF Temperature is high THEN Switch-on; IF Temperature is too low THEN Switch-off; ... More sophisticated fuzzy rules: IF Temperature is moderate AND my wife is very pregnant THEN Switch-on; ...
  • 34-35. Term sets and grade of membership. Thresholds: More than 3000 packets/sec ⇒ Possible DoS; More than 5000 packets/sec ⇒ DoS! (figure: grade of membership, from 0 to 1, of the term "low" against volume of traffic, axis ticks 0, 1000, 2000).
  • 36-37. Fuzzy correlator: Preliminary work. Aim of the research: use the flexibility and human-language features of Fuzzy Logic and include them in the OSSIM Correlation Engine. Status: preliminary definitions and procedures.
  • 38. More on term sets. Input variable: Volume of traffic. Terms: very low, low, normal, high, very high (figure: membership from 0 to 1 over an axis from 0 to 5000, ticks at 0, 1000, 2000, 3000, 4000, 5000).
  • 39. More on term sets (II). Input variable: Number of visited ports. Terms: very low, low, normal, high, very high (figure: membership from 0 to 1 over an axis from 0 to 10, ticks at 0, 2, 4, 6, 8, 10).
  • 40. More on term sets (III). Output variable: DoS Attack? Terms: improbable, maybe, almost sure (figure: membership from 0 to 1 over an axis from 0 to 1, ticks at 0, 0.5, 1). Rules (example): IF traffic is high AND number of destination ports is low THEN DoS. Evaluating the rules gives the required answer 'DoS Attack?': almost sure.
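The evaluation step of slides 38 to 40 carried through, as an added example that is not the talk's or OSSIM's code: the three term sets, the slide's rule plus a few assumed companion rules, min/max for AND/OR, and a centroid defuzzification. The evenly spaced triangular term shapes, every rule except the first, and the sample inputs are this example's assumptions.

```python
"""Added example (not from the talk): a small Mamdani-style fuzzy inference
step over the term sets of slides 38-40.  The term shapes (evenly spaced
triangles over the axes shown on the slides), the rules other than the one the
slide gives, and the centroid defuzzification are this example's assumptions."""


def triangle(x, a, b, c):
    """Membership of x in a triangular set rising from a to its peak b and falling to c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def term_set(names, lo, hi):
    """Evenly spaced triangular terms over [lo, hi].  The end terms keep full
    membership beyond the axis because inputs are clamped to the axis first."""
    step = (hi - lo) / (len(names) - 1)
    terms = {name: (lo + (i - 1) * step, lo + i * step, lo + (i + 1) * step)
             for i, name in enumerate(names)}
    return terms, lo, hi


FIVE = ["very low", "low", "normal", "high", "very high"]
TRAFFIC = term_set(FIVE, 0, 5000)                              # volume of traffic, slide 38
PORTS = term_set(FIVE, 0, 10)                                  # number of visited ports, slide 39
DOS = term_set(["improbable", "maybe", "almost sure"], 0, 1)   # output 'DoS Attack?', slide 40


def grade(var, name, x):
    """Grade of membership of x in term `name` of variable `var` (x clamped to the axis)."""
    terms, lo, hi = var
    x = min(max(x, lo), hi)
    return triangle(x, *terms[name])


# Rules as (antecedent, consequent term).  AND is min, OR is max.
# The first rule is the one on slide 40; the other four are assumed for the example.
RULES = [
    (lambda t, p: min(grade(TRAFFIC, "high", t), grade(PORTS, "low", p)), "almost sure"),
    (lambda t, p: min(grade(TRAFFIC, "very high", t), grade(PORTS, "very low", p)), "almost sure"),
    (lambda t, p: grade(TRAFFIC, "normal", t), "maybe"),
    (lambda t, p: max(grade(TRAFFIC, "low", t), grade(TRAFFIC, "very low", t)), "improbable"),
    (lambda t, p: max(grade(PORTS, "high", p), grade(PORTS, "very high", p)), "improbable"),
]


def infer_dos(traffic, ports, samples=201):
    """Return (crisp score in [0, 1], linguistic label) for 'DoS Attack?'.

    Each rule clips its consequent term at the rule's firing strength, the
    clipped terms are max-aggregated, and the centroid of the aggregate is the
    score.  If no rule fires at all the rule base has a coverage gap, which is
    reported as (None, "undetermined") instead of being hidden by a default."""
    strengths = {}
    for antecedent, consequent in RULES:
        s = antecedent(traffic, ports)
        strengths[consequent] = max(strengths.get(consequent, 0.0), s)
    area = moment = 0.0
    for k in range(samples):                      # numeric centroid over the output axis
        y = k / (samples - 1)
        mu = max(min(s, grade(DOS, name, y)) for name, s in strengths.items())
        area += mu
        moment += mu * y
    if area == 0.0:
        return None, "undetermined"
    score = moment / area
    label = max(DOS[0], key=lambda name: grade(DOS, name, score))
    return score, label


if __name__ == "__main__":
    for traffic, ports in [(4500, 1), (500, 9), (3750, 5)]:
        print(traffic, ports, infer_dos(traffic, ports))
```

With 4500 packets/sec to one port the two DoS rules fire at 0.4 and 0.6, the aggregate is the "almost sure" term clipped at 0.6, and the centroid lands near 0.81. The third sample input (traffic exactly "high", ports exactly "normal") fires no rule at all, which is the kind of gap a rule base written from the security manager's experience needs to be checked for before deployment.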
  • 41. OSSIM Correlation Engine. Characteristics: Depends strongly on timers; All the variants of an attack must be coded; Cannot detect new attacks; Complex syntax.
  • 42-43. Sample scenario: NETBIOS DCERPC ISystemActivator. Correlation directive (each level has a TIME_OUT):
    1. IF destination_ports = 135,445 THEN generate alarm with reliability 1 and wait 60 seconds for the next rule.
    2. AND IF DEST_IP and SRC_IP talk again THEN alarm, reliability 3, and wait 60 seconds for the next rule.
    3. AND IF DEST_PORT and SRC_PORT talk again AND plugin_sid=2123 (CMD.EXE) THEN alarm, reliability 6, and wait 60 seconds for the next rule.
    4. AND FINALLY IF plugin_id=2002 and the connection lasts more than 10 THEN alarm with reliability 10.
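To make the timer dependence of slide 41 concrete, here is the four-level directive of slide 43 re-expressed as an explicit state machine. This is an added example, not OSSIM code: the event field names, the constructed events, the choice of (src_ip, dst_ip) as the chain key and the reading of the slide's "10" as seconds are assumptions.

```python
"""Added example (not OSSIM code): the four-level directive of slide 43 as an
explicit state machine, so the timer dependence the talk criticises is visible.
Event field names, the sample events and reading the slide's '10' as seconds
are this example's assumptions."""
from dataclasses import dataclass, field, replace


@dataclass
class Event:
    ts: float              # seconds since capture start
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    plugin_id: int = 0     # sensor identifiers as quoted on the slide
    plugin_sid: int = 0
    duration: float = 0.0  # connection duration in seconds, if the sensor reports one


def same_hosts(ev, first):
    return ev.src_ip == first.src_ip and ev.dst_ip == first.dst_ip


# One (condition, reliability, timeout until the next level) per level on the slide.
# `first` is the event that opened the chain; the last level has no timeout.
LEVELS = [
    (lambda ev, first: ev.dst_port in (135, 445), 1, 60.0),
    (lambda ev, first: same_hosts(ev, first), 3, 60.0),
    (lambda ev, first: same_hosts(ev, first) and ev.src_port == first.src_port
     and ev.dst_port == first.dst_port and ev.plugin_sid == 2123, 6, 60.0),
    (lambda ev, first: same_hosts(ev, first) and ev.plugin_id == 2002 and ev.duration > 10, 10, None),
]


@dataclass
class Correlator:
    chains: dict = field(default_factory=dict)  # (src_ip, dst_ip) -> [first_event, level, deadline]
    alarms: list = field(default_factory=list)  # (ts, src_ip, dst_ip, reliability)

    def feed(self, ev):
        key = (ev.src_ip, ev.dst_ip)
        chain = self.chains.get(key)
        if chain and ev.ts > chain[2]:
            del self.chains[key]          # timer expired: everything seen so far is forgotten
            chain = None
        if chain is None:                 # only level 1 can open a chain
            cond, reliability, timeout = LEVELS[0]
            if cond(ev, ev):
                self.chains[key] = [ev, 0, ev.ts + timeout]
                self.alarms.append((ev.ts, *key, reliability))
            return
        first, level, _ = chain
        if level + 1 < len(LEVELS):
            cond, reliability, timeout = LEVELS[level + 1]
            if cond(ev, first):
                self.alarms.append((ev.ts, *key, reliability))
                if timeout is None:
                    del self.chains[key]  # directive completed
                else:
                    chain[1], chain[2] = level + 1, ev.ts + timeout

    def max_reliability(self, src_ip, dst_ip):
        return max((r for _, s, d, r in self.alarms if (s, d) == (src_ip, dst_ip)), default=0)


def correlate(events):
    c = Correlator()
    for ev in sorted(events, key=lambda e: e.ts):
        c.feed(ev)
    return c


# Constructed events (not a real capture): the full chain, and the same chain
# with every event after the first delayed by 61 seconds.
A, V = "198.51.100.7", "203.0.113.9"
FULL_CHAIN = [
    Event(0.0, A, V, 40000, 135),
    Event(30.0, A, V, 40000, 135),
    Event(45.0, A, V, 40000, 135, plugin_sid=2123),
    Event(70.0, A, V, 40001, 4444, plugin_id=2002, duration=30.0),
]
SLOW_CHAIN = [FULL_CHAIN[0]] + [replace(e, ts=e.ts + 61) for e in FULL_CHAIN[1:]]

if __name__ == "__main__":
    print("full chain:", correlate(FULL_CHAIN).max_reliability(A, V))
    print("slow chain:", correlate(SLOW_CHAIN).max_reliability(A, V))
```

The same four events escalate to reliability 10 when they arrive within the timers, but with a 61-second pause before the second one the chain expires, the second event merely reopens level 1, and the CMD.EXE and connection events fall on the wrong levels, so the sequence never exceeds reliability 3. That is the "depends strongly on timers" point in one run.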
  • 44-46. Fuzzy Correlator revisited: Objectives. Going beyond the sequential arrival of packets. Integrating different sensors: SNORT; Anomaly detection: abnormal connection to an open port (firewall); Thresholds: high traffic at nights or weekends, ...; Neural-IDS; Other. Defining rules according to the Security Manager's experience.
  • 47-50. Conclusions and open questions. AI techniques are: Flexible; Suitable for pattern recognition; Powerful (Neural-IDS); Easy to design (human language). But there is still a lot of work to do... We need more time. We need more people: Students; Security experts (working group?). And of course... some money to pay it.
  • 51. And that's all folks...
