1. Artificial Intelligence in Intrusion Detection / Prevention Systems - Reduction of False Positives
Guide - Prof Bernard L Menezes, IIT Bombay
Course - Network Security and Cryptography-II (CS 724)
By - Sriharsa Mohapatra (10405004)
2. Outline
Why do Firewalls have False Positives?
How can Artificial Intelligence help?
What is Genetic Algorithm?
Genetic Algorithm to Evaluate Goodness
Observation on the Evaluation
False Positive by Client Side Firewall
Configure Firewall as per goodness value
3. Why do Firewalls have False Positives?
● Firewall rule sets are written and maintained by hand
● Rules are changed as the threats change
● Network security personnel tend to write more restrictive rules than are actually needed
● This leads to false positives (benign packets are dropped)
4. How can Artificial Intelligence help?
● False positives hinder business
● Filter rules should no longer drop non-conformant packets outright
● If a non-conformant packet comes from a source with a high goodness value, allow it; otherwise drop it
● A very lightweight genetic algorithm continuously maintains a goodness value for each source
5. What is Genetic Algorithm?
● Each solution (packet) is an individual
● An individual is coded as a chromosome
● A chromosome is a binary string
● For our purposes a chromosome is concatenation(source_IP, goodness)
● A population is a set of chromosomes
● Crossover and mutation operate on selected chromosomes to generate new ones
9. Observation on the Evaluation
● The goodness value is relative
● Goodness implies sustained traffic
● A higher traffic rate implies only a marginal increase in goodness
● A very high traffic rate, or no traffic at all, implies a graceful decrement: to deter flooding / to remove inactive connections
● Responds quickly to changes in traffic
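The following is an added example, not code from the presentation: it implements the chromosome encoding of slide 5 (concatenation(source_IP, goodness) as a binary string) together with single-point crossover and bit-flip mutation, and a goodness update that reproduces the qualitative behaviour listed on slide 9. The bit widths (32 + 8), the step sizes DECAY and MAX_INC, the FLOOD_RATE threshold and the choice of a logarithmic increase are assumptions of this example; the presentation's own evaluation slides are not reproduced here.

```python
"""Added example, not code from the presentation: chromosome encoding,
crossover, mutation and a goodness update in the spirit of slides 5 and 9.
Bit widths, step sizes and the flood threshold are assumptions."""
import math
import random

IP_BITS = 32                      # an IPv4 source address as 32 bits
GOODNESS_BITS = 8                 # assumption: goodness is a relative 0..255 score
CHROM_BITS = IP_BITS + GOODNESS_BITS
MAX_GOODNESS = (1 << GOODNESS_BITS) - 1
DECAY = 4                         # assumption: graceful decrement per interval
MAX_INC = 8                       # assumption: cap on the per-interval increase
FLOOD_RATE = 500                  # assumption: packets per interval treated as flooding


def ip_to_bits(ip):
    """Dotted quad -> 32-character bit string."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return "".join("{:08b}".format(o) for o in octets)


def encode(ip, goodness):
    """chromosome = concatenation(source_IP, goodness), as on slide 5."""
    if not 0 <= goodness <= MAX_GOODNESS:
        raise ValueError("goodness out of range")
    return ip_to_bits(ip) + "{:0{w}b}".format(goodness, w=GOODNESS_BITS)


def decode(chrom):
    """Inverse of encode(): returns (dotted quad, goodness)."""
    ip_bits, g_bits = chrom[:IP_BITS], chrom[IP_BITS:]
    octets = [str(int(ip_bits[i:i + 8], 2)) for i in range(0, IP_BITS, 8)]
    return ".".join(octets), int(g_bits, 2)


def crossover(a, b, point):
    """Single-point crossover: the two children swap everything after `point`."""
    if not 0 < point < CHROM_BITS:
        raise ValueError("crossover point out of range")
    return a[:point] + b[point:], b[:point] + a[point:]


def flip_bits(chrom, positions):
    bits = list(chrom)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


def mutate(chrom, rate, rng):
    """Bit-flip mutation: every bit flips independently with probability `rate`."""
    return flip_bits(chrom, [i for i in range(CHROM_BITS) if rng.random() < rate])


def update_goodness(goodness, rate):
    """One evaluation interval, following slide 9: sustained traffic raises
    goodness, a higher rate only marginally more (logarithmic step), while no
    traffic or a flood lowers it gracefully by a fixed decrement."""
    if rate <= 0 or rate >= FLOOD_RATE:
        return max(0, goodness - DECAY)
    inc = min(MAX_INC, 1 + int(math.log2(rate)))
    return min(MAX_GOODNESS, goodness + inc)


def run_generation(population, observed_rates, rng=None, mutation_rate=0.01):
    """Re-score every chromosome from its source's observed packet rate, then
    breed the two fittest. The crossover point is drawn inside the goodness
    field so children keep a real source IP (this example's choice)."""
    rng = rng or random.Random(0)
    scored = []
    for chrom in population:
        ip, g = decode(chrom)
        scored.append(encode(ip, update_goodness(g, observed_rates.get(ip, 0))))
    scored.sort(key=lambda c: decode(c)[1], reverse=True)
    if len(scored) >= 2:
        point = rng.randrange(IP_BITS + 1, CHROM_BITS)
        children = crossover(scored[0], scored[1], point)
        scored.extend(mutate(c, mutation_rate, rng) for c in children)
    return scored


if __name__ == "__main__":
    # constructed sample: three sources and their packet counts this interval
    pop = [encode("10.0.0.1", 100), encode("10.0.0.2", 100), encode("10.0.0.3", 100)]
    rates = {"10.0.0.1": 64, "10.0.0.2": 0, "10.0.0.3": 5000}
    for chrom in run_generation(pop, rates):
        print(decode(chrom))
```

Running the sample shows the three regimes of slide 9 side by side: the steady source gains a few points, the idle source and the flooding source both lose DECAY. Because a crossover point inside the IP field would manufacture addresses that were never seen, run_generation only cuts inside the goodness field; mutation is still applied to the whole string, so a mutated child can carry a nonsense IP, which is one reason goodness should only ever be read for addresses actually observed.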
10. False Positive by Client Side Firewall
● iptables -N LOGDROP
● iptables -A LOGDROP -p tcp -m limit --limit 3/second --limit-burst 7 -j LOG --log-prefix '** HACKERS **' --log-level 4
● iptables -A LOGDROP -p tcp -j DROP
● iptables -A INPUT -p tcp -j LOGDROP
● The limit applies only to the LOG rule: the first 7 packets are logged, after that at most 3 packets/sec
● Every TCP packet that reaches LOGDROP is dropped regardless of the limit; unless an earlier INPUT rule accepts ESTABLISHED connections, the replies to the client's own requests are dropped as well
● Result: browsing different pages slows down or stops
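To make the behaviour of the four rules above concrete, here is an added example (not part of the slides) that simulates them over a constructed packet timeline. The limit match is modelled as the token bucket the iptables limit module implements: a bucket of size --limit-burst that starts full and is refilled at --limit; the packet timestamps are invented for the demonstration.

```python
"""Added example, not from the slides: simulate the LOGDROP chain of
slide 10 over a constructed packet list. The limit match is a token bucket
of size --limit-burst refilled at --limit, as in the iptables limit module."""

LIMIT_PER_S = 3.0   # --limit 3/second
BURST = 7           # --limit-burst 7


def limit_matches(times, rate_per_s=LIMIT_PER_S, burst=BURST):
    """Return one bool per packet: True when the LOG rule's limit match fires.
    The bucket starts full, so the first `burst` packets always match."""
    tokens = float(burst)
    last = times[0] if times else 0.0
    matched = []
    for t in times:
        tokens = min(float(burst), tokens + (t - last) * rate_per_s)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            matched.append(True)
        else:
            matched.append(False)
    return matched


def simulate_logdrop(packets):
    """packets: list of (time_s, proto). Mirrors the chain on slide 10:
    INPUT -p tcp -> LOGDROP; inside LOGDROP a rate-limited LOG, then DROP for
    every TCP packet. Non-TCP packets never enter the chain and fall through
    to whatever the INPUT policy says."""
    tcp = [(i, t) for i, (t, proto) in enumerate(packets) if proto == "tcp"]
    logged = dict(zip([i for i, _ in tcp], limit_matches([t for _, t in tcp])))
    result = []
    for i, (t, proto) in enumerate(packets):
        if proto == "tcp":
            result.append((t, proto, logged[i], "DROP"))
        else:
            result.append((t, proto, False, "INPUT policy"))
    return result


def count_logged(packets):
    """How many packets produced a '** HACKERS **' log line."""
    return sum(1 for _, _, was_logged, _ in simulate_logdrop(packets) if was_logged)


if __name__ == "__main__":
    # constructed: a browser opening 10 connections at once, then a trickle
    sample = [(0.0, "tcp")] * 10 + [(1.0, "tcp"), (1.1, "tcp"), (5.0, "udp")]
    for row in simulate_logdrop(sample):
        print(row)
```

Of the ten simultaneous TCP packets only seven are logged, yet all ten are dropped; the log therefore under-reports exactly the burst that breaks page loads, which is worth remembering when the log is what you use to judge how many benign packets a rule is killing.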
11. Configure Firewall as per goodness value
● Login as root using "su<space>-"
● list_of_good_IP=`mysql -N -u traffic_monitor -h localhost --password=nopassword connection_analysis -e "select source_IP from goodness_statistics order by goodness desc limit 10;"`
● for IP in $list_of_good_IP; do iptables -I INPUT -p tcp -s "$IP" -j ACCEPT; done
● Notes on the commands: -N suppresses the column header, so no cut step is needed; "order by goodness desc" selects the ten sources with the highest goodness (ascending order would pick the ten worst); iptables is run directly rather than piping a generated command line through /bin/bash, so a value from the database can never be executed as shell; a password on the command line is visible to other users in ps, so it belongs in ~/.my.cnf in practice
● To do the above automatically, put the above lines in a script and schedule the script to run every 5 minutes in the /etc/crontab file
● echo "*/5 * * * * root /path-of-script/script.sh" >> /etc/crontab OR echo "*/5 * * * * /path-of-script/script.sh" >> /etc/crontab
● Some systems do not have the user field in /etc/crontab; use the second form there
● Since -I inserts a fresh rule on every run, each good IP accumulates a duplicate ACCEPT rule every 5 minutes unless the previous rules are removed first
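As an added example, not the script from the slides, here is a replacement for the slide 11 procedure that fixes its weak points in one place: it orders by goodness descending, validates every value from the database as an IPv4 address before it goes anywhere near iptables, passes argument vectors instead of a shell string, and rebuilds a dedicated chain so rules do not accumulate. It assumes the table and columns named on slide 11, the mysql and iptables binaries on PATH, root privileges when actually applying rules, and database credentials in ~/.my.cnf; the GOODNESS chain name and the top-N size are this example's own choices.

```python
"""Added example, not from the slides: refresh ACCEPT rules for the
highest-goodness sources. Assumes the slide 11 table/columns, the mysql and
iptables binaries on PATH, and credentials in ~/.my.cnf. The GOODNESS chain
and TOP_N are this example's choices."""
import ipaddress
import subprocess

DB_USER = "traffic_monitor"
DB_NAME = "connection_analysis"
CHAIN = "GOODNESS"
TOP_N = 10


def top_ips_query(n=TOP_N):
    """Highest goodness first; ORDER BY goodness alone would return the worst."""
    return ("SELECT source_IP FROM goodness_statistics "
            "ORDER BY goodness DESC LIMIT %d;" % int(n))


def fetch_good_ips(n=TOP_N):
    """Run the query through the mysql client; -N drops the header row so no
    cut(1) post-processing is needed and -s gives one value per line."""
    out = subprocess.run(
        ["mysql", "-N", "-s", "-u", DB_USER, DB_NAME, "-e", top_ips_query(n)],
        check=True, capture_output=True, text=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def parse_ipv4(value):
    """Strict check: only a plain IPv4 address from the database is ever
    passed to iptables; anything else (IPv6, junk, shell text) is dropped."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(ip) if ip.version == 4 else None


def build_rules(ips, chain=CHAIN):
    """Argument vectors for iptables: flush the chain, then one ACCEPT per IP.
    Rebuilding the chain means sources that lost goodness lose their rule,
    instead of -I INPUT accumulating duplicates every five minutes."""
    rules = [["-F", chain]]
    for raw in ips:
        ip = parse_ipv4(raw)
        if ip is not None:
            rules.append(["-A", chain, "-p", "tcp", "-s", ip, "-j", "ACCEPT"])
    return rules


def apply_rules(rules, run=None, chain=CHAIN):
    """Apply the rule vectors; `run` is injectable so the logic can be tested
    without root. Returns the number of ACCEPT rules installed."""
    def real_run(args):
        # argv list, never a shell string: nothing from the DB is interpreted
        return subprocess.run(["iptables"] + args).returncode
    run = run or real_run
    run(["-N", chain])                                  # fails harmlessly if it exists
    if run(["-C", "INPUT", "-p", "tcp", "-j", chain]) != 0:
        run(["-I", "INPUT", "-p", "tcp", "-j", chain])  # hook the chain into INPUT once
    applied = 0
    for args in rules:
        run(args)
        if args[0] == "-A":
            applied += 1
    return applied


if __name__ == "__main__":
    print("installed %d ACCEPT rules" % apply_rules(build_rules(fetch_good_ips())))
```

Scheduled from /etc/crontab as "*/5 * * * * root /path-of-script/goodness_sync.py" (dropping the user field on systems without it), each run replaces the previous set of ACCEPT rules rather than stacking on top of it. The -C probe keeps the INPUT hook from being inserted more than once; the -N call simply errors when the chain already exists, which is the intended no-op.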