SlideShare a Scribd company logo

Ids 014 anomaly detection

J
jyoti_lakhani

Intrusion Detection System

Technology
1 of 18
Download to read offline
Anomaly Detection  Anomaly detection is based on the assumption that all intrusive activities are necessarily anomalous.  Anomaly detection studies start by forming an opinion on what the normal attributes for the observed objects are, and then decide what kinds of activities should be flagged as intrusions and how to make such particular decisions.  A typical anomaly detection model consists of four components, namely-  Data collection: Normal user activities or traffic data are obtained and saved by the data collection component  Normal system profile: Specific modeling techniques are used to create normal system profiles.  Anomaly detection: The anomaly detection component decides how far the current activities deviate from the normal system profiles and what percentage of these activities should be flagged as abnormal.  Response: the response component reports the intrusion and possibly corresponding timing information.
Advantage 1. It addresses the biggest limitation of misuse detection as it has capability to find novel attacks Limitations 1. The user’s normal behavior model is based on data collected over a period of normal operations; intrusive activities missed during this period are likely to be considered as normal behaviors. 2. Anomaly detection techniques can hardly detect stealthy attacks because this kind of attacks are usually hidden in large number of instances of normal behaviors. 3. The types of parameters used as inputs of normal models are usually decided by security experts. Any mistake occurring during the process of defining these parameters will increase the false alarm rate and decrease the effectiveness of the anomaly detection system. Advanced Statistical Models Rule based Techniques Biological Models Learning Models
Advanced Statistical Models 1. Proposed by Denning 2. It is a theoretical characterization of anomaly detection based on basic statistical analysis. 3. It has a detection framework that consists of eight components: a. Subjects b. Objects c. Audit records d. Statistical metrics e. Statistical models f. Profiles and profile templates g. Anomaly records h. Activity rules 4. A subject could be a user, a process, or system itself. 5. The object is the receptor of actions and could be entities such as files, programs and messages. 6. Audit records are m-tuples that represent a set of actions performed by subjects on objects. 7. Once an event generator creates the audit records, the statistical model matches it with the appropriate profile and then makes decisions regarding- a. The profile update b. The abnormal behavior checking c. The report of detected anomalies 8. The activity profile includes various of variables measuring the behavior of the system based on predefined statistical metrics. 9. The basic idea in Denning’s model appear with little modification in many intrusion detection systems, such as Haystack, NIDES and EMERALD.
Haystack 1. Designed and implemented for the detection of intrusions in a multi-user Air Force computer system 2. Statistical techniques are used to detect anomalous activities 3. A set of features such as the amount of I/O, CPU utilization, number of file accesses are observed and then the normal range of values for these features are defined. 4. Activities falling outside these ranges are reported as intrusions. 5. It uses a very simple statistical model in which each feature is assigned a weight by the SSO 6. The main weakness of Haystack is that no test is conducted to verify if the weight value is sensitive to intrusion patterns and furthermore no explanation is given as to how the weight value is assigned Advanced Statistical Models Haystack NIDES EMERALD
NIDES 1. NIDES includes a statistical anomaly detector 2. The audit information collected consist of – a. User names b. Names of files accessed c. Elapsed user CPU time d. Total number of files opened e. Number of pages read from secondary storage f. Identities of machines onto which user has logged, etc. 3. Statistics are computed from the collected audit information. 4. NIDES stores only statistics related to frequencies, means, variances or covariance of measures instead of the total audit data. 5. Given measures in NIDES, if the point in the m-space of measures is far away from the expected value, the corresponding event represented by the point is considered anomalous
EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) 1. An environment for anomaly and misuse detection 2. It consists of a signature analysis component and a statistical profile-based anomaly detection component 3. The anomaly detector is based on the statistical approach where the events are labeled as intrusive if they are largely deviant from the expected behavior 4. In EMERALD more than 30 different criteria including CPU and I/O usage, commands used, local network activity, and system errors are used to build these expected user profiles 5. An EMERALD monitor is either passive through reading activity logs or network packets or active via probing for gathering a normal event. 6. The analytical results can be exchanged asynchronously between different client monitors operated on different layers (e.g. domain layer, enterprise layer, etc.) 7. Moreover, each monitor has an instance of the EMERALD resolver, a countermeasure decision engine fusing the alerts from its associated analysis engines and invoking response handlers to counter malicious activities
Statistical profile-based Anomaly Detection Signature Analysis EMERALD MONITOR EMERALD RESOLVER RULE BASE SYSTEM
Rule based Techniques W&S NSM TIM NADIR
Wisdom & Sense (W&S)  Two components: wisdom and sense  The wisdom component consists of a set of rules describing normal behaviors of the system based on historical audit data  About 10,000 records per user are read from the file in order to create the rules  The sense component is an expert system based on the previous rules, which verifies whether the subsequent audit data violates the rule base or not  The system security officer is then alerted when the sense detects some anomalous behavior  the Figure of Merit (FOM) metric is used to compute an anomalousness score for each thread  The FOMs values for several events are summed and compared against a threshold  When the sum value is above the threshold, corresponding events are flagged as anomalies by the system Network Security Monitor (NSM)  Rule-based intrusion detection system targeting anomalous network activities  First intrusion detection system using network traffic directly as the primary source of data
 Network traffic profiles are created by generating connection vectors derived from the network data  Host vectors and connection vectors are the main input to the expert system in NSM  The expert system illustrates the data-path with which systems are expected to communicate  Intrusions are decided according to analysis results of the expert system.  The final result reported to the SSO consists of a connection vector and corresponding suspicion level.  The suspicion level measures the likelihood that a particular connection represents some intrusive behaviors. Time-based Inductive Machine (TIM)  Models user’s normal behavior patterns by dynamically generating activity rules  TIM discovers normal behavior patterns in a sequence of events instead of a single event.  Each rule represents a model that can predict the next event from a given sequence of events.  If user’s behavior matches with previous event sequences and the actual next event is not included in the predicted event sets, the user’s behavior is considered as intrusive.  The major limitation of TIM is that the rules only model adjacent events.  When many applications are executed at the same time, events occurring in one application may be interleaved with events occurring in other applications, in which case the rules generated by TIM may not accurately identify user’s normal behaviors.
NADIR (Network Anomaly Detection and Intrusion Reporter)  Collects audit information from three different kinds of service nodes, namely network security controller, common file system and security assurance machine  Network security controller provides user authentication and access control;  Common file system stores the data, and security assurance machine records attempts to degrade the security level of the data  The audit information collected for each event include- o A unique user ID associated with the subject o The date and time of the event o An accounting parameter, the error code o A flag indicating whether the corresponding action is successful or not o The description of the event.  Individual user profile is computed on a weekly basis from the audit database.  The user profiles are compared with a set of expert system rules in order to detect possible deviations in users’ behaviors.  The expert rules are mainly derived from the security policies and the statistical analysis of previous audit logs.  Each rule is assigned a level-of-interest. If the corresponding sum of level-of-interest for a user is too big the intrusion alarm is raised. BiologicalModels  Inspired from biological principles  Initially proposed by Forrest et al.  They studied the analogy between human immune system’s capability of distinguishing self from nonself and intrusion detection system  When applying the self-nonself technique to intrusion detection, behaviors of the system are viewed as a string.  This string is divided into sub-strings of equal length k.
 Self contains some of the possible 2k strings  The rest of the sub-strings 2k −sel f or the complement of self is called nonself.  Nonself contains some detector strings, which are of length and does not exist in the collection of self. Learning models  Learning models incorporate learning capabilities in intrusion detection process, using artificial leaning techniques  we divide the anomaly detection schemes into two categories: unsupervised and supervised.  Supervised anomaly detection establishes the normal profiles of systems or networks through training based on labeled data sets.  Unsupervised anomaly detection attempts to detect intrusions without using any prior knowledge of attacks or normal instances.  The main drawback of supervised anomaly detection is the need of labeling the training data, which makes the process error-prone, costly and time consuming, and difficult to find new attacks.
 Unsupervised anomaly detection addresses these issues by allowing training based on unlabeled data sets and thus facilitating online learning and improving detection accuracy. Supervised Anomaly Detection Learning Models Supervised Anomaly Detection Using Neural Network Using Genetic Algorithm Unsupervised Anomaly Detection
 Using Neural Network o Hyperview : an early r intrusion detection using neural network consists of two components o The first component is an expert system, which monitors audit trails for known intrusion signatures o The second component uses neural network to learn user behaviors; it then fires an alarm when there is a deviation between current behaviors and learnt behaviors o The use of neural network in Hyperview assumes that the audit data consist of multivariate time series, since user behavior exhibits a dynamic process executing an ordered series of events o back-propagation network is used by Ghosh o Lei and Ghorbani use competitive learning neural network using SOM  Using Genetic Algorithm o The genetic algorithm is an iterative search technique based on the theory of Darwinian evolution applied to mathematical models. o It operates on a population of individuals in which each individual is a potential solution to a given problem. After the initial population is randomly generated the algorithm circularly evolves the population through three basic operators: selection operator, crossover operator and mutation operator until the best individual is obtained. o Genetic Algorithm as an Alternative Tool for Security Audit Trails Analysis (GASSATA) is one of the earliest attempts for using genetic algorithm (GA) for intrusion detection Unsupervised Anomaly Detection
 Several unsupervised learning techniques for anomaly detection have been proposed in recent years. Clustering and outlier detection based techniques are among the most popular approaches  Lankewicz propose a model applying pattern recognition to the characterization of individual users. f k-nearest-neighbor clustering algorithm d facilitate real-time detection  Staniford et al. propose a portscan detector, which is particularly effective against stealthy scans  Firstly, the anomaly sensor computes an anomaly score for packets. Secondly, based on the anomaly scores the correlator uses simulated annealing to cluster packets into activities that are similar
Specification-based Detection  Specification-based detection approaches are neither misuse based, nor anomaly based  they use system behavioral specifications to detect attacks  nstead of learning system behaviors, in specification-based systems the experts’ knowledge determines the operating limits (threshold) of a sys tem  Once the correct (or allowed) system behavior is specified. The events deviating from the specification would generate an alert  Specification-based detection approaches focus on building specified behaviors based on the least privileged principle  An execution sequence performed by the subject that violates the specification of programs will be considered as an attack.  This approach, , can detect unseen attacks that may be exploited in the future  However, specifying the behavior of a large number of privileged programs running in real operating environments is a daunting and difficult task.  Hybrid Detection
 The intrusion detection capabilities can be improved through a hybrid approach  A hybrid approach consisting of both signature (misuse) detection as well as anomaly detection  In such a hybrid system, the signature detection technique detects known attacks and the anomaly detection technique detects novel or unknown attacks.  Tombini et al. applied an anomaly detection approach to create a list of suspicious items. Then a signature detection approach is used to classify these suspicious items into three categories, namely false alarms, attacks, and unknown attacks.  The approach is based on an assumption that a high detection rate can be achieved by the anomaly detection component because missed intrusions in the first step will not be found by the follow-up signature detection component.  Zhang et al. proposed a hybrid IDS combining both misuse detection and anomaly detection components, in which a random forests algorithm was applied  Based on an idea of combining the advantages of low false positive rate of signature based IDS and the ability of anomaly detection system (ADS) for detecting new or unknown attacks,  The well known examples are: signature based SNORT or Bro systems
Ids 014 anomaly detection

Recommended

Ids 013 detection approaches
Ids 013 detection approachesIds 013 detection approaches
Ids 013 detection approachesjyoti_lakhani
 
A Survey On Genetic Algorithm For Intrusion Detection System
A Survey On Genetic Algorithm For Intrusion Detection SystemA Survey On Genetic Algorithm For Intrusion Detection System
A Survey On Genetic Algorithm For Intrusion Detection SystemIJARIIE JOURNAL
 
Critical analysis of genetic algorithm based IDS and an approach for detecti...
Critical analysis of genetic algorithm based IDS and an approach for detecti...Critical analysis of genetic algorithm based IDS and an approach for detecti...
Critical analysis of genetic algorithm based IDS and an approach for detecti...IOSR Journals
 
Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques IJMER
 
A web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tamA web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tameSAT Journals
 
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...IOSRjournaljce
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Editor IJARCET
 
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...IRJET Journal
 

More Related Content

What's hot

Zero day malware detection
Zero day malware detectionZero day malware detection
Zero day malware detectionsujeeshkumarj
 
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...ijcsit
 
Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...IJAAS Team
 
Intrusion detection system based on web usage mining
Intrusion detection system based on web usage miningIntrusion detection system based on web usage mining
Intrusion detection system based on web usage miningIJCSEA Journal
 
Application of Data Mining Technique in Invasion Recognition
Application of Data Mining Technique in Invasion RecognitionApplication of Data Mining Technique in Invasion Recognition
Application of Data Mining Technique in Invasion RecognitionIOSR Journals
 
A Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer NetworksA Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer NetworksEditor IJCATR
 
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...IJNSA Journal
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemSelf Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemIJRES Journal
 
Artificial immune system against viral attack
Artificial immune system against viral attackArtificial immune system against viral attack
Artificial immune system against viral attackUltraUploader
 
DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1IJITE
 
IRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET Journal
 
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...IOSR Journals
 
IRJET - Research on Data Mining of Permission-Induced Risk for Android Devices
IRJET - Research on Data Mining of Permission-Induced Risk for Android DevicesIRJET - Research on Data Mining of Permission-Induced Risk for Android Devices
IRJET - Research on Data Mining of Permission-Induced Risk for Android DevicesIRJET Journal
 
IRJET- Two Factor Authentication using User Behavioural Analytics
IRJET- Two Factor Authentication using User Behavioural AnalyticsIRJET- Two Factor Authentication using User Behavioural Analytics
IRJET- Two Factor Authentication using User Behavioural AnalyticsIRJET Journal
 
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique Sujeet Suryawanshi
 
Design and Implementation of Artificial Immune System for Detecting Flooding ...
Design and Implementation of Artificial Immune System for Detecting Flooding ...Design and Implementation of Artificial Immune System for Detecting Flooding ...
Design and Implementation of Artificial Immune System for Detecting Flooding ...Kent State University
 
IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET Journal
 
Optimization of network traffic anomaly detection using machine learning
Optimization of network traffic anomaly detection using machine learning Optimization of network traffic anomaly detection using machine learning
Optimization of network traffic anomaly detection using machine learning IJECEIAES
 
Application of genetic algorithm in intrusion detection system
Application of genetic algorithm in intrusion detection systemApplication of genetic algorithm in intrusion detection system
Application of genetic algorithm in intrusion detection systemAlexander Decker
 
Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa...
Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa...Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa...
Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa...CSCJournals
 

What's hot (20)

Zero day malware detection
Zero day malware detectionZero day malware detection
Zero day malware detection
 
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
 
Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...
 
Intrusion detection system based on web usage mining
Intrusion detection system based on web usage miningIntrusion detection system based on web usage mining
Intrusion detection system based on web usage mining
 
Application of Data Mining Technique in Invasion Recognition
Application of Data Mining Technique in Invasion RecognitionApplication of Data Mining Technique in Invasion Recognition
Application of Data Mining Technique in Invasion Recognition
 
A Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer NetworksA Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer Networks
 
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemSelf Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
 
Artificial immune system against viral attack
Artificial immune system against viral attackArtificial immune system against viral attack
Artificial immune system against viral attack
 
DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1
 
IRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep Learning
 
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
 
IRJET - Research on Data Mining of Permission-Induced Risk for Android Devices
IRJET - Research on Data Mining of Permission-Induced Risk for Android DevicesIRJET - Research on Data Mining of Permission-Induced Risk for Android Devices
IRJET - Research on Data Mining of Permission-Induced Risk for Android Devices
 
IRJET- Two Factor Authentication using User Behavioural Analytics
IRJET- Two Factor Authentication using User Behavioural AnalyticsIRJET- Two Factor Authentication using User Behavioural Analytics
IRJET- Two Factor Authentication using User Behavioural Analytics
 
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
NSL KDD Cup 99 dataset Anomaly Detection using Machine Learning Technique
 
Design and Implementation of Artificial Immune System for Detecting Flooding ...
Design and Implementation of Artificial Immune System for Detecting Flooding ...Design and Implementation of Artificial Immune System for Detecting Flooding ...
Design and Implementation of Artificial Immune System for Detecting Flooding ...
 
IRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning MethodsIRJET - Survey on Malware Detection using Deep Learning Methods
IRJET - Survey on Malware Detection using Deep Learning Methods
 
Optimization of network traffic anomaly detection using machine learning
Optimization of network traffic anomaly detection using machine learning Optimization of network traffic anomaly detection using machine learning
Optimization of network traffic anomaly detection using machine learning
 
Application of genetic algorithm in intrusion detection system
Application of genetic algorithm in intrusion detection systemApplication of genetic algorithm in intrusion detection system
Application of genetic algorithm in intrusion detection system
 
Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa...
Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa...Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa...
Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa...
 

Similar to Ids 014 anomaly detection

Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)IJARIIE JOURNAL
 
A Survey On Intrusion Detection Systems
A Survey On Intrusion Detection SystemsA Survey On Intrusion Detection Systems
A Survey On Intrusion Detection SystemsMary Calkins
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Editor IJARCET
 
Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningeSAT Journals
 
Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningeSAT Journals
 
Log management siem 5651 sayılı yasa
Log management siem 5651 sayılı yasaLog management siem 5651 sayılı yasa
Log management siem 5651 sayılı yasaErtugrul Akbas
 
Enhancing SIEM Correlation Rules Through Baselining
Enhancing SIEM Correlation Rules Through BaseliningEnhancing SIEM Correlation Rules Through Baselining
Enhancing SIEM Correlation Rules Through BaseliningErtugrul Akbas
 
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...IJNSA Journal
 
Security auditing architecture
Security auditing architectureSecurity auditing architecture
Security auditing architectureVishnupriya T H
 
(Group 2) intrusion detection system.pptx
(Group 2) intrusion detection system.pptx(Group 2) intrusion detection system.pptx
(Group 2) intrusion detection system.pptxAceAtigaVallo
 
Supervised Machine Learning Algorithms for Intrusion Detection.pptx
Supervised Machine Learning Algorithms for Intrusion Detection.pptxSupervised Machine Learning Algorithms for Intrusion Detection.pptx
Supervised Machine Learning Algorithms for Intrusion Detection.pptxssuserf3a100
 
A review of machine learning based anomaly detection
A review of machine learning based anomaly detectionA review of machine learning based anomaly detection
A review of machine learning based anomaly detectionMohamed Elfadly
 
A review of machine learning based anomaly detection
A review of machine learning based anomaly detectionA review of machine learning based anomaly detection
A review of machine learning based anomaly detectionMohamed Elfadly
 
Detecting Unknown Attacks Using Big Data Analysis
Detecting Unknown Attacks Using Big Data AnalysisDetecting Unknown Attacks Using Big Data Analysis
Detecting Unknown Attacks Using Big Data AnalysisEditor IJMTER
 
Intrusion Detection and Forensics based on decision tree and Association rule...
Intrusion Detection and Forensics based on decision tree and Association rule...Intrusion Detection and Forensics based on decision tree and Association rule...
Intrusion Detection and Forensics based on decision tree and Association rule...IJMER
 
A sense of self for unix processes
A sense of self for unix processesA sense of self for unix processes
A sense of self for unix processesUltraUploader
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationCoveros, Inc.
 

Similar to Ids 014 anomaly detection (20)

Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
 
A Survey On Intrusion Detection Systems
A Survey On Intrusion Detection SystemsA Survey On Intrusion Detection Systems
A Survey On Intrusion Detection Systems
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194
 
5
55
5
 
Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern mining
 
Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern mining
 
Kb2417221726
Kb2417221726Kb2417221726
Kb2417221726
 
Log management siem 5651 sayılı yasa
Log management siem 5651 sayılı yasaLog management siem 5651 sayılı yasa
Log management siem 5651 sayılı yasa
 
Enhancing SIEM Correlation Rules Through Baselining
Enhancing SIEM Correlation Rules Through BaseliningEnhancing SIEM Correlation Rules Through Baselining
Enhancing SIEM Correlation Rules Through Baselining
 
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...
 
Security auditing architecture
Security auditing architectureSecurity auditing architecture
Security auditing architecture
 
I Dunderstn
I DunderstnI Dunderstn
I Dunderstn
 
(Group 2) intrusion detection system.pptx
(Group 2) intrusion detection system.pptx(Group 2) intrusion detection system.pptx
(Group 2) intrusion detection system.pptx
 
Supervised Machine Learning Algorithms for Intrusion Detection.pptx
Supervised Machine Learning Algorithms for Intrusion Detection.pptxSupervised Machine Learning Algorithms for Intrusion Detection.pptx
Supervised Machine Learning Algorithms for Intrusion Detection.pptx
 
A review of machine learning based anomaly detection
A review of machine learning based anomaly detectionA review of machine learning based anomaly detection
A review of machine learning based anomaly detection
 
A review of machine learning based anomaly detection
A review of machine learning based anomaly detectionA review of machine learning based anomaly detection
A review of machine learning based anomaly detection
 
Detecting Unknown Attacks Using Big Data Analysis
Detecting Unknown Attacks Using Big Data AnalysisDetecting Unknown Attacks Using Big Data Analysis
Detecting Unknown Attacks Using Big Data Analysis
 
Intrusion Detection and Forensics based on decision tree and Association rule...
Intrusion Detection and Forensics based on decision tree and Association rule...Intrusion Detection and Forensics based on decision tree and Association rule...
Intrusion Detection and Forensics based on decision tree and Association rule...
 
A sense of self for unix processes
A sense of self for unix processesA sense of self for unix processes
A sense of self for unix processes
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active Authentication
 

More from jyoti_lakhani

CG02 Computer Graphic Systems.ppsx
CG02 Computer Graphic Systems.ppsxCG02 Computer Graphic Systems.ppsx
CG02 Computer Graphic Systems.ppsxjyoti_lakhani
 
CG04 Color Models.ppsx
CG04 Color Models.ppsxCG04 Color Models.ppsx
CG04 Color Models.ppsxjyoti_lakhani
 
CG03 Random Raster Scan displays and Color CRTs.ppsx
CG03 Random Raster Scan displays and Color CRTs.ppsxCG03 Random Raster Scan displays and Color CRTs.ppsx
CG03 Random Raster Scan displays and Color CRTs.ppsxjyoti_lakhani
 
CG02 Computer Graphic Systems.pptx
CG02 Computer Graphic Systems.pptxCG02 Computer Graphic Systems.pptx
CG02 Computer Graphic Systems.pptxjyoti_lakhani
 
CG01 introduction.ppsx
CG01 introduction.ppsxCG01 introduction.ppsx
CG01 introduction.ppsxjyoti_lakhani
 
Tree terminology and introduction to binary tree
Tree terminology and introduction to binary treeTree terminology and introduction to binary tree
Tree terminology and introduction to binary treejyoti_lakhani
 
Ds006 linked list- delete from front
Ds006 linked list- delete from frontDs006 linked list- delete from front
Ds006 linked list- delete from frontjyoti_lakhani
 
Ds06 linked list- insert a node after a given node
Ds06 linked list- insert a node after a given nodeDs06 linked list- insert a node after a given node
Ds06 linked list- insert a node after a given nodejyoti_lakhani
 
Ds06 linked list- insert a node at end
Ds06 linked list- insert a node at endDs06 linked list- insert a node at end
Ds06 linked list- insert a node at endjyoti_lakhani
 
Ds06 linked list- insert a node at beginning
Ds06 linked list- insert a node at beginningDs06 linked list- insert a node at beginning
Ds06 linked list- insert a node at beginningjyoti_lakhani
 
Ds06 linked list- intro and create a node
Ds06 linked list- intro and create a nodeDs06 linked list- intro and create a node
Ds06 linked list- intro and create a nodejyoti_lakhani
 
Ds04 abstract data types (adt) jyoti lakhani
Ds04 abstract data types (adt) jyoti lakhaniDs04 abstract data types (adt) jyoti lakhani
Ds04 abstract data types (adt) jyoti lakhanijyoti_lakhani
 
Ds03 part i algorithms by jyoti lakhani
Ds03 part i algorithms by jyoti lakhaniDs03 part i algorithms by jyoti lakhani
Ds03 part i algorithms by jyoti lakhanijyoti_lakhani
 
Ds03 algorithms jyoti lakhani
Ds03 algorithms jyoti lakhaniDs03 algorithms jyoti lakhani
Ds03 algorithms jyoti lakhanijyoti_lakhani
 
Ds02 flow chart and pseudo code
Ds02 flow chart and pseudo codeDs02 flow chart and pseudo code
Ds02 flow chart and pseudo codejyoti_lakhani
 
Ds01 data structure introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhaniDs01 data structure introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhanijyoti_lakhani
 

More from jyoti_lakhani (20)

CG02 Computer Graphic Systems.ppsx
CG02 Computer Graphic Systems.ppsxCG02 Computer Graphic Systems.ppsx
CG02 Computer Graphic Systems.ppsx
 
Projections.pptx
Projections.pptxProjections.pptx
Projections.pptx
 
CG04 Color Models.ppsx
CG04 Color Models.ppsxCG04 Color Models.ppsx
CG04 Color Models.ppsx
 
CG03 Random Raster Scan displays and Color CRTs.ppsx
CG03 Random Raster Scan displays and Color CRTs.ppsxCG03 Random Raster Scan displays and Color CRTs.ppsx
CG03 Random Raster Scan displays and Color CRTs.ppsx
 
CG02 Computer Graphic Systems.pptx
CG02 Computer Graphic Systems.pptxCG02 Computer Graphic Systems.pptx
CG02 Computer Graphic Systems.pptx
 
CG01 introduction.ppsx
CG01 introduction.ppsxCG01 introduction.ppsx
CG01 introduction.ppsx
 
Doubly linked list
Doubly linked listDoubly linked list
Doubly linked list
 
Double ended queue
Double ended queueDouble ended queue
Double ended queue
 
Tree terminology and introduction to binary tree
Tree terminology and introduction to binary treeTree terminology and introduction to binary tree
Tree terminology and introduction to binary tree
 
Priority queue
Priority queuePriority queue
Priority queue
 
Ds006 linked list- delete from front
Ds006 linked list- delete from frontDs006 linked list- delete from front
Ds006 linked list- delete from front
 
Ds06 linked list- insert a node after a given node
Ds06 linked list- insert a node after a given nodeDs06 linked list- insert a node after a given node
Ds06 linked list- insert a node after a given node
 
Ds06 linked list- insert a node at end
Ds06 linked list- insert a node at endDs06 linked list- insert a node at end
Ds06 linked list- insert a node at end
 
Ds06 linked list- insert a node at beginning
Ds06 linked list- insert a node at beginningDs06 linked list- insert a node at beginning
Ds06 linked list- insert a node at beginning
 
Ds06 linked list- intro and create a node
Ds06 linked list- intro and create a nodeDs06 linked list- intro and create a node
Ds06 linked list- intro and create a node
 
Ds04 abstract data types (adt) jyoti lakhani
Ds04 abstract data types (adt) jyoti lakhaniDs04 abstract data types (adt) jyoti lakhani
Ds04 abstract data types (adt) jyoti lakhani
 
Ds03 part i algorithms by jyoti lakhani
Ds03 part i algorithms by jyoti lakhaniDs03 part i algorithms by jyoti lakhani
Ds03 part i algorithms by jyoti lakhani
 
Ds03 algorithms jyoti lakhani
Ds03 algorithms jyoti lakhaniDs03 algorithms jyoti lakhani
Ds03 algorithms jyoti lakhani
 
Ds02 flow chart and pseudo code
Ds02 flow chart and pseudo codeDs02 flow chart and pseudo code
Ds02 flow chart and pseudo code
 
Ds01 data structure introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhaniDs01 data structure introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhani
 

Recently uploaded

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 

Recently uploaded (20)

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 

Ids 014 anomaly detection

  • 1. Anomaly Detection  Anomaly detection is based on the assumption that all intrusive activities are necessarily anomalous.  Anomaly detection studies start by forming an opinion on what the normal attributes for the observed objects are, and then decide what kinds of activities should be flagged as intrusions and how to make such particular decisions.  A typical anomaly detection model consists of four components, namely-  Data collection: Normal user activities or traffic data are obtained and saved by the data collection component  Normal system profile: Specific modeling techniques are used to create normal system profiles.  Anomaly detection: The anomaly detection component decides how far the current activities deviate from the normal system profiles and what percentage of these activities should be flagged as abnormal.  Response: the response component reports the intrusion and possibly corresponding timing information.
  • 2. Advantage 1. It addresses the biggest limitation of misuse detection as it has capability to find novel attacks Limitations 1. The user’s normal behavior model is based on data collected over a period of normal operations; intrusive activities missed during this period are likely to be considered as normal behaviors. 2. Anomaly detection techniques can hardly detect stealthy attacks because this kind of attacks are usually hidden in large number of instances of normal behaviors. 3. The types of parameters used as inputs of normal models are usually decided by security experts. Any mistake occurring during the process of defining these parameters will increase the false alarm rate and decrease the effectiveness of the anomaly detection system. Advanced Statistical Models Rule based Techniques Biological Models Learning Models
  • 3. Advanced Statistical Models 1. Proposed by Denning 2. It is a theoretical characterization of anomaly detection based on basic statistical analysis. 3. It has a detection framework that consists of eight components: a. Subjects b. Objects c. Audit records d. Statistical metrics e. Statistical models f. Profiles and profile templates g. Anomaly records h. Activity rules 4. A subject could be a user, a process, or system itself. 5. The object is the receptor of actions and could be entities such as files, programs and messages. 6. Audit records are m-tuples that represent a set of actions performed by subjects on objects. 7. Once an event generator creates the audit records, the statistical model matches it with the appropriate profile and then makes decisions regarding- a. The profile update b. The abnormal behavior checking c. The report of detected anomalies 8. The activity profile includes various of variables measuring the behavior of the system based on predefined statistical metrics. 9. The basic idea in Denning’s model appear with little modification in many intrusion detection systems, such as Haystack, NIDES and EMERALD.
  • 4. Haystack 1. Designed and implemented for the detection of intrusions in a multi-user Air Force computer system 2. Statistical techniques are used to detect anomalous activities 3. A set of features such as the amount of I/O, CPU utilization, number of file accesses are observed and then the normal range of values for these features are defined. 4. Activities falling outside these ranges are reported as intrusions. 5. It uses a very simple statistical model in which each feature is assigned a weight by the SSO 6. The main weakness of Haystack is that no test is conducted to verify if the weight value is sensitive to intrusion patterns and furthermore no explanation is given as to how the weight value is assigned Advanced Statistical Models Haystack NIDES EMERALD
  • 5. NIDES 1. NIDES includes a statistical anomaly detector 2. The audit information collected consist of – a. User names b. Names of files accessed c. Elapsed user CPU time d. Total number of files opened e. Number of pages read from secondary storage f. Identities of machines onto which user has logged, etc. 3. Statistics are computed from the collected audit information. 4. NIDES stores only statistics related to frequencies, means, variances or covariance of measures instead of the total audit data. 5. Given measures in NIDES, if the point in the m-space of measures is far away from the expected value, the corresponding event represented by the point is considered anomalous
  • 6. EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) 1. An environment for anomaly and misuse detection 2. It consists of a signature analysis component and a statistical profile-based anomaly detection component 3. The anomaly detector is based on the statistical approach where the events are labeled as intrusive if they are largely deviant from the expected behavior 4. In EMERALD more than 30 different criteria including CPU and I/O usage, commands used, local network activity, and system errors are used to build these expected user profiles 5. An EMERALD monitor is either passive through reading activity logs or network packets or active via probing for gathering a normal event. 6. The analytical results can be exchanged asynchronously between different client monitors operated on different layers (e.g. domain layer, enterprise layer, etc.) 7. Moreover, each monitor has an instance of the EMERALD resolver, a countermeasure decision engine fusing the alerts from its associated analysis engines and invoking response handlers to counter malicious activities
  • 7. Statistical profile-based Anomaly Detection Signature Analysis EMERALD MONITOR EMERALD RESOLVER RULE BASE SYSTEM
  • 9. Wisdom & Sense (W&S)  Two components: wisdom and sense  The wisdom component consists of a set of rules describing normal behaviors of the system based on historical audit data  About 10,000 records per user are read from the file in order to create the rules  The sense component is an expert system based on the previous rules, which verifies whether the subsequent audit data violates the rule base or not  The system security officer is then alerted when the sense detects some anomalous behavior  the Figure of Merit (FOM) metric is used to compute an anomalousness score for each thread  The FOMs values for several events are summed and compared against a threshold  When the sum value is above the threshold, corresponding events are flagged as anomalies by the system Network Security Monitor (NSM)  Rule-based intrusion detection system targeting anomalous network activities  First intrusion detection system using network traffic directly as the primary source of data
  • 10.  Network traffic profiles are created by generating connection vectors derived from the network data  Host vectors and connection vectors are the main input to the expert system in NSM  The expert system illustrates the data-path with which systems are expected to communicate  Intrusions are decided according to analysis results of the expert system.  The final result reported to the SSO consists of a connection vector and corresponding suspicion level.  The suspicion level measures the likelihood that a particular connection represents some intrusive behaviors. Time-based Inductive Machine (TIM)  Models user’s normal behavior patterns by dynamically generating activity rules  TIM discovers normal behavior patterns in a sequence of events instead of a single event.  Each rule represents a model that can predict the next event from a given sequence of events.  If user’s behavior matches with previous event sequences and the actual next event is not included in the predicted event sets, the user’s behavior is considered as intrusive.  The major limitation of TIM is that the rules only model adjacent events.  When many applications are executed at the same time, events occurring in one application may be interleaved with events occurring in other applications, in which case the rules generated by TIM may not accurately identify user’s normal behaviors.
  • 11. NADIR (Network Anomaly Detection and Intrusion Reporter)  Collects audit information from three different kinds of service nodes, namely network security controller, common file system and security assurance machine  Network security controller provides user authentication and access control;  Common file system stores the data, and security assurance machine records attempts to degrade the security level of the data  The audit information collected for each event include- o A unique user ID associated with the subject o The date and time of the event o An accounting parameter, the error code o A flag indicating whether the corresponding action is successful or not o The description of the event.  Individual user profile is computed on a weekly basis from the audit database.  The user profiles are compared with a set of expert system rules in order to detect possible deviations in users’ behaviors.  The expert rules are mainly derived from the security policies and the statistical analysis of previous audit logs.  Each rule is assigned a level-of-interest. If the corresponding sum of level-of-interest for a user is too big the intrusion alarm is raised. BiologicalModels  Inspired from biological principles  Initially proposed by Forrest et al.  They studied the analogy between human immune system’s capability of distinguishing self from nonself and intrusion detection system  When applying the self-nonself technique to intrusion detection, behaviors of the system are viewed as a string.  This string is divided into sub-strings of equal length k.
  • 12.  Self contains some of the possible 2k strings  The rest of the sub-strings 2k −sel f or the complement of self is called nonself.  Nonself contains some detector strings, which are of length and does not exist in the collection of self. Learning models  Learning models incorporate learning capabilities in intrusion detection process, using artificial leaning techniques  we divide the anomaly detection schemes into two categories: unsupervised and supervised.  Supervised anomaly detection establishes the normal profiles of systems or networks through training based on labeled data sets.  Unsupervised anomaly detection attempts to detect intrusions without using any prior knowledge of attacks or normal instances.  The main drawback of supervised anomaly detection is the need of labeling the training data, which makes the process error-prone, costly and time consuming, and difficult to find new attacks.
  • 13.  Unsupervised anomaly detection addresses these issues by allowing training based on unlabeled data sets and thus facilitating online learning and improving detection accuracy. Supervised Anomaly Detection Learning Models Supervised Anomaly Detection Using Neural Network Using Genetic Algorithm Unsupervised Anomaly Detection
  • 14.  Using Neural Network o Hyperview : an early r intrusion detection using neural network consists of two components o The first component is an expert system, which monitors audit trails for known intrusion signatures o The second component uses neural network to learn user behaviors; it then fires an alarm when there is a deviation between current behaviors and learnt behaviors o The use of neural network in Hyperview assumes that the audit data consist of multivariate time series, since user behavior exhibits a dynamic process executing an ordered series of events o back-propagation network is used by Ghosh o Lei and Ghorbani use competitive learning neural network using SOM  Using Genetic Algorithm o The genetic algorithm is an iterative search technique based on the theory of Darwinian evolution applied to mathematical models. o It operates on a population of individuals in which each individual is a potential solution to a given problem. After the initial population is randomly generated the algorithm circularly evolves the population through three basic operators: selection operator, crossover operator and mutation operator until the best individual is obtained. o Genetic Algorithm as an Alternative Tool for Security Audit Trails Analysis (GASSATA) is one of the earliest attempts for using genetic algorithm (GA) for intrusion detection Unsupervised Anomaly Detection
  • 15.  Several unsupervised learning techniques for anomaly detection have been proposed in recent years. Clustering and outlier detection based techniques are among the most popular approaches  Lankewicz propose a model applying pattern recognition to the characterization of individual users. f k-nearest-neighbor clustering algorithm d facilitate real-time detection  Staniford et al. propose a portscan detector, which is particularly effective against stealthy scans  Firstly, the anomaly sensor computes an anomaly score for packets. Secondly, based on the anomaly scores the correlator uses simulated annealing to cluster packets into activities that are similar
  • 16. Specification-based Detection  Specification-based detection approaches are neither misuse based, nor anomaly based  they use system behavioral specifications to detect attacks  nstead of learning system behaviors, in specification-based systems the experts’ knowledge determines the operating limits (threshold) of a sys tem  Once the correct (or allowed) system behavior is specified. The events deviating from the specification would generate an alert  Specification-based detection approaches focus on building specified behaviors based on the least privileged principle  An execution sequence performed by the subject that violates the specification of programs will be considered as an attack.  This approach, , can detect unseen attacks that may be exploited in the future  However, specifying the behavior of a large number of privileged programs running in real operating environments is a daunting and difficult task.  Hybrid Detection
  • 17.  The intrusion detection capabilities can be improved through a hybrid approach  A hybrid approach consisting of both signature (misuse) detection as well as anomaly detection  In such a hybrid system, the signature detection technique detects known attacks and the anomaly detection technique detects novel or unknown attacks.  Tombini et al. applied an anomaly detection approach to create a list of suspicious items. Then a signature detection approach is used to classify these suspicious items into three categories, namely false alarms, attacks, and unknown attacks.  The approach is based on an assumption that a high detection rate can be achieved by the anomaly detection component because missed intrusions in the first step will not be found by the follow-up signature detection component.  Zhang et al. proposed a hybrid IDS combining both misuse detection and anomaly detection components, in which a random forests algorithm was applied  Based on an idea of combining the advantages of low false positive rate of signature based IDS and the ability of anomaly detection system (ADS) for detecting new or unknown attacks,  The well known examples are: signature based SNORT or Bro systems