Intrusion Detection System with Artificial Intelligence
Mario Castro Ponce
Universidad Pontificia Comillas de Madrid
FIST Conference - June 2004 edition
Sponsored by: MLP Private Finance




IDS with AI marioc@dsi.icai.upco.es                    FIST Conference - june 2004 edition– 1/28
Aim of the talk
1.      Showing you a different approach to Intrusion
        Detection based on Artificial Intelligence
2.      Contacting experts in the field to exchange ideas and
        maybe create a (pioneer!!!!) working group

Sketch of the talk
   What is an IDS?
   Architecture of a Vulnerability Detector
   Why use A.I.?
   Neurons and other animals
   Neural-IDS
   Fuzzy-Correlator
   Conclusions

What is an IDS?
  Any hardware, software, or combination thereof that
monitors a system or network of systems for malicious activity

      Main functions
          Dissuade
          Prevent
          Document
      Two kinds of IDS
          Host based
          Network based

Architecture of a Vulnerability Detector
     Example: OSSIM




     [Figure: OSSIM architecture diagram]

Why use AI?
   The system manager's nightmare: false positives.
   So why A.I.? For three main reasons:
      Flexibility (vs threshold definition)
      Adaptability (vs specific rules)
      Pattern recognition (and detection of new patterns)
   Moreover
      Fast computing (faster than humans, actually)
      Learning abilities.

Neurons and other animals
    AI tools:
        Neural Networks
        Fuzzy Logic
        Other...

Artificial Neural Networks
      Change of paradigm in computer science:

      Many simple processors, each with one simple task to do, instead of one
      (or a few) powerful, versatile processors

Neurons and artificial neurons
    [Figure: neurons and artificial neurons]

Main types of ANN
    Multilayer perceptrons
        [Figure: input layer, hidden layer, output layer]
    Self-organized maps
    Radial basis neural networks
    Other

Neural IDS
    Designed for DoS and port scan attacks
    IDS based on a multilayer perceptron
    Designing the tool (with feed-back between the stages):
        Analysis
        Quantification
        Topology
        Learning & validation

First scenario: Port scan
    Pouring rain analogy
    [Figure: packets from the same source @IP falling on PORT NUMBERS 21, 22, 23, 25, 80]

Second scenario: Denial of Service
    Pouring rain analogy
    [Figure: packets from the same source @IP falling on PORT NUMBERS 21, 22, 23, 25, 80]

Measures
    Visually the difference between them is clear. . . but quantitatively?
        Measures borrowed from Physics
            Statistical Mechanics: Order = Low Entropy, Disorder = High Entropy
            Solid State Physics (electronics): atoms in an insulator vs. atoms in a conductor
            [Figure: packets from the same source @IP over PORT NUMBERS 21, 22, 23, 25, 80: Disorder = High Entropy, like the conductor]
            [Figure: packets from the same source @IP over PORT NUMBERS 21, 22, 23, 25, 80: Order = Low Entropy, like the insulator]
        Traffic parameters
            Packets per second
            Fraction of total packets to a port
            Inverse of the total number of packets
        All measures are evaluated within a time window.
        Parallel time windows: e.g., 15 sec, 30 sec, 5
        minutes, 30 minutes

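As an added example (not code from the talk), the measures listed above computed per source IP inside a time window: packets per second, the fraction of packets to a port, 1/packets and the Shannon entropy of the destination-port distribution, which separates traffic spread over many ports (high entropy, disorder) from traffic concentrated on one port (low entropy, order). The Packet record, the reading of "fraction of total packets to a port" as the share of the most-hit port, and the sample traffic are assumptions constructed here; the window lengths are the slide's.

```python
"""Traffic measures per source IP inside a time window, as on the Measures
slide: packets per second, fraction of packets to a port, 1/packets and the
entropy of the destination-port distribution (the ENTROPY input of the MLP).

Added example, not code from the talk. The Packet record, the reading of
"fraction of total packets to a port" as the share of the most-hit port and
the sample traffic are constructed here; the window lengths are the slide's.
"""
import math
from collections import Counter
from typing import List, NamedTuple


class Packet(NamedTuple):
    ts: float        # seconds since the start of the capture
    src_ip: str
    dst_port: int


WINDOWS = (15, 30, 300, 1800)   # parallel windows from the slide, in seconds


def port_entropy(ports: Counter) -> float:
    """Shannon entropy (bits) of the destination-port distribution.

    Everything on one port gives 0.0 (order, low entropy); k equally used
    ports give log2(k) (disorder, high entropy).
    """
    total = sum(ports.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in ports.values())


def measures(packets: List[Packet], src_ip: str, t_end: float, window: int) -> dict:
    """The slide's measures for one source IP over (t_end - window, t_end]."""
    in_window = [p for p in packets
                 if p.src_ip == src_ip and t_end - window < p.ts <= t_end]
    ports = Counter(p.dst_port for p in in_window)
    n = len(in_window)
    top_port, top_count = ports.most_common(1)[0] if n else (None, 0)
    return {
        "packets": n,
        "packets_per_sec": n / window,
        "fraction_to_top_port": top_count / n if n else 0.0,   # assumed reading
        "inverse_packets": 1.0 / n if n else 0.0,              # 1/PACKETS input
        "entropy": port_entropy(ports),
        "top_port": top_port,
    }


def all_windows(packets: List[Packet], src_ip: str, t_end: float) -> dict:
    """The same measures evaluated in every parallel window ending at t_end."""
    return {w: measures(packets, src_ip, t_end, w) for w in WINDOWS}


# Constructed sample traffic (not a real capture):
#  - 10.0.0.1 sends one packet to each of ports 21, 22, 23, 25 and 80
#    ("pouring rain" spread over the port numbers of the figures);
#  - 10.0.0.2 sends 500 packets to port 80 within 5 seconds.
SCAN_SRC, FLOOD_SRC = "10.0.0.1", "10.0.0.2"
SAMPLE: List[Packet] = (
    [Packet(1.0 + i, SCAN_SRC, port) for i, port in enumerate((21, 22, 23, 25, 80))]
    + [Packet(1.0 + i * 0.01, FLOOD_SRC, 80) for i in range(500)]
)

if __name__ == "__main__":
    for src in (SCAN_SRC, FLOOD_SRC):
        m = measures(SAMPLE, src, t_end=15.0, window=15)
        print(src, {k: round(v, 3) if isinstance(v, float) else v for k, v in m.items()})
```

The five-port source comes out with entropy log2(5) and a 0.2 fraction on its top port, the single-port source with entropy 0 and fraction 1.0, which is the quantitative difference the slide asks for.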
Topology
    [Figure: multilayer perceptron; inputs ENTROPY, IPR, PACKETS/SEC, FRACTION OF PACKETS, 1/PACKETS; outputs PORT SCAN, DENIAL OF SERVICE, NONE]

Learning and testing

TYPE OF ATTACK          LEARNING PATTERNS     RATE OF SUCCESS
SEQUENTIAL SCAN                20                 100 %
SEQUENTIAL SCAN                50                 100 %
RANDOM SCAN                    20                 100 %
RANDOM SCAN                    50                 100 %
DoS                            20                  70 %
DoS                            50                  80 %
ALL                            20                  60 %
ALL                            50                  65 %

      Best choice: Specialized neural detectors

Fuzzy Logic
    Imitates human perception: Approximate reasoning
    Example: Air cooler
       Classical rules:
       IF Temperature > 25 THEN Switch-on
       IF Temperature < 21 THEN Switch-off
       ...
       Fuzzy rules:
       IF Temperature is high THEN Switch-on
       IF Temperature is too low THEN Switch-off
       ...
       More sophisticated fuzzy rules:
       IF Temperature is moderate AND my wife is very pregnant THEN Switch-on
       ...

Term sets and grade of membership
    Thresholds
        More than 3000 packets/sec ⇒ Possible DoS
        More than 5000 packets/sec ⇒ DoS!
    Term sets
        [Figure: grade of membership (0 to 1) of the term 'low' against VOLUME OF TRAFFIC, axis marked 0, 1000, 2000]

Fuzzy correlator: Preliminary work
    Aim of the research:

    Use the flexibility and human language features of Fuzzy
    Logic and include them in the OSSIM Correlation Engine

    Status: Preliminary definitions and procedures.

More on term sets
    Input variable: Volume of traffic
    [Figure: term set very low, low, normal, high, very high; grade of membership from 0 to 1 over 0, 1000, 2000, 3000, 4000, 5000 packets/sec]

More on term sets (II)
    Input variable: Number of visited ports
    [Figure: term set very low, low, normal, high, very high; grade of membership from 0 to 1 over 0, 2, 4, 6, 8, 10 ports]

More on term sets (III)
    Output variable: DoS Attack?
    [Figure: term set improbable, maybe, almost sure; grade of membership from 0 to 1 over 0, 0.5, 1]

    Rules (example):

        IF traffic is high AND number of destination ports is low THEN DoS

    Evaluating rules gives the required answer
    ’DoS Attack?’: almost sure

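The rule above evaluated end to end, as an added example that is not the author's code: triangular term sets over the three ranges shown on the slides, AND as min, max aggregation over rules and centre-of-sets defuzzification of 'DoS Attack?'. The even spacing of the triangles, the complementary rules marked in the code and the sample inputs are assumptions.

```python
"""Fuzzy evaluation of the slide's rule
    IF traffic is high AND number of destination ports is low THEN DoS
over the three term sets shown (volume of traffic 0..5000 packets/sec,
number of visited ports 0..10, output 'DoS Attack?' in 0..1).

Added example, not the author's code. Assumptions: the term sets are evenly
spaced triangles over the ranges read off the slides, and the rule base adds
a few complementary rules (marked below) so the output also covers the
'improbable' and 'maybe' cases.
"""
from typing import Callable, Dict, FrozenSet, List, Tuple


def triangular_terms(names: List[str], lo: float, hi: float) -> Callable[[float], Dict[str, float]]:
    """Build a fuzzifier for a term set of evenly spaced triangles (assumption).

    The k-th term peaks at lo + k*step and falls to 0 one step away; the first
    and last terms stay at 1 beyond the ends of the range.
    """
    step = (hi - lo) / (len(names) - 1)

    def fuzzify(x: float) -> Dict[str, float]:
        grades: Dict[str, float] = {}
        for k, name in enumerate(names):
            centre = lo + k * step
            if (k == 0 and x <= centre) or (k == len(names) - 1 and x >= centre):
                grades[name] = 1.0
            else:
                grades[name] = max(0.0, 1.0 - abs(x - centre) / step)
        return grades

    return fuzzify


FIVE = ["very low", "low", "normal", "high", "very high"]
traffic_terms = triangular_terms(FIVE, 0.0, 5000.0)     # volume of traffic, packets/sec
ports_terms = triangular_terms(FIVE, 0.0, 10.0)         # number of visited ports
OUTPUT_TERMS = ["improbable", "maybe", "almost sure"]   # 'DoS Attack?', centred at 0, 0.5, 1
output_terms = triangular_terms(OUTPUT_TERMS, 0.0, 1.0)
OUTPUT_CENTRE = {"improbable": 0.0, "maybe": 0.5, "almost sure": 1.0}

ANY = frozenset(FIVE)
Rule = Tuple[FrozenSet[str], FrozenSet[str], str]
# (traffic terms, port terms, consequent): terms inside one antecedent are
# OR-ed (max), the two antecedents are AND-ed (min).
RULES: List[Rule] = [
    # The slide's rule, widened to the neighbouring terms (assumption).
    (frozenset({"high", "very high"}), frozenset({"very low", "low"}), "almost sure"),
    # Complementary rules assumed here so that every input region gets an answer.
    (frozenset({"normal"}), frozenset({"very low", "low"}), "maybe"),
    (frozenset({"high", "very high"}), frozenset({"normal", "high", "very high"}), "maybe"),
    (frozenset({"very low", "low"}), ANY, "improbable"),
    (frozenset({"normal"}), frozenset({"normal", "high", "very high"}), "improbable"),
]


def evaluate(traffic: float, ports: float) -> Tuple[float, str]:
    """Fuzzify both inputs, fire the rules and defuzzify 'DoS Attack?'.

    Centre-of-sets defuzzification: each output term's firing strength
    (max over the rules that conclude it) weights that term's centre.
    Returns the crisp value in 0..1 and the output term with the highest
    grade at that value.
    """
    t, p = traffic_terms(traffic), ports_terms(ports)
    strength = {name: 0.0 for name in OUTPUT_TERMS}
    for t_set, p_set, out in RULES:
        fire = min(max(t[n] for n in t_set), max(p[n] for n in p_set))
        strength[out] = max(strength[out], fire)
    total = sum(strength.values())
    if total == 0.0:
        return 0.0, "improbable"        # no rule fired
    crisp = sum(w * OUTPUT_CENTRE[name] for name, w in strength.items()) / total
    grades = output_terms(crisp)
    return crisp, max(grades, key=grades.get)


if __name__ == "__main__":
    # Constructed inputs: high traffic on one port, a borderline case, quiet traffic.
    for traffic, ports in ((3900, 1), (2700, 1), (800, 6)):
        print(traffic, ports, evaluate(traffic, ports))
```

With 3900 packets/sec to a single port the answer is the slide's 'almost sure'; the same port count at 2700 packets/sec lands between the terms and comes out 'maybe'.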
OSSIM Correlation Engine
    Characteristics
       Depends strongly on timers
       All the variants of an attack must be coded
       Cannot detect new attacks
       Complex syntax

Sample scenario: NETBIOS DCERPC ISystemActivator

   IF destination_ports = 135,445 THEN Generate Alarm with Reliability 1 and wait 60 seconds for next rule (TIME_OUT)

   AND IF DEST_IP and SRC_IP talk again THEN Alarm, Reliability 3 and wait 60 seconds for next rule (TIME_OUT)

   AND IF DEST_PORT and SRC_PORT talk again AND plugin_sid=2123 (CMD.EXE) THEN Alarm,
   Reliability 6 and wait 60 seconds for next rule (TIME_OUT)

   AND FINALLY IF plugin_id=2002 and connection lasts more than 10 THEN Alarm with Reliability 10

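The four-level directive above as a timer-driven state machine, added here as an example and not OSSIM's own engine: each level raises the alarm reliability (1, 3, 6, 10) and waits at most 60 seconds for the next one, after which the chain is dropped, which is the timer dependence the previous slide lists. The Event fields, the reading of "talk again" as matching the previous event of the chain, "lasts more than 10" as 10 seconds, and the sample event stream are assumptions.

```python
"""Timer-driven correlation of the slide's NETBIOS DCERPC ISystemActivator
directive: four levels, each raising the alarm reliability (1, 3, 6, 10) and
each waiting at most 60 seconds (TIME_OUT) for the next level.

Added example, not OSSIM's own engine. The Event fields and the sample events
are constructed; ports 135/445, plugin_sid 2123 and plugin_id 2002 are the
slide's values, and "lasts more than 10" is read as 10 seconds (assumption).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Event:
    """One normalised sensor event (constructed format, not OSSIM's)."""
    ts: float               # seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    plugin_id: int = 0
    plugin_sid: int = 0
    duration: float = 0.0   # connection length in seconds (used by the last level)


@dataclass
class Level:
    reliability: int
    # matches(previous event of the chain, candidate event) -> bool
    matches: Callable[[Optional[Event], Event], bool]
    timeout: Optional[float] = 60.0   # seconds to wait for the next level; None = last level


def same_ips(prev: Event, e: Event) -> bool:
    return e.src_ip == prev.src_ip and e.dst_ip == prev.dst_ip


# The four rules of the slide, in order. "Talk again" is read as matching the
# previous event of the chain (assumption).
DIRECTIVE: List[Level] = [
    Level(1, lambda prev, e: e.dst_port in (135, 445)),
    Level(3, lambda prev, e: same_ips(prev, e)),
    Level(6, lambda prev, e: same_ips(prev, e) and e.src_port == prev.src_port
          and e.dst_port == prev.dst_port and e.plugin_sid == 2123),
    Level(10, lambda prev, e: same_ips(prev, e) and e.plugin_id == 2002
          and e.duration > 10.0, timeout=None),
]


@dataclass
class Chain:
    events: List[Event]     # one matched event per level reached so far

    def level(self) -> int:
        return len(self.events)


class Correlator:
    def __init__(self, directive: List[Level]) -> None:
        self.directive = directive
        self.chains: List[Chain] = []

    def feed(self, e: Event) -> List[Tuple[int, int]]:
        """Process one event (events must arrive in time order).

        Returns the alarms raised by this event as (level, reliability).
        """
        alarms: List[Tuple[int, int]] = []
        live: List[Chain] = []
        for c in self.chains:
            timeout = self.directive[c.level() - 1].timeout
            if timeout is not None and e.ts - c.events[-1].ts > timeout:
                continue                       # TIME_OUT elapsed: chain dropped
            if self.directive[c.level()].matches(c.events[-1], e):
                c.events.append(e)
                alarms.append((c.level(), self.directive[c.level() - 1].reliability))
            if c.level() < len(self.directive):
                live.append(c)                 # still waiting for the next level
        self.chains = live
        if self.directive[0].matches(None, e):
            self.chains.append(Chain([e]))     # any matching event may start a chain
            alarms.append((1, self.directive[0].reliability))
        return alarms


def correlate(events: List[Event]) -> List[Tuple[int, int]]:
    """Run the directive over an event list and return every alarm in order."""
    c = Correlator(DIRECTIVE)
    return [a for e in sorted(events, key=lambda ev: ev.ts) for a in c.feed(e)]


# Constructed sample: a full chain (all four levels inside the timeouts) ...
SAMPLE_CHAIN = [
    Event(0.0, "10.0.0.5", "10.0.0.9", 1025, 135),
    Event(20.0, "10.0.0.5", "10.0.0.9", 1026, 4444),
    Event(50.0, "10.0.0.5", "10.0.0.9", 1026, 4444, plugin_sid=2123),
    Event(100.0, "10.0.0.5", "10.0.0.9", 1026, 4444, plugin_id=2002, duration=30.0),
]
# ... and a pair whose second event arrives after the 60 s TIME_OUT, so it
# only restarts level 1 instead of reaching level 2.
SAMPLE_TIMEOUT = [
    Event(0.0, "10.0.0.5", "10.0.0.7", 1030, 445),
    Event(70.0, "10.0.0.5", "10.0.0.7", 1031, 445),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_CHAIN))     # [(1, 1), (2, 3), (3, 6), (4, 10)]
    print(correlate(SAMPLE_TIMEOUT))   # [(1, 1), (1, 1)]
```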
Fuzzy Correlator revisited: Objectives
     Going beyond the sequential arrival of packets
     Integrating different sensors:
         SNORT
         Anomaly detection:
             Abnormal connection to an open port (firewall)
             Thresholds
             High traffic at nights or weekends, . . .
         Neural-IDS
         Other
     Defining rules according to Security Manager’s
     experience

Conclusions and open questions
    AI techniques are
         Flexible
         Suitable for pattern recognition
         Powerful (Neural-IDS)
         Easy to design (human language)
    But there is still a lot of work to do. . .
        We need more time
        We need more people
           Students
           Security experts (working group?)
        And of course. . . some money to pay it

And that’s all folks. . .


5th International Conference on Signal and Image Processing (SIGI 2019)
 
11th International Conference on Soft Computing, Artificial Intelligence and ...
11th International Conference on Soft Computing, Artificial Intelligence and ...11th International Conference on Soft Computing, Artificial Intelligence and ...
11th International Conference on Soft Computing, Artificial Intelligence and ...
 

More from Conferencias FIST

Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open Source
Conferencias FIST
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática Forense
Conferencias FIST
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFi
Conferencias FIST
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
Conferencias FIST
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes Wireless
Conferencias FIST
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la Concienciación
Conferencias FIST
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el Desarrollo
Conferencias FIST
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis Forense
Conferencias FIST
 

More from Conferencias FIST (20)

Seguridad en Open Solaris
Seguridad en Open SolarisSeguridad en Open Solaris
Seguridad en Open Solaris
 
Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open Source
 
Spanish Honeynet Project
Spanish Honeynet ProjectSpanish Honeynet Project
Spanish Honeynet Project
 
Seguridad en Windows Mobile
Seguridad en Windows MobileSeguridad en Windows Mobile
Seguridad en Windows Mobile
 
SAP Security
SAP SecuritySAP Security
SAP Security
 
Que es Seguridad
Que es SeguridadQue es Seguridad
Que es Seguridad
 
Network Access Protection
Network Access ProtectionNetwork Access Protection
Network Access Protection
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática Forense
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFi
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
Criptografia Cuántica
Criptografia CuánticaCriptografia Cuántica
Criptografia Cuántica
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes Wireless
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la Concienciación
 
Security Metrics
Security MetricsSecurity Metrics
Security Metrics
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
Wifislax 3.1
Wifislax 3.1Wifislax 3.1
Wifislax 3.1
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el Desarrollo
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis Forense
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity Model
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 

Recently uploaded (20)

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 

IDS with Artificial Intelligence

  • 1. Intrusion Detection System with Artificial Intelligence
     Mario Castro Ponce
     Universidad Pontificia Comillas de Madrid
     FIST Conference - June 2004 edition
     Sponsored by: MLP Private Finance
     IDS with AI marioc@dsi.icai.upco.es FIST Conference - june 2004 edition – 1/28
  • 2. Aim of the talk (2/28)
     1. Showing you a different approach to Intrusion Detection based on Artificial Intelligence
     2. Contacting experts in the field to exchange ideas and maybe create a (pioneer!!!!) working group
  • 3. Sketch of the talk (3/28)
     What is an IDS?
     Architecture of a Vulnerability Detector
     Why use AI?
     Neurons and other animals
     Neural-IDS
     Fuzzy-Correlator
     Conclusions
  • 4-6. What is an IDS? (4/28)
     Any hardware, software, or combination thereof that monitors a system or network of systems for malicious activity
     Main functions: Dissuade, Prevent, Document
     Two kinds of IDS: Host based, Network based
  • 7. Architecture of a Vulnerability Detector (5/28)
     Example: OSSIM [architecture diagram]
  • 8-10. Why use AI? (6/28)
     The system manager's nightmare: false positives.
     So why AI? Three main reasons:
       Flexibility (vs threshold definition)
       Adaptability (vs specific rules)
       Pattern recognition (and detection of new patterns)
     Moreover: fast computing (faster than humans, actually) and learning abilities.
  • 11. Neurons and other animals (7/28)
     AI tools: Neural Networks, Fuzzy Logic, Other...
  • 12. Artificial Neural Networks (8/28)
     A change of paradigm in computing science: many simple processors, each with one small task to do, instead of one (or a few) powerful, versatile processors
  • 13. Neurons and artificial neurons (9/28) [figure]
  • 14. Main types of ANN (10/28)
     Multilayer perceptrons [figure: input layer, hidden layer, output layer]
     Self-organized maps
     Radial basis neural networks
     Other
  • 15-16. Neural IDS (11/28)
     Designed for DoS and port scan attacks
     IDS based on a multilayer perceptron
     Designing the tool: Analysis, Quantification, Topology, Learning & validation, with feedback between the steps
  • 17. First scenario: Port scan (12/28)
     Pouring rain analogy: packets from the same source @IP [figure over port numbers 21 22 23 25 80]
  • 18. Second scenario: Denial of Service (13/28)
     Pouring rain analogy: packets from the same source @IP [figure over port numbers 21 22 23 25 80]
  • 19-26. Measures (14/28)
     Visually the difference between them is clear... but quantitatively?
     Measures borrowed from Physics:
       Statistical Mechanics: Order = Low Entropy; Disorder = High Entropy
       Solid State Physics (electronics): [figure: atoms in an insulator vs atoms in a conductor]
       [figure: packets from the same source @IP over port numbers 21 22 23 25 80, labelled Disorder = High Entropy / CONDUCTOR]
       [figure: packets from the same source @IP over port numbers 21 22 23 25 80, labelled Order = Low Entropy / INSULATOR]
     Traffic parameters: Packets per second; Fraction of total packets to a port; Inverse of the total number of packets
     All measures are evaluated within a time window. Parallel time windows: e.g., 15 sec, 30 sec, 5 minutes, 30 minutes
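The measures listed above, worked through as an added example (Python; this is not code from the talk): per-source-IP features inside a time window, computed over a constructed packet list. The window lengths are the ones named on the slide; the entropy is Shannon entropy in bits over destination ports; the packet records and the private addresses are constructed for the example.

```python
"""Traffic measures from the talk, evaluated per source IP inside a time
window: packets per second, Shannon entropy of the destination-port
distribution, fraction of packets to the busiest port and 1/packets.
Added example, not code from the talk; the packet records and private
addresses below are constructed."""
import math
from collections import Counter

# Constructed records: (time in seconds, source IP, destination port)
PACKETS = (
    # source A: one packet to each of eight ports over eight seconds
    [(float(t), "10.0.0.5", p) for t, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    # source B: 300 packets, all to port 80, inside three seconds
    + [(i / 100.0, "10.0.0.9", 80) for i in range(300)]
)

# Parallel windows named on the slide: 15 s, 30 s, 5 min, 30 min
WINDOWS = (15, 30, 300, 1800)


def in_window(packets, src_ip, start, length):
    """Packets from src_ip with start <= time < start + length."""
    return [p for p in packets if p[1] == src_ip and start <= p[0] < start + length]


def port_entropy(ports):
    """Shannon entropy in bits of the destination-port distribution:
    traffic spread evenly over many ports scores high (disorder),
    traffic aimed at a single port scores 0 (order)."""
    n = len(ports)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def measures(packets, src_ip, start, length):
    """Feature vector for one source IP in one window."""
    ports = [p[2] for p in in_window(packets, src_ip, start, length)]
    n = len(ports)
    top_port, top_count = Counter(ports).most_common(1)[0] if ports else (None, 0)
    return {
        "packets": n,
        "packets_per_sec": n / length,
        "entropy_bits": port_entropy(ports),
        "distinct_ports": len(set(ports)),
        "top_port": top_port,
        "fraction_to_top_port": top_count / n if n else 0.0,
        "inverse_packets": 1.0 / n if n else 0.0,  # 1/packets; 0 used for an empty window
    }


def all_windows(packets, src_ip, start=0.0):
    """The same measures over every parallel window, as the slide suggests."""
    return {w: measures(packets, src_ip, start, w) for w in WINDOWS}


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.9"):
        print(ip, measures(PACKETS, ip, 0.0, 15))
```

Source A scores 3 bits of entropy (eight equally used ports) with only 1/8 of its packets on its busiest port; source B scores 0 bits with everything on port 80 at 20 packets/s in the 15-second window. Those are the two ends of the order/disorder axis the slides draw, and the dictionary is the kind of vector the next slide feeds to the perceptron.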
  • 27. Topology (15/28)
     [network diagram] Inputs: Entropy, IPR, Packets/sec, Fraction of packets, 1/Packets. Outputs: Port scan, Denial of service, None
  • 28-29. Learning and testing (16/28)
     TYPE OF ATTACK     LEARNING PATTERNS   RATE OF SUCCESS
     Sequential scan    20                  100 %
     Sequential scan    50                  100 %
     Random scan        20                  100 %
     Random scan        50                  100 %
     DoS                20                   70 %
     DoS                50                   80 %
     All                20                   60 %
     All                50                   65 %
     Best choice: specialized neural detectors
  • 30-33. Fuzzy Logic (17/28)
     Imitates human perception: approximate reasoning
     Example: Air cooler
     Classical rules:
       IF Temperature > 25 THEN Switch-on
       IF Temperature < 21 THEN Switch-off
       ...
     Fuzzy rules:
       IF Temperature is high THEN Switch-on
       IF Temperature is too low THEN Switch-off
       ...
     More sophisticated fuzzy rules:
       IF Temperature is moderate AND my wife is very pregnant THEN Switch-on
       ...
  • 34-35. Term sets and grade of membership (18/28)
     Thresholds:
       More than 3000 packets/sec ⇒ Possible DoS
       More than 5000 packets/sec ⇒ DoS!
     [figure: grade of membership (0 to 1) against VOLUME OF TRAFFIC (0, 1000, 2000, ...), with the "low" term set drawn and the two thresholds marked]
  • 36-37. Fuzzy correlator: Preliminary work (19/28)
     Aim of the research: use the flexibility and human-language features of Fuzzy Logic and include them in the OSSIM Correlation Engine
     Status: preliminary definitions and procedures.
  • 38. More on term sets (20/28)
     Input variable: Volume of traffic
     [figure: term sets very low, low, normal, high, very high; membership 0 to 1 over 0, 1000, 2000, 3000, 4000, 5000]
  • 39. More on term sets (II) (21/28)
     Input variable: Number of visited ports
     [figure: term sets very low, low, normal, high, very high; membership 0 to 1 over 0, 2, 4, 6, 8, 10]
  • 40. More on term sets (III) (22/28)
     Output variable: DoS Attack?
     [figure: term sets improbable, maybe, almost sure; membership 0 to 1 over 0, 0.5, 1]
     Rules (example): IF traffic is high AND number of destination ports is low THEN DoS
     Evaluating the rules gives the required answer 'DoS Attack?': almost sure
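The term sets and the example rule above, evaluated end to end as an added example (Python; not code from the talk or from OSSIM). The slides only draw the axes, so the five labels are assumed to be evenly spaced triangles over 0..5000 packets/sec and 0..10 ports, with shoulders at the ends; the rules that produce "maybe" and "improbable" are constructed here so that the output variable is fully populated; AND is min, OR is max, and the crisp value is the degree-weighted mean of the output term centres (0, 0.5, 1). All of those are choices of this example, not statements from the talk.

```python
"""Mamdani-style evaluation of the DoS rule on the slide. Added example,
not code from the talk: the five term sets are assumed to be evenly
spaced triangles over the slide axes (0..5000 packets/sec, 0..10 ports),
the rules for "maybe" and "improbable" are constructed to complete the
output variable, and AND/OR are min/max."""


def tri(x, a, b, c):
    """Triangular membership: 0 at a, 1 at b, 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def left_shoulder(x, b, c):
    """1 up to b, falling to 0 at c (the lowest label)."""
    return 1.0 if x <= b else max(0.0, (c - x) / (c - b))


def right_shoulder(x, a, b):
    """0 up to a, rising to 1 at b (the highest label)."""
    return 0.0 if x <= a else min(1.0, (x - a) / (b - a))


def term_set(lo, hi):
    """Five labels centred at lo, lo+step, ..., hi (assumed shapes)."""
    step = (hi - lo) / 4
    c = [lo + i * step for i in range(5)]
    return {
        "very low":  lambda x: left_shoulder(x, c[0], c[1]),
        "low":       lambda x: tri(x, c[0], c[1], c[2]),
        "normal":    lambda x: tri(x, c[1], c[2], c[3]),
        "high":      lambda x: tri(x, c[2], c[3], c[4]),
        "very high": lambda x: right_shoulder(x, c[3], c[4]),
    }


TRAFFIC = term_set(0, 5000)   # input: volume of traffic (packets/sec)
PORTS = term_set(0, 10)       # input: number of visited ports
OUTPUT = {"improbable": 0.0, "maybe": 0.5, "almost sure": 1.0}  # output term centres


def fuzzify(terms, x):
    """Grade of membership of x in every label of one term set."""
    return {label: mu(x) for label, mu in terms.items()}


def evaluate(traffic, ports):
    """Return (degree per output label, crisp value in [0, 1], best label).
    best is None when no rule fires at all."""
    t = fuzzify(TRAFFIC, traffic)
    p = fuzzify(PORTS, ports)
    degree = {
        "almost sure": min(t["high"], p["low"]),     # rule on the slide
        "maybe": t["normal"],                         # constructed rule
        "improbable": max(t["low"], t["very low"]),   # constructed rule
    }
    total = sum(degree.values())
    crisp = sum(OUTPUT[k] * v for k, v in degree.items()) / total if total else 0.0
    best = max(degree, key=degree.get) if total else None
    return degree, crisp, best


if __name__ == "__main__":
    print(evaluate(4000, 2))   # high traffic on few ports
    print(evaluate(2000, 8))   # normal traffic spread over many ports
```

With 4000 packets/sec to 2 ports the slide's rule fires at 0.8 and the answer is "almost sure"; with 2000 packets/sec over 8 ports nothing on the slide's rule fires and the constructed rules settle on "maybe". Note that a case no rule covers (say, very high traffic over many ports) leaves `best` as None: fuzzy rules soften thresholds, but every situation you want an opinion on still needs a rule.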
  • 41. OSSIM Correlation Engine (23/28)
     Characteristics:
       Depends strongly on timers
       All the variants of an attack must be coded
       Cannot detect new attacks
       Complex syntax
  • 42-43. Sample scenario: NETBIOS DCERPC ISystemActivator (24-25/28)
     IF destination_ports = 135,445 THEN Generate Alarm with Reliability 1 and wait 60 seconds for next rule (TIME_OUT)
     AND IF DEST_IP and SRC_IP talk again THEN Alarm, Reliability 3 and wait 60 seconds for next rule (TIME_OUT)
     AND IF DEST_PORT and SRC_PORT talk again AND plugin_sid=2123 (CMD.EXE) THEN Alarm, Reliability 6 and wait 60 seconds for next rule (TIME_OUT)
     AND FINALLY IF plugin_id=2002 and connection lasts more than 10 THEN Alarm with Reliability 10
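The four-level directive above run as a small state machine, as an added example (Python; not OSSIM's engine or its directive syntax). It shows the timer dependence named on the previous slide: the same second contact reaching the sensor 100 seconds after the first restarts the sequence at reliability 1 instead of escalating it. The event fields are assumptions, plugin_sid 2123 and plugin_id 2002 are the values on the slide, "lasts more than 10" is taken as seconds here, and the event stream and private addresses are constructed.

```python
"""Stateful evaluation of the four-level directive on the slide, with the
reliability escalation (1, 3, 6, 10) and the 60 s TIME_OUT between levels.
Added example, not OSSIM code: the event fields and the event stream are
constructed; plugin_sid 2123 and plugin_id 2002 are the values on the slide."""
from dataclasses import dataclass


@dataclass
class Event:
    t: float               # seconds since start of capture
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    plugin_id: int = 0     # which sensor produced the event (assumed field)
    plugin_sid: int = 0    # sensor-specific signature id (assumed field)
    duration: float = 0.0  # connection duration; "more than 10" on the slide, assumed seconds


@dataclass
class Directive:
    """State of one directive instance, tracked per (src_ip, dst_ip) pair."""
    level: int
    last_t: float
    ports: tuple           # (src_port, dst_port) of the first contact


TIMEOUT = 60.0                          # "wait 60 seconds for next rule"
RELIABILITY = {1: 1, 2: 3, 3: 6, 4: 10}  # reliability reported at each level


def advance(d, e):
    """True if event e satisfies the rule for the directive's next level."""
    if d.level == 1:       # DEST_IP and SRC_IP talk again
        return True
    if d.level == 2:       # same port pair again AND the CMD.EXE signature
        return (e.src_port, e.dst_port) == d.ports and e.plugin_sid == 2123
    if d.level == 3:       # long-lived connection reported by plugin 2002
        return e.plugin_id == 2002 and e.duration > 10
    return False


def correlate(events):
    """Return alarms as (time, (src_ip, dst_ip), reliability), in time order."""
    state, alarms = {}, []
    for e in sorted(events, key=lambda ev: ev.t):
        key = (e.src_ip, e.dst_ip)
        d = state.get(key)
        if d is not None and e.t - d.last_t > TIMEOUT:
            del state[key]           # TIME_OUT: the sequence expired, start over
            d = None
        if d is None:
            if e.dst_port in (135, 445):   # level 1: first contact on 135/445
                state[key] = Directive(1, e.t, (e.src_port, e.dst_port))
                alarms.append((e.t, key, RELIABILITY[1]))
            continue
        if not advance(d, e):
            continue                 # does not match the next rule: keep waiting
        d.level += 1
        d.last_t = e.t
        alarms.append((e.t, key, RELIABILITY[d.level]))
        if d.level == 4:
            del state[key]           # directive complete
    return alarms


# Constructed event stream (private addresses, not captured traffic)
EVENTS = [
    Event(0, "10.0.0.7", "10.0.0.20", 40000, 135),
    Event(0, "10.0.0.8", "10.0.0.20", 41000, 135),
    Event(20, "10.0.0.7", "10.0.0.20", 40001, 445),
    Event(40, "10.0.0.7", "10.0.0.20", 40000, 135, plugin_sid=2123),
    Event(55, "10.0.0.7", "10.0.0.20", 40002, 445, plugin_id=2002, duration=30),
    Event(100, "10.0.0.8", "10.0.0.20", 41001, 445),  # 100 s after its first contact: TIME_OUT
]

if __name__ == "__main__":
    for alarm in correlate(EVENTS):
        print(alarm)
```

The pair 10.0.0.7 to 10.0.0.20 climbs 1, 3, 6, 10 because every step lands inside the 60-second window; the pair 10.0.0.8 to 10.0.0.20 produces two reliability-1 alarms and never escalates, purely because of the gap between its events. That is the timer dependence the slide warns about, and it is what the fuzzy correlator on the following slides wants to move beyond.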
  • 44-46. Fuzzy Correlator revisited: Objectives (26/28)
     Going beyond the sequential arrival of packets
     Integrating different sensors:
       SNORT
       Anomaly detection: abnormal connection to an open port (firewall)
       Thresholds: high traffic at nights or weekends, ...
       Neural-IDS
       Other
     Defining rules according to the Security Manager's experience
  • 47-50. Conclusions and open questions (27/28)
     AI techniques are: Flexible; Suitable for pattern recognition; Powerful (Neural-IDS); Easy to design (human language)
     But there is still a lot of work to do...
     We need more time. We need more people: students, security experts (working group?). And of course... some money to pay for it
  • 51. And that's all folks... (28/28)