Date posted: 27-Dec-2014
Category: Technology
Uploaded by: conferencias-fist
Intrusion Detection System with Artificial Intelligence
Mario Castro Ponce
Universidad Pontificia Comillas de Madrid
FIST Conference - June 2004 edition
Sponsored by: MLP Private Finance
IDS with AI [email protected] FIST Conference - june 2004 edition– 1/28
Aim of the talk
1. Showing you a different approach to Intrusion Detection based on Artificial Intelligence
2. Contacting experts in the field to exchange ideas and maybe creating a (pioneer!!!!) working group
Sketch of the talk
What is an IDS?
Architecture of a Vulnerability Detector
Why use A.I.?
Neurons and other animals
Neural-IDS
Fuzzy-Correlator
Conclusions
What is an IDS?
Any hardware, software, or combination thereof that monitors a system or network of systems for malicious activity
Main functions:
  - Dissuade
  - Prevent
  - Document
Two kinds of IDS:
  - Host based
  - Network based
Architecture of a Vulnerability Detector
Example: OSSIM
Why use AI?
The system manager's nightmare: false positives.
Then? A.I. for three main reasons:
  - Flexibility (vs threshold definition)
  - Adaptability (vs specific rules)
  - Pattern recognition (and detection of new patterns)
Moreover:
  - Fast computing (faster than humans, actually)
  - Learning abilities
Neurons and other animals
AI tools: Neural Networks, Fuzzy Logic, Other...
Artificial Neural networks
A change of paradigm in computer science:
many simple processors, each with a simple task to do, instead of one (or a few) powerful, versatile processors
Neurons and artificial neurons
Main types of ANN
  - Multilayer perceptrons (figure: input layer, hidden layer, output layer)
  - Self-organized maps
  - Radial basis neural networks
  - Other
Neural IDS
Designed for DoS and port scan attacks
IDS based on a multilayer perceptron
Designing the tool (figure: a cycle with feed-back between the stages):
  Analysis -> Topology -> Learning & validation -> Quantification
First scenario: Port scan
Pouring rain analogy (figure: packets from the same source IP falling over the port numbers 80, 25, 23, 22, 21)
Second scenario: Denial of Service
Pouring rain analogy (figure: packets from the same source IP falling over the port numbers 80, 25, 23, 22, 21)
Measures
Visually the difference between them is clear... but quantitatively?
Measures borrowed from Physics:
  - Statistical Mechanics: Order = Low Entropy, Disorder = High Entropy
  - Solid State Physics (electronics): atoms in an INSULATOR versus atoms in a CONDUCTOR
    (Figures: the port-scan picture, packets from the same source IP spread over port numbers 80, 25, 23, 22, 21, is labelled CONDUCTOR / Disorder = High Entropy; the denial-of-service picture is labelled INSULATOR / Order = Low Entropy)
Traffic parameters:
  - Packets per second
  - Fraction of total packets to a port
  - Inverse of the total number of packets
All measures are evaluated within a time window. Parallel time windows: e.g., 15 sec, 30 sec, 5 minutes, 30 minutes.
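The measures above can be computed directly from packet records. The following Python is an added example written for this page, not code from the talk or from OSSIM: it evaluates the three traffic parameters from the slide plus the two physics-inspired measures (Shannon entropy of the destination-port distribution for the statistical-mechanics view, and the inverse participation ratio, IPR, for the solid-state view) over the parallel time windows the slide names. The packet samples, IP addresses and function names are constructed for the illustration.

```python
import math
from collections import Counter

# Constructed packet records (timestamp in seconds, source IP, destination port).
# Hypothetical sample traffic, not data from the talk.
def port_scan_sample():
    """One source touching 20 different ports once each within 10 seconds."""
    return [(i * 0.5, "10.0.0.5", 20 + i) for i in range(20)]

def dos_sample():
    """One source sending 200 packets to port 80 within 10 seconds."""
    return [(i * 0.05, "10.0.0.9", 80) for i in range(200)]

def quiet_sample():
    """A handful of ordinary packets to two ports."""
    return [(0.0, "10.0.0.7", 80), (3.0, "10.0.0.7", 443), (7.0, "10.0.0.7", 80)]

def in_window(packets, now, width):
    """Packets whose timestamp falls in the half-open window (now - width, now]."""
    return [p for p in packets if now - width < p[0] <= now]

def measures(packets, now, width, port=80):
    """The slide's traffic parameters plus the two physics measures, over one window."""
    window = in_window(packets, now, width)
    n = len(window)
    if n == 0:
        # nothing seen: every measure is reported as 0.0 (1/n is undefined here)
        return {"entropy": 0.0, "ipr": 0.0, "packets_per_sec": 0.0,
                "fraction_to_port": 0.0, "inverse_packets": 0.0}
    counts = Counter(dst_port for _, _, dst_port in window)
    probs = [c / n for c in counts.values()]   # share of the traffic per destination port
    # Statistical-mechanics view: Shannon entropy of the port distribution, in bits.
    # All traffic on one port -> 0 (order, DoS); spread over k ports -> log2(k) (disorder, scan).
    entropy = -sum(p * math.log2(p) for p in probs)
    # Solid-state view: inverse participation ratio, the sum of p^2.
    # 1.0 when one port takes everything ("insulator"), 1/k when spread over k ports ("conductor").
    ipr = sum(p * p for p in probs)
    return {
        "entropy": entropy,
        "ipr": ipr,
        "packets_per_sec": n / width,
        "fraction_to_port": counts.get(port, 0) / n,
        "inverse_packets": 1.0 / n,
    }

WINDOWS = (15, 30, 300, 1800)   # the slide's parallel windows: 15 s, 30 s, 5 min, 30 min

def parallel_measures(packets, now, widths=WINDOWS):
    """Evaluate the measures in several windows at once, keyed by window width in seconds."""
    return {w: measures(packets, now, w) for w in widths}

if __name__ == "__main__":
    for name, sample in (("port scan", port_scan_sample()),
                         ("denial of service", dos_sample()),
                         ("quiet", quiet_sample())):
        m = measures(sample, now=10.0, width=15)
        print(f"{name:18s} entropy={m['entropy']:.2f} bits  ipr={m['ipr']:.3f}  "
              f"pkts/s={m['packets_per_sec']:.2f}  frac(80)={m['fraction_to_port']:.2f}")
```

On the constructed samples the scan shows high entropy and a small IPR, the flood shows zero entropy and IPR 1.0, which is exactly the conductor/insulator contrast of the slide; the same five numbers, one set per window, are what the neural detector's input layer receives.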
Topology
(Figure: network topology)
Inputs: ENTROPY, IPR, PACKETS/SEC, FRACTION OF PACKETS, 1/PACKETS
Outputs: NONE, DENIAL OF SERVICE, PORT SCAN
Learning and testing
Table: TYPE OF ATTACK / LEARNING PATTERNS / RATE OF SUCCESS (the rate column did not survive extraction in row order)
  Sequential scan: 50 patterns; 20 patterns
  Random scan:     50 patterns; 20 patterns
  DoS:             50 patterns; 20 patterns
  All:             50 patterns; 20 patterns
  Rates of success recovered from the slide: 100 %, 100 %, 100 %, 100 %, 80 %, 70 %, 60 %, 65 %
Best choice: Specialized neural detectors
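To show how the topology and the learning and validation stages fit together, here is an added example written for this page, not the talk's Neural-IDS code: a multilayer perceptron with the five inputs and three outputs of the topology slide, trained by back-propagation on a few constructed, pre-normalised patterns, with a rate-of-success function in the spirit of the table above. The network size (6 hidden units), learning rate, number of epochs and the patterns themselves are assumptions.

```python
import math
import random

# Topology from the talk: five inputs, one hidden layer, three outputs.
INPUTS = ["entropy", "ipr", "packets/sec", "fraction of packets", "1/packets"]
OUTPUTS = ["none", "denial of service", "port scan"]

# Constructed training patterns (hypothetical, not the talk's data): every input is
# already scaled to [0, 1]; the label is the index into OUTPUTS.
PATTERNS = [
    ([0.30, 0.55, 0.05, 0.60, 0.90], 0),   # quiet traffic: few packets, a couple of ports
    ([0.25, 0.60, 0.08, 0.50, 0.80], 0),
    ([0.00, 1.00, 0.95, 1.00, 0.01], 1),   # DoS: one port takes everything, very high rate
    ([0.02, 0.97, 0.85, 0.98, 0.02], 1),
    ([0.95, 0.05, 0.30, 0.02, 0.10], 2),   # port scan: traffic spread over many ports
    ([0.90, 0.08, 0.25, 0.05, 0.12], 2),
]

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

class Perceptron:
    """Multilayer perceptron with one hidden layer, trained by plain back-propagation."""

    def __init__(self, n_in, n_hidden, n_out, seed=0):
        rng = random.Random(seed)                 # fixed seed keeps the run reproducible
        # one extra weight per neuron is the bias (its input is fixed at 1.0)
        self.w_hidden = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w_out = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)] for _ in range(n_out)]

    def forward(self, x):
        """Return (hidden activations, output activations) for one input vector."""
        xb = list(x) + [1.0]
        hidden = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.w_hidden]
        hb = hidden + [1.0]
        out = [sigmoid(sum(w * v for w, v in zip(row, hb))) for row in self.w_out]
        return hidden, out

    def train(self, patterns, epochs=2000, rate=0.5):
        """Online gradient descent on squared error (the 'learning' stage of the talk)."""
        for _ in range(epochs):
            for x, label in patterns:
                target = [1.0 if k == label else 0.0 for k in range(len(self.w_out))]
                hidden, out = self.forward(x)
                # error signal at each output: (o - t) times the sigmoid derivative o(1 - o)
                d_out = [(o - t) * o * (1.0 - o) for o, t in zip(out, target)]
                # back-propagate through the output weights before they are updated
                d_hidden = [h * (1.0 - h) * sum(d_out[k] * self.w_out[k][j] for k in range(len(d_out)))
                            for j, h in enumerate(hidden)]
                hb = hidden + [1.0]
                for k, row in enumerate(self.w_out):
                    for j in range(len(row)):
                        row[j] -= rate * d_out[k] * hb[j]
                xb = list(x) + [1.0]
                for j, row in enumerate(self.w_hidden):
                    for i in range(len(row)):
                        row[i] -= rate * d_hidden[j] * xb[i]

    def squared_error(self, patterns):
        total = 0.0
        for x, label in patterns:
            _, out = self.forward(x)
            total += sum((o - (1.0 if k == label else 0.0)) ** 2 for k, o in enumerate(out))
        return total

    def classify(self, x):
        _, out = self.forward(x)
        return OUTPUTS[max(range(len(out)), key=out.__getitem__)]

def rate_of_success(net, patterns):
    """Fraction of patterns classified correctly (the 'validation' stage of the talk)."""
    hits = sum(1 for x, label in patterns if net.classify(x) == OUTPUTS[label])
    return hits / len(patterns)

def train_detector(patterns=PATTERNS, seed=0):
    """Build and train a 5-6-3 detector; returns (network, error before, error after)."""
    net = Perceptron(len(INPUTS), 6, len(OUTPUTS), seed=seed)
    before = net.squared_error(patterns)
    net.train(patterns)
    return net, before, net.squared_error(patterns)

if __name__ == "__main__":
    net, before, after = train_detector()
    print(f"squared error {before:.3f} -> {after:.4f}, "
          f"rate of success {rate_of_success(net, PATTERNS):.0%}")
    # a constructed pattern that was not in the training set
    print("unseen pattern ->", net.classify([0.01, 0.99, 0.90, 0.99, 0.01]))
```

The slide's "specialized neural detectors" conclusion maps onto this code as training one Perceptron per attack type with a two-unit output layer rather than one network with all three outputs; the rate_of_success function is the same in either case.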
Fuzzy Logic
Imitates human perception: approximate reasoning
Example: air cooler
  Classical rules:
    IF Temperature > 25 THEN Switch-on
    IF Temperature < 21 THEN Switch-off
    ...
  Fuzzy rules:
    IF Temperature is high THEN Switch-on
    IF Temperature is too low THEN Switch-off
    ...
  More sophisticated fuzzy rules:
    IF Temperature is moderate AND my wife is very pregnant THEN Switch-on
    ...
Term sets and grade of membership
Thresholds:
  More than 3000 packets/sec ⇒ Possible DoS
  More than 5000 packets/sec ⇒ DoS!
Term sets:
  (Figure: membership function of the term 'low' for the input variable VOLUME OF TRAFFIC, grade of membership from 0 to 1 over 0, 1000, 2000 packets/sec)
Fuzzy correlator: Preliminary work
Aim of the research:
Use the flexibility and human-language features of Fuzzy Logic and include them in the OSSIM Correlation Engine
Status: preliminary definitions and procedures.
More on term sets
Input variable: Volume of traffic
(Figure: term sets very low, low, normal, high, very high over 1000, 2000, 3000, 4000, 5000 packets/sec; grade of membership from 0 to 1)
More on term sets (II)
Input variable: Number of visited ports
(Figure: term sets very low, low, normal, high, very high over 2, 4, 6, 8, 10 visited ports; grade of membership from 0 to 1)
More on term sets (III)
Output variable: DoS Attack?
(Figure: term sets improbable, maybe, almost sure over the output axis 0, 0.5, 1; grade of membership from 0 to 1)
Rules (example):
  IF traffic is high AND number of destination ports is low THEN DoS
Evaluating the rules gives the required answer:
  'DoS Attack?': almost sure
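The term sets and the example rule can be made concrete in a few lines of fuzzy logic. This is an added example written for this page, not the fuzzy correlator described in the talk: the membership functions are assumed to be triangles (with shoulders at the two ends) centred on the tick marks of the figures, the rule base holds the slide's rule plus extra rules assumed here to cover the rest of the input space, and defuzzification is a strength-weighted average of the output terms' representative values. The crisp thresholds from the 'Term sets and grade of membership' slide are included for comparison.

```python
# Membership functions assumed triangular/shoulder-shaped around the slide's tick marks.
def triangle(x, a, b, c):
    """Membership rising from 0 at a to 1 at b, falling back to 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

def left_shoulder(x, b, c):
    """Full membership up to b, falling to 0 at c (the lowest term of a set)."""
    if x <= b:
        return 1.0
    return 0.0 if x >= c else (c - x) / (c - b)

def right_shoulder(x, a, b):
    """Rising from 0 at a to full membership at b and beyond (the highest term)."""
    if x >= b:
        return 1.0
    return 0.0 if x <= a else (x - a) / (b - a)

# Input variable 'volume of traffic' (packets/sec), terms over 1000 ... 5000
TRAFFIC = {
    "very low":  lambda x: left_shoulder(x, 1000, 2000),
    "low":       lambda x: triangle(x, 1000, 2000, 3000),
    "normal":    lambda x: triangle(x, 2000, 3000, 4000),
    "high":      lambda x: triangle(x, 3000, 4000, 5000),
    "very high": lambda x: right_shoulder(x, 4000, 5000),
}
# Input variable 'number of visited ports', terms over 2 ... 10
PORTS = {
    "very low":  lambda x: left_shoulder(x, 2, 4),
    "low":       lambda x: triangle(x, 2, 4, 6),
    "normal":    lambda x: triangle(x, 4, 6, 8),
    "high":      lambda x: triangle(x, 6, 8, 10),
    "very high": lambda x: right_shoulder(x, 8, 10),
}
# Output variable 'DoS attack?': representative value of each term on the 0..1 axis
DOS_OUTPUT = {"improbable": 0.0, "maybe": 0.5, "almost sure": 1.0}

# Rule base as (traffic term, ports term or None, output term). The first rule is the
# slide's; the others are assumptions added to cover the rest of the input space.
RULES = [
    ("high", "low", "almost sure"),
    ("very high", "very low", "almost sure"),
    ("very high", "low", "almost sure"),
    ("high", "very low", "almost sure"),
    ("normal", None, "maybe"),
    ("low", None, "improbable"),
    ("very low", None, "improbable"),
]

def evaluate(traffic, ports):
    """Fuzzify both inputs, fire every rule (AND = min, same conclusion = max) and
    return (strength of each output term, crisp score in [0, 1], strongest term)."""
    strength = {term: 0.0 for term in DOS_OUTPUT}
    for t_term, p_term, out_term in RULES:
        s = TRAFFIC[t_term](traffic)
        if p_term is not None:
            s = min(s, PORTS[p_term](ports))
        strength[out_term] = max(strength[out_term], s)
    total = sum(strength.values())
    # height defuzzification: strength-weighted average of the representative values
    score = sum(DOS_OUTPUT[t] * s for t, s in strength.items()) / total if total else 0.0
    return strength, score, max(strength, key=strength.get)

def crisp_threshold(traffic):
    """The slide's threshold rules, for comparison: one extra packet flips the verdict."""
    if traffic > 5000:
        return "DoS!"
    if traffic > 3000:
        return "Possible DoS"
    return "nothing"

if __name__ == "__main__":
    for traffic, ports in ((4000, 4), (3500, 5), (1500, 8)):
        strength, score, term = evaluate(traffic, ports)
        print(f"traffic={traffic} ports={ports}: 'DoS Attack?' {term} (score {score:.2f}), "
              f"crisp rule says {crisp_threshold(traffic)}")
```

With 4000 packets/sec to 4 ports the slide's rule fires fully and the answer is 'almost sure'; at 3500 packets/sec and 5 ports the rule fires at 0.5 together with the 'normal' rule, giving a graded score of 0.75 instead of the step from 'nothing' to 'Possible DoS' that the crisp thresholds produce at 3001 packets/sec.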
OSSIM Correlation Engine
Characteristics:
  - Depends strongly on timers
  - All the variants of an attack must be coded
  - Cannot detect new attacks
  - Complex syntax
Sample scenario: NETBIOS DCERPC ISystemActivator
(Figure: the directive as a chain of four rules, each with a TIME_OUT branch taken if the next rule is not satisfied in time)
IF destination_ports = 135,445 THEN Generate Alarm with Reliability 1 and wait 60 seconds for next rule
AND IF DEST_IP and SRC_IP talk again THEN Alarm, Reliability 3 and wait 60 seconds for next rule
AND IF DEST_PORT and SRC_PORT talk again AND plugin_sid=2123 (CMD.EXE) THEN Alarm, Reliability 6 and wait 60 seconds for next rule
AND FINALLY IF plugin_id=2002 and connection lasts more than 10 THEN Alarm with Reliability 10
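The directive above is essentially a timed state machine. The following is an added example written for this page, not OSSIM's correlation engine or its directive syntax: it encodes the four rules with their reliabilities and 60-second waits, runs them over a constructed event trace and records the TIME_OUT branches. The Event field names, the sample IP addresses, ports and timestamps are assumptions, as is reading "more than 10" as seconds; plugin_id 2002 and plugin_sid 2123 are the values quoted on the slide. The trace also contains a variant whose third step carries a signature the directive does not know, which is the "all the variants of an attack must be coded" point from the 'OSSIM Correlation Engine' slide in miniature.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: float               # seconds since the start of the trace
    src_ip: str
    dst_ip: str
    dst_port: int
    plugin_id: int = 0     # sensor that produced the event
    plugin_sid: int = 0    # sensor-specific signature id
    duration: float = 0.0  # connection duration in seconds, when the sensor reports it

WAIT = 60.0   # each rule waits 60 seconds for the next one, as in the slide

# Rule levels as (reliability, test). Each test sees the event that opened the chain
# and the new event.
def rule_1(first, ev):
    return ev.dst_port in (135, 445)

def rule_2(first, ev):
    return ev.src_ip == first.src_ip and ev.dst_ip == first.dst_ip

def rule_3(first, ev):
    return rule_2(first, ev) and ev.dst_port == first.dst_port and ev.plugin_sid == 2123  # CMD.EXE

def rule_4(first, ev):
    return rule_2(first, ev) and ev.plugin_id == 2002 and ev.duration > 10

LEVELS = [(1, rule_1), (3, rule_2), (6, rule_3), (10, rule_4)]

def correlate(events):
    """Run one directive instance over an event list.
    Returns (alarms, timeouts): alarms are (time, reliability); timeouts are
    (time the timer expired, level reached), i.e. the TIME_OUT branches of the slide."""
    alarms, timeouts = [], []
    first, level, deadline = None, 0, None
    for ev in sorted(events, key=lambda e: e.t):
        if first is not None and ev.t > deadline:
            timeouts.append((deadline, level))        # the next rule did not arrive in time
            first, level, deadline = None, 0, None
        if first is None:
            if rule_1(None, ev):                      # rule 1 only looks at the new event
                first, level, deadline = ev, 1, ev.t + WAIT
                alarms.append((ev.t, LEVELS[0][0]))
            continue
        reliability, test = LEVELS[level]
        if test(first, ev):
            level += 1
            alarms.append((ev.t, reliability))
            deadline = ev.t + WAIT
            if level == len(LEVELS):                  # chain complete, directive resets
                first, level, deadline = None, 0, None
    return alarms, timeouts

# Constructed trace (hypothetical addresses and times, not data from the talk).
TRACE = [
    # (a) the full chain: connection to 445, the pair talks again, CMD.EXE signature, long connection
    Event(t=0,    src_ip="192.0.2.10", dst_ip="198.51.100.5", dst_port=445),
    Event(t=20,   src_ip="192.0.2.10", dst_ip="198.51.100.5", dst_port=445),
    Event(t=50,   src_ip="192.0.2.10", dst_ip="198.51.100.5", dst_port=445, plugin_sid=2123),
    Event(t=70,   src_ip="192.0.2.10", dst_ip="198.51.100.5", dst_port=4444, plugin_id=2002, duration=30),
    # (b) a chain that stalls: the pair does not talk again within 60 s, so the timer expires
    Event(t=500,  src_ip="192.0.2.20", dst_ip="198.51.100.5", dst_port=135),
    Event(t=700,  src_ip="192.0.2.20", dst_ip="198.51.100.5", dst_port=139),
    # (c) an uncoded variant: the third step carries a signature the directive does not know
    Event(t=1000, src_ip="192.0.2.30", dst_ip="198.51.100.5", dst_port=445),
    Event(t=1010, src_ip="192.0.2.30", dst_ip="198.51.100.5", dst_port=445),
    Event(t=1020, src_ip="192.0.2.30", dst_ip="198.51.100.5", dst_port=445, plugin_sid=2124),
    Event(t=1100, src_ip="192.0.2.40", dst_ip="198.51.100.9", dst_port=22),
]

if __name__ == "__main__":
    alarms, timeouts = correlate(TRACE)
    print("alarms (time, reliability):", alarms)
    print("timeouts (expired at, level reached):", timeouts)
```

Chain (a) climbs to reliability 10; chain (b) stops at reliability 1 and times out at 560 s; chain (c) reaches reliability 3 and then times out because its third step is not in the directive. That last outcome is the point of the slide: a correlator of this kind only sees what has been written into it, which is the gap the fuzzy correlator and the Neural-IDS are meant to narrow.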
Fuzzy Correlator revisited: Objectives
Going beyond the sequential arrival of packets
Integrating different sensors:
  - SNORT
  - Anomaly detection: abnormal connection to an open port (firewall), thresholds, high traffic at nights or weekends, ...
  - Neural-IDS
  - Other
Defining rules according to the Security Manager's experience
Conclusions and open questions
AI techniques are:
  - Flexible
  - Suitable for pattern recognition
  - Powerful (Neural-IDS)
  - Easy to design (human language)
But there is still a lot of work to do...
  - We need more time
  - We need more people: students, security experts (working group?)
  - And of course... some money to pay for it