Heather Ames
Chuan-Heng Chsiao
Chaitanya Sai Gaddam
Feb 21, 2006
CN710: Network Intrusion Detection
Intrusion detection systems (IDS) can be classified into two main categories: misuse-based systems and anomaly-based systems. Misuse-based IDS look for signatures of previously known attacks and consequently cannot detect novel attacks. Anomaly-based systems are trained to learn the normal behavior of a system and signal any deviation from it that exceeds a certain threshold. The price of that flexibility is a higher false-positive rate, since unusual but benign behavior also deviates from the learned normal.
Host-based IDS look at system data (logs, system calls, file changes) and reside on each computer in a network. Network-based IDS are usually installed on one computer at a choke point of the network, such as the host that gates Internet connections, and mainly look at the data in packets.
Intrusion detection can be cast as a machine learning problem where the task is to learn to distinguish between harmless behavior (data) and potentially malicious behavior (data). Design issues commonly associated with machine learning tasks (preprocessing of data, choosing the initial input feature set, metrics for similarity of data points, and network parameters) need to be addressed.
Preprocessing: wavelets
Network traffic has been observed to be self-similar in nature (its burstiness looks alike across time scales), which makes it a natural candidate for wavelet preprocessing. Self-similarity is considered to be attenuated under abnormal conditions, so detecting abnormal behavior can be reduced to detecting outliers in the sequences of wavelet coefficients.
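As an added example (not code from the original notes), the following Python implements the idea just described at its simplest: a multi-level Haar wavelet decomposition of a series of per-second packet counts, followed by a robust (median/MAD) outlier test on the detail coefficients at each scale. The sample series is constructed, not captured traffic; the MAD-based threshold and the choice of the Haar basis are this example's assumptions, not the notes'.

```python
"""Haar wavelet decomposition of a packet-count series, with outlier
detection on the detail coefficients.

Added example, not from the original notes. Pure Python; the sample
series below is constructed, not captured traffic.
"""
from statistics import median


def haar_dwt(series, levels):
    """Multi-level Haar DWT.

    Returns (details, approximation): details[k] holds the level-(k+1)
    detail coefficients (level 1 = finest scale), and approximation is
    the remaining smooth part. len(series) must be divisible by 2**levels.
    """
    if len(series) % (2 ** levels):
        raise ValueError("series length must be divisible by 2**levels")
    approx = [float(x) for x in series]
    details = []
    for _ in range(levels):
        new_approx, detail = [], []
        for a, b in zip(approx[0::2], approx[1::2]):
            new_approx.append((a + b) / 2.0)  # local average: smooth part
            detail.append((a - b) / 2.0)      # local difference: detail part
        details.append(detail)
        approx = new_approx
    return details, approx


def mad_outliers(coeffs, k=5.0):
    """Indices of coefficients farther than k robust standard deviations
    from the median. The median absolute deviation (MAD) is the scale
    estimate, so the outliers do not inflate their own threshold.
    """
    med = median(coeffs)
    mad = median([abs(c - med) for c in coeffs])
    if mad == 0:                      # degenerate (e.g. constant) level
        return []
    scale = 1.4826 * mad              # MAD -> sigma for Gaussian noise
    return [i for i, c in enumerate(coeffs) if abs(c - med) > k * scale]


def flag_windows(series, levels=3, k=5.0):
    """Map outlying detail coefficients at every level back to the index
    range [start, end) of the original series they cover.
    Returns a list of (level, start, end) tuples.
    """
    details, _ = haar_dwt(series, levels)
    flagged = []
    for level, coeffs in enumerate(details, start=1):
        span = 2 ** level                 # samples covered by one coefficient
        for i in mad_outliers(coeffs, k):
            flagged.append((level, i * span, (i + 1) * span))
    return flagged


# Constructed sample: 64 one-second bins of packet counts. The baseline is
# 20 plus a small period-7 jitter (i*i mod 7); bins 41-44 carry a sudden
# burst of the kind a flood would produce.
SAMPLE = [20 + (i * i) % 7 for i in range(64)]
for _i in range(41, 45):
    SAMPLE[_i] += 400

if __name__ == "__main__":
    for level, start, end in flag_windows(SAMPLE):
        print(f"level {level}: bins {start}-{end - 1} deviate from baseline")
```

The burst shows up at every scale: the level-1 coefficients flag its two edges (bins 40-41 and 44-45), level 2 flags the two 4-bin windows around it, and level 3 flags the single 8-bin window that contains it, while the jittery baseline produces nothing. On real traffic the baseline is far less tidy, so the threshold k and the number of levels have to be tuned against a clean training window rather than taken from this example.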
Network Design Choices
Researchers have used Fuzzy ARTMAP on this problem. Assigning pre-defined class labels to the ARTB side makes the network a misuse-based system. An anomaly-based detection system can be created by feeding unsupervised feedback from the monitored system as the input to the ARTB layer; the problem then becomes one of predicting this diagnostic feedback, which can lead to the detection of novel anomalies. A dynamic vigilance parameter, tied to the feedback, is used to prevent proliferation of F2 nodes (categories).
In using support vector machines to tackle the problem, researchers have used multiple categories (one per attack type) along with the usual binary case of normal/anomalous behavior.
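To make the vigilance/F2-node trade-off concrete, here is an added example (not code from the notes or from the Fuzzy ARTMAP work they cite) of the unsupervised Fuzzy ART module on its own, with complement coding and a fixed vigilance; the notes' dynamic, feedback-driven vigilance is not implemented. Used as an anomaly detector, an input that fails the vigilance test against every committed node is the "novel" signal. The feature vectors are constructed, not real connection records.

```python
"""Fuzzy ART with complement coding, used as an anomaly detector.

Added example, not code from the original notes or from the Fuzzy ARTMAP
work they cite: this is the unsupervised Fuzzy ART module on its own, with
a fixed vigilance (the notes' dynamic, feedback-driven vigilance is not
implemented). Feature vectors are constructed, not real connection records.
"""


class FuzzyART:
    def __init__(self, vigilance=0.8, choice=0.001, learning_rate=1.0):
        self.rho = vigilance          # match threshold in (0, 1]
        self.alpha = choice           # small constant in the choice function
        self.beta = learning_rate     # 1.0 = fast learning
        self.weights = []             # one weight vector per F2 node (category)

    @staticmethod
    def _code(x):
        """Complement coding (x, 1 - x): keeps |I| constant (= len(x)),
        which is what makes the vigilance test well behaved."""
        if any(not 0.0 <= v <= 1.0 for v in x):
            raise ValueError("features must be normalised to [0, 1]")
        return list(x) + [1.0 - v for v in x]

    @staticmethod
    def _fuzzy_and(a, b):
        return [min(u, v) for u, v in zip(a, b)]

    def _search(self, coded):
        """Index of the first F2 node, in order of choice value, that passes
        the vigilance test; None if every node is reset."""
        norm_i = sum(coded)
        scores = []
        for j, w in enumerate(self.weights):
            overlap = sum(self._fuzzy_and(coded, w))
            scores.append((overlap / (self.alpha + sum(w)), overlap, j))
        for _choice, overlap, j in sorted(scores, reverse=True):
            if overlap / norm_i >= self.rho:      # resonance
                return j
        return None

    def learn(self, x):
        """Present one input; adapt the winning node or commit a new one.
        Returns the index of the category used."""
        coded = self._code(x)
        j = self._search(coded)
        if j is None:
            self.weights.append(coded)             # new F2 node
            return len(self.weights) - 1
        w = self.weights[j]
        blended = self._fuzzy_and(coded, w)
        self.weights[j] = [self.beta * m + (1 - self.beta) * o
                           for m, o in zip(blended, w)]
        return j

    def classify(self, x):
        """Category index for a known pattern, or None when no committed
        node resonates: the anomaly signal of an anomaly-based IDS."""
        return self._search(self._code(x))

    def n_categories(self):
        return len(self.weights)


# Constructed "normal" connection profiles: (normalised bytes, normalised
# duration). Two small clusters, one near (0.1, 0.2) and one near (0.85, 0.9).
NORMAL = [(0.1, 0.2), (0.15, 0.25), (0.8, 0.9), (0.85, 0.85)]

if __name__ == "__main__":
    for rho in (0.8, 0.97):
        art = FuzzyART(vigilance=rho)
        for x in NORMAL:
            art.learn(x)
        print(f"vigilance {rho}: {art.n_categories()} F2 nodes")
    art = FuzzyART(vigilance=0.8)
    for x in NORMAL:
        art.learn(x)
    print("(0.15, 0.25) ->", art.classify((0.15, 0.25)))   # known cluster
    print("(0.5, 0.1)  ->", art.classify((0.5, 0.1)))      # None: novel
```

With vigilance 0.8 the four training records collapse into two F2 nodes and the off-cluster input (0.5, 0.1) resonates with neither, so it is reported as novel; raising vigilance to 0.97 commits a node for every record, which is exactly the proliferation the notes' dynamic vigilance is meant to damp.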
Artificial Immune Systems (AIS)
Artificial immune systems adopt the metaphor of vertebrate immune systems in detecting foreign elements. The computational procedure is divided into three parts: negative selection (the behavior that is normal or intrinsic to the system, its "self", is learnt, and any candidate detector that matches self is discarded so that the survivors recognize only non-self), clonal selection (detectors good at detecting anomalies are allowed to proliferate and mutate), and immune network formation (detectors form suppressive networks to prevent too many false positives).
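The negative selection step in code, as an added example that is not part of the original notes: detectors are bit strings compared under the r-contiguous-bits rule, candidates that match any "self" string are censored, and a monitored string that matches a surviving detector is reported as non-self. The self set and the string length are constructed for illustration; the exhaustive candidate enumeration is only practical at this toy size, and the random-sampling path is what a real deployment would use.

```python
"""Negative selection over bit strings, the detector-generation step of an
artificial immune system.

Added example, not from the original notes. Detectors are bit strings that
match under the r-contiguous-bits rule; any candidate that matches a
"self" string is discarded, so the survivors recognise only non-self.
The self set is constructed, not real system data.
"""
import random
from itertools import product


def r_contiguous_match(a, b, r):
    """True when a and b agree on at least r consecutive bits at the same
    positions (the matching rule of Forrest et al.'s negative selection)."""
    if len(a) != len(b):
        raise ValueError("strings must have equal length")
    return any(a[i:i + r] == b[i:i + r] for i in range(len(a) - r + 1))


def matches_any(candidate, strings, r):
    return any(r_contiguous_match(candidate, s, r) for s in strings)


def generate_detectors(self_set, length, r, max_detectors=None, rng=None):
    """Censoring phase: draw candidate detectors and keep those that match
    no self string. With rng=None every string of the given length is tried
    in order (feasible only for toy sizes); with a random.Random, candidates
    are sampled until max_detectors survive."""
    if rng is None:
        candidates = ("".join(bits) for bits in product("01", repeat=length))
    else:
        if max_detectors is None:
            raise ValueError("random sampling needs max_detectors")
        candidates = iter(
            lambda: "".join(rng.choice("01") for _ in range(length)), None)
    detectors = []
    for cand in candidates:
        if not matches_any(cand, self_set, r):
            detectors.append(cand)
            if max_detectors is not None and len(detectors) >= max_detectors:
                break
    return detectors


def random_detectors(self_set, length, r, n, seed):
    """Convenience wrapper: n randomly sampled detectors from a fixed seed."""
    return generate_detectors(self_set, length, r, n, random.Random(seed))


def is_nonself(sample, detectors, r):
    """Monitoring phase: a sample that matches any detector is non-self."""
    return matches_any(sample, detectors, r)


# Constructed self set: four 8-bit "normal" patterns (think of short windows
# of system-call or TCP-flag sequences encoded as bits).
SELF = ["00110011", "01010101", "00001100", "11000011"]
R = 4

if __name__ == "__main__":
    dets = generate_detectors(SELF, length=8, r=R)
    print(f"{len(dets)} detectors survive censoring")
    for s in SELF + ["11111111", "10000100"]:
        print(s, "non-self" if is_nonself(s, dets, R) else "self")
```

Two properties hold by construction and are worth checking in any implementation: no self string is ever flagged (a false positive here means the censoring is broken), and a non-self string that shares no r-bit window with any self string is always caught because it survives censoring as its own detector. Non-self strings that do share windows with self may or may not be covered; those "holes" are the reason the number of detectors and the choice of r matter.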
Discussion Questions
What kind of data is likely to be most informative?
Is self-similarity a good characterization of the data?
What effect does c-index (paucity of attack data) have?
Is AIS really a new paradigm? What are the radical departures from normal computation?
deCastro and Timmis (2002) Comparative Analysis of AIS and ANN

Component
  AIS: Attribute string, s (information storage and processing), represented in an appropriate shape-space; might correspond to an immune cell or molecule
  ANN: Neuron (processing element) composed of an activation function, summing junction, connection strengths, and activation threshold

Location of the components
  AIS: Located according to the environmental stimuli
  ANN: Fixed, predetermined locations

Structure
  AIS: Usually follows the spatial distribution of the antigens represented in shape-space
  ANN: Pre-defined architectures and weights biased by the environment

Memory
  AIS: Content-addressable and distributed; carried in the attribute strength as well as connections
  ANN: Knowledge in connection strengths; self-associative or content-addressable and distributed

Adaptation
  AIS: Learning and evolution
  ANN: Learning

Plasticity and diversity
  AIS: Continuous insertion and elimination of the basic elements (cells/molecules) of the system
  ANN: Pruning and/or insertion of new connections, units, and layers in the network

Interaction with other components
  AIS: Match attribute strings by cell receptors; cells have weighted connections
  ANN: Interconnected neurons through connection strengths

Interaction with the environment
  AIS: Attribute string is compared with patterns in the environment; some or all of the components might be involved in pattern recognition
  ANN: Neurons receive input signals from the environment; the whole ANN might be used to recognize the pattern

Threshold
  AIS: Affinity threshold determines the degree of recognition between immune cells and the presented input pattern
  ANN: Threshold determines the neuron's activation

Robustness
  AIS: Highly flexible and noise tolerant; self-tolerant (learn to recognize themselves)
  ANN: Highly flexible and noise tolerant

State
  AIS: Concentration of immune cells and molecules and/or their affinities and connection strengths
  ANN: Activation level of the output neuron

Control
  AIS: Any immune principle or theory (e.g. clonal selection)
  ANN: Unsupervised, supervised, and reinforcement learning for training

Generalization capability
  AIS: Cross-reactivity allows recognition of similar patterns, and components can be multi-specific
  ANN: Good generalization provided training; satisfactory generalization by reducing the dimensions of parameter space and the size of the dimensions

Non-linearities
  AIS: Activation functions that define the degree of recognition between two components
  ANN: Activation functions of individual neurons
Some common intrusion terminology
Buffer overflow
What happens when a program writes more data into a buffer (holding area) than it can hold, so that adjacent memory is overwritten. This problem is commonly exploited by attackers to get arbitrary code executed by a program running with root permissions.
DoS attack
This abbreviation for Denial-of-Service attack is used to label attempts to make a service unavailable, for example by flooding its network links with large amounts of traffic or by exhausting the server's resources.
SYN attack
When a session is initiated between a Transmission Control Protocol (TCP) client and server, only a small buffer (the listen backlog) exists to hold connections that are in the middle of the usually rapid "handshaking" exchange of messages that sets up the session. The session-establishing packet carries the SYN flag and the client's initial sequence number; the server answers with SYN-ACK and waits for the client's final ACK. An attacker can send a large number of connection requests very rapidly (typically from spoofed source addresses) and never complete the handshake. Each half-open connection occupies a backlog slot until it times out, so legitimate connection requests can't be accommodated.
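The backlog exhaustion described above, modelled in Python as an added example (not part of the original notes): the class tracks only the server-side bookkeeping for half-open connections, not real sockets, and the attacker and client addresses are constructed.

```python
"""A model of the TCP listen backlog under a SYN flood.

Added example, not from the original notes: it simulates only the
bookkeeping a server does for half-open connections (SYN received, SYN-ACK
sent, final ACK pending), not real sockets. The traffic is constructed.
"""


class Listener:
    def __init__(self, backlog, syn_timeout):
        self.backlog = backlog            # max half-open connections held
        self.timeout = syn_timeout        # seconds a half-open entry lives
        self.half_open = {}               # (src_ip, src_port) -> expiry time
        self.established = set()
        self.dropped = 0

    def _expire(self, now):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]    # server gives up on the handshake

    def syn(self, src, now):
        """Client's SYN arrives. Returns True if a backlog slot was taken
        (SYN-ACK sent), False if the queue was full and the SYN was dropped."""
        self._expire(now)
        if src in self.half_open:
            return True                    # retransmitted SYN, same slot
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[src] = now + self.timeout
        return True

    def ack(self, src, now):
        """Client's final ACK completes the handshake."""
        self._expire(now)
        if src not in self.half_open:
            return False                   # no matching half-open connection
        del self.half_open[src]
        self.established.add(src)
        return True


def syn_flood_scenario(backlog=16, syn_timeout=30):
    """Attacker fills the backlog with SYNs from spoofed sources and never
    ACKs; a legitimate client is refused until the entries time out.
    Returns (legit_refused_during_flood, legit_connected_after_timeout)."""
    srv = Listener(backlog, syn_timeout)
    for i in range(backlog):                           # t = 0: the flood
        srv.syn((f"10.0.0.{i}", 40000 + i), now=0)    # constructed spoofed sources
    legit = ("192.0.2.7", 51515)
    refused = not srv.syn(legit, now=1)                # backlog is full
    accepted = srv.syn(legit, now=1 + syn_timeout)     # entries have expired
    connected = accepted and srv.ack(legit, now=2 + syn_timeout)
    return refused, connected


if __name__ == "__main__":
    print(syn_flood_scenario())
```

The model makes the two levers visible: a larger backlog or a shorter half-open timeout raises the SYN rate the attacker needs, but neither removes the problem, because the attacker's cost per SYN is far lower than the server's cost per slot. Modern stacks add SYN cookies, which encode the half-open state in the server's initial sequence number so that no backlog slot is consumed until the final ACK arrives.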
Teardrop attack
This type of denial-of-service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment carries an offset giving its position relative to the beginning of the original packet, which enables the receiving system to reassemble the whole packet. In the teardrop attack, the attacker sends a second or later fragment with a bogus offset that overlaps an earlier fragment; reassembly code that did not check for overlapping fragments crashed or hung. The fix is to discard fragment sets whose offsets overlap or fall outside the bounds of a datagram.
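A reassembler with the checks that teardrop-style fragments violate, as an added example that is not part of the original notes. Offsets are in bytes here for readability (real IPv4 headers carry them in 8-byte units), the identification value and fragment contents are constructed, and the policy of rejecting the whole set on any overlap is this example's choice; real stacks often tolerate exact duplicates from retransmission.

```python
"""IP fragment reassembly with the overlap and bounds checks that
teardrop-style fragments violate.

Added example, not from the original notes. Offsets are in bytes here
(real IPv4 headers carry them in 8-byte units); the fragments below are
constructed, not captured packets.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535          # largest IPv4 datagram (16-bit total length)


@dataclass(frozen=True)
class Fragment:
    ident: int                # IP identification field, shared by all pieces
    offset: int               # byte offset of this payload in the original datagram
    more: bool                # More Fragments flag; False only on the last piece
    payload: bytes


def validate(fragments):
    """Check one datagram's fragment set. Returns "ok" or the first problem
    found: "overlap" (teardrop), "gap", "oversize", "no-last", "bad-last"."""
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags:
        return "no-last"
    expected = 0
    for i, f in enumerate(frags):
        if f.offset < expected:
            return "overlap"                  # bogus offset inside an earlier piece
        if f.offset > expected:
            return "gap"                      # a piece is missing
        if f.offset + len(f.payload) > MAX_DATAGRAM:
            return "oversize"                 # would overrun the reassembly buffer
        is_last = i == len(frags) - 1
        if is_last and f.more:
            return "no-last"                  # the final piece never arrived
        if not is_last and not f.more:
            return "bad-last"                 # a middle piece claims to be last
        expected = f.offset + len(f.payload)
    return "ok"


def reassemble(fragments):
    """Return the reassembled payload, or None if validate() rejects the set."""
    if validate(fragments) != "ok":
        return None
    return b"".join(f.payload for f in sorted(fragments, key=lambda f: f.offset))


# Constructed fragment sets for one datagram (ident 0x1234).
GOOD = [
    Fragment(0x1234, 0, True, b"A" * 8),
    Fragment(0x1234, 8, True, b"B" * 8),
    Fragment(0x1234, 16, False, b"C" * 4),
]
# Teardrop-style: the second fragment's offset points inside the first one.
TEARDROP = [
    Fragment(0x1234, 0, True, b"A" * 8),
    Fragment(0x1234, 4, False, b"B" * 8),
]

if __name__ == "__main__":
    print(validate(GOOD), reassemble(GOOD))
    print(validate(TEARDROP), reassemble(TEARDROP))
```

The same validation belongs in a network IDS as a signature: a fragment whose offset is less than the end of the previous fragment of the same identification value is the observable fingerprint of a teardrop attempt, and it can be matched without reassembling anything.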