Heather Ames, Chuan-Heng Chsiao, Chaitanya Sai Gaddam
Feb 21, 2006
CN710: Network Intrusion Detection

Intrusion detection systems (IDS) can be classified into two main categories: misuse-based systems and anomaly-based systems. Misuse-based IDS look for signatures of previously known attacks and consequently cannot be of any use in detecting novel attacks. Anomaly-based systems are trained to learn the normal behavior of a system and signal any deviation from it (differing from the normal beyond a certain threshold). Host-based IDS look at system data and reside on each computer in a network. Network-based systems are usually installed on one computer on the network that gates internet connections, and mainly look at the data from packets.

Intrusion detection can be cast as a machine learning problem where the task is to learn to distinguish between harmless behavior (data) and potentially malicious behavior (data). Design issues commonly associated with machine learning tasks (preprocessing of data, choosing initial input feature sets, metrics for similarity of data points, and network parameters) need to be addressed.

Preprocessing: wavelets

Network traffic has been observed to be self-similar in nature, which means it is a natural candidate for wavelet preprocessing. Self-similarity is considered to be attenuated in abnormal conditions, so detecting abnormal behavior can be boiled down to detecting outliers in wavelet coefficient sequences.

Network Design Choices

Researchers have used Fuzzy ARTMAP on this problem. Assigning pre-defined class labels to the ARTB makes the network a misuse-based system. An anomaly-based detection system can be created by having unsupervised feedback from the system as input to the ARTB layer. The problem then becomes one of predicting this diagnostic feedback, which can lead to the detection of novel anomalies. A dynamic vigilance parameter, tied to the feedback, is used to prevent proliferation of F2 nodes.
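As an added example (not from the original notes), the outlier test sketched under "Preprocessing: wavelets" run on a constructed packets-per-second series: a Haar transform is applied level by level, and any detail coefficient more than three standard deviations from its level's mean is flagged. The series, the 3-sigma rule and the three decomposition levels are assumptions, not values from the notes.

```python
import math
from statistics import mean, pstdev


def haar_details(series, levels):
    """Haar wavelet transform: return one list of detail coefficients per level.
    Each pass halves the approximation: a=(x0+x1)/sqrt2 carries the trend,
    d=(x0-x1)/sqrt2 carries the local change at that scale."""
    approx = list(series)
    details = []
    for _ in range(levels):
        if len(approx) < 2:
            break
        pairs = list(zip(approx[0::2], approx[1::2]))
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
        details.append([(a - b) / math.sqrt(2) for a, b in pairs])
    return details


def wavelet_outliers(series, levels=3, z_thresh=3.0):
    """Flag (level, start, end) sample windows whose detail coefficient lies more
    than z_thresh standard deviations from that level's mean coefficient."""
    flagged = []
    for lvl, coeffs in enumerate(haar_details(series, levels), start=1):
        mu, sigma = mean(coeffs), pstdev(coeffs)
        if sigma == 0:  # perfectly regular level: nothing to rank
            continue
        window = 2 ** lvl  # samples covered by one coefficient at this level
        for i, c in enumerate(coeffs):
            if abs(c - mu) / sigma > z_thresh:
                flagged.append((lvl, i * window, (i + 1) * window))
    return flagged


def constructed_series():
    """Constructed sample: 64 one-second packet counts with a periodic jitter
    around an assumed 100 pkt/s baseline and a single burst at second 40."""
    series = [100 + (i % 5) * 4 for i in range(64)]
    series[40] = 900
    return series


if __name__ == "__main__":
    for lvl, start, end in wavelet_outliers(constructed_series()):
        print(f"level {lvl}: anomalous change in samples [{start}, {end})")
```

The burst is flagged at the two finest scales; at the coarsest level its coefficient is diluted below the threshold, which is why several levels are inspected.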
In using support vector machines to tackle the problem, researchers have used multiple categories along with the usual binary case of normal/anomalous behavior.

Artificial Immune Systems (AIS)

Artificial immune systems adopt the metaphor of vertebrate immune systems in detecting foreign elements. The computational procedure is divided into three parts: negative selection (behavior that is normal or intrinsic to the system is learnt), clonal selection (detectors good at detecting anomalies are allowed to proliferate and mutate), and immune network formation (detectors form suppressive networks to prevent too many false positives).

Discussion Questions

What kind of data is likely to be most informative?
Is self-similarity a good characterization of the data?
What effect does c-index (paucity of attack data) have?
Is AIS really a new paradigm? What are the radical departures from normal computation?

deCastro and Timmis (2002): Comparative Analysis of AIS and ANN

Component
  AIS: Attribute string, s, (information storage and processing) represented in appropriate shape-space; might correspond to an immune cell or molecule
  ANN: Neuron (processing element) composed of an activation function, summing junction, connection strengths, and activation threshold

Location of the components
  AIS: Located according to the environmental stimuli
  ANN: Fixed, predetermined locations

Structure
  AIS: Usually follows the spatial distribution of the antigens represented in shape-space
  ANN: Pre-defined architectures and weights biased by the environment

Memory
  AIS: Content-addressable and distributed; carried in the attribute strength as well as connections
  ANN: Knowledge in connection strengths; self-associative or content-addressable and distributed

Adaptation
  AIS: Learning and evolution
  ANN: Learning

Plasticity and diversity
  AIS: Continuous insertion and elimination of the basic elements (cells/molecules) of the system
  ANN: Pruning and/or insertion of new connections, units, and layers in the network

Interaction with other components
  AIS: Match attribute strings by cell receptors; cells have weighted connections
  ANN: Interconnected neurons through connection strengths

Interaction with the environment
  AIS: Attribute string is compared with the patterns in the environment; some or all of the components might be involved in pattern recognition
  ANN: Neurons receive input signals from the environment; whole ANN might be used to recognize the pattern

Threshold
  AIS: Affinity threshold determines the degree of recognition between immune cells and the presented input pattern
  ANN: Threshold determines the neuron's activation

Robustness
  AIS: Highly flexible and noise tolerant; self-tolerant (learn to recognize themselves)
  ANN: Highly flexible and noise tolerant

State
  AIS: Concentration of immune cells and molecules and/or their affinities and connection strengths
  ANN: Activation level of the output neuron

Control
  AIS: Any immune principle or theory (i.e. clonal selection)
  ANN: Unsupervised, supervised, and reinforcement learning for training

Generalization capability
  AIS: Cross-reactivity allows recognition of similar patterns, and components can be multi-specific
  ANN: Good generalization provided training; satisfactory generalization by reducing the dimensions of parameter space and the size of the dimensions

Non-linearities
  AIS: Activation functions that define the degree of recognition between 2 components
  ANN: Activation functions of individual neurons

Some common intrusion terminology

Buffer overflow
What happens when you try to stuff more data into a buffer (holding area) than it can handle. This problem is commonly exploited by crackers to get arbitrary commands executed by a program running with root permissions.
DoS attack
This abbreviation for Denial-of-Service attack is used to label attempts to shut down websites by flooding network links with large amounts of traffic.

SYN attack
When a session is initiated between the Transport Control Program (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid "handshaking" exchange of messages that sets up the session. The session-establishing packets include a SYN field that identifies the sequence in the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer so that other, legitimate connection requests can't be accommodated.

Teardrop attack
This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment.
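As an added example (not part of the original notes), the negative-selection phase of the AIS approach described above: candidate detectors are drawn from a bit-string shape-space, any candidate that matches a "self" string is censored, and the survivors flag nonself input. The r-contiguous-bits matching rule, the 8-bit encoding, the self set and the exhaustive enumeration of candidates are all assumptions made for the example.

```python
from itertools import product


def r_contiguous_match(a, b, r):
    """True when bit strings a and b agree on at least r contiguous positions
    (the affinity/matching rule assumed here; AIS literature uses several)."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def negative_selection(self_set, length, r):
    """Negative selection: every candidate string in the shape-space that matches
    any self string is censored; the survivors become the detector set.
    The shape-space is enumerated exhaustively, which is only feasible for small
    lengths; larger systems sample candidates randomly instead."""
    detectors = []
    for bits in product("01", repeat=length):
        cand = "".join(bits)
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors


def classify(sample, detectors, r):
    """Return the first detector that matches the sample (nonself), or None (self)."""
    for d in detectors:
        if r_contiguous_match(sample, d, r):
            return d
    return None


# Constructed self set: 8-bit encodings of "normal" activity seen during training.
SELF = ["00000000", "00001111", "11110000", "00110011"]
LENGTH, R = 8, 4
DETECTORS = negative_selection(SELF, LENGTH, R)

if __name__ == "__main__":
    print(len(DETECTORS), "detectors survived negative selection")
    for sample in SELF + ["11111111", "10101010"]:
        verdict = "nonself" if classify(sample, DETECTORS, R) else "self"
        print(sample, "->", verdict)
```

By construction no detector can fire on a self string, so false positives come only from self behaviour that was absent from training; the clonal selection and immune-network phases of the notes are not shown here.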
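As an added defensive check (not part of the original notes) for the inconsistent fragment offsets described in the teardrop entry, the function below validates one datagram's fragment set before reassembly and reports overlaps, gaps, overruns and a missing final fragment. Offsets expressed in bytes, the 65535-byte datagram limit and the sample fragment sets are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment; offset is in bytes here (the header stores 8-byte units)."""
    offset: int   # byte offset of this payload within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # more-fragments flag: False only on the final fragment


def check_fragments(frags, max_datagram=65535):
    """Sanity-check the fragment set of one datagram (same source, id, protocol).
    Returns a list of problems; an empty list means the offsets tile the
    datagram exactly with no overlap, gap or overrun."""
    if not frags:
        return ["no fragments"]
    problems = []
    ordered = sorted(frags, key=lambda f: f.offset)
    end = 0  # bytes of the datagram accounted for so far
    for f in ordered:
        if f.length <= 0:
            problems.append(f"empty fragment at offset {f.offset}")
        if f.offset + f.length > max_datagram:
            problems.append(f"fragment at {f.offset} runs past the {max_datagram}-byte limit")
        if f.offset < end:
            problems.append(f"fragment at {f.offset} overlaps data already covered up to {end}")
        elif f.offset > end:
            problems.append(f"gap between byte {end} and fragment at {f.offset}")
        end = max(end, f.offset + f.length)
    if ordered[-1].more:
        problems.append("final fragment still has more-fragments set")
    return problems


# Constructed samples: a well-formed split and one whose second offset is inconsistent.
GOOD = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 700, False)]
BAD = [Fragment(0, 1480, True), Fragment(1200, 600, False)]

if __name__ == "__main__":
    print("good:", check_fragments(GOOD) or "consistent")
    print("bad:", check_fragments(BAD))
```

A reassembly path that rejects the set when this list is non-empty never has to reconcile the conflicting byte ranges that the teardrop entry describes.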