Intrusion Detection using Genetic Programming
Presented by Chris Chambers
Overview
General idea:
- Body very good at distinguishing between self/not-self
- Has a memory for old intrusions
- If only IDS’s were that good!
- “It is to be noted that the mechanisms of the immune system are remarkably complex and poorly understood, even by immunologists.” –Dasgupta, Attoh-Okine

Overview
- Fuzzy Data Mining and GA Applied to Intrusion Detection
- New Paradigms for ID Using GP (CHIMERA)
Fuzzy Data Mining and GA Applied to Intrusion Detection
S. Bridges, R. Vaughn, Mississippi State University, NISSC 2000
Premise:
- Body is good at detecting intrusions by pattern matching
- Can use this for securing systems
- Given a learning trace, evolve a program over a series of generations to detect intrusions
Novel idea:
- Rules developed from training data come out overspecific to that training data
- Fuzzy rules are less specific
- What is fuzziness?
Technique
Fuzzy Data Mining
- Fuzzy Association Rules computed for baseline
  - Example rule: {time = 11-12pm} => {load = LOW}
  - Compared with rules for abnormals
  - “Distance” computed
- Fuzzy Frequency Episodes (grouping data into repetitive sequences)
  - Same trick, “distance” computed between series
Technique (cont’d)
- Misuse Detection expert system also used
  - Hardwired rules, like >3 login attempts == bad
- Genetic Algorithms: used to tune fuzzy sets
Swiped from http://csrc.nist.gov/nissc/2000/proceedings/papers/005slide.pdf
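As an added illustration (not code from the Bridges and Vaughn paper or from these slides), the Python below sketches the fuzzy-association-rule step: trapezoidal fuzzy sets over hour-of-day and load, fuzzy support and confidence over constructed audit records, rules mined for a baseline window, and a "distance" between the baseline rule set and a new window's rule set. The membership functions, the product t-norm, the rule-scoring formula and every record are assumptions made for the example.

```python
import math
from itertools import product

def trapezoid(x, a, b, c, d):
    """Trapezoidal membership: 0 up to a, ramps to 1 at b, flat to c, back to 0 at d."""
    return max(0.0, min(1.0, (x - a) / (b - a), (d - x) / (d - c)))

# Assumed fuzzy sets per attribute: hour of day (0-23) and load as a 0..1 fraction.
FUZZY_SETS = {
    "time": {"NIGHT": lambda h: max(trapezoid(h, -1, 0, 5, 7), trapezoid(h, 21, 23, 24, 25)),
             "DAY": lambda h: trapezoid(h, 6, 9, 17, 21)},
    "load": {"LOW": lambda l: trapezoid(l, -1, 0, 0.2, 0.5),
             "HIGH": lambda l: trapezoid(l, 0.3, 0.6, 1.0, 2.0)},
}

def support(records, items):
    """Fuzzy support: mean over records of the product of the items' membership degrees."""
    return sum(math.prod(FUZZY_SETS[a][s](r[a]) for a, s in items) for r in records) / len(records)

def mine_rules(records, min_support=0.2, min_conf=0.6):
    """Single-item rules X => Y across distinct attributes: {(X, Y): (support, confidence)}."""
    items = [(a, s) for a in FUZZY_SETS for s in FUZZY_SETS[a]]
    rules = {}
    for x, y in product(items, repeat=2):
        if x[0] == y[0]:
            continue
        sx, sxy = support(records, [x]), support(records, [x, y])
        if sx > 0 and sxy >= min_support and sxy / sx >= min_conf:
            rules[(x, y)] = (sxy, sxy / sx)
    return rules

def rule_distance(baseline, window):
    """1 - similarity; each baseline rule scores by how closely the window reproduces its support and confidence (assumed scoring, not the paper's exact formula)."""
    total = 0.0
    for rule, (s1, c1) in baseline.items():
        if rule in window:
            s2, c2 = window[rule]
            total += max(0.0, 1 - abs(s1 - s2) / s1) * max(0.0, 1 - abs(c1 - c2) / c1)
    return 1 - total / len(baseline)
# Constructed audit samples as (hour, load): quiet nights and busy days are the norm.
def rec(pairs): return [{"time": h, "load": l} for h, l in pairs]
BASELINE = rec([(22, .1), (23, .1), (1, .1), (3, .1), (10, .7), (14, .8), (16, .7), (12, .7)])
NORMAL_WINDOW = rec([(23, .1), (2, .1), (1, .2), (11, .8), (15, .7), (13, .6)])
ABNORMAL_WINDOW = rec([(23, .8), (1, .9), (2, .7), (3, .8), (11, .7), (15, .8)])  # busy nights

def score_windows():
    """Return (baseline rules, distance of the normal window, distance of the abnormal window)."""
    base = mine_rules(BASELINE)
    return (base, rule_distance(base, mine_rules(NORMAL_WINDOW)),
            rule_distance(base, mine_rules(ABNORMAL_WINDOW)))
```

The GA step the slides mention would then search over the trapezoid parameters to make the normal window's distance small and the abnormal one's large; here they are fixed by hand.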
Results
Anomaly % == #anomalies detected / #actual anomalies
More Results
Conclusions
- GA only used to optimize results
- Fuzzy data mining works okay
- Fuzzy results
New Paradigms for Intrusion Detection Using Genetic Programming
Bob Adolf, 2003 (from Northwestern?)
Premise:
- Body is good at detecting intrusions by pattern matching
- Can use this for securing systems
- Given a learning trace, evolve a program over a series of generations to detect intrusions
Design of CHIMERA
- Linear phenome
  - “string of 1’s and 0’s” vs. “tree program”
- Brood Recombination
  - “lots of kids per parent”
- Small mutations
  - more like life
- Code Locality number
  - Supposed to help crossover
Evaluation of CHIMERA
- Cool trace: 3 days long, 20 flagged intrusions
- 100 generations, 10k members / generation, top 100 kept as survivors
Results and Conclusion
- Total failure of CHIMERA
- Best members not as good as random strings
- Code locality numbers didn’t work (no coherent code blocks)
Conclusion:
- GP requires way more resources and generations than normal programs
- IDS is hard for GP. 20 intrusions in a trace of tens of millions of events is “magnificently sparse”
Final Conclusion
Using GP to Improve IDS:
- Still formative
- Poorly understood