Fuzzy Network Profiling for Intrusion Detection
Dickerson, J.E.; Dickerson, J.A.
Fuzzy Information Processing Society, 2000. NAFIPS. 19th International Conference of the North American, 2000
Reporter: Chien-Chung Su

Agenda
– Introduction
– System Architecture
– Implementation example
– Conclusion

Introduction
Intrusion Detection System
– A process of identifying network activity that can lead to the compromise of a security policy
Two primary forms
– Misuse Detection: matching known patterns of hostile activity against a database of past attacks
– Anomaly Detection: applying statistical measures or artificial intelligence to compare current activity against historical knowledge of network utilization

System Architecture (1/5)
Fuzzy Intrusion Recognition Engine (FIRE)
– Anomaly-based intrusion detection system
– Applies fuzzy theory
– Applies a simple data mining technique

System Architecture (2/5)
Data flow (figure): a Local Area Network feeds raw packets to the Network Data Collector (NDC); the raw data go to the Network Data Processor (NDP); the mined data go to the Fuzzy Threat Analyzer (FTA), which emits fuzzy alerts

System Architecture (3/5)
Network Data Collector (NDC)
– Grabs all packets that cross the wire and stores them to disk
– To help avoid packet loss in the data collection system, it is important that the tasks performed by the NDC be very limited

System Architecture (4/5)
Network Data Processor (NDP)
– Performs a kind of data mining on the collected packets
– Compares the current data with the historical mined data to create "normalized" values that reflect how the new data differ from what was observed in the past

System Architecture (5/5)
Fuzzy Threat Analyzer (FTA)
– A fuzzy rule can incorporate one or more fuzzy inputs
– Depending on the fuzzy values, the fuzzy rule designer can make the types of intrusions they detect either very general or very specific

Implementation example (1/4)
What metrics do we want?
– SrcIP, DstIP, SrcPort, DstPort
– TCP flags, data length
– Data content
– Time the packet was sent
Example
– sdp = (SrcIP, DstIP, SrcPort, DstPort)
– Represents the existence of a TCP channel (whether successful or not) between two IP end points

Implementation example (2/4)
Define fuzzy variables
– COUNT
– UNIQUENESS
– VARIANCE
Membership function (figure): linguistic values LOW, MED-LOW, MED, MED-HIGH, HIGH over an axis with ticks 1, 2, 5, 10, 25, 50, 100

Implementation example (3/4)
Design fuzzy rules
– Scenario: Network scan
– Rule examples
If (COUNT == LOW) && (UNIQUENESS == MED) Then "Network Scan" = MED-LOW
If (COUNT == MED) && (UNIQUENESS == LOW) Then "Network Scan" = LOW
If (COUNT == MED) && (UNIQUENESS == HIGH) Then "Network Scan" = HIGH
If (COUNT of ForeignHosts == HIGH) && (UNIQUENESS of DNS == HIGH) Then "DNS Scan" = HIGH

Implementation example (4/4)
System issues
– Data collection interval
– Definition of the fuzzy variables
– Data mining techniques
– Fuzzy rules

Conclusion
– Intrusion detection benefits from a degree of fuzziness
– The detection rules need the backing of an expert system (expert knowledge)
– Real-time data mining remains an open issue
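The metrics, membership function and "Network Scan" rules of Implementation example (2/4) and (3/4), carried through end to end as an added Python example (not the authors' FIRE code). It mines COUNT and UNIQUENESS per source host from a constructed packet sample (the NDP step), normalizes them against an assumed historical baseline, fuzzifies them on the figure's 1..100 axis and fires the three "Network Scan" rules (the FTA step). The membership shapes (triangles and shoulders centred on the figure's ticks), the normalization rule (historical mean maps to 10) and the traffic sample are assumptions, not from the paper.

```python
"""FIRE-style fuzzy scoring of the "Network Scan" rules from the slides.

Added example, not the authors' code. Assumed (not on the page): the
membership shapes, the normalization "10 == historical mean", and the
constructed traffic sample below.
"""
from collections import defaultdict

# ---- NDC stage: constructed sample of one collection interval ----
# (src_ip, dst_ip, src_port, dst_port, tcp_flags)
PACKETS = (
    # normal client: 40 packets to one web server, always port 443
    [("10.0.0.7", "192.168.1.10", 50000 + i, 443, "PA") for i in range(40)]
    # scanner: one SYN per destination port, 48 distinct ports
    + [("10.0.0.5", "192.168.1.10", 40000 + p, p, "S") for p in range(20, 68)]
)

# Historical mined values per source host (assumed NDP baseline)
BASELINE = {"COUNT": 40.0, "UNIQUENESS": 2.0}


def sdp(pkt):
    """Key from the slide: (SrcIP, DstIP, SrcPort, DstPort)."""
    return pkt[0], pkt[1], pkt[2], pkt[3]


def mine_metrics(packets):
    """NDP stage: per source host, COUNT of sdp tuples and UNIQUENESS of DstPort."""
    per_src = defaultdict(list)
    for pkt in packets:
        per_src[pkt[0]].append(sdp(pkt))
    return {
        src: {"COUNT": len(keys), "UNIQUENESS": len({k[3] for k in keys})}
        for src, keys in per_src.items()
    }


def normalize(metric, value):
    """Assumed normalization: the historical mean maps to 10 on the 1..100 axis."""
    return 10.0 * value / BASELINE[metric]


def tri(x, a, b, c):
    """Triangular membership with feet at a and c and peak at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzify(x):
    """Membership of x in the five linguistic values (assumed shapes on the figure's ticks)."""
    return {
        "LOW": 1.0 if x <= 2 else max(0.0, (5 - x) / 3),
        "MED-LOW": tri(x, 2, 5, 10),
        "MED": tri(x, 5, 10, 25),
        "MED-HIGH": tri(x, 10, 25, 50),
        "HIGH": 1.0 if x >= 50 else max(0.0, (x - 25) / 25),
    }


# Rules from the slide: ((COUNT label, UNIQUENESS label), "Network Scan" label)
RULES = [
    (("LOW", "MED"), "MED-LOW"),
    (("MED", "LOW"), "LOW"),
    (("MED", "HIGH"), "HIGH"),
]
LABELS = ["LOW", "MED-LOW", "MED", "MED-HIGH", "HIGH"]


def evaluate(metrics):
    """FTA stage: fire every rule (AND = min) and aggregate per output label (max)."""
    count = fuzzify(normalize("COUNT", metrics["COUNT"]))
    uniq = fuzzify(normalize("UNIQUENESS", metrics["UNIQUENESS"]))
    out = {lbl: 0.0 for lbl in LABELS}
    for (c_lbl, u_lbl), result in RULES:
        strength = min(count[c_lbl], uniq[u_lbl])
        out[result] = max(out[result], strength)
    return out


def network_scan_alert(packets):
    """Return {src_ip: (label, degree)} for hosts where any rule fired above zero."""
    alerts = {}
    for src, m in mine_metrics(packets).items():
        out = evaluate(m)
        label = max(out, key=out.get)
        if out[label] > 0:
            alerts[src] = (label, round(out[label], 3))
    return alerts


if __name__ == "__main__":
    for src, (label, degree) in network_scan_alert(PACKETS).items():
        print(f"{src}: Network Scan = {label} ({degree})")
```

The normal client has COUNT at the baseline (normalized 10, fully MED) but UNIQUENESS of one port (normalized 5, MED-LOW), so no rule fires; the scanner's 48 SYNs to 48 ports give COUNT slightly above baseline (MED at 0.87) and UNIQUENESS far above it (HIGH at 1.0), so the third rule fires and the host is reported as "Network Scan" = HIGH. Because the rules are plain data, the DNS-scan rule on the same slide can be added by supplying another metric pair without touching the engine.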