Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes
Kai Hwang, Fellow, IEEE, Min Cai, Member, IEEE, Ying Chen, Student Member, IEEE, and Min Qin
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 4, NO. 1, JANUARY-MARCH 2007
Presented by Yong Sun Kim
Summary
This hybrid system combines
- the low false-positive rate of a signature-based IDS (intrusion detection system)
- the ability of an ADS (anomaly detection system) to detect novel, unknown attacks
Experimental results show
- a 60 percent detection rate for the HIDS, compared with 30 percent and 22 percent when using the SNORT and Bro systems, respectively; this was obtained with less than 3 percent false alarms.
- The signatures generated by the ADS upgrade the SNORT performance by 33 percent.
A hybrid intrusion detection system built from SNORT and an anomaly detection subsystem (ADS), coupled through automated signature generation from Internet episodes.
A data mining scheme for network anomaly detection over Internet connection records.
An anomaly is detected once the episode rule cannot find any match with the normal connection rules in the database.
The attack data set is a mixture of a locally captured trace file and the DARPA 1999 IDS evaluation data set (MIT/LL).
Appreciative Comment 1
To maximize effectiveness, various algorithms and schemes are introduced:
- Mining FERs (frequent episode rules) for anomaly detection
- Episode rule training from normal traffic
- Pruning techniques for episode rules
Appreciative Comment 2
By using a weighted signature generation algorithm, the system improves accuracy and reduces false alarms.
The ADS assigns an anomaly score and a normality score to each connection after processing a traffic data set.
- Signatures are defined when patterns have high anomaly scores but relatively low normality scores.
- The
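As an added illustration (my code, not the paper's), the following Python sketches the two ideas above: a connection is flagged when no rule in the normal-profile database matches it, and candidate patterns become signatures only when their anomaly score is high and their normality score low. The rule representation, the constructed connection records, the scoring definitions (anomaly score = fraction of attack-trace connections a pattern matches, normality score = fraction of normal-trace connections it matches) and the selection thresholds are all my assumptions; the paper's own scoring formulas are not on this page.

```python
"""Episode-rule anomaly detection and weighted signature selection.

Added illustration, not code from the paper.  Assumptions: a rule is a dict
mapping a connection attribute to a predicate; a record matches a rule when
every predicate holds; the anomaly score of a candidate pattern is the
fraction of attack-trace records it matches and the normality score is the
fraction of normal-trace records it matches.  The paper's actual scoring
formulas are not reproduced here.
"""


def eq(value):
    return lambda x: x == value


def between(lo, hi):
    """lo <= x < hi, the half-open form used in the paper's Pod signature."""
    return lambda x: lo <= x < hi


def gt(value):
    return lambda x: x > value


def matches(rule, record):
    """True when every <attribute; condition> pair of the rule holds for the record."""
    return all(attr in record and cond(record[attr]) for attr, cond in rule.items())


def is_anomalous(record, normal_rules):
    """The ADS flags a connection when no rule in the normal-profile database matches it."""
    return not any(matches(rule, record) for rule in normal_rules)


def score_pattern(pattern, attack_trace, normal_trace):
    """Return (anomaly_score, normality_score) for one candidate pattern (assumed definitions)."""
    anomaly = sum(matches(pattern, c) for c in attack_trace) / len(attack_trace)
    normality = sum(matches(pattern, c) for c in normal_trace) / len(normal_trace)
    return anomaly, normality


def select_signatures(patterns, attack_trace, normal_trace,
                      min_anomaly=0.5, max_normality=0.1):
    """Keep patterns with high anomaly but low normality scores (thresholds assumed)."""
    chosen = []
    for name, pattern in patterns.items():
        anomaly, normality = score_pattern(pattern, attack_trace, normal_trace)
        if anomaly >= min_anomaly and normality <= max_normality:
            chosen.append(name)
    return chosen


# Constructed normal-profile rules (stand-ins for rules mined from normal traffic).
NORMAL_RULES = [
    {"ip_proto": eq("tcp"), "service": eq("http")},
    {"ip_proto": eq("icmp"), "icmp_type": eq("echo_req"), "src_bytes": between(0, 128)},
]


# Constructed connection records; the Pod-like ones mimic the paper's signature.
def _icmp(src_bytes, dst_count):
    return {"ip_proto": "icmp", "icmp_type": "echo_req",
            "src_bytes": src_bytes, "dst_count": dst_count}


def _http():
    return {"ip_proto": "tcp", "service": "http", "src_bytes": 300, "dst_count": 1}


ATTACK_TRACE = [_icmp(1484, 12), _icmp(1486, 15), _icmp(1484, 11), _icmp(1488, 20), _http()]
NORMAL_TRACE = [_http(), _http(), _http(), _icmp(64, 1), _icmp(64, 2)]

# Candidate patterns as the mining step might produce them (constructed).
CANDIDATES = {
    "pod": {"ip_proto": eq("icmp"), "icmp_type": eq("echo_req"),
            "src_bytes": between(1480, 1490), "dst_count": gt(10)},
    "any_icmp": {"ip_proto": eq("icmp")},
}

if __name__ == "__main__":
    for c in ATTACK_TRACE:
        print(c["ip_proto"], c["src_bytes"],
              "anomalous" if is_anomalous(c, NORMAL_RULES) else "normal")
    for name, pattern in CANDIDATES.items():
        print(name, score_pattern(pattern, ATTACK_TRACE, NORMAL_TRACE))
    print("signatures:", select_signatures(CANDIDATES, ATTACK_TRACE, NORMAL_TRACE))
```

On the constructed traces, the "any_icmp" pattern scores as anomalous as the Pod pattern but also matches 40 percent of normal traffic, so it is rejected; this is the point of weighting by normality rather than by anomaly alone.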
Critical Comments
The paper gives inconsistent descriptions of the false-alarm rate and the detection rate:
- In the Abstract: "results show a 60 percent... less than 3 percent false alarm.."
- In 8 Conclusions and Further Research, item 4: "Our HIDS results in a detection rate of 60 percent... false alarms must be maintained below 3 percent."
- In 7.3 Effects of False Alarms on IDS Performance: "The HIDS achieved a low 47 percent detection rate at 1 percent false alarms. However, the detection rate can be raised to 60 percent if the false alarms can be tolerated up to 30 percent"
Fig. 13. ROC curves showing the variation of the average intrusion detection rate of three detection systems as the false alarm rate increases.
Question
Is this passive way of generating signatures in the ADS still effective under a fast network attack such as "Code Red"?
Signature mapping
For Dataset-I, the <attribute; condition> pairs are decoded as follows:
(ip proto = icmp), (icmp type = echo req), (1,480 <= src bytes < 1,490), (dst count > 10)
The <attribute; condition> pairs form an abstract signature of the Pod attack. Using the attribute mappings in Table 4, the signature is translated into a SNORT rule as follows:
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"possible pod attack"; itype:8; dsize:1480<>1490; threshold: type both, track by_dst, count 10, seconds 1; sid:900001; rev:0;)
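As an added example (my code, not the paper's and not part of SNORT), the following Python parses the abstract <attribute; condition> signature above and emits the corresponding SNORT rule. The attribute handling in the code stands in for the paper's Table 4, which is not reproduced on this page, and covers only the four attributes of the Pod signature; the ICMP type code for an echo request, the one-second threshold window and the `$EXTERNAL_NET`/`$HOME_NET` header are taken from the Pod rule above or assumed.

```python
"""Translate an abstract <attribute; condition> signature into a SNORT rule.

Added example, not the paper's code.  The attribute handling in to_snort_rule
is an assumed stand-in for the paper's Table 4 (not on this page): it covers
only the four attributes that appear in the Pod signature.  Numbers may carry
thousands separators as printed in the paper ("1,480").
"""
import re

# Assumed mapping of symbolic ICMP types to Snort itype codes.
ICMP_TYPE_CODES = {"echo req": 8, "echo reply": 0}

# The three condition shapes seen in the Pod signature.
RANGE_RE = re.compile(r"^\s*([\d,]+)\s*<=\s*([a-z ]+?)\s*<\s*([\d,]+)\s*$")
GT_RE = re.compile(r"^\s*([a-z ]+?)\s*>\s*([\d,]+)\s*$")
EQ_RE = re.compile(r"^\s*([a-z ]+?)\s*=\s*([a-z0-9 ]+?)\s*$")


def _num(text):
    return int(text.replace(",", ""))


def parse_signature(text):
    """Return [(attribute, op, operand)] from '(a = b), (lo <= c < hi), (d > n)'."""
    triples = []
    for pair in re.findall(r"\(([^()]*)\)", text):
        if m := RANGE_RE.match(pair):
            triples.append((m.group(2), "range", (_num(m.group(1)), _num(m.group(3)))))
        elif m := GT_RE.match(pair):
            triples.append((m.group(1), ">", _num(m.group(2))))
        elif m := EQ_RE.match(pair):
            triples.append((m.group(1), "=", m.group(2)))
        else:
            raise ValueError(f"unrecognised <attribute; condition> pair: {pair!r}")
    return triples


def to_snort_rule(signature, msg, sid, rev=0, window_seconds=1):
    """Render the signature as a Snort 2 rule; unmapped attributes are rejected, not dropped."""
    proto = None
    options = [f'msg:"{msg}"']
    for attr, op, operand in parse_signature(signature):
        if (attr, op) == ("ip proto", "="):
            proto = operand                      # becomes the rule-header protocol
        elif (attr, op) == ("icmp type", "="):
            options.append(f"itype:{ICMP_TYPE_CODES[operand]}")
        elif (attr, op) == ("src bytes", "range"):
            lo, hi = operand
            options.append(f"dsize:{lo}<>{hi}")  # payload size window
        elif (attr, op) == ("dst count", ">"):
            # connections to one destination per window -> threshold tracked by_dst
            options.append(f"threshold: type both, track by_dst, "
                           f"count {operand}, seconds {window_seconds}")
        else:
            raise ValueError(f"no Snort mapping for {attr} {op} {operand}")
    if proto is None:
        raise ValueError("signature does not fix the IP protocol")
    options += [f"sid:{sid}", f"rev:{rev}"]
    return f"alert {proto} $EXTERNAL_NET any <> $HOME_NET any ({'; '.join(options)};)"


# The Pod signature exactly as printed in the paper's Dataset-I example.
POD_SIGNATURE = ("(ip proto = icmp), (icmp type = echo req), "
                 "(1,480 <= src bytes < 1,490), (dst count > 10)")

if __name__ == "__main__":
    print(to_snort_rule(POD_SIGNATURE, "possible pod attack", 900001))
```

Rejecting an attribute with no mapping, rather than silently dropping its condition, matters here: a dropped condition loosens the generated rule and raises the false-alarm rate that the hybrid design is meant to keep low.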