Hybrid Profiling Strategy for Intrusion Detection - PowerPoint PPT Presentation

1 / 14

About This Presentation

Title:

Hybrid Profiling Strategy for Intrusion Detection

Description:

Number of Views:22

Avg rating:3.0/5.0

Slides: 15

Provided by: kk11

Category:

more less

Transcript and Presenter's Notes

Title: Hybrid Profiling Strategy for Intrusion Detection

1
Hybrid Profiling Strategy for Intrusion Detection

2
Overview

3
The problem of Intrusion

worldwide impact of malicious code was 13.2B in
the year 2001 Computer Economics
"ID theft costs banks 1B a year. Nearly 10,000
victims had home loans - totaling about 300M -
taken out in their name in 2002 and another
68,000 had new credit cards issued in their name"
- MSN news, March 2003
The market for web intrusion protection services
and products is expected to increase to nearly US
700M by 2006. IDC, 2002
and the list goes on .

4
Classifying the IDS

5
Self Learning IDS

Machine learning approach to learn what is
normal
User-based profiles
Based on the belief that user leaves a print
while using a system that can be learned as an
identity of the user
Sequence of commands can be used as a criteria
E.g. some people prefer vi over emacs, some
gcc over cc

6
Self Learning IDS (contd)

Program-based profiles
Based on what system calls are made by a program
Each trace is a sequence of system calls issued
by a process from the beginning of its execution
till the end
E.g. the command lpr makes several system calls
that leave one single trace that can be learned

7
Hybrid Profiling

Motivation
Users profile give idea what applications are
being invoked by a user, it doesnt give
information how he/she is using a particular
application
Program profiles give an idea about the
application but no idea about what the user did
before using the application
With growing popularity of UI-based applications,
we are interested in knowing what features of a
particular application is being used by a
particular user
Solution
Why not combine both the models ?

8
Hybrid Profiling (contd)

Idea
Sequence of commands used before invoking an
application and system calls to monitor the
application, are used to model the Hybrid profile
for a particular user
E.g. userA may prefer emacs for just writing
the latex code, userB may prefer it for
compilation and debugging
Most machine learning approaches for learning
user profiles and program profiles can be
extended to Hybrid profiles

9
Learning Algorithms

Artificial Neural Networks
Activation value propagated from input
nodes towards output
Deviation of the output
from Expected value
passed as
the updated arc weights by back-
propagation
Process repeated till a satisfactory level
of learning is reached

10
Learning Algorithms (contd)

11
Learning Algorithms (contd)

Hidden Markov Models
Powerful finite state machine
Each state represents a sequence of system calls
or user commands
In each state, there is a certain probability of
producing any of the output states and a
probability indicating the next likely states
HMMs are really effective in terms of number of
false positive and false negatives, but take
really long time in training
Deciding the size of the model is another big
issue

12
Learning Algorithms (contd)

Reinforcement Learning approach
Use of modified Cerebellar Model Articulation
Controller Network (CMAC) network, which is a
form of feed-forward neural network
Utilize feedback from the environment in the form
of system state
Output is inversely proportional to the feedback
A modified LMS learning algorithm is used to
update the CMAC weights

13
Conclusions and Future Work

Hybrid profile is a combination of both user
profiles and program profiles
Gives more specific information about how a user
uses a particular application, especially
UI-based applications
Idea needs to be tested for the amount of data
needed for learning in actual world scenarios.
Performance in terms of number of false positives
and false negatives needs to be explored
Scalability in terms of number of users also
needs to be checked