17-03-2011, 09:35 AM
Submitted by
Shiv Kumar
[attachment=10355]
INTRUSION DETECTION USING EXPERT SYSTEM
Intrusion Detection
Intrusion detection is a set of techniques and methods that are used to detect suspicious activity both at network level and host level.
Various examples of suspicious activities
Attempted break-in
Masquerading
Penetration by legitimate user
Trojan Horse
Virus
Denial of Service
Techniques of Intrusion Detection
Generally there are two techniques
Misuse Detection: detection on the basis of known attacks with high success rate and low time cost, but when faces the unknown attacks it becomes powerless
Anomaly Detection: This technique identifies the observed activities that deviate unknown intrusions, which can't be addressed by former technique. Disadvantages?
Intrusion Detection Expert System
The intrusion detection expert system is software or hardware or combination of both used to detect intruder activity with the help of knowledge base and inferencing technique of expert system
- Dorothy E. Denning
Intrusion Detection Model
The model given is the base model.
Important Terms used are:
Subjects
Objects
Audit records
Profiles
Anomaly records
Activity rules
Brief detail of components
Subject: Initiators of activity
Object: Resources managed by system like files
Audit records:
<Subject, Action, Object, Exception-condition, Resource-Usage, Time-stamp>
Profiles: <Variable-Name, Action-Pattern, Exception-Pattern, Resource-Usage, Period, Variable-Type, Threshold, Subject-Pattern, Object-Pattern, Value>
Activity rules are actions when some condition is satisfied
Intrusion Detection Based on Site
Based on site two types are there
Host based: These act as agents on a host. Here system and log files are detected for any intruder activity.
Network based: These capture data packets traveling on the network media and match them to a database of signatures.
Host based Intrusion
Reactive systems: They inform only when something has happened.
Proactive systems: They sniff the network traffic coming to a particular host
These typically monitor system, event, and security logs. When any of these changes, it is compared to attack signatures to see if there is match.
One popular method for detecting intrusion checks key system files and executables via checksums .
Types of Host based
These can be classified into four types
File system monitoring
Log file analysis
Connection analysis
Kernel based analysis
Strength:
Detects attack missed by network based
Overcome deployment challenges faced by their counterparts
Lower cost of entry
Verifies success or failure of an attack
Strengths of Network based Intrusion
Lower cost of ownership
Detect attacks that host based miss like IP-based DOS.
More difficult for an attacker to remove evidence
Real time detection and response
Detect unsuccessful attacks and malicious intent
Operating system independence
Continuous expert voting algorithm
It deals with the fatal disadvantage of machine learning approach.
Some terminology
Knowledge: A program or network behavior
Expert: Composed of different type of knowledge
Suspicious set: Knowledge extract from suspicious data
Expert matching: If suspicious set include the same type and number of knowledge as expert
Expert power: Expert a1 can deduce a result r1 which represent the detection accuracy, then r1 is said to be expert power
Arbitrage value: If the expert power below the average, it can be regarded this trend as normal or abnormal.
Steps:
Form the expert knowledge database.
Perform expert matching of suspicious set
If succeed and arbitrage value is less than expert power, mark set as normal
Otherwise calculate contiguous expert
Example
The table shows the expert set
what will happen if suspicious set contains
Auto-start=N, Keylogger=N, ProcessI=Y
If the number of expert which its power value below the arbitrage value is more than the number of expert which its power value beyond the arbitrage value, data is abnormal.
Data Mining Technique
Data mining generally refers to the process of extracting descriptive models from large stores of data. Various data mining technique can be used in intrusion detection like
SVM based classification which is based on support vectors. In this optimized hyperplane is achieved which performs classification.
Outlier Detection in which subspace outlying technique is used. SPOT can be used as the tool.
Frequent Association rule mining
Association Rule Mining
The goal of mining association rules is to derive multi feature correlation from a database table. Any association rule is described by support and confidence.
Am, pascal → dir1 { c=2/3 }
Axis feature
Auxiliary feature
Frequent Episode: Study the frequent sequential patterns of network events in order to understand the nature of many attacks.
Frequent sequential pattern are computed in two steps
(a) Frequent association computation
(b) Frequent serial pattern from these association
Example
(service=http, flag = S0, dst_host=victim), (service = http, flag = S0, dst_host=victim) → (service = http, flag =S0, dst_host=victim) [.93, .03, 2]
Feature Construction
Intrusion patterns is used as a guideline for adding additional features into the connection records to build better classification models. The following automatic procedure for parsing a frequent episode and construct feature
Assume F0 is used as reference feature
Add the following features that examine only the connections in past w seconds share the same value in F0 as current feature
- A count of these connection
- F1 different from F0 have same value in all items in episode, add a percentage of these connections
- V2 be a value of a feature F2 other than F0 and F1. If V2 is in all itemsets of episode, add a percentage of connections that have same value otherwise average value
Fuzzy Expert System Based Approach
Fuzzy logic addresses the formal principle of approximate reasoning.
Provide sound foundation to handle imprecision and vagueness as well as mature inference mechanisms.
Every fuzzy set is represented by membership function.
Fuzzy inference system uses the concept of FAM(Fuzzy associative mapping) unlike traditional expert system mapping.
Good Membership function decision is the bottleneck of fuzzy system which is solved by Genetic algorithm approaches.
SNORT
Snort is a libcap based packet sniffer and logger
It features rules based logging to perform content pattern matching and detect variety of attacks.
Both snort and tcpdump has the capability to filter traffic.
Difference between snort and tcpdump?
FB-SNORT CASE STUDY
Snort detects many kinds of attacks, but it gives many false positive alarms especially when detecting port scanning attacks.
To solve this problem Fuzzy expert system is added with snort.
The main advantage of adding this is to make snort more intelligent. Now it can tell what is the level of port scanning attack on the basis of audit data and also reducing false alarms.
Port scanning attack
Attackers commonly attempt to connect to other hosts and scan their ports as starter to other attacks.
By this they try to deduce what are the services available on a host.
Port scanning has three variants
Open Scan
Half-open scan
Stealth scan
Architecture of FB-SNORT
Parameters for fuzzy logic:
NSP: number of sent packets
ART: Average time between received packets by destination/victim
NRP: number of received packets
For a port scanning attack ART must be low and NRP and NSP is high.
The value of these parameters can be calculated at victim with the help of wireshark for defining initial membership functions
Conclusion
We have seen some of the techniques by which we can make expert system for intrusion detection more intelligent.
We have discussed types of intrusion detection systems and also their strengths and limitations
Snort and its components are discussed alongwith FB-Snort which performs better in case of port scanning attacks.
