mayukh dass artificial intelligence center, university of georgia athens,georgia, u.s.a

Mayukh DassArtificial Intelligence Center,

University of GeorgiaAthens,Georgia,

U.S.A.

ContentsContents

What is Intrusion Detection? How it is affecting the society? What are the present techniques used? What is new in LIDS? Why should we use autonomous agents? What are the components of LIDS? Is LIDS working? What is left to do in future?

Intrusion DetectionIntrusion Detection

Problem of identifying unauthorized users.

Protect the system from being compromised.

2 categories: Misuse Detection. Anomaly Detection.

Revenue loss in 2002 = $455,848,000(CSI/FBI Computer Crime and Security Survey,

2002.)

Invaders of the Invaders of the civilizationcivilization

Altruistic side of Altruistic side of hackinghacking

Next-generation Next-generation hackershackers

Intrusions provide jobsIntrusions provide jobs

Intrusion Detection Intrusion Detection TechniquesTechniques

Rule-based. Data Mining. Artificial Neural Network. Genetic Algorithm. Statistical Methods. Agent framework:

Autonomous Agents. Intelligent Agent. Mobile Agents.

Mapping Human Immunization

Commercial Intrusion Commercial Intrusion Detection SystemsDetection Systems

• they are rule based.

• high maintenance cost.

• not very reliable.

• large number of false positive alerts.

• not very flexible.

• non-scalable (snort : for “average” system).

• high overall cost.

Example : Snort, SHADOW, and so on..

Reliable Network Reliable Network Security System. Security System.

What??What??

Features of LIDS:Features of LIDS:Learning Intrusion Learning Intrusion Detection System.Detection System.

Reliable. Flexible. Behavior based. Blackboard-based architecture. controlled by autonomous agents. Learning and adapting capability. Low maintenance cost. Uses building blocks of computational

intelligence as intrusion analyzer. Low rate of false positive alarm.

Why should we use Why should we use Autonomous Agents for Autonomous Agents for

detecting Intrusion in the detecting Intrusion in the network ?network ?

• Runs continually.

• Fault tolerant.

• Resist subversion (monitor itself)

• Minimal overhead

• Configurable

• Adaptable

• Scalable

• Graceful degradation of service

• Dynamic reconfiguration.

Autonomous AgentsAutonomous Agents

• Network Reader

• Initial Analyzer

• Initial Alert Agent

• System data Reader

• Attack Classifier (GA-based filter)

• ANN Analyzer

• Teaching Agent

• Report Generator

GENERATED REPORTS

Future DirectionsFuture Directions

Complete building the learning agent of LIDS.

Test LIDS in a more complex environment.

Add new functionalities like visual representation of the reports.

Try to increase the speed and optimization of the processes.

AcknowledgementAcknowledgement

Dr. J. Cannady

Dr. D. Potter.

Dr. D. Nute.

Dr R. McClendon