![Page 2: Computer Network Intrusion Detection Via Neural Networks … · 2014. 2. 1. · Computer Network Intrusion Detection Via Neural Networks Methods Vu Dao phongvu_98@yahoo.com July 18,](https://reader035.vdocuments.net/reader035/viewer/2022071009/5fc759a49e6f6559645f823a/html5/thumbnails/2.jpg)
Outline
- Goals
- Background on Intrusion Detection Systems (IDS)
- Types of IDS
- Why Applying Neural Networks Techniques?
- User Profiling in the UNIX OS Environment
- Study of the Proposed Methods
- Implementation of the Proposed IDS
- Results
- Trade-Offs of the Proposed Methods
- Summary
- Future Work
Goals
- Design and implement new intrusion detection systems that deal with changes in user profile (i.e. user behavior)
- Compare the proposed methods with other statistical methods for the intrusion detection problem, and explain the trade-offs and the potential advantages of the proposed methods
Background on Intrusion Detection Systems
- 1999 DARPA Study [1]
  - Types of Evaluation
    - U2R - User Illegally Became Root (eject, fdformat, ps, …)
    - DoS - Denial of Service (selfping, smurf, tcpreset, …)
    - R2L - Remote User Illegally Accessed a Local Host (guest, ftpwrite, xsnoop, …)
  - Results of Detecting Intruders
    - 80% Success for Old Attacks
    - 25% Success for New and Novel Attacks

DARPA: Defense Advanced Research Projects Agency
[1] R. Lippmann et al., The 1999 DARPA off-line intrusion detection evaluation, Computer Networks, 2000
Types of IDS
- Audit-Trail IDS
- Network Monitoring IDS
- Others
Audit-Trail Methods
- Audit-Trail Methods
  - Classical Artificial Intelligence (AI)
    - Statistical or Anomaly
    - Rule-Based, Signature or Misuse
  - Soft-Computing Artificial Intelligence
    - Back Propagation (BP)
    - Radial Basis Function (RBF)
    - Genetic Algorithm (GA)
Research Concentration
- Previous Works Concentrate on System or Network
  - System Traffic or System Log
  - Goal is to Detect Intrusion on System or Network
- This Research Concentrates on User Account
  - Account Traffic or Account Log
  - Goal is to Detect Intrusion on a Specified Account
Why Applying Neural Network?
- Statistical Method
  - Used in Detecting New Attacks
  - Inaccurate
    - 75% Success Rate [2] for currently best research system
- Neural Network Has Self Learning Capability
  - Supervised Learning for Input-Output Mapping
  - Adapt Synaptic Weights to Changes in the Surrounding Environment

[2] Pete Lindstrom, IDS at the Crossroads, Information Security, June 2002
User Profiling in the UNIX OS Environment (1/2)
- Events Used in User Profiling [3]
  - Activities of the System as a Whole
  - Activities of Users
  - Activities of Particular Terminals
  - Transactions Involving Particularly Sensitive Files or Programs
  - Transactions Involving Particular Sensitive System Files or Programs

[3] Dorothy Denning, “An Intrusion Detection Model,” IEEE Transactions on Software Engineering, 1987
User Profiling in the UNIX OS Environment (2/2)
- Attributes of Users in Profiling
  - Command Sets, Time of Login, Host, CPU Time
- Issues in User Profiling [4]
  - Short-Term
    - Constant Profile
  - Long Term
    - Profile Drift
- Case Study

[4] Vu Dao et al., “Profiling Users in the UNIX OS Environment”, International Computer Science Conventions Conference, Dec. 2000
User Profiling -- Case Study (1/2)
User Profiling -- Case Study (2/2)
Study of the Proposed Methods
- Neural Network Methods
  - Back Propagation
    - Gradient Descent (GD)
    - Gradient Descent with Momentum
    - Variable Learning Rate GD with Momentum
    - Conjugate Gradient
    - Quasi Newton
Feed Forward Neural Networks
[Figure: Feed Forward Neural Networks. Inputs X1, X2, X3, …, Xn feed an Input Layer, followed by a Hidden Layer and an Output Layer.]
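An added example, not from the slides: a pure-Python feed-forward network trained by back propagation using gradient descent with momentum, separating an account owner's sessions from other users' sessions. The four inputs follow the profiling attributes named earlier (command set, time of login, host, CPU time); the feature encoding, the constructed sample values, the network size and the learning parameters are all assumptions.

```python
import math, random

def make_sessions(rng, n, owner):
    # Constructed sample: [command-set overlap, login hour / 24, usual host?, CPU time]
    base = [0.9, 0.40, 1.0, 0.2] if owner else [0.3, 0.90, 0.0, 0.7]
    return [([min(1.0, max(0.0, b + rng.uniform(-0.08, 0.08))) for b in base],
             1.0 if owner else 0.0) for _ in range(n)]

class FeedForwardNet:
    """Inputs -> tanh hidden layer -> one sigmoid output (1 = account owner)."""
    def __init__(self, n_in, n_hid, rng):
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hid)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hid + 1)]
    def forward(self, x):
        h = [math.tanh(sum(w * v for w, v in zip(row, x + [1.0]))) for row in self.w1]
        z = sum(w * v for w, v in zip(self.w2, h + [1.0]))
        return h, 1.0 / (1.0 + math.exp(-z))
    def train(self, data, epochs=400, lr=0.3, momentum=0.8):
        v1 = [[0.0] * len(r) for r in self.w1]          # previous steps (momentum terms)
        v2 = [0.0] * len(self.w2)
        losses = []
        for _ in range(epochs):
            g1, g2, loss = [[0.0] * len(r) for r in self.w1], [0.0] * len(self.w2), 0.0
            for x, t in data:
                h, y = self.forward(x)
                loss -= math.log(y if t else 1.0 - y)    # cross-entropy
                d_out = y - t                            # error at the output unit
                for j, hj in enumerate(h):
                    d_hid = d_out * self.w2[j] * (1.0 - hj * hj)  # error propagated back
                    for i, xi in enumerate(x + [1.0]):
                        g1[j][i] += d_hid * xi
                for j, hj in enumerate(h + [1.0]):
                    g2[j] += d_out * hj
            for j in range(len(v2)):                     # momentum update, output layer
                v2[j] = momentum * v2[j] - lr * g2[j] / len(data)
                self.w2[j] += v2[j]
            for j, row in enumerate(self.w1):            # momentum update, hidden layer
                for i in range(len(row)):
                    v1[j][i] = momentum * v1[j][i] - lr * g1[j][i] / len(data)
                    row[i] += v1[j][i]
            losses.append(loss / len(data))
        return losses

def demo(seed=7):
    rng = random.Random(seed)
    net = FeedForwardNet(4, 3, rng)  # other users' sessions below are the negative samples
    losses = net.train(make_sessions(rng, 30, True) + make_sessions(rng, 30, False))
    test = make_sessions(rng, 10, True) + make_sessions(rng, 10, False)
    wrong = sum((net.forward(x)[1] >= 0.5) != (t == 1.0) for x, t in test)
    return losses[0], losses[-1], wrong / len(test)
```

`demo()` returns the first-epoch loss, the final loss and the error rate on held-out constructed sessions.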
Generated Data File
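|               | File 1 (CU = 5) | File 2 (CU = 6) | File 3 (CU = 7) |
|---------------|-----------------|-----------------|-----------------|
| Training Data | 25000           | 30000           | 35000           |
| Testing Data  | 10000           | 12000           | 14000           |
| Total         | 35000           | 42000           | 49000           |

Training Data (5000 Samples)
Testing Data (2000 Samples)
CU1 CU2 CU3 ……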
Data set 1, CU = 5
Data set 2, CU = 5
Data set 3, CU = 5
Results (BFGS - 5 Samples) Test Data 1
BFGS = Broyden, Fletcher, Goldfarb, Shanno
Results (BFGS - 6 Samples) Test Data 1
Results (BFGS - 7 Samples) Test Data 1
BFGS Result
CU = 5 CU = 6
Host Error 2.7% 18%
2.5% 19%
CPU Error 3.6% 16%
1.8% 19%
1% 21%
CU = 7
1% 21%
Memory Error 3.1% 18%
3.9% 16%
3.3% 20%
Combined Error
1.9% 18%
1% 21%
2% 19%
CGP Result
CU = 5 CU = 6
Host Error 0.4% 20%
1.1% 21.4%
CPU Error 2.0% 2.9%
2.23% 18.6%
2.84% 20%
CU = 7
2.0% 17%
Memory Error 0.7%
18.5% 0.5% 20%
3.1% 19%
Combined Error
0% 20%
2.0% 20%
0.31% 21.43%
Summary Result
Trade-Offs of the Proposed Methods
- Advantage
  - Adaptive to Profile Drift
  - Software Based Neural Networks
  - Added protection to critical account / system
- Disadvantage
  - Requires More Computing Resources
  - Requires Negative Samples to Train Neural Networks
  - Must be configured to each user
Summary
- Profile Computer Users Successfully via Basic Attributes
- Neural Networks Capable of Classifying Users
Future Work
- Implement Other Neural Network Techniques
  - Radial Basis Functions
    - Weights have local effect on neuron
- Use Other User Profile Attributes
- Analyze Results to Improve Performance