EMBEDDABLE HYBRID INTRUSION DETECTION SYSTEM
Adrian P. Lauf, Department of Electrical Engineering and Computer Science, Vanderbilt University
(PowerPoint presentation, 28 slides)


TRANSCRIPT

Page 1: Title

EMBEDDABLE HYBRID INTRUSION DETECTION SYSTEM
Adrian P. Lauf
Department of Electrical Engineering and Computer Science, Vanderbilt University

Page 2: Embeddable Intrusion Detection System (IDS)

Scenario: identify a malicious agent in networked embedded systems while minimizing computational overhead.

Research goals:
- System-on-a-chip implementation
- Minimal HW resource overhead
- Low power consumption
- Flexibility for changes in the system

Method: develop a system that provides high-level analysis of interactions in a homogeneous device network.

Page 3: Embedded Device Outlook

- Provide a hybrid detection system while minimizing performance impacts
- Reduces memory allocation requirements
- HybrIDS performance underscores an efficient management of computational cycles
- Balanced computational requirements and accuracy yield embedded application performance
- Multiple interface compatibility: TCP/UDP network interface (UDP default); disk-based interface for simulation purposes; serial I/O capability
- Java 5 platform yields a portable embedded device platform
- Optimization for an ARM9 development environment

Page 4: Outline

- Concept Primitives: Example Scenario; System-level abstraction; Computational Effort Management and Terminology
- Maxima Detection System (MDS): System configuration; Algorithmic Detail; Performance Assessment
- Cross-Correlative Intrusion Detection System (CCIDS): System Configuration; Detection Method; Score Analysis; Threshold Determination
- Hybrid Intrusion Detection System (HybrIDS): Transitioning Methodology; HybrIDS performance; System-level Implementation
- Summary

Page 5: What is a traditional IDS?

- Classifies traffic patterns
- Centralized point of analysis
- Observation of data packets; not context-sensitive
- Packet analysis is compute intensive
- Less effective for ad-hoc networks

Page 6: A Decentralized Approach for Embedded Networks

- Reduce dependence on a single system
- Reduce power consumption
- Reduce compute-intensive operations
- Allows for group consensus decisions
- Each unit maintains a model of the world
- Reduces chance of tampering with a centralized system

Page 7: Scenario: Autonomous Aircraft Network

- A collection of several aircraft (i.e., agents)
- A general mission or goal established (e.g. reconnaissance)
- Bidirectional communication between all agents
- Inter-node communications can include: attitude/position requests, grouping pattern requests, obstacle avoidance, mission updates

Page 8: Simplifying by Abstraction

- Actions classified by labels
- Action histories recorded
- Each node maintains action histories from its point of view
- Abstraction permits context independence
- Applicable to any system using predetermined actions

Figure (bar chart, count axis 0 to 100): action-label counts recorded per aircraft

              Action 1   Action n-1   Action n
  Aircraft 1      1          30          25
  Aircraft 2      2          32          20
  Aircraft 3      1          50          22
  Aircraft 4     12           2          80

Page 9: Computational Cycle Management

Scalability and embedded performance aspects:
- Reduce computational intensity
- Allow for node addition with minimal impact on performance

Terminology:
- DPC, Data Processing Cycle: a computationally intensive cycle; performs the IDS analysis
- DCC, Data Collection Cycle: minimally computationally intensive; executed for received transaction requests

Page 10: Number of DCCs per DPC

- DPC executed upon reaching τ DCCs per node (average)
- More nodes yield a more accurate representation of the system: requires fewer data points, yields an earlier transition
- Computed by:

)(0 gk

Page 11: Outline (repeated from page 4)

Page 12: Maxima Detection: Theory

- Histograms formed for each connected node: node A will track B, C, and D
- Average system behavior obtained by averaging across observed nodes
- Bins correspond to action labels
- Data must be normalized to a distribution (e.g. Gaussian, Chi2)

Figure: the per-node histograms (labels x nodes) are summed and divided by (n-1), written Σ/(n-1), giving the average behavioral PDF for the system.

Page 13: Maxima Detection Algorithm

- Resultant vector yields an approximate PDF
- Find the global maximum, exclude it
- Identify and mark local maxima
- A local maximum yields likely intrusion-motivated behaviors
- Reverse-map this label to the node with the most frequent occurrence
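The DCC/DPC scheduling of pages 9 and 10 and the maxima detection of pages 12 and 13, worked together as an added Python example that is not code from the presentation (HybrIDS itself is Java). The node names, action labels, request histories and the value τ = 4 are constructed; comparing each bin only with its two neighbours and taking the largest remaining local maximum are my reading of the algorithm, not the author's implementation.

```python
from collections import Counter, defaultdict

# Action labels from the aircraft scenario; one histogram bin per label.
LABELS = ["attitude", "position", "grouping", "avoidance", "mission"]
# Constructed histories seen by observer node A: B, C, D normal; E floods mission updates.
PER_NODE = {
    "B": ["attitude"] * 3 + ["position"] * 4 + ["grouping"],
    "C": ["attitude"] * 3 + ["position"] * 5 + ["grouping", "avoidance"],
    "D": ["attitude"] * 2 + ["position"] * 4 + ["grouping"] * 2,
    "E": ["attitude", "position"] + ["mission"] * 6,
}
# Round-robin interleave: the order in which A receives the 34 requests.
TRACE = [(n, s[i]) for i in range(10) for n, s in PER_NODE.items() if i < len(s)]

class MaximaDetector:
    """Node-local MDS: cheap DCCs accumulate counts; a DPC runs the analysis."""
    def __init__(self, labels, tau):
        self.labels, self.tau = labels, tau    # tau: avg DCCs per node per DPC
        self.counts = defaultdict(Counter)      # observed node -> label counts
        self.dccs = 0
    def dcc(self, node, label):
        """Data Collection Cycle: record one received request (O(1) work)."""
        self.counts[node][label] += 1
        self.dccs += 1
        if self.dccs / len(self.counts) >= self.tau:  # tau DCCs per node reached
            self.dccs = 0
            return self.dpc()
        return None
    def pdf(self, node):
        return [self.counts[node][lab] / sum(self.counts[node].values()) for lab in self.labels]
    def average_pdf(self):
        """Sigma/(n-1): average the observed nodes' PDFs (observer excluded)."""
        nodes = list(self.counts)
        return [sum(self.pdf(n)[i] for n in nodes) / len(nodes)
                for i in range(len(self.labels))]
    def dpc(self):
        """Data Processing Cycle: maxima detection on the averaged PDF."""
        avg = self.average_pdf()
        gmax = max(range(len(avg)), key=avg.__getitem__)  # normal behaviour, excluded
        local = [i for i in range(len(avg)) if i != gmax
                 and avg[i] > (avg[i - 1] if i > 0 else -1)
                 and avg[i] > (avg[i + 1] if i + 1 < len(avg) else -1)]
        if not local:                        # no secondary peak: nothing to flag
            return None
        label = self.labels[max(local, key=avg.__getitem__)]
        return max(self.counts, key=lambda n: self.counts[n][label])  # reverse-map label -> node

def run_trace(tau=4):
    """Replay the constructed trace; return the detector and each DCC's verdict."""
    det = MaximaDetector(LABELS, tau)
    return det, [det.dcc(n, lab) for n, lab in TRACE]
```

Replaying the trace triggers two DPCs (after 16 and 32 DCCs, i.e. an average of four per observed node); both name E, whose mission-update spam forms the only secondary peak of the averaged PDF.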

Page 14: MDS Identification Performance

- Deviant node pervasion: percentage of nodes in the cluster that are issuing malicious requests
- MDS typically detects a deviant node within the first iteration
- The detected node fluctuates within the space of deviant nodes

Page 15: Outline (repeated from page 4)

Page 16: Cross Correlation

- Cross correlation technique generates individual profile scores
- Compared to the average score for the system PDF
- Provides multiple detection capability
- Induces false positives: they typically disappear after future iterations, and are resolved by setting a proper threshold

Page 17: Detection Method: Cross-correlation

Figure: each node's label histogram is cross-correlated with the average PDF (Σ/(n-1) over the observed nodes), giving that node's Score.

Page 18: Threshold Setting

Score analysis:
- The average score is computed
- Each score is compared to the average
- Deviance determined by a threshold

Figure: Score (0 to 0.5) against Node Number (0 to 10), with the threshold bounds, the mean score line and the suspected deviant node marked.

Page 19: Threshold Requirements

- Threshold varies for each scenario
- Representative of a percentage deviation required for suspicion of a node
- Variability of thresholds is a weakness of CCIDS: can cause generation of false positives; reduced by selecting a proper threshold
- A minimal baseline threshold is possible, but the system may never converge

Page 20: Required Thresholds for Proper Detection (CCIDS)

- Threshold drops linearly dependent on deviant node pervasion
- Number of nodes has negligible impact on threshold requirements
- 0.2 represents 100% deviation in this figure: detects only nodes that vary significantly
- 0.02 represents a 10% deviation: more sensitive to smaller node deviations

Page 21: Outline (repeated from page 4)

Page 22: Why a hybrid approach?

- MDS: requires no training data; can isolate a single anomaly
- CCIDS: requires training data; can detect multiple anomalies; more flexible to system changes

Figure: timeline along Time/DCC Progression, MDS phase first, then CCIDS.

Page 23: How does HybrIDS Choose?

- A HybridState object determines if the transition point has been reached
- If one of the results from CCIDS matches a suspected node from MDS, a match is considered found

Page 24: Transitioning

- Increasing the deviant node pervasion requires more tuning cycles
- Threshold adjusted once per tuning cycle
- Figure represents an average for all node sizes
- Number of transition cycles is independent of node cluster size
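Cross-correlation scoring and threshold selection (pages 16 to 19) and the HybrIDS transition check (pages 23 and 24), as an added Python example that is not the presentation's code. The label counts and node names are constructed; treating the threshold as a fraction of the mean score, and lowering it by a fixed step once per tuning cycle, are assumptions; the MDS suspect is passed in rather than recomputed.

```python
# Constructed label counts per observed node over the five aircraft-scenario
# labels (attitude, position, grouping, avoidance, mission). B, C, D and G are
# normal; E floods mission updates and F floods grouping/avoidance requests.
COUNTS = {
    "B": [3, 4, 1, 0, 0], "C": [3, 5, 1, 1, 0], "D": [2, 4, 2, 0, 0],
    "G": [3, 6, 1, 0, 0], "E": [1, 1, 0, 0, 6], "F": [0, 0, 6, 2, 0],
}

def pdf(counts):
    """Normalise one node's label histogram to a probability distribution."""
    total = sum(counts)
    return [c / total for c in counts]

def ccids(counts_by_node, threshold):
    """Cross-correlative detection: score each node's PDF against the averaged
    system PDF and flag scores that deviate from the mean score by more than
    `threshold`, expressed as a fraction of the mean (assumed convention)."""
    pdfs = {n: pdf(c) for n, c in counts_by_node.items()}
    n_bins = len(next(iter(pdfs.values())))
    avg = [sum(p[i] for p in pdfs.values()) / len(pdfs) for i in range(n_bins)]
    # Zero-lag cross-correlation of each profile with the average PDF.
    scores = {n: sum(a * b for a, b in zip(p, avg)) for n, p in pdfs.items()}
    mean = sum(scores.values()) / len(scores)
    return {n for n, s in scores.items() if abs(s - mean) / mean > threshold}

def hybrid_transition(counts_by_node, mds_suspect, start=0.5, step=0.05, floor=0.05):
    """HybridState-style check (assumed tuning rule): lower the CCIDS threshold
    once per tuning cycle until the flagged set contains the MDS suspect, or
    give up when the baseline threshold is reached without converging."""
    for cycle in range(round((start - floor) / step) + 1):
        threshold = start - step * cycle      # adjusted once per tuning cycle
        flagged = ccids(counts_by_node, threshold)
        if mds_suspect in flagged:           # match found: hand over to CCIDS
            return cycle, threshold, flagged
    return None                               # baseline reached, never converged
```

With these counts a threshold of 0.25 flags both deviants, 0.20 also flags the normal node G (the false positive the slides warn about), and the tuning loop hands over to CCIDS at 0.30, the first threshold at which the MDS suspect E is flagged.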

Page 25: How does it perform? HybrIDS Performance Analyzed

- HybrIDS can reliably detect deviant nodes up to 22% pervasion
- 25% pervasion and up removes the element of determinacy
- Scalability by percentage pervasion
- Number of nodes in the cluster does not affect scalability concerns
- Graph includes total time: MDS, transition and CCIDS cycles

Page 26: HybrIDS Implementation

- Implemented in Java 5 (1.5): introduces code portability
- ARM9 development board target
- 2.73 KB memory footprint for a 35-agent system with 10 behaviors
- MDS and CCIDS use a shared data structure
- Storage footprint less than 46 KB
- Flexible interface implementation: TCP/UDP for the network interface; disk-based access for simulation; RS-232/serial interface possible

Page 27: Outline (repeated from page 4)

Page 28: Summary

- Two-phased approach gives HybrIDS a detection advantage in an abstracted homogeneous device network
- MDS provides accurate, single-anomaly detection; requires no training data
- CCIDS provides multiple-anomaly detection; requires a training threshold
- DPC/DCC computational cycle management reduces embedded device load
- Decentralized approach increases reliability and allows for ad-hoc network arrangement
- HybrIDS detection accuracy and determinacy viable through 22% deviant node pervasion
- Java implementation and small footprint assure integration ease and platform cross-compatibility
- HybrIDS is scalable based on the deviant node pervasion, not the number of nodes