Intrusion Detection with Neural Networks
DESCRIPTION
With the growth of computer networking, electronic commerce and web services, network security systems have become very important to protect information and networks against malicious usage or attacks. This report designs an Intrusion Detection System using two artificial neural networks: one for Intrusion Detection and the other for Attack Classification.
TRANSCRIPT
Intrusion Detection and Classification Using Neural Networks
Antonio Moran, Ph.D.
Stockholm University, Sweden
May 17, 2013
Information Security in Computer Networks
Information assurance is an issue of serious global concern.
Malicious usage, attacks and sabotage have been on the rise.
Connecting information systems to public networks (Internet, telephone) magnifies the potential for intrusion and attack.
Intrusion in Information Systems and Networks
Intrusion: any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
Intrusion in information systems: any unauthorized access, unauthorized attempt to access, damage, or malicious use of information resources.
Motives to Launch Attacks
Force a network to stop a service (or services)
Steal information stored in a network
Show unhappiness or uneasiness
Obtain economic benefits
Network Attacks
Attacks could result in:
Liability for compromised customer data
Loss of intellectual property
Degraded quality of network service
Great business loss
Need for an Intrusion Detection System
It is difficult (impossible) to ensure that an information system will be free of security flaws.
Computer systems suffer from security vulnerabilities regardless of their purpose, manufacturer or origin.
It is technically difficult, as well as economically costly, to ensure that computer systems and networks are not susceptible to attacks.
Intrusion Detection in Information Systems
Attempting to detect computer attacks by examining data records observed by processes on the same network
Components of an Intrusion Detection System
Information source providing a stream of event records
Analysis engine identifying signs of intrusion, attacks or other policy violations
Response component generating reactions to assure the correct operation of the system
(Diagram: Data → Analysis / Identification → Action)
Types of Information Sources
Network based: data from network traffic and packet streams
Host based: data from sources internal to a computer (operating system level)
Application based: data from running applications
Categories of Analysis Engine
Misuse Detection: searching for something defined to be bad. Detects intrusions that follow well-known patterns of attacks. Cannot detect unknown future intrusions.
Anomaly Detection: searching for something rare or unusual. Analyzes system event streams to find patterns of activity appearing to be abnormal. Computationally intensive.
Categories of Analysis Engine
Misuse Detection: detect known attacks using pre-defined attack patterns and signatures
Anomaly Detection: detect attacks by observing deviations from the normal behavior of the system
Hybrid Analysis Engine
(Diagram: packets from the Internet → Pre-processing → Misuse Detection → Anomaly Detection; traffic judged Normal flows on to the next stage, traffic judged an Attack raises an Alert.)
Implementation of Analysis Engine
Off-Line: runs periodically, detecting intrusions after the fact. Acts in a reactive way.
On-Line (Real-Time): detects intrusions while they are happening, allowing a quick response. Computationally expensive (continuous monitoring).
Dynamic Intrusion Detection System
Hybrid system using misuse and anomaly detection strategies
Not allowing an intruder to train (update) the system incorrectly
Running in real-time
Updating itself continuously over periods of time
Types of Network Attacks
Denial of Service: the attacker makes the computing or memory resources too busy or full to handle legitimate requests, or denies legitimate users access
Remote to User: the attacker gains access as a local user of the network
User to Root: the attacker, starting out with access to a normal user account, tries to gain root (superuser) access and privileges
Probing (Scanning): the attacker scans the network to gather information or detect vulnerabilities
Approaches for Anomaly Detection
Threshold: detecting abnormal activity on a server or network whose magnitude exceeds a given threshold. Ex: abnormal consumption of CPU or memory on one server.
Rule-based Measures: based on sets of predefined rules that are provided by a network administrator or generated by expert systems.
Statistical Measures: statistical models based on historical values, with assumptions about the underlying statistical distribution of user behavior. Ex: Hidden Markov Models.
Soft Computing: Neural Networks, Fuzzy Logic, Genetic Algorithms, Support Vector Machines.
Rule Based Intrusion Detection
Detecting attacks by signature matching.
A set of signatures, describing the characteristics of possible attacks, and the corresponding rules are stored.
The rules are used to evaluate incoming packet stream and detect hostile traffic.
Easy to implement and customize, but requires human domain experts to find signatures and their rules. It works for known patterns of attacks.
Artificial intelligence techniques could be useful
Rule Based Intrusion Detection
Human network administrators usually generate low-complexity rules:
IF Src_Byte=0 OR Src_Byte>500 THEN ‘Alert’
IF CountConnection=50 THEN AttackType=’smurf’ (same host within 2 sec.)
Complex rules can be generated using AI techniques:
IF ip_flags = 0 AND ip_len <=256 AND tcp_csum =0 AND ip_length > 120 AND ip_src <= 1.451703E9 AND tcp_dport <= 82 AND tcp_win <= 23 THEN Malicious.
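As an added example (not from the presentation), the two low-complexity rules above implemented as detection logic in Python and run over a constructed packet list; the record layout, the 2-second sliding window kept per destination host and the sample timestamps are assumptions of this example.

```python
from collections import deque

# Constructed packet records, not captured traffic: (timestamp_s, src_ip, dst_ip, src_bytes)
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 120),
    (0.4, "10.0.0.5", "10.0.0.9", 0),     # Src_Byte = 0
    (0.9, "10.0.0.7", "10.0.0.9", 800),   # Src_Byte > 500
] + [(1.0 + i * 0.02, "10.0.0.5", "10.0.0.9", 60) for i in range(50)]  # burst to one host within 1 s

def src_byte_rule(pkt):
    """IF Src_Byte=0 OR Src_Byte>500 THEN 'Alert' (the low-complexity rule quoted on the slide)."""
    return pkt[3] == 0 or pkt[3] > 500

def connection_count_rule(packets, threshold=50, window_s=2.0):
    """IF CountConnection=50 to the same host within 2 sec THEN AttackType='smurf'.
    Keeps a sliding window of connection timestamps per destination host and fires
    each time the in-window count equals the threshold."""
    recent = {}
    hits = []
    for ts, _src, dst, _bytes in packets:
        q = recent.setdefault(dst, deque())
        q.append(ts)
        while ts - q[0] > window_s:   # drop timestamps older than the window
            q.popleft()
        if len(q) == threshold:
            hits.append((ts, dst, "smurf"))
    return hits

def evaluate(packets):
    """Run both rule kinds over a packet list; returns (per-packet alerts, attack-type hits)."""
    alerts = [("Alert", pkt[0], pkt[1], pkt[2]) for pkt in packets if src_byte_rule(pkt)]
    return alerts, connection_count_rule(packets)
```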
Intrusion Detection Systems
Intrusion Detection Systems alone will not ensure the security of a computer network
Intrusion detection systems must be complemented by firewalls, vulnerability assessment, and a comprehensive security policy
Intrusion Detection and Classification Using Neural Networks
The application of neural networks in Intrusion Detection Systems dates back to 1992
When a Computer Network is Working in Normal / Abnormal State
It is difficult to define all the attributes that characterize a normal or abnormal state.
Let a neural network discover the patterns characterizing a normal state and an abnormal state.
Intrusion Detection and Classification Using Neural Networks
Discover underlying patterns that describe normal user or computer network behavior
Use the patterns to determine:
The state of the network: Normal or Attacked
The type of user: Authorized or Intruder
Intrusion Detection and Classification Using Neural Networks
Hybrid System: Misuse Detection and Anomaly Detection
Runs in real-time
Network Based: packet streams
Intrusion Detection and Classification Using Neural Networks
Two Neural Networks
Neural Network for detecting intrusion. State of the network: normal or with intrusion
Neural Network for classifying intrusion. Four types of intrusion
(Diagram: Packet Stream → Neural Network (Intrusion Detection) → Normal / Intrusion → Neural Network (Intrusion Classification) → Denial of Service / User to Root / Remote to User / Probing)
Neural Network Design Process
Data collection
Definition of inputs and outputs
Input and output data generation
Data normalization
Selection of neural network structure
Neural network training
Neural network validation
What Data To Be Used?
Main features (attributes) of network packet stream
Take a set of network packets
Determine the main features to be analyzed from the packet header (and packet data)
(Diagram: a window of N consecutive packets Pk+1 … Pk+N slides over the packet stream; attribute extraction over each window produces one features vector.)
Window size: 50 - 500
Features vector size: 10 - 50
Features of Window Based Packet Stream
Features are chosen such that their values change perceivably in normal and intrusive conditions.
Packet Stream Features:
Number of IP addresses
Number of protocols and types
Network service on destination (http, telnet)
Number of packets with 0 data length
Average data length
Average window size
Number of packets with 0 window size
Number of failed login attempts
Number of wrong fragments
Number of urgent packets
Number of data bytes from source to destination
Number of data bytes from destination to source
Number of file creation operations
Number of connections with SYN errors
Number of connections to the same service
…
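Added example (not the presenter's code) of the window-based attribute extraction described above: a fixed-size window slides over the packet stream, each window yields one features vector built from the attributes listed, and the vectors are normalized before they reach the network. The Packet fields, the direction convention relative to a monitored host and the six-packet sample stream are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List

@dataclass
class Packet:
    """Constructed per-packet header summary (not a real capture format)."""
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp"
    service: int      # destination port; 0 when the protocol has none
    data_len: int     # payload bytes
    win: int          # TCP window size; 0 for non-TCP
    syn_err: bool = False   # connection attempt that failed (e.g. answered by RST)

FEATURE_NAMES = ["n_ips", "n_protocols", "n_zero_len", "avg_len", "avg_win", "n_zero_win",
                 "bytes_to_host", "bytes_from_host", "n_syn_err", "n_same_service"]

def features(window: List[Packet], host: str) -> List[float]:
    """Feature vector for one window, following the attribute list on the slides.
    Direction is taken relative to the monitored `host` (an assumption of this example)."""
    n = len(window)
    top_service = Counter(p.service for p in window).most_common(1)[0][1] if n else 0
    return [
        len({p.src for p in window} | {p.dst for p in window}),
        len({p.proto for p in window}),
        sum(p.data_len == 0 for p in window),
        sum(p.data_len for p in window) / n if n else 0.0,
        sum(p.win for p in window) / n if n else 0.0,
        sum(p.win == 0 for p in window),
        sum(p.data_len for p in window if p.dst == host),
        sum(p.data_len for p in window if p.src == host),
        sum(p.syn_err for p in window),
        top_service,
    ]

def windows(stream: List[Packet], size: int, stride: int):
    """Slide a fixed-size window (50-500 packets in the design) over the stream."""
    for start in range(0, len(stream) - size + 1, stride):
        yield stream[start:start + size]

def normalize(vectors: List[List[float]]) -> List[List[float]]:
    """Scale each feature to [0, 1] by its maximum over the training set (the design's normalization step)."""
    maxes = [max(col) or 1.0 for col in zip(*vectors)]
    return [[v / m for v, m in zip(vec, maxes)] for vec in vectors]

# Constructed six-packet stream: a web exchange, two failed telnet connections, a DNS exchange.
STREAM = [Packet("10.0.0.5", "10.0.0.9", "tcp", 80, 300, 8192), Packet("10.0.0.9", "10.0.0.5", "tcp", 80, 1200, 8192),
          Packet("10.0.0.6", "10.0.0.9", "tcp", 23, 0, 0, syn_err=True), Packet("10.0.0.6", "10.0.0.9", "tcp", 23, 0, 0, syn_err=True),
          Packet("10.0.0.7", "10.0.0.9", "udp", 53, 60, 0), Packet("10.0.0.9", "10.0.0.7", "udp", 53, 120, 0)]
```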
Neural Network for Intrusion Detection
Inputs: window packet features vector (40 features)
Outputs: code for every state of the network
Normal: 1 0
Intrusion (Attack): 0 1
(Diagram: 40 Inputs → 2 Outputs)
Neural Network Training Data
40 Inputs → 2 Outputs
12 24 05 00 02 04 09 14 15 21 08 00 … → 0 1
04 21 16 12 10 21 01 17 04 13 19 10 … → 1 0
01 13 15 21 12 11 12 11 05 11 06 12 … → 1 0
14 14 06 15 08 13 10 11 14 06 08 19 … → 0 1
…
16000 pairs: 10000 Normal, 6000 Attack
(Diagram: two-layer network with coefficients v_ij, w_jk)
Neural Network Training and Validation
Training: 16000 input-output pairs
Validation: 5000 input (feature vectors)
Determining coefficients v_ij, w_jk
Computing network outputs for every input and determining the state of the network: normal or attack
(Diagram: 40 Inputs → 2 Outputs, coefficients v_ij, w_jk)
Neural Network Validation
In validation (testing), inputs are different from those used in training
Input 1 → Output: 0.85 0.15 → code 1 0 → Normal
Input 2 → Output: 0.11 0.88 → code 0 1 → Attack
…
Neural Network Validation
Intrusion Detection
State    Number of Tests   Detected as Normal   Detected as Attack
Normal   3000              94% (correct)        6%
Attack   2000              10%                  90% (correct)
False positive (normal behavior is rejected): 6%
False negative (attack considered as normal): 10%
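Added example (not the author's implementation) of the two-layer network with coefficients v_ij and w_jk, trained by backpropagation on constructed, already-normalized feature vectors, then decoded with the output codes above (1 0 = Normal, 0 1 = Attack) and tallied into the kind of detection table shown; the same largest-output decoding serves the four-output classifier. Network size, bias handling, learning rate and the sample data are assumptions of this example.

```python
import math, random

def sigmoid(x): return 1.0 / (1.0 + math.exp(-x))

class TwoLayerNet:
    """Coefficients v[i][j] (inputs -> hidden) and w[j][k] (hidden -> outputs), the v_ij / w_jk
    of the slides; the extra last row of each matrix is a bias weight (an assumption here)."""
    def __init__(self, n_in, n_hid, n_out, seed=7):
        rnd = random.Random(seed)
        self.v = [[rnd.uniform(-0.5, 0.5) for _ in range(n_hid)] for _ in range(n_in + 1)]
        self.w = [[rnd.uniform(-0.5, 0.5) for _ in range(n_out)] for _ in range(n_hid + 1)]

    def forward(self, x):
        xb = list(x) + [1.0]
        h = [sigmoid(sum(xb[i] * self.v[i][j] for i in range(len(xb)))) for j in range(len(self.v[0]))]
        hb = h + [1.0]
        y = [sigmoid(sum(hb[j] * self.w[j][k] for j in range(len(hb)))) for k in range(len(self.w[0]))]
        return h, y

    def train(self, pairs, epochs=1000, lr=0.5):
        """Plain backpropagation on squared error; pairs are (feature vector, target code)."""
        for _ in range(epochs):
            for x, t in pairs:
                h, y = self.forward(x)
                xb, hb = list(x) + [1.0], h + [1.0]
                dy = [(y[k] - t[k]) * y[k] * (1.0 - y[k]) for k in range(len(y))]
                dh = [h[j] * (1.0 - h[j]) * sum(dy[k] * self.w[j][k] for k in range(len(dy))) for j in range(len(h))]
                for j in range(len(hb)):
                    for k in range(len(dy)):
                        self.w[j][k] -= lr * dy[k] * hb[j]
                for i in range(len(xb)):
                    for j in range(len(dh)):
                        self.v[i][j] -= lr * dh[j] * xb[i]

def decode(y, labels):
    """Pick the label whose code has the 1 where the output is largest (0.85 0.15 -> Normal)."""
    return labels[max(range(len(y)), key=y.__getitem__)]

def validate(net, samples, labels):
    """Confusion counts {actual: {predicted: n}}; false positives/negatives are the off-diagonal cells."""
    table = {a: {p: 0 for p in labels} for a in labels}
    for x, actual in samples:
        table[actual][decode(net.forward(x)[1], labels)] += 1
    return table

# Constructed, already-normalized 4-feature windows (stand-ins for the 40-feature vectors of the design).
STATES = ["Normal", "Intrusion"]
TRAIN = [([0.1, 0.2, 0.1, 0.8], [1, 0]), ([0.2, 0.1, 0.0, 0.9], [1, 0]), ([0.15, 0.25, 0.05, 0.7], [1, 0]),
         ([0.9, 0.8, 0.7, 0.2], [0, 1]), ([0.8, 0.9, 0.9, 0.1], [0, 1]), ([0.95, 0.7, 0.8, 0.3], [0, 1])]
VALID = [([0.12, 0.18, 0.08, 0.75], "Normal"), ([0.88, 0.82, 0.75, 0.2], "Intrusion")]
```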
Neural Network for Intrusion Detection
It is expected that any significant deviation from the normal behavior is considered an attack
It is expected to perform well at detecting unknown intrusions and even zero-day attacks
Neural Network for Attack Classification
An attack has been detected by the previous neural network.
Now it is required to determine the type of attack:
Denial of Service
User to Root
Remote to User
Probing
Neural Network for Attack Classification
Inputs: window packet features vector (40 features)
Outputs: code for every type of attack
Denial of Service: 1 0 0 0
User to Root: 0 1 0 0
Remote to User: 0 0 1 0
Probing: 0 0 0 1
(Diagram: 40 Inputs → 4 Outputs)
Neural Network Training Data
40 Inputs → 4 Outputs
12 24 05 00 02 04 09 14 15 21 08 00 … → 0 1 0 0
04 21 16 12 10 21 01 17 04 13 19 10 … → 1 0 0 0
01 13 15 21 12 11 12 11 05 11 06 12 … → 0 0 0 1
14 14 06 15 08 13 10 11 14 06 08 19 … → 0 1 0 0
…
6000 pairs
(Diagram: two-layer network with coefficients v_ij, w_jk)
Neural Network Training and Validation
Training: 6000 input-output pairs
Validation: 2000 input (feature vectors)
Determining coefficients v_ij, w_jk
Computing network outputs for every input and determining the type of attack
(Diagram: 40 Inputs → 4 Outputs, coefficients v_ij, w_jk)
Neural Network Validation
In validation (testing), inputs are different from those used in training
Input 1 → Output: 0.85 0.15 0.24 0.01 → code 1 0 0 0 → Denial of Service
Input 2 → Output: 0.11 0.08 0.18 0.91 → code 0 0 0 1 → Probing
…
Neural Network Validation
Attack Classification
Type of Attack       Number of Tests   Correct Detection Rate
Denial of Service    600               91%
User to Root         500               81%
Remote to User       300               69%
Probing              600               90%
Data to Design and Evaluate IDS Systems
Own Generation
DARPA KDD Data Base: Knowledge Discovery and Data Mining Tools Competition. Standard benchmark for intrusion detection evaluations.