CISC 879 - Machine Learning for Solving Systems Problems

A Blackboard-Based Learning Intrusion Detection System: A New Approach

Presented by: Preeti Anday
Dept of Computer & Information Sciences, University of Delaware
What is a blackboard?

[Figure: Blackboard Architecture. A central Blackboard is shared by several Knowledge Sources (KS), each of which reads from and posts to it; a Controller decides which KS gets to act.]
What is an IDS?
An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations.
Intrusion Detection

• Anomaly Detection
• Misuse Detection

Intrusion Detection

Based on the area of the system they audit:
• Host based
A security system that detects abuses from inside a computer system
• Network based
Capable of identifying abusive uses or attempts at unauthorized use of the computer network from outside the system
Prior Approaches

Rule based analysis:
1. Predefined rule set
2. Expert systems
3. Drawbacks
• Inability to detect attack scenarios
• Lack of flexibility
• Variations in the attack sequence reduce the effectiveness of the system
Common Types Of Malicious Attacks

• Denial-of-service Attack (DoS)
• Guessing rlogin Attack
• Scanning Attack
Autonomous Agents

What are Autonomous agents?
• Software agents that perform certain security monitoring functions at the host
• Independent entities
• Have minimal overhead and can resist subversion
• Dynamically reconfigurable, scalable and easily adaptable
• Degrade gracefully
Learning Intrusion Detection System Architecture
Tier 1

Contains the autonomous agents required for the initial alert feature:

A1: Network reader
Collects network data with the help of a program called tcpdump
Posts them on the blackboard

A2: Initial Analyzer
Calls a rule-based classifier written as a DLL in C++

A3: Display/Output agent
Reports the initial analysis to the user
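As an added example (not the paper's or the presenter's code), here is the Tier 1 rule-based initial analysis in Python: a parser for the tcpdump-style lines A1 would collect, a per-(source, destination) summary, and a predefined rule set covering the three attack types listed earlier. The line format, the thresholds and the capture are constructed assumptions. The last sample shows the drawback noted under Prior Approaches: a scan that varies the sequence (fewer ports than the rule expects) slips under the fixed rule.

```python
"""Rule-based initial analysis of tcpdump-style records (added example)."""
import re
from collections import defaultdict

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")


def _rec(src, sport, dst, dport, flags):
    """Build one constructed tcpdump-like line (sample data, not a real capture)."""
    return f"10:00:00.000 IP {src}.{sport} > {dst}.{dport}: Flags [{flags}]"


VICTIM = "192.168.1.10"
SAMPLE_CAPTURE = "\n".join(
    # one ordinary handshake
    [_rec("10.0.0.3", 51000, VICTIM, 80, "S"), _rec(VICTIM, 80, "10.0.0.3", 51000, "S."),
     _rec("10.0.0.3", 51000, VICTIM, 80, ".")]
    # SYN flood: many new connection attempts from one source to one host
    + [_rec("10.0.0.5", 40000 + i, VICTIM, 80, "S") for i in range(10)]
    # rlogin guessing: repeated connection attempts to port 513
    + [_rec("10.0.0.9", 42000 + i, VICTIM, 513, "S") for i in range(4)]
    # scanning: one source probes many distinct ports
    + [_rec("10.0.0.7", 43000 + i, VICTIM, p, "S") for i, p in enumerate([21, 22, 23, 25, 80, 110])])

# A scan that stays below the rule's threshold: the fixed rule set misses it.
EVASIVE_SCAN = "\n".join(
    _rec("10.0.0.7", 44000 + i, VICTIM, p, "S") for i, p in enumerate([21, 22, 23, 25]))


def parse_capture(text):
    """Extract src, dst, dport and flags from each line that looks like tcpdump output."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, _sport, dst, dport, flags = m.groups()
            records.append({"src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return records


def summarize(records):
    """Per (src, dst) pair: pure SYNs (new connection attempts), rlogin attempts, distinct ports."""
    stats = defaultdict(lambda: {"syn": 0, "rlogin_attempts": 0, "ports": set()})
    for r in records:
        if "S" in r["flags"] and "." not in r["flags"]:   # [S] only, not [S.] or [.]
            s = stats[(r["src"], r["dst"])]
            s["syn"] += 1
            s["ports"].add(r["dport"])
            if r["dport"] == 513:                         # rlogin service port
                s["rlogin_attempts"] += 1
    return stats


# The predefined rule set; the thresholds are assumptions made for this example.
RULES = [
    ("Denial-of-service (SYN flood)", lambda s: s["syn"] >= 8),
    ("Guessing rlogin", lambda s: s["rlogin_attempts"] >= 3),
    ("Scanning", lambda s: len(s["ports"]) >= 5),
]


def classify(records, rules=RULES):
    """Return sorted (rule name, src, dst) alerts for every pair that matches a rule."""
    alerts = []
    for (src, dst), s in summarize(records).items():
        alerts.extend((name, src, dst) for name, rule in rules if rule(s))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in classify(parse_capture(SAMPLE_CAPTURE)):
        print(*alert)
    print("evasive scan alerts:", classify(parse_capture(EVASIVE_SCAN)))
```

The rules are data, not code paths, which is what lets a teaching agent later add or tighten them without touching the parser.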
Tier 2

Contains the agents that analyze system-specific information:

A4: System reader
Gathers system-specific information on the protected system
Posts it on the blackboard

A5: Attack classifier
Identifies the different subclasses of intrusions present in the network
Sends information from the blackboard to the classifier, which performs the diagnosis and posts the results on the blackboard
Tier 2 contd.

The information gathered by A4 includes:
• Available network bandwidth
• CPU usage
• Network packets
• Memory usage
• Number of connections
• Connection attempts
• Protocol
• Packet length
Tier 2 contd.

The classifier used in A5 is a micro genetic algorithm based classifier that uses the multiple fault diagnosis concept to perform the necessary function.
The result states what type of attack is present and what its probability of presence in the data set is.
The genetic algorithm is capable of determining the sub-classifications of attacks.
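The slides name the technique (a micro-GA, multiple fault diagnosis, a probability of presence per attack, attack sub-classification) without showing it. As an added example, not the paper's classifier, here is a micro-GA in Python over a constructed attack-to-symptom model: a hypothesis is a bit string over attack subclasses, fitness rewards explained symptoms and penalises both predicted-but-unobserved symptoms and hypothesis size, the tiny population restarts around the elite whenever it converges, and a presence probability per attack is derived from the fitness of every hypothesis evaluated. The model, symptom names, subclass mapping, weights and GA parameters are all assumptions.

```python
"""Micro-GA multiple-fault diagnosis of attack subclasses (added example, not the paper's classifier)."""
import math
import random

# Constructed causal model: attack subclass -> symptoms it produces in the system
# features A4 gathers (bandwidth, CPU, memory, connections, connection attempts, ...).
ATTACK_MODEL = {
    "syn_flood":       {"many_half_open_connections", "low_available_bandwidth"},
    "icmp_flood":      {"low_available_bandwidth", "high_cpu"},
    "port_scan":       {"many_connection_attempts", "many_distinct_ports"},
    "rlogin_guessing": {"many_connection_attempts", "repeated_rlogin_failures"},
    "fork_bomb":       {"high_cpu", "high_memory"},
}
SUBCLASS_OF = {"syn_flood": "DoS", "icmp_flood": "DoS", "fork_bomb": "DoS",
               "port_scan": "Scanning", "rlogin_guessing": "Guessing rlogin"}
ATTACKS = sorted(ATTACK_MODEL)            # fixed gene order: one bit per attack subclass

# Constructed observation for one process cycle.
OBSERVED = {"many_half_open_connections", "low_available_bandwidth",
            "many_connection_attempts", "many_distinct_ports"}


def decode(genome):
    return {a for a, bit in zip(ATTACKS, genome) if bit}


def fitness(genome, observed=OBSERVED):
    """Multiple-fault diagnosis score: reward explained symptoms, penalise symptoms the
    hypothesis predicts but that were not observed, and prefer small hypotheses."""
    hypothesis = decode(genome)
    predicted = set().union(*(ATTACK_MODEL[a] for a in hypothesis))
    return 3.0 * len(observed & predicted) - 1.0 * len(predicted - observed) - 0.5 * len(hypothesis)


def micro_ga(observed=OBSERVED, pop_size=5, generations=200, mutation=0.2, seed=7):
    """Micro-GA: tiny population, elitism, restart around the elite whenever it converges."""
    rng = random.Random(seed)
    evaluated = {}                        # genome -> fitness of every hypothesis ever scored

    def score(g):
        if g not in evaluated:
            evaluated[g] = fitness(g, observed)
        return evaluated[g]

    def random_genome():
        return tuple(rng.randint(0, 1) for _ in ATTACKS)

    population = [random_genome() for _ in range(pop_size)]
    elite = max(population, key=score)
    for _ in range(generations):
        if all(g == elite for g in population):      # converged: reseed, keep the elite
            population = [elite] + [random_genome() for _ in range(pop_size - 1)]
        children = [elite]                            # elitism
        while len(children) < pop_size:               # tournament, uniform crossover, bit flips
            p1 = max(rng.sample(population, 2), key=score)
            p2 = max(rng.sample(population, 2), key=score)
            child = tuple(rng.choice(genes) for genes in zip(p1, p2))
            children.append(tuple(b ^ int(rng.random() < mutation) for b in child))
        population = children
        elite = max(population, key=score)
    # Probability of presence: weight every hypothesis seen by exp(fitness - best) and
    # sum the weight of those that contain each attack.
    best = evaluated[elite]
    weights = {g: math.exp(f - best) for g, f in evaluated.items()}
    total = sum(weights.values())
    presence = {a: sum(w for g, w in weights.items() if a in decode(g)) / total for a in ATTACKS}
    return {"attacks": decode(elite), "classes": sorted({SUBCLASS_OF[a] for a in decode(elite)}),
            "fitness": best, "presence": presence}


if __name__ == "__main__":
    result = micro_ga()
    print(result["classes"], result["attacks"], result["fitness"])
    for attack, p in sorted(result["presence"].items(), key=lambda kv: -kv[1]):
        print(f"  {attack:16s} P(present) = {p:.2f}")
```

On the constructed observation the only hypothesis that explains every symptom without predicting any unobserved one is {syn_flood, port_scan}, so it scores highest (11.0) and its members receive a high presence probability, while fork_bomb, which only adds unobserved symptoms, stays low.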
Tier 3

Contains the autonomous agents that give full details of the attacks:

A6: Analyzer with ANN
Analyzes the information
Decides which type of ANN will be useful for further analysis
If the analysis finds no attack in the dataset, the agent flags the dataset as a false positive alarm
Tier 3 contd.

A7: Teaching agent
Updates the rule set of A2

A8: Report generation
Displays a complete report of the analysis to the user

Since the agents are autonomous, a control pattern is included to ensure that each agent gets at least one chance to look at the blackboard in one process cycle.
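To tie the blackboard architecture from the opening slide to the three tiers of agents, here is an added example (not the paper's code) in Python: a blackboard, the agents A1 to A8 as knowledge sources that fire when their inputs are posted, a controller whose cycle offers every agent exactly one look at the blackboard, and the teaching loop in which A7 installs a rule into A2 after A5 and A6 confirm an attack that A2's rules missed. The feeds, thresholds, signatures and learnable rules are constructed assumptions; signature matching stands in for the micro-GA classifier and a presence check stands in for the ANN analysis. The agents are deliberately polled in reverse tier order so that the per-cycle history shows the control pattern at work.

```python
class Blackboard:                  # shared store: agents read from it and post results to it
    def __init__(self): self.entries = {}
    def post(self, key, value): self.entries[key] = value
    def get(self, key): return self.entries.get(key)
    def has(self, *keys): return all(k in self.entries for k in keys)

class Agent:                       # a knowledge source: fires once its inputs exist and its output does not
    name, needs, posts = "?", (), ()
    def ready(self, bb): return bb.has(*self.needs) and not bb.has(*self.posts)

class NetworkReader(Agent):        # A1: stand-in for tcpdump, copies the constructed feed
    name, needs, posts = "A1", ("net_feed",), ("network_data",)
    def act(self, bb): bb.post("network_data", bb.get("net_feed"))

class InitialAnalyzer(Agent):      # A2: rule-based classifier; A7 may extend its rule set
    name, needs, posts = "A2", ("network_data",), ("initial_alert",)
    def __init__(self): self.rules = {"syn_flood": lambda s: s["syn_count"] >= 8}  # assumed threshold
    def act(self, bb):
        s = bb.get("network_data")
        bb.post("initial_alert", sorted(n for n, rule in self.rules.items() if rule(s)))

class Display(Agent):              # A3
    name, needs, posts = "A3", ("initial_alert",), ("displayed",)
    def act(self, bb): bb.post("displayed", f"initial alert: {bb.get('initial_alert')}")

class SystemReader(Agent):         # A4: stand-in for the system monitor
    name, needs, posts = "A4", ("initial_alert", "sys_feed"), ("system_data",)
    def act(self, bb): bb.post("system_data", bb.get("sys_feed"))

# Constructed signatures over system symptoms: a simple stand-in for the micro-GA classifier.
SIGNATURES = {"syn_flood": {"many_half_open_connections"}, "port_scan": {"many_distinct_ports"},
              "fork_bomb": {"high_cpu", "high_memory"}}

class AttackClassifier(Agent):     # A5
    name, needs, posts = "A5", ("system_data",), ("diagnosis",)
    def act(self, bb):
        symptoms = bb.get("system_data")
        bb.post("diagnosis", {a for a, sig in SIGNATURES.items() if sig <= symptoms})

class Analyzer(Agent):             # A6: no attack found in the data => the initial alert was a false positive
    name, needs, posts = "A6", ("diagnosis",), ("verdict",)
    def act(self, bb): bb.post("verdict", "confirmed" if bb.get("diagnosis") else "false_positive")

LEARNABLE_RULES = {"port_scan": lambda s: s["distinct_ports"] >= 5,     # assumed thresholds
                   "rlogin_guessing": lambda s: s["rlogin_attempts"] >= 3}

class TeachingAgent(Agent):        # A7: feeds confirmed findings back into A2's rule set
    name, needs, posts = "A7", ("verdict",), ("rules_updated",)
    def __init__(self, analyzer): self.analyzer = analyzer
    def act(self, bb):
        added = []
        if bb.get("verdict") == "confirmed":
            for attack in sorted(bb.get("diagnosis")):
                if attack in LEARNABLE_RULES and attack not in self.analyzer.rules:
                    self.analyzer.rules[attack] = LEARNABLE_RULES[attack]
                    added.append(attack)
        bb.post("rules_updated", added)

class ReportGenerator(Agent):      # A8
    name, needs, posts = "A8", ("verdict",), ("report",)
    def act(self, bb):
        bb.post("report", {"initial_alert": bb.get("initial_alert"),
                           "diagnosis": sorted(bb.get("diagnosis")), "verdict": bb.get("verdict")})

class Controller:                  # control pattern: each cycle gives every agent one look at the blackboard
    def __init__(self, agents): self.agents = agents
    def run(self, bb, max_cycles=20):
        history = []                                   # agents that contributed, per cycle
        for _ in range(max_cycles):
            acted = []
            for agent in self.agents:
                if agent.ready(bb):
                    agent.act(bb)
                    acted.append(agent.name)
            if not acted:                              # quiescent: nothing left to contribute
                break
            history.append(acted)
        return history

def build_agents():
    a2 = InitialAnalyzer()
    agents = [NetworkReader(), a2, Display(), SystemReader(), AttackClassifier(), Analyzer(), TeachingAgent(a2), ReportGenerator()]
    return agents[::-1]            # polled in reverse tier order on purpose, so the cycling is visible

def run_episode(agents, net_summary, system_symptoms):   # one process run on a fresh blackboard
    bb = Blackboard()
    bb.post("net_feed", net_summary)                     # constructed stand-ins for tcpdump output
    bb.post("sys_feed", system_symptoms)                 # and for the system counters A4 reads
    return bb, Controller(agents).run(bb)

ATTACK_NET, ATTACK_SYS = {"syn_count": 12, "distinct_ports": 6, "rlogin_attempts": 0}, \
    {"many_half_open_connections", "many_distinct_ports", "low_available_bandwidth"}
BUSY_CLIENT_NET, BUSY_CLIENT_SYS = {"syn_count": 9, "distinct_ports": 1, "rlogin_attempts": 0}, {"high_cpu"}

if __name__ == "__main__":
    agents = build_agents()
    for feeds in [(ATTACK_NET, ATTACK_SYS), (ATTACK_NET, ATTACK_SYS), (BUSY_CLIENT_NET, BUSY_CLIENT_SYS)]:
        bb, history = run_episode(agents, *feeds)
        print(history, bb.get("report"), "learned:", bb.get("rules_updated"))
```

Running the same attack feed twice shows the learning loop: in the first episode A2 only raises syn_flood, A5 also finds port_scan, and A7 installs a port_scan rule; in the second episode A2 raises both on its own. The busy-client feed shows the false-positive path: A2's SYN-count rule fires, but A5 finds no attack in the system data, so A6 marks the alert a false positive and A7 changes nothing.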
Questions