Presented by: Preeti Anday Dept of Computer & Information Sciences University of Delaware


Page 1

CISC 879 - Machine Learning for Solving Systems Problems

Presented by: Preeti Anday
Dept of Computer & Information Sciences
University of Delaware

A Blackboard-Based Learning Intrusion Detection System: A New Approach

Page 2

What is a blackboard?

Page 3

Blackboard Architecture (diagram): a central Blackboard shared by several Knowledge Sources (KS), with a Controller deciding which KS acts on the Blackboard.

Page 4

What is an IDS?

An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations.

Page 5

Intrusion Detection

• Anomaly Detection
• Misuse Detection

Page 6

Intrusion Detection

Based on the network/system area they audit:

• Host based

Security system that detects abuses from inside a computer system

• Network based

Capable of identifying abusive uses or attempts at unauthorized use of the computer network from outside the system

Page 7

Prior Approaches

Rule based analysis:

1. Predefined rule set

2. Expert systems

3. Drawbacks
• Inability to detect attack scenarios
• Lack of flexibility
• Variations in the attack sequence reduce the effectiveness of the system

Page 8

Common Types Of Malicious Attacks

• Denial-of-service Attack (DoS)
• Guessing rlogin Attack
• Scanning Attack

Page 9

Autonomous Agents

What are Autonomous agents?
• Software agents that perform certain security monitoring functions at the host
• Independent entities
• Have minimal overhead and can resist subversion
• Dynamically reconfigurable, scalable and easily adaptable
• Degrade gracefully

Page 10

Learning Intrusion Detection System Architecture

Page 11

Tier 1

Contains the autonomous agents required for the initial alert feature:

A1: Network reader

Collects network data with the help of a program called tcpdump

Pastes them on the blackboard

A2: Initial Analyzer

Calls a rule-based classifier written as a DLL in C++

A3: Display/Output agent

Reports the initial analysis to the user

Page 12

Tier 2

Contains agents that analyze system-specific information:

A4: System reader

Gathers system specific information on the protected system

Posts it on the blackboard

A5: Attack classifier

Identifies different subclasses of intrusions present in the network

Sends information from the blackboard to the classifier, which performs the diagnosis and posts the results on the blackboard

Page 13

Tier 2 contd.

The information gathered in A4 includes:
• Available network bandwidth
• CPU usage
• Network packets
• Memory usage
• Number of connections
• Connection attempts
• Protocol
• Packet length

Page 14

Tier 2 contd.

The classifier used in A5 is a micro-genetic-algorithm-based classifier that applies the multiple-fault-diagnosis concept to perform the necessary function.

The result states what type of attack is present and its probability of presence in the data set.

The genetic algorithm is capable of determining the sub-classifications of attacks.

Page 15

Tier 3

Contains autonomous agents that give full details of the attacks

A6: Analyzer with ANN

Analyzes information

Decides which type of ANN will be useful for further analysis

If the analysis finds no attack in the data set, the agent flags the data set as a false positive alarm

Page 16

Tier 3 contd.

A7: Teaching agent

Updates the rule set of A2

A8: Report generation

Displays a complete report of the analysis to the user

Since the agents are autonomous, a control pattern is included to ensure that each agent gets at least one chance to look at the blackboard in one process cycle.
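As an added illustration (not the paper's or the presenter's code), the following Python sketch shows the blackboard pattern described on the Tier 1 to Tier 3 slides: a shared Blackboard, agents that communicate only by reading from and posting to it, and a controller that gives every agent one look at the board per process cycle, as the slide above requires. The sample records, the seed rule, the thresholds and the agent bodies are constructed stand-ins for tcpdump, the C++ rule DLL, the micro-GA classifier and the ANN analyzer.

```python
from collections import defaultdict

class Blackboard:
    """Shared store; agents communicate only by reading and posting here."""
    def __init__(self):
        self.data = defaultdict(list)
    def post(self, key, item):
        self.data[key].append(item)

    def get(self, key):
        return self.data[key]

# Constructed sample records carrying a few of the fields A4 gathers; not real traffic.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "proto": "tcp", "conn_attempts": 3, "pkt_len": 400},
    {"src": "10.0.0.9", "proto": "tcp", "conn_attempts": 120, "pkt_len": 60},
    {"src": "10.0.0.7", "proto": "udp", "conn_attempts": 2, "pkt_len": 80},
]

def network_reader(bb):      # A1: post raw records (stand-in for tcpdump)
    for rec in SAMPLE_RECORDS:
        bb.post("records", rec)

def initial_analyzer(bb):    # A2: apply the current rule set to every record
    for rec in bb.get("records"):
        if any(rule(rec) for rule in bb.get("rules")):
            bb.post("alerts", rec)

def attack_classifier(bb):   # A5/A6 stand-in: subclass the alert or flag a false positive
    for rec in bb.get("alerts"):
        label = "scan" if rec["conn_attempts"] > 50 else "false_positive"
        bb.post("classified", (rec["src"], label))

def teaching_agent(bb):      # A7: extend A2's rule set once a scan is confirmed
    if any(label == "scan" for _, label in bb.get("classified")):
        bb.post("rules", lambda r: r["conn_attempts"] > 50)

AGENTS = [network_reader, initial_analyzer, attack_classifier, teaching_agent]

def run_cycle(bb):
    """Controller: one process cycle gives every agent exactly one look at the board."""
    for agent in AGENTS:
        agent(bb)
    return dict(bb.get("classified"))   # A8: report of the verdicts posted this cycle

def demo():
    bb = Blackboard()
    bb.post("rules", lambda r: r["pkt_len"] < 100)   # seed rule for A2 (constructed)
    return run_cycle(bb), len(bb.get("rules"))
```

After one cycle the report labels 10.0.0.9 as a scan and 10.0.0.7 as a false positive, and A7 has grown A2's rule set from one rule to two.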

Page 17

Questions