2. Outline
‧ The Development of IDS
‧ The Architecture and Strategies of IDS
‧ IDS with GA
‧ The Implementation of IDS with Some Other Popular Methods
4. Security Audit
Generate, record, review, and then sort system events for security purposes:
‧ System monitoring
‧ Preventing misuse
‧ Event reconstruction
‧ Accountability
‧ Damage assessment and recovery
5. The Development of IDS
‧ In the 1950s, a document stating the requirements for Electronic Data Processing (EDP) audit was defined.
‧ In the 1970s, audit processing was subsumed into the "Trusted Computer System Evaluation Criteria".
6. The Development of IDS (cont.)
‧ Audit reduction: distinguish risks and threats.
‧ Statistical analysis: masquerade attacks.
‧ Intrusion detection systems after the 1980s: Discovery, Haystack, MIDAS, NADIR, NSM, etc.
‧ Commercial products.
8. Architecture
‧ Functional components: information source, analysis engine, response component.
‧ Separate the audit system from the audited system, because:
  ‧ an intruder may shut down the IDS;
  ‧ audit records may be altered or deleted;
  ‧ it reduces the load on the IDS.
13. Why Genetic Algorithm (GA)?
‧ Misuse detection is not handled well by conventional systems, because it needs continuous updating.
‧ A system based on GA can easily be re-trained.
‧ The space of potential solutions is truly huge; GAs cope with it thanks to their implicit parallelism, which lets a population evaluate many schemas at once.
14. System Implementation (developed by Banković et al.)
‧ Rule-based IDS: if-then rules are trained to recognize normal connections.
  ‧ Multi Expression Programming (MEP) is applied to construct the rules.
  ‧ Very low false-positive rate.
‧ Linear classifier: classifies connections into normal ones and potential attacks.
  ‧ Low false-negative rate.
  ‧ High false-positive rate -> its decisions have to be re-checked.
15. System Implementation
Linear classifier: population = 1000; generations = 300.
The features used to describe an attack:
  gene[1]*duration + gene[2]*src_bytes + gene[3]*dst_host_srv_serr_rate < gene[4]
Fitness function: a squared percentage achieves better performance.
16. System Implementation
Rule-based IDS: fitness function = F-measure.
‧ If-then rules are trained to recognize normal connections.
‧ Multi Expression Programming (MEP) is applied to construct the rules.
‧ Very low false-positive rate.
A rule is encoded by the fields Service, Hot, Logged, Threshold.
Sample rule used to identify normal connections:
-----------------------------------------------------------------
  If (service == "http" and hot == "0" and logged_in == "0") Then normal
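The two-stage design of slides 14 to 16, worked through as an added example (this is not code from the slides or from Banković et al.): a genetic algorithm evolves the four genes of the slide-15 linear classifier, every connection it flags as a potential attack is then re-checked against the slide-16 normal-connection rule, and the rule is scored by F-measure. The connection records are constructed, the population size and generation count are scaled down from the paper's 1000 and 300, the min-max scaling step and the exact fitness formula (squared percentage of correct classifications) are assumptions made here, and so is treating "attack" as the positive class for the F-measure.

```python
"""Two-stage IDS in the spirit of slides 14-16: a GA-evolved linear classifier
(stage 1) whose 'potential attack' verdicts are re-checked by an if-then rule
for normal connections (stage 2), with F-measure scoring for the rule.
Added example, not code from the slides or from Bankovic et al.; the records,
GA parameters, scaling and exact fitness formula are constructed/assumed here."""
import random

FEATURES = ("duration", "src_bytes", "dst_host_srv_serr_rate")

def make_connections(n, seed=1):
    """Constructed records (assumption: not KDD data).  Odd rows are attacks that
    look like a SYN flood on a non-http port; even rows are ordinary http traffic."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        attack = i % 2 == 1
        rows.append({
            "duration": rng.uniform(0, 2) if attack else rng.uniform(0, 60),
            "src_bytes": 0 if attack else rng.randint(100, 5000),
            "dst_host_srv_serr_rate": rng.uniform(0.7, 1.0) if attack else rng.uniform(0.0, 0.2),
            "service": rng.choice(["private", "other"]) if attack else "http",
            "hot": 0,
            "logged_in": 0 if attack else rng.choice([0, 1]),
            "attack": attack,
        })
    return rows

def scale(rows, bounds=None):
    """Min-max scale the numeric features to [0, 1] (our choice, so that src_bytes
    in the thousands does not swamp the other genes).  Returns (vectors, bounds)."""
    if bounds is None:
        bounds = [(min(r[f] for r in rows), max(r[f] for r in rows)) for f in FEATURES]
    vecs = [[(r[f] - lo) / ((hi - lo) or 1) for f, (lo, hi) in zip(FEATURES, bounds)]
            for r in rows]
    return vecs, bounds

def is_potential_attack(gene, x):
    """Slide 15's classifier: gene[1]*duration + gene[2]*src_bytes +
    gene[3]*dst_host_srv_serr_rate < gene[4] means 'normal' (0-based indices here)."""
    return not (gene[0] * x[0] + gene[1] * x[1] + gene[2] * x[2] < gene[3])

def fitness(gene, data):
    """Squared percentage of correctly classified records.  Slide 15 only notes
    that a squared percentage performs better; this exact form is our assumption."""
    correct = sum(is_potential_attack(gene, x) == y for x, y in data)
    return (correct / len(data)) ** 2

def evolve(data, pop_size=80, generations=60, seed=7):
    """Plain GA with tournament selection, uniform crossover, Gaussian mutation and
    elitism.  Scaled down from the paper's population 1000 / 300 generations."""
    rng = random.Random(seed)
    pop = [[rng.uniform(-1, 1) for _ in range(4)] for _ in range(pop_size)]
    for _ in range(generations):
        scored = sorted(((fitness(g, data), g) for g in pop), reverse=True)
        nxt = [g for _, g in scored[:2]]                      # elitism
        while len(nxt) < pop_size:
            p = max(rng.sample(scored, 2))[1]                 # tournament of two
            q = max(rng.sample(scored, 2))[1]
            child = [rng.choice(pair) for pair in zip(p, q)]  # uniform crossover
            if rng.random() < 0.3:
                child[rng.randrange(4)] += rng.gauss(0, 0.2)  # mutation
            nxt.append(child)
        pop = nxt
    return max(pop, key=lambda g: fitness(g, data))

def normal_rule(r):
    """Slide 16's sample rule: if service=="http" and hot==0 and logged_in==0 then normal."""
    return r["service"] == "http" and r["hot"] == 0 and r["logged_in"] == 0

def f_measure(predict_attack, rows):
    """F-measure with 'attack' as the positive class (the slides do not say which
    class the paper treats as positive; this is our assumption)."""
    tp = sum(1 for r in rows if predict_attack(r) and r["attack"])
    fp = sum(1 for r in rows if predict_attack(r) and not r["attack"])
    fn = sum(1 for r in rows if not predict_attack(r) and r["attack"])
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)

def run_demo():
    """Train stage 1 on 200 records, then run both stages on 100 held-out records."""
    rows = make_connections(300)
    train, test = rows[:200], rows[200:]
    train_x, bounds = scale(train)
    gene = evolve(list(zip(train_x, (r["attack"] for r in train))))
    test_x, _ = scale(test, bounds)
    stage1 = [is_potential_attack(gene, x) for x in test_x]
    # Stage 2 clears a flagged record only when the normal-connection rule matches.
    alerts = [r for flag, r in zip(stage1, test) if flag and not normal_rule(r)]
    return {
        "stage1_accuracy": sum(f == r["attack"] for f, r in zip(stage1, test)) / len(test),
        "stage1_false_alerts": sum(f and not r["attack"] for f, r in zip(stage1, test)),
        "final_false_alerts": sum(not r["attack"] for r in alerts),
        "missed_attacks": sum(r["attack"] for r in test) - sum(r["attack"] for r in alerts),
        "rule_f_measure": f_measure(lambda r: not normal_rule(r), test),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because stage 2 can only clear records, it lowers the linear classifier's false alerts without raising its false-negative count; that is exactly why the slides pair a low-false-negative classifier with a low-false-positive rule set. Note also that the scaling bounds are taken from the training records alone and reused on the held-out records, so test data cannot leak into the classifier.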
17. Results
The experimental results of the whole system:
‧ Trained on 250,000 of the 491,021 records of "KDD_10_percent".
‧ Retrained on the remaining records of KDD_10_percent.
18. Discussion
‧ Advantage: both the training process and the detection process are faster while a high detection rate is maintained, because only six features are used for training.
‧ Drawback: the distribution of attacks and normal connections in the datasets is not very realistic [7]: only 20% of the training data set consists of normal connections, whereas in the real world the situation is quite the opposite, with normal packets far outnumbering intrusive ones.
21. References
‧ Ludovic Mé, "GASSATA, A Genetic Algorithm as an Alternative Tool for Security Audit Trails Analysis", 2000.
‧ Zorana Banković et al., "A Genetic Algorithm-based Solution for Intrusion Detection", 2009.
‧ 駭客入侵偵測專業手冊 (Chinese edition of Rebecca Gurley Bace's intrusion detection handbook), 旗標出版社 (Flag Publishing), translated and compiled by 賴冠州, 2001.