Hybrid Intelligent Systems for Network Security


Hybrid Intelligent Systems
for Network Security
Lane Thames
Georgia Institute of Technology
Savannah, GA
[email protected]
Presentation Overview
Discuss Network Security Issues
Discuss the goals of this paper’s project
Overview of Self Organizing Maps
Overview of Bayesian Learning Networks
Describe the details of the Hybrid System
Review the Experimental Results
Discuss Future Work and Conclusions
Q&A
Network Security Motivation
Internet Growth is Steadily Increasing
Over 1 Billion Internet Users
Many different types of applications are now using the Internet as a communication channel
Data Source: www.idc.com
Network Security Motivation
No more “Script Kiddies”
Hacking is now more than just a hobby
Hackers have created their own revenue generating channels
Common hacking “commodities”:
  Hacking software that is for sale
  Corporate Extortion
  Corporate Espionage
  Identity Theft
Network Security Motivation
Classical Attack Types:
  Buffer Overflow
  Denial of Service (DoS)
  Distributed Denial of Service (DDoS)
  Reconnaissance
  Virus
  Worms
  Trojan Horse
Network Security Motivation
Hackers are using more sophisticated mechanisms
  Phishing—Less Sophisticated: easy to fool a novice user
  Pharming—More Sophisticated: easy to fool novice and expert users
  DoS and DDoS—Used for extortion
  Remote Root Access—Used for espionage and identity theft
Network Security Motivation
The numbers do not lie
Hackers are constantly looking for ways to cause mischief:
  Steal your data
  Handicap your machines
  Take your money, etc., etc.
Data Source: http://www.cert.org/stats/cert_stats.html
Network Security Motivation
The Bottom Line: Network Security Research and Commerce is here to stay!
Project Goals
Develop an Intelligent System that works reliably with data that can be collected purely within a Network
Why? If security mechanisms are difficult to use, people will not use them.
Using data from the network takes the burden off the end user
Hybrid Intelligent Systems
A system was developed that made use of two types of Intelligence Algorithms:
  Self-Organizing Maps
  Bayesian Learning Networks
Training and Testing Data Set
KDD-CUP 99 Data Set
The data set used for the Third International Knowledge Discovery and Data Mining Tools Competition
Training and Testing Data Set
41 Total Features Categorized as:
  Basic TCP/IP features
  Content Features
  Time Based Traffic Features
  Host Based Traffic Features
Training and Testing Data Set
Attack Type Categories:
  Remote to Local Exploits
  User to Root Exploits
  Denial of Service
  Probing (Reconnaissance)
Self Organizing Maps—SOM
Pioneered by Dr. Teuvo Kohonen
An algorithm that transforms high dimensional input data domains to elements of a low dimensional array of nodes
A fixed size grid of nodes—sometimes denoted as neurons to reflect neural net similarity
Self-Organizing Maps
Input Data Vectors
$X = [x_1 \dots x_r]$
Self Organizing Maps
Let a parametric real set of vectors be associated with each element, $i$, of the SOM grid
$M_i = [m_{i1} \dots m_{ik}]$
Self-Organizing Maps
Furthermore,
$X, M_i \in \{\, x \in \mathbb{R}^n,\ m_i \in \mathbb{R}^n \,\}$
Self-Organizing Map
A decoder function is defined on the basis of distance between the input vector and the parametric vector:
$d(x, M_i)$
The decoder function is used to map the image of the input vector onto the SOM grid. The decoder function is usually chosen to be either the Manhattan or Euclidean distance metric.
Self-Organizing Maps
A Best Matching Unit, denoted as the index $c$, is chosen as the node on the SOM grid that is closest to the input vector:
$c = \arg\min_i \{ d(x, M_i) \}$
Self-Organizing Maps
The dynamics of the SOM algorithm demand that the $M_i$ be shifted towards the order of $X$ such that a set of values $\{M_i\}$ are obtained as the limit of convergence of the following:
$m_i(t+1) = m_i(t) + \alpha(t)\,[x(t) - m_i(t)]\,H_{ic}$
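The BMU selection and update rule above, carried through as a working training loop. This is an added Python example, not code from the slides or from the author's system. It assumes a Euclidean decoder function, a Gaussian neighbourhood kernel for $H_{ic}$, linear decay for $\alpha(t)$ and for the kernel width (none of which the slides specify), and uses constructed three-feature vectors standing in for already-scaled network-connection features.

```python
import math
import random

# Constructed sample input (not KDD data): 3-feature vectors already scaled to [0, 1],
# standing in for network-level connection features such as duration, bytes and count.
# Two groups: "normal" near (0.2, 0.2, 0.2) and "flood-like" near (0.9, 0.9, 0.9).
NORMAL = [(0.20, 0.25, 0.15), (0.18, 0.22, 0.20), (0.25, 0.20, 0.22), (0.15, 0.18, 0.25)]
FLOOD = [(0.90, 0.85, 0.95), (0.88, 0.92, 0.90), (0.95, 0.90, 0.85), (0.92, 0.88, 0.93)]


def euclidean(x, m):
    """Decoder function d(x, M_i): Euclidean distance between input and node vector."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, m)))


def best_matching_unit(x, grid):
    """c = argmin_i d(x, M_i): the (row, col) index of the node closest to x."""
    return min(grid, key=lambda idx: euclidean(x, grid[idx]))


def neighborhood(i, c, sigma):
    """H_ic: Gaussian kernel on the grid distance between node i and the BMU c (assumed form)."""
    grid_dist_sq = (i[0] - c[0]) ** 2 + (i[1] - c[1]) ** 2
    return math.exp(-grid_dist_sq / (2 * sigma ** 2))


def train_som(data, rows=3, cols=3, epochs=50, alpha0=0.5, sigma0=1.5, seed=1):
    """Return the grid {(row, col): m_i} after `epochs` passes over `data`.

    epochs=0 returns the random initial grid, useful for comparing error before/after.
    """
    rng = random.Random(seed)
    dim = len(data[0])
    # One parametric vector M_i per grid node, randomly initialised in the unit cube.
    grid = {(r, c): [rng.random() for _ in range(dim)] for r in range(rows) for c in range(cols)}
    total = epochs * len(data)
    t = 0
    for _ in range(epochs):
        order = data[:]
        rng.shuffle(order)
        for x in order:
            # alpha(t) and the kernel width shrink linearly with t (assumed schedule).
            frac = 1.0 - t / total
            alpha = alpha0 * frac
            sigma = max(sigma0 * frac, 0.3)
            c = best_matching_unit(x, grid)
            for i, m in grid.items():
                h = neighborhood(i, c, sigma)
                # m_i(t+1) = m_i(t) + alpha(t) [x(t) - m_i(t)] H_ic
                for k in range(dim):
                    m[k] += alpha * (x[k] - m[k]) * h
            t += 1
    return grid


def quantization_error(data, grid):
    """Mean distance from each input to its BMU: the error curve a SOM demo would plot."""
    return sum(euclidean(x, grid[best_matching_unit(x, grid)]) for x in data) / len(data)


if __name__ == "__main__":
    data = NORMAL + FLOOD
    before = quantization_error(data, train_som(data, epochs=0))
    trained = train_som(data)
    print("quantization error before/after:", round(before, 3), round(quantization_error(data, trained), 3))
    for x in data:
        print(x, "->", best_matching_unit(x, trained))
```

Running it prints the error before and after training and the BMU each vector lands on; the two constructed groups end up on disjoint nodes, which is the property the hybrid system relies on when it hands SOM output to the Bayesian stage.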
SOM Demo
The next few plots will demonstrate how the parametric vector will converge to the input data vector
Demonstrate the effects of parameters on one another
Display the error function for this demo
Bayesian Learning Networks--BLN
A BLN is a probabilistic model built on the concept of the Directed Acyclic Graph (DAG)
The DAG is a graph of nodes where each node is a random variable of interest
The directed edges of the graph represent relationships among the variables
If an arc is emitted from a node h to a node D, we say that h is the parent of D
Bayesian Learning Networks
The Fundamental Equation: Bayes Theorem
$P(h \mid D) = \dfrac{P(D \mid h)\, P(h)}{P(D)}$
Bayesian Learning Networks
In Bayesian learning, we calculate the probability of a hypothesis and make predictions on that basis
Predictions or classifications are reduced to probabilistic inference
Bayesian Learning Networks
With BLN, we have conditional probabilities for each node given its parents
The graph shows causal connections, not the flow of information through the graph
Prediction versus abduction
(Figure: example BLN graph with nodes x1, x2, x3, x4, x5)
Naïve Bayesian Learning Network
The Naïve BLN is a special case of the general BLN
It contains one root (parent) node which is called the class variable, C
The leaf nodes are the attribute variables (X1 … Xi)
It is Naïve because it assumes the attributes are conditionally independent given the class.
(Figure: Naïve BLN with root node C and leaf nodes x1, x2, …, xi)
The Naïve BLN Classifier
Once the network is trained, it can be used to classify new examples where the attributes are given and the class variable is unobserved—abduction
The Goal: Find the most probable class value given a set of attribute instantiations (X1 … Xi)
Naïve BLN Classifier
$C_{NB} = \arg\max_{c_j \in C} P(c_j \mid X_1, \dots, X_i)$

$C_{NB} = \arg\max_{c_j \in C} \dfrac{P(X_1, \dots, X_i \mid c_j)\, P(c_j)}{P(X_1, \dots, X_i)}$

$C_{NB} = \arg\max_{c_j \in C} P(X_1, \dots, X_i \mid c_j)\, P(c_j)$

$P(X_1, \dots, X_i \mid c_j) = \prod_i P(X_i \mid c_j)$

$C_{NB} = \arg\max_{c_j \in C} P(c_j) \prod_i P(X_i \mid c_j)$
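The Bayes theorem slide and the Naïve BLN derivation above, implemented as a small classifier. This is an added Python example, not code from the slides or the author's system. It assumes categorical attributes, adds Laplace smoothing (not on the slides) so that an attribute value never seen in training does not zero the whole product, and uses constructed connection records that loosely follow the shape of KDD-CUP 99's categorical fields protocol_type, service and flag (the field roles are assumed; every record is constructed, not drawn from the data set).

```python
import math
from collections import Counter, defaultdict

# Constructed training records: ((protocol_type, service, flag), class). Not KDD data.
TRAIN = [
    (("tcp", "http", "SF"), "normal"),
    (("tcp", "http", "SF"), "normal"),
    (("udp", "domain", "SF"), "normal"),
    (("tcp", "smtp", "SF"), "normal"),
    (("tcp", "ftp", "SF"), "normal"),
    (("icmp", "ecr_i", "SF"), "dos"),
    (("icmp", "ecr_i", "SF"), "dos"),
    (("tcp", "http", "S0"), "dos"),
    (("tcp", "private", "S0"), "dos"),
    (("tcp", "private", "REJ"), "probe"),
    (("tcp", "private", "REJ"), "probe"),
    (("tcp", "ftp", "REJ"), "probe"),
]


class NaiveBLN:
    """Root node C with leaves X_1..X_i, conditionally independent given C."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                       # Laplace smoothing pseudo-count
        self.class_counts = Counter()            # N(c_j)
        self.attr_counts = defaultdict(Counter)  # (attr index, c_j) -> Counter of values
        self.attr_values = defaultdict(set)      # attr index -> values seen in training

    def fit(self, records):
        for attrs, label in records:
            self.class_counts[label] += 1
            for i, v in enumerate(attrs):
                self.attr_counts[(i, label)][v] += 1
                self.attr_values[i].add(v)
        return self

    def prior(self, c):
        """P(c_j)."""
        return self.class_counts[c] / sum(self.class_counts.values())

    def likelihood(self, i, v, c):
        """P(X_i = v | c_j), smoothed; the extra +1 slot covers values unseen in training."""
        k = len(self.attr_values[i]) + 1
        return (self.attr_counts[(i, c)][v] + self.alpha) / (self.class_counts[c] + self.alpha * k)

    def log_scores(self, attrs):
        """log P(c_j) + sum_i log P(X_i | c_j): the objective after P(X_1..X_i) is dropped."""
        return {
            c: math.log(self.prior(c)) + sum(math.log(self.likelihood(i, v, c)) for i, v in enumerate(attrs))
            for c in self.class_counts
        }

    def posterior(self, attrs):
        """P(c_j | X_1..X_i): same scores, normalised by the evidence P(X_1..X_i)."""
        scores = self.log_scores(attrs)
        m = max(scores.values())
        unnorm = {c: math.exp(s - m) for c, s in scores.items()}
        z = sum(unnorm.values())
        return {c: u / z for c, u in unnorm.items()}

    def classify(self, attrs):
        """C_NB = argmax_{c_j} P(c_j) prod_i P(X_i | c_j)."""
        scores = self.log_scores(attrs)
        return max(scores, key=scores.get)


if __name__ == "__main__":
    model = NaiveBLN().fit(TRAIN)
    for record in [("icmp", "ecr_i", "SF"), ("tcp", "http", "SF"), ("tcp", "telnet", "REJ")]:
        print(record, "->", model.classify(record), model.posterior(record))
```

The third record in the usage block carries a service value ("telnet") absent from training; without smoothing its likelihood would be zero for every class and the argmax would be undefined. Dropping the evidence term $P(X_1, \dots, X_i)$ leaves the ranking unchanged, which `classify` and `posterior` make visible side by side.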
Hybrid System Architecture
Experimental Results
4 types of analyses were made with the dataset:
  BLN analysis with network and host based data
  BLN analysis with network data
  Hybrid analysis with network and host based data
  Hybrid analysis with network based data
Experimental Results
Metric                            BLN Host/Network   BLN Network   Hybrid Host/Network   Hybrid Network
                                  Based              Based         Based                 Based
Total Cases                       65,505             62,047        65,505                62,047
Correctly Classified              65,019             59,734        65,238                61,631
% Correctly Classified            99.26%             96.27%        99.59%                99.33%
Number of Incorrectly Classified  486                2315          267                   416
Future and Current Work
HoneyNet Project
Resource Management System with Intelligent System Processing at the Core
Conclusion
Intelligent Systems algorithms are very useful tools for applications in Network Security
Experimental results show that a hybrid system built with SOM and BLN can produce very accurate responses when classifying network based data flows, which is very promising for those wishing to design classification systems that do not rely on host based data