Intrusion Detection using Genetic Programming
Intrusion Detection using
Genetic Programming
Presented by Chris Chambers
Overview
General idea:
The immune system is very good at distinguishing self from not-self
It also keeps a memory of past intrusions
If only IDSs were that good!
“It is to be noted that the mechanisms of the
immune system are remarkably complex and
poorly understood, even by immunologists.”
–Dasgupta, Attoh-Okine
Overview
Fuzzy Data Mining and GA Applied to
Intrusion Detection
New Paradigms for ID Using GP
(CHIMERA)
Fuzzy Data Mining and GA
Applied to Intrusion Detection
S. Bridges, R. Vaughn, Mississippi State
University, NISSC 2000
Premise:
Body is good at detecting intrusions by pattern
matching
Can use this for securing systems
Given a learning trace, evolve a program over a
series of generations to detect intrusions
Novel idea:
Crisp rules mined from training data tend to be overspecific to that data
Fuzzy rules are less brittle: a small shift in a value does not flip a rule on or off
What is fuzziness?
Technique
Fuzzy Data Mining
Fuzzy association rules are mined from the baseline (normal) trace
Example rule: {time = 11-12pm} => {load = LOW}
Compared with the rules mined from the trace under test
A “distance” (dissimilarity) between the two rule sets is computed
Fuzzy frequency episodes
(sequences of events that recur within a time window)
Same trick: a “distance” is computed between the episode sets
Technique (cont’d)
A misuse-detection expert system is also used
Hardwired rules, e.g. more than 3 failed login attempts == bad
Genetic algorithms are used to tune the fuzzy sets (membership functions), not to build the detector
Swiped from
http://csrc.nist.gov/nissc/2000/proceedings/papers/005slide.pdf
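The pieces described on the two Technique slides (fuzzy association rules mined from a baseline, a “distance” between rule sets, a hardwired misuse rule, and a GA that tunes the fuzzy sets), as an added worked example written for this page. It is not the Bridges/Vaughn implementation: the attribute names, the similarity formula, the GA settings and every traffic window below are assumptions, and the data is constructed.

```python
"""Fuzzy association rules + rule-set distance + misuse rule + GA-tuned fuzzy sets.
Illustrative code for this page, not the paper's implementation; the similarity
formula and GA settings are assumptions and all "traffic" is constructed."""
import random

ATTRS = ("conn", "fail")   # connections per minute, failed logins per minute

def tri(x, a, b, c):
    """Triangular membership: 0 at a and c, peak 1 at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

def fuzzify(x, c1, c2, c3):
    """LOW/MED/HIGH memberships for one value, from three sorted centres c1 < c2 < c3."""
    low = 1.0 if x <= c1 else max(0.0, (c2 - x) / (c2 - c1))
    high = 1.0 if x >= c3 else max(0.0, (x - c2) / (c3 - c2))
    return {"LOW": low, "MED": tri(x, c1, c2, c3), "HIGH": high}

def memberships(rec, params):
    """params = [c1, c2, c3 for conn, c1, c2, c3 for fail] -> {(attr, set): membership}."""
    mu = {}
    for i, attr in enumerate(ATTRS):
        for s, v in fuzzify(rec[attr], *params[3 * i:3 * i + 3]).items():
            mu[(attr, s)] = v
    return mu

def mine_rules(records, params, min_supp=0.2, min_conf=0.6):
    """Fuzzy rules X => Y between items of different attributes.  Fuzzy support of
    {X, Y} = mean over records of mu(X) * mu(Y) (product t-norm, an assumed choice);
    confidence = supp({X, Y}) / supp({X}).  Returns {(X, Y): (support, confidence)}."""
    mus = [memberships(r, params) for r in records]
    items = list(mus[0])
    supp1 = {it: sum(m[it] for m in mus) / len(mus) for it in items}
    rules = {}
    for x in items:
        for y in items:
            if x[0] == y[0] or supp1[x] == 0:
                continue
            s = sum(m[x] * m[y] for m in mus) / len(mus)
            if s >= min_supp and s / supp1[x] >= min_conf:
                rules[(x, y)] = (s, s / supp1[x])
    return rules

def similarity(r1, r2):
    """Assumed rule-set similarity: a rule in both sets contributes a factor that decays
    with its support and confidence differences; a rule in only one set contributes 0."""
    common = set(r1) & set(r2)
    if not common:
        return 0.0
    total = 0.0
    for rule in common:
        (s1, c1), (s2, c2) = r1[rule], r2[rule]
        total += max(0.0, 1 - abs(s1 - s2) / max(s1, s2)) * max(0.0, 1 - abs(c1 - c2) / max(c1, c2))
    return total / max(len(r1), len(r2))

def distance(baseline_rules, records, params):
    """The "distance" of a window from the baseline: 1 - similarity of the two rule sets."""
    return 1.0 - similarity(baseline_rules, mine_rules(records, params))

def separation(params, baseline, normal, attack):
    """GA fitness: attack windows should be far from the baseline, normal windows close."""
    base = mine_rules(baseline, params)
    return distance(base, attack, params) - distance(base, normal, params)

def repair(params):
    """Keep each attribute's centres sorted and >= 0.5 apart (no zero-width fuzzy sets)."""
    out = []
    for i in range(0, len(params), 3):
        c = sorted(params[i:i + 3])
        c[1] = max(c[1], c[0] + 0.5)
        c[2] = max(c[2], c[1] + 0.5)
        out += c
    return out

def evolve(baseline, normal, attack, start, gens=30, pop_size=20, seed=1):
    """Small GA over the membership-function centres: uniform crossover, Gaussian
    mutation, elitism (so the tuned result is never worse than the starting point)."""
    rng = random.Random(seed)
    mutate = lambda p: repair([v + rng.gauss(0, 1.0) for v in p])
    fit = lambda p: separation(p, baseline, normal, attack)
    pop = [list(start)] + [mutate(start) for _ in range(pop_size - 1)]
    for _ in range(gens):
        pop.sort(key=fit, reverse=True)
        elite, kids = pop[:2], []
        while len(kids) < pop_size - 2:
            a, b = rng.sample(pop[:10], 2)                                   # parents from the top half
            child = [ai if rng.random() < 0.5 else bi for ai, bi in zip(a, b)]
            kids.append(mutate(child) if rng.random() < 0.5 else repair(child))
        pop = elite + kids
    return max(pop, key=fit)

def misuse_alerts(records, max_failures=3):
    """Hardwired expert-system rule from the slide: > 3 failed logins in a window == bad."""
    return [i for i, r in enumerate(records) if r["fail"] > max_failures]

def synth(n, conn_range, fail_range, seed):
    """Constructed one-minute windows; not real traffic."""
    rng = random.Random(seed)
    return [{"conn": rng.randint(*conn_range), "fail": rng.randint(*fail_range)} for _ in range(n)]

BASELINE = synth(60, (5, 15), (0, 1), seed=1)   # training trace, normal only
NORMAL = synth(20, (5, 15), (0, 1), seed=2)     # held-out normal window
ATTACK = synth(20, (40, 80), (5, 12), seed=3)   # password-guessing burst
DEFAULT = [5, 20, 50, 1, 4, 8]                  # hand-picked centres before tuning

if __name__ == "__main__":
    print("baseline rules:", mine_rules(BASELINE, DEFAULT))
    print("misuse alerts in attack window:", len(misuse_alerts(ATTACK)))
    print("separation before tuning:", round(separation(DEFAULT, BASELINE, NORMAL, ATTACK), 3))
    tuned = evolve(BASELINE, NORMAL, ATTACK, DEFAULT)
    print("tuned centres:", [round(v, 2) for v in tuned],
          "separation:", round(separation(tuned, BASELINE, NORMAL, ATTACK), 3))
```

Two things worth noticing when running it: the attack window shares no rule with the baseline, so its distance is 1 regardless of tuning, and the GA's only real job is pulling the normal window's distance toward 0. That matches the slide's later remark that the GA is used to optimize, not to learn the detector.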
Results
Anomaly % == #anomalies detected / #actual anomalies (i.e. the detection rate; false positives are reported separately)
More Results
Conclusions
GA only used to tune parameters (the fuzzy sets), not to learn the detector
Fuzzy data mining works okay
Fuzzy results
New Paradigms for Intrusion Detection
Using Genetic Programming
Bob Adolf, 2003 (from Northwestern?)
Premise:
Body is good at detecting intrusions by
pattern matching
Can use this for securing systems
Given a learning trace, evolve a program
over a series of generations to detect
intrusions
Design of CHIMERA
Linear genome
“string of 1’s and 0’s” vs. “tree program”: the program is a flat instruction string, not a parse tree
Brood Recombination
“lots of kids per parent”: each crossover produces several children and only the fittest are kept
Small mutations
more like life: change one field of one instruction, not a whole subtree
Code Locality number
Supposed to help crossover keep related instructions together
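The CHIMERA design points above (a flat linear genome, brood recombination, small point mutations), as an added worked example written for this page and scaled down so it runs in seconds. It is not Adolf's code: the four-op register machine, the constructed event trace, the fitness functions and all parameters are assumptions. The example goes one step beyond the slide by showing why the later “magnificently sparse” conclusion bites: on a trace with a handful of positives, plain accuracy as fitness already scores the empty program at 0.99.

```python
"""Linear genetic programming over a constructed, very sparse event trace.
Illustrative code for this page, not CHIMERA itself; instruction set, trace,
fitness functions and parameters are all assumptions."""
import random

OPS = ("ADD", "SUB", "MUL", "MAX")
N_REG = 4          # r0 = output, r1 = failed logins, r2 = connections, r3 = constant 1
MAX_LEN = 12       # cap on genome length so crossover cannot bloat programs
CLAMP = 10 ** 6    # keep register values bounded (MUL chains would otherwise explode)

def run(program, fail, conn):
    """Execute a linear genome, a list of (op, dst, src_a, src_b); flag the event if r0 > 0."""
    r = [0, fail, conn, 1]
    for op, d, a, b in program:
        x, y = r[a], r[b]
        v = x + y if op == "ADD" else x - y if op == "SUB" else x * y if op == "MUL" else max(x, y)
        r[d] = max(-CLAMP, min(CLAMP, v))
    return r[0] > 0

def synth_trace(n=400, n_intrusions=4, seed=7):
    """Constructed per-minute events (failed_logins, connections, is_intrusion): mostly
    quiet, with a few password-guessing bursts.  Not real data."""
    rng = random.Random(seed)
    events = [(rng.randint(0, 2), rng.randint(1, 50), False) for _ in range(n)]
    for i in rng.sample(range(n), n_intrusions):
        events[i] = (rng.randint(4, 9), events[i][1], True)
    return events

def confusion(program, trace):
    tp = fp = fn = 0
    for fail, conn, label in trace:
        flagged = run(program, fail, conn)
        tp += flagged and label
        fp += flagged and not label
        fn += (not flagged) and label
    return tp, fp, fn

def accuracy(program, trace):
    """Naive fitness.  With 4 positives in 400 events the empty program (flags nothing)
    already scores 0.99, so this fitness rewards doing nothing."""
    tp, fp, fn = confusion(program, trace)
    return 1 - (fp + fn) / len(trace)

def f1(program, trace):
    """Fitness that only rewards finding the rare positives."""
    tp, fp, fn = confusion(program, trace)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def random_instr(rng):
    return (rng.choice(OPS), rng.randrange(3), rng.randrange(N_REG), rng.randrange(N_REG))

def mutate(prog, rng):
    """Small mutation: change one field of one instruction."""
    p = list(prog)
    i, k = rng.randrange(len(p)), rng.randrange(4)
    ins = list(p[i])
    ins[k] = rng.choice(OPS) if k == 0 else rng.randrange(3) if k == 1 else rng.randrange(N_REG)
    p[i] = tuple(ins)
    return p

def crossover(a, b, rng):
    """Two-point crossover on flat genomes: splice a segment of b into a, like strings."""
    i, j = sorted(rng.sample(range(len(a) + 1), 2))
    k, l = sorted(rng.sample(range(len(b) + 1), 2))
    child = (a[:i] + b[k:l] + a[j:])[:MAX_LEN]
    return child or [random_instr(rng)]

def brood_recombine(a, b, trace, fitness, rng, brood=3):
    """Brood recombination: several children per parent pair, only the fittest survives."""
    kids = [crossover(a, b, rng) for _ in range(brood)]
    return max(kids, key=lambda p: fitness(p, trace))

def evolve(trace, fitness, gens=8, pop_size=20, survivors=5, seed=1):
    """Generational loop: rank, keep the top survivors, breed the rest by brood crossover."""
    rng = random.Random(seed)
    pop = [[random_instr(rng) for _ in range(rng.randint(2, 6))] for _ in range(pop_size)]
    for _ in range(gens):
        pop.sort(key=lambda p: fitness(p, trace), reverse=True)
        elite, kids = pop[:survivors], []
        while len(kids) < pop_size - survivors:
            a, b = rng.sample(elite, 2)
            child = brood_recombine(a, b, trace, fitness, rng)
            kids.append(mutate(child, rng) if rng.random() < 0.3 else child)
        pop = elite + kids
    return max(pop, key=lambda p: fitness(p, trace))

# Hand-written genome for comparison: r0 = r1 - 3, i.e. flag when failed logins > 3.
HAND = [("SUB", 0, 1, 3), ("SUB", 0, 0, 3), ("SUB", 0, 0, 3)]
TRACE = synth_trace()

if __name__ == "__main__":
    print("accuracy of the empty program:", accuracy([], TRACE))
    print("F1 of the empty program:", f1([], TRACE), " F1 of HAND:", f1(HAND, TRACE))
    best = evolve(TRACE, f1)
    print("best evolved genome:", best, "F1:", round(f1(best, TRACE), 3))
```

The trace here is 400 events with 4 positives; CHIMERA's was tens of millions with 20, so a crossover-produced child almost never touches an intrusion and the fitness landscape is flat. Changing the fitness from accuracy to F1 removes the incentive to flag nothing, but it does not create signal where the positives are too rare to sample.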
Evaluation of CHIMERA
Cool trace: 3 days long, 20 flagged
intrusions
100 generations, 10k members /
generation, top 100 kept as survivors
Results and Conclusion
Total failure of CHIMERA
Best members not as good as random strings
Code locality numbers didn’t work (no
coherent code blocks)
Conclusion:
GP requires far more compute and generations than this run had
IDS is hard for GP: 20 intrusions in a trace of tens
of millions of events is “magnificently sparse”, so there is almost no fitness signal to select on
Final Conclusion
Using GP to Improve IDS:
Still formative
Poorly understood