The Utilization of Artificial Intelligence
in a Hybrid Intrusion Detection System
Authors: Martin Botha, Rossouw von Solms, Kent Perry, Edwin Loubser and George Yamoyany
Source: Proceedings of the 2002 Annual Research Conference of the South African
Institute for Computer Scientists and Information Technologists (SAICSIT),
pp. 149-155, September 2002.
Speaker: Chien-Jen Hsueh
Date: 2005/12/06
Outline
Introduction
Intrusion Detection System (IDS)
IDS & Overview of Current IDS
Problems of IDS
Fuzzy application
Generic Hybrid Intrusion Identification Strategy
Three independent computational components
Next Generation Proactive Identification Model (NeGPAIM)
Conclusions
Comments
Introduction
Computer security is gaining importance
The environment changes fast
Information has become a precious asset
Security requirements are increasing
e.g. the 2001 CSI/FBI Computer Crime & Security Survey
More powerful security technology is needed
New techniques:
Neural networks
Fuzzy engines
Intrusion Detection System
IDS & Overview of Current IDS
A process of intelligently monitoring events
Analyzes them for signs of violations or attempts to compromise security components
Consists of three functional components:
Information source: provides a stream of event records
Analysis engine: finds signs of intrusions
Response component: generates reactions based on the outcome of the analysis engine
Problems of IDS: Analysis
Two approaches for the analysis engine
Misuse detection
Detects intrusions that follow well-known patterns of attack
Primary limitation of this approach:
Looks only for known weaknesses
May not be of much use in detecting unknown future intrusions
Anomaly detection
Uses statistical techniques to find patterns that are abnormal
Main problems of this approach:
Tends to be computationally expensive
May be trained incorrectly to recognize intrusive behavior due to insufficient data
IDS Problems
Most current commercial IDSs (CIDS) are based on the misuse detection approach
This makes them highly ineffective when intruders do not match the known attack patterns of the CIDS
Adding new attack patterns is time consuming
Intrusions are difficult for an IDS to identify effectively due to insufficient data
Fuzzy Application
Generic Hybrid Intrusion Identification Strategy
The hybrid system idea can be used to improve the monitoring functionality of current IDSs
Three independent computational components:
Central analysis engine
Fuzzy engine
Neural engine
Generic Hybrid Intrusion Identification Strategy
(Diagram) The fuzzy engine implements the misuse detection approach
Fuzzy Engine and Fuzzy Logic
Fuzzy Engine
Implements the misuse detection approach based on fuzzy logic
Fuzzy logic is a superset of boolean logic
Extended to handle the concept of partial truth
(Diagram) Truth values range from completely false to completely true
Provides more effective monitoring functionality
It will not require regular updates for new intrusion attacks
Fuzzy logic application
Two graphs are developed using fuzzy logic
The generic intrusion phases are compared with the actions of an intruder, thereby predicting patterns of misuse
The template graph represents the six generic intrusion phases
The user action graph represents the actual actions of the intruder
Mapping the graphs makes it possible to determine patterns of misuse
Template Graphs
• Template graphs will be used to represent the six generic intrusion phases
User Action Graph
• The user action graph will represent the actual actions that make up the misuse
Mapping of the Graphs and the Functions
The output is a numeric value
Used by the central strategy engine to determine if an intruder is carrying out an intrusion attack
Next Generation Proactive Identification Model (NeGPAIM)
Based on the Hybrid Intrusion Identification Strategy
Consists of nine major components:
Information Provider, Collector, Coupler, Information Refiner,
Fuzzy Engine, Neural Engine, Central Analysis Engine,
Responder and Manager
All components reside on a 3-tier architecture:
Client, external host and internal host
Fuzzy Engine
One of the two low-level processing units of NeGPAIM
Used to determine whether an intruder is carrying out an intrusion attack
Computes a template graph and a user action graph for each user
Maps the two graphs
Notifies the central analysis engine with an intrusion value
Performed on a continuous basis
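As an added illustration (not code from the paper or its IFEP prototype), the toy fuzzy engine below walks through the steps listed above and the graph mapping described under "Mapping of Graphs": build a per-user action graph, map it onto a template graph with fuzzy (partial-truth) memberships, and hand a numeric intrusion value to the central analysis engine on every new event. The six phase labels, the template weights, the ramp thresholds and the audit stream are constructed placeholders, since the slides give none of these values.

```python
# Added example, not the paper's or IFEP's code. Phase labels, template weights,
# LOW/HIGH thresholds and EVENTS are constructed placeholders (the slides do not
# name the six phases or give any numbers).
from typing import Dict, Iterable, Optional, Tuple

PHASES = ("phase1", "phase2", "phase3", "phase4", "phase5", "phase6")
# Template graph: weight each phase contributes when fully present (sums to 1.0).
TEMPLATE = dict(zip(PHASES, (0.05, 0.10, 0.15, 0.20, 0.25, 0.25)))
# Fuzzy "phase is active": 0.0 at LOW actions or fewer, 1.0 at HIGH or more,
# and a partial truth value in between (the extension over boolean logic).
LOW, HIGH = 1, 5

def membership(count: int) -> float:
    """Degree in [0, 1] to which a phase counts as active for `count` actions."""
    if count <= LOW:
        return 0.0
    if count >= HIGH:
        return 1.0
    return (count - LOW) / (HIGH - LOW)

def user_action_graph(events: Iterable[Tuple[str, str]], user: str) -> Dict[str, int]:
    """User action graph: number of audited actions per phase for one user."""
    graph = dict.fromkeys(PHASES, 0)
    for who, phase in events:
        if who == user and phase in graph:
            graph[phase] += 1
    return graph

def intrusion_value(graph: Dict[str, int]) -> float:
    """Map the user action graph onto the template: weighted sum of memberships."""
    return round(sum(TEMPLATE[p] * membership(graph[p]) for p in PHASES), 4)

def monitor(events: Iterable[Tuple[str, str]], user: str,
            threshold: float = 0.5) -> Optional[int]:
    """Continuous mode: re-map after every event for `user` and return the index of
    the first event at which the central engine would cut the session, else None."""
    graph = dict.fromkeys(PHASES, 0)
    for i, (who, phase) in enumerate(events):
        if who == user and phase in graph:
            graph[phase] += 1
            if intrusion_value(graph) >= threshold:
                return i
    return None

# Constructed audit stream as (user, phase the action belongs to).
EVENTS = ([("alice", "phase1")] * 3 + [("alice", "phase2")] * 2 + [("alice", "phase3")] * 5
          + [("bob", "phase1")] * 2 + [("bob", "phase4")] * 5
          + [("bob", "phase5")] * 5 + [("bob", "phase6")] * 3)
```

With the constructed stream, alice never crosses the assumed 0.5 threshold while bob's session would be cut at event index 23, before his last recorded action.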
General Representation of NeGPAIM (diagram)
Practical Implementation of NeGPAIM
Implementing Fuzzy Engine Prototype (IFEP)
An initial prototype to test the feasibility of the model
Only the fuzzy engine was implemented
Developed using the CLIPS development software
Tested by way of several independent case studies
IFEP was successful in performing misuse detection
Conclusions
NeGPAIM provides a stronger detection approach
Monitors and identifies intrusions proactively and dynamically
Ex: an attacker has the objective of stealing credit card information;
the attack is identified at an early stage and the attack session is disconnected
The fuzzy engine implements misuse detection
Differs from current misuse detection systems:
It does not search for a particular pattern of attack
It searches for general misuse of resources and objects
The information security officer is still needed
Comments
Fuzzy logic and fuzzy engines may usefully be applied in other security techniques
Authentication, key distribution…
Combine with other AI concepts
Neural engines, intelligent agents…
Fuzzy logic applied in Digital Rights Management
Thank you for listening…
Fuzzy theory report by Chien-Jen Hsueh, December 2005