Transcript Linda Zhao

Loss-Sensitive Decision Rules for Intrusion
Detection and Response
Linda Zhao
Statistics Department
University of Pennsylvania
Joint work with I. Lee, L. Unger, J. Wang and X. Lei
Topics
1. Intrusion detection
2. Attack taxonomy and loss evaluation
3. Decision rules
4. Data collection and data analysis
5. Challenges
Current ID Systems
IDS is the mechanism of detecting inappropriate,
incorrect, or anomalous activity.
– Host-based IDS and network-based IDS
– Misuse IDS and Anomaly IDS
[Figure 1. Typical Disparate Alert Analysis Module Deployment: Internet, firewall, protected intranet and protected hosts; Network Misuse ID, Host Misuse ID, Network Anomaly ID and Host Anomaly ID all feed an Alert Analysis Module]
Misuse ID Systems (SNORT)
Advantages:
– The potential for relatively low false alarm rates in comparison
with anomaly alerts
– Detailed contextual information makes preventive actions
easier
Disadvantages:
– Misuse ID systems don’t work for unknown attacks; their
detection rate depends on the signature base
– Not effective against resource abuse activities
– The difficulty of keeping signature databases up to date
– Environment dependent
– False alarm rates remain high
Anomaly ID Systems (LERAD)
Anomaly: detected by observing a deviation from normal behavior.
Learning: the process of deriving the behavior profiles or
models that describe normality
• Advantages:
– Can be effective for novel and unknown attacks
• Disadvantages:
– High false positive rate
– Currently must have clean data for training
– Currently alert without any contextual information
Issues
• Unacceptably high false alarm and false
negative alert rates
– As an example (SNORT):
False alarm rate (current protocol): 1 - 304/7988 = 96%
Detection rate: 304/962 = 32%
• Lack of loss evaluation and sensible
decision rules
Current Research
• Classify attacks and propose loss evaluation
• Modify MIT 1999 network design:
– Insert more attacks (new types and increased frequency)
– Simultaneously deploy 5 ID systems
• Generate new data
• Combine the information given by SNORT and
LERAD, using a Bayesian decision rule with classification
tools (also use other IDS data)
• Use original TCP/IP packet data to find new detection
rules
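A worked example of the loss-sensitive Bayesian decision rule sketched above, added here and not part of the talk: it computes the SNORT rates quoted on the Issues slide and fuses SNORT and LERAD alert/no-alert outputs under a loss matrix, responding only when the posterior expected loss of ignoring exceeds that of responding. Apart from SNORT's 32% detection rate, the detector probabilities, the 1% attack prior and the loss values are assumptions made for illustration.

```python
# Added worked example (not from the slides): fusing two detectors with a
# loss-sensitive Bayesian decision rule.
from itertools import product

# SNORT counts quoted on the "Issues" slide: 7988 alerts, 304 of them true,
# against 962 attacks in the data set.
SNORT_ALERTS, SNORT_TRUE_ALERTS, ATTACKS = 7988, 304, 962

def alert_rates(alerts, true_alerts, attacks):
    """False alarm rate (share of alerts that are false) and detection rate
    (share of attacks that raised an alert), as computed on the slide."""
    return 1 - true_alerts / alerts, true_alerts / attacks

# Per-detector model: (P(alert | attack), P(alert | benign)).
# SNORT's 0.32 detection rate is the slide's figure; every other value here
# is an assumption for illustration.
DETECTORS = {"snort": (0.32, 0.02), "lerad": (0.70, 0.05)}

def posterior_attack(prior, observations, detectors=DETECTORS):
    """P(attack | observations), assuming detectors fire independently given
    the true state. observations maps detector name -> True (alert) / False."""
    like_attack, like_benign = prior, 1 - prior
    for name, fired in observations.items():
        p_a, p_b = detectors[name]
        like_attack *= p_a if fired else 1 - p_a
        like_benign *= p_b if fired else 1 - p_b
    return like_attack / (like_attack + like_benign)

# Loss matrix loss[action][state]; the values are assumed, not the talk's.
# A missed intrusion is taken to cost 50x an analyst's response.
LOSS = {"ignore":  {"attack": 50.0, "benign": 0.0},
        "respond": {"attack": 1.0,  "benign": 1.0}}

def bayes_decision(prior, observations, loss=LOSS):
    """Return (action, P(attack)) choosing the action with minimum
    posterior expected loss."""
    p = posterior_attack(prior, observations)
    expected = {a: p * l["attack"] + (1 - p) * l["benign"]
                for a, l in loss.items()}
    return min(expected, key=expected.get), p

if __name__ == "__main__":
    fa, dr = alert_rates(SNORT_ALERTS, SNORT_TRUE_ALERTS, ATTACKS)
    print(f"SNORT false alarm rate {fa:.0%}, detection rate {dr:.0%}")
    for snort, lerad in product((False, True), repeat=2):
        action, p = bayes_decision(0.01, {"snort": snort, "lerad": lerad})
        print(f"snort={snort!s:5} lerad={lerad!s:5} P(attack)={p:.3f} -> {action}")
```

Lowering the missed-attack loss (e.g. to 10) flips the SNORT-only case from "respond" to "ignore", which is exactly the loss sensitivity the decision rule is meant to expose.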
Current Research
• Because of the large volume of traffic, the ID system
cannot keep up with all the packets and
currently ignores many. A multiple queueing
system according to priority is needed.
• Decision rules which are not too sensitive to the
loss are needed.
Further Challenges
• Identify hacking activities in a real network
• Small probability events cause unstable
statistical procedures
• Online efficient detection