CN710: Network Intrusion Detection

Heather Ames

Chuan-Heng Chsiao

Chaitanya Sai Gaddam

Feb, 21, 2006

CN710: Network Intrusion Detection

Intrusion detection systems (IDS) can be classified into two main categories: misuse-based systems and anomaly-based systems. Misuse-based IDS look for signatures of previously known attacks and consequently cannot be of any use in detecting novel attacks. Anomaly-based systems are trained to learn the normal behavior of a system and signal any deviation (differing from the normal up to a certain threshold) from it.

Host-based IDS look at system data and reside on each computer in a network. Network-based systems are usually installed on one computer on the network, that gates internet connections, and mainly look at the data from packets.

Intrusion detection can be cast as a machine learning problem where the task is to learn to distinguish between harmless behavior (data) and potentially malicious behavior (data). Design issues commonly associated with machine learning tasks (preprocessing of data, choosing initial input feature sets, metrics for similarity of data points, and network parameters) need to be addressed.

Preprocessing: wavelets

Network traffic has been observed to be self-similar in nature, which means it is a natural candidate for wavelet preprocessing. Self-similarity is considered to be attenuated in abnormal conditions, so detecting abnormal behavior can be boiled down to detecting outliers in wavelet coefficient sequences.

Network Design Choices

Researchers have used Fuzzy ARTMAP on this problem. Assigning pre-defined class labels to the ARTB makes the network a misuse-based system. An anomaly-based detection system can be created by having unsupervised feedback from the system as input to the ARTB layer. The problem then becomes one of predicting this diagnostic feedback, which can lead to the detection of novel anomalies. A dynamic vigilance parameter, tied to the feedback, is used to prevent proliferation of F2 nodes.

In using support vector machines to tackle the problem, researchers have used multiple categories along with the usual binary case of normal/anomalous behavior.

Artificial Immune Systems (AIS)

Artificial immune systems adopt the metaphor of vertebrate immune systems in detecting foreign elements. The computational procedure is divided into three parts: negative selection (behavior that is normal or intrinsic to the system is learnt), clonal selection (detectors good at detecting anomalies are allowed to proliferate and mutate), and immune network formation (detectors form suppressive networks to prevent too many false positives)

Discussion Questions

What kind of data is likely to be most informative?

Is self-similarity a good characterization of the data?

What effect does c-index (paucity of attack data) have?

Is AIS really a new paradigm? What are the radical departures from normal computation?

deCastro and Timmis (2002) Comparative Analysis of AIS and ANN

Categories / AIS / ANN
Component / Attribute string, s, (information storage and processing) represented in appropriate shape-space; might correspond to an immune cell or molecule / Neuron (processing elements) composed of an activation function, summing junction, connection strengths, and activation threshold
Location of the components / Located according to the environmental stimuli / Fixed, predetermined locations
Structure / Usually follows the spatial distribution of the antigens represented in shape-space / Pre-defined architectures and weights biased by the environment
Memory / Content-addressable and distributed; carried in the attribute strength as well as connections / Knowledge in connection strengths; self-associative or content-addressable and distributed
Adaptation / Learning and evolution / Learning
Plasticity and diversity / Continuous insertion and elimination of the basic elements (cells/molecules) of the system / Pruning and/or insertion of new connections, units, and layers in the network
Interaction with other components / Match attribute strings by cell receptors; cells have weighted connections / Interconnected neurons through connection strengths
Interaction with the environment / Attribute string is compared with patterns in the environment; some or all of the components might be involved in pattern recognition / Neurons receive input signals from the environment; whole ANN might be used to recognize the pattern
Threshold / Affinity threshold determines the degree of recognition between immune cells and the presented input pattern / Threshold determines the neuron’s activation
Robustness / Highly flexible and noise tolerant; self-tolerant (learn to recognize themselves) / Highly flexible and noise tolerant
State / Concentration of immune cells and molecules and/or their affinities and connection strengths / Activation level of the output neuron
Control / Any immune principle or theory (i.e. clonal selection) / Unsupervised, supervised, and reinforcement learning for training
Generalization capability / Cross-reactivity allows recognition of similar patterns and components can be multi-specific / Good generalization provided training; satisfactory generalization by reducing the dimensions of parameter space and the size of the dimensions
Non-linearities / Activation functions that define the degree of recognition between 2 components / Activation functions of individual neurons

Some common intrusion terminology

Buffer overflow

What happens when you try to stuff more data into a buffer (holding area) than it can handle. This problem is commonly exploited by crackers to get arbitrary commands executed by a program running with root permissions.

DoS attack

This abbreviation for Denial-of-Service attack is used to label attempts to shut down websites by flooding network links with large amounts of traffic

Syn attack

When a session is initiated between the Transport Control Program (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid"hand-shaking" exchange of messages that sets up the session. The session-establishingpackets include a SYN field that identifies the sequence in the message exchange.An attacker can send a number of connection requests very rapidly and then fail torespond to the reply. This leaves the first packet in the buffer so that other, legitimateconnection requests can't be accommodated.

Teardrop attack

This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle be divided into fragments. The fragment packet identifies an offset to the beginning of the first packet thatenables the entire packet to be reassembled by the receiving system. In the teardropattack, the attacker's IP puts a confusing offset value in the second or later fragment.