Term Paper on Intrusion Detection Systems
Submitted To:
Ms. Komal Arora
Submitted By:
Sanpreet Singh 11003536
ABSTRACT
We present a mechanism for autonomous self-adaptation of a network-based intrusion detection system (IDS). The system is composed of a set of cooperating agents, each of which is based on an existing network behavior analysis method. The self-adaptation mechanism is based on the insertion of a small number of challenges, i.e. known instances of past legitimate or malicious behavior. The response of the individual system components to these challenges is used to measure and eventually optimize the system performance in terms of accuracy. In this work we show how to choose the challenges in such a way that the IDS attaches more importance to the detection of attacks that cause much damage. General terms used in this topic: Security, Management, Measurement.
INTRODUCTION
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station. Intrusion detection and prevention systems (IDPSs) typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding.
Network Intrusion Detection Systems
Network Intrusion Detection Systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS performs an analysis of the passing traffic on the entire subnet. It works in promiscuous mode and matches the traffic that passes on the subnets against a library of known attacks. Once an attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator. An example of a NIDS deployment would be installing it on the subnet where your firewalls are located, in order to see if someone is trying to break into your firewall. Ideally you would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.
Host Intrusion Detection Systems
Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from that device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of your existing system files and matches it to the previous snapshot. If critical system files were modified or deleted, an alert is sent to the administrator to investigate. A typical example of HIDS use is on mission-critical machines that are not expected to change their configuration.
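The file-snapshot comparison described above, as an added example (not code from the paper or from any HIDS product): it hashes every file under a directory to build a baseline, then compares a later snapshot against it and reports added, removed and modified files. The directory layout and file names are constructed for the demonstration; a real HIDS would persist the baseline somewhere the monitored host cannot silently rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        result[str(path.relative_to(root))] = digest.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare the previous snapshot with the current one and list what changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then alter one file, delete one and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        baseline = snapshot(root)

        # Simulated changes between two snapshot runs (constructed, not real events).
        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "hosts").unlink()                                    # removed
        (root / "new_service.conf").write_text("enabled=1\n")       # added
        current = snapshot(root)

        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    changes = demo()
    for kind, paths in changes.items():
        if paths:
            print(f"ALERT {kind}: {', '.join(paths)}")
```

Each non-empty category in the result is what the HIDS would raise as an alert; an unchanged snapshot yields three empty lists and no alert.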
Adaptation, self-management and self-optimization techniques used inside an Intrusion Detection System (IDS) can significantly improve its performance in a highly dynamic environment, but they are also a potential target for an informed and sophisticated attacker. When the adaptation techniques are installed improperly, they can allow the attacker to reduce the system performance against one or more critical attacks. This paper presents a game-theoretical model of the adaptation processes inside an agent-based, self-optimizing Intrusion Detection System, and an architecture integrating the process with an existing IDS used as a testbed. The presented architecture integrates the abstract game model into an IDS with self-monitoring capability, in order to simulate the worst-case, optimally informed attacker. Such a (hypothetical) attacker with full access to system parameters could dynamically identify the best strategy to play against the system. Optimizing the detection performance against the worst-case attacker protects the system from more realistic attacks based on long-term searching and adversarial machine learning approaches.
Main Purpose
The main purpose is to present an architecture integrating the abstract game model into an IDS with self-monitoring capability, in order to simulate the worst-case, optimally informed attacker. Such a (hypothetical) attacker with full access to system parameters could dynamically identify the best strategy to play against the system. Optimizing the detection performance against the worst-case attacker protects the system from more realistic attacks based on long-term probing.
Indirect online integration provides interesting security properties in an IDS. The solution uses the concept of challenges to mix a controlled sample of real and adversarial behavior with actually observed network traffic. In this case, the real traffic background (including any possible attacks) is used in conjunction with simulated hypothetical attacks within the system. These attacks are mixed with the real traffic on the IDS input, and the system response to them is used as an input for the game definition. The major advantage is higher robustness with respect to strategic attacks on the adaptation algorithms, and lower predictability of the system configuration by the adversary, as the simulation runs inside the system itself and its results cannot easily be predicted by the attacker.
We have used the presented mechanism as a component of the CAMNEP network intrusion detection system, which detects attacks against computer networks by means of Network Behavior Analysis (NBA) techniques. This system processes NetFlow/IPFIX data provided by routers or other network equipment and uses this information to identify malicious traffic by means of collaborative, multi-algorithm anomaly detection. The system uses a multi-algorithm and multi-stage approach to optimize the error rate. It is based on a multi-stage cooperation process of agents that use different network behavior analysis methods to classify network flows into malicious and legitimate flows. The results of the agents are aggregated by different aggregation functions. We employ a self-adaptation procedure that selects the aggregation function which optimally integrates the results of the individual agents. To this end, we insert challenges, i.e. known malicious and legitimate flows, into the real traffic. This allows us to evaluate the accuracy of the different aggregation functions and eventually select the output of the function that performed best. In this paper we show which challenges to choose so that the IDS attaches more importance to the detection of very harmful attacks. This is possible because the accuracy of the IDS is optimized with respect to the challenges used. More precisely, if the system is evaluated on challenges that are representative of a certain class of attacks, the detection of real attacks in that class becomes more probable. Thus, the composition of the challenges should reflect the expected damage of the known attack classes. In the following we show how the expected damage of realized threats, each of which is represented by an attack tree, can be used to find a suitable challenge composition.
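The challenge-insertion procedure described in the two paragraphs above, as an added example (this is illustrative code, not CAMNEP's implementation): three toy anomaly-detection agents score each flow, several aggregation functions combine the scores, labelled challenge flows are mixed into an unlabelled "real" stream, and the aggregation function with the best accuracy on the challenges is selected. The expected-damage figures per attack class, the agent heuristics, the feature names and all flow records are constructed assumptions; the paper derives the damage values from attack trees, which is not reproduced here. The example also shows the paper's point that the challenge composition decides which aggregator wins: the same agents and aggregators pick a different function under a uniform composition than under a damage-weighted one.

```python
import random

# Constructed expected damage per attack class (assumed values, not from the paper).
EXPECTED_DAMAGE = {"scan": 1.0, "bruteforce": 2.0, "worm": 7.0}

# Toy agents: each turns one flow feature into an anomaly score in [0, 1].
def agent_ports(flow):
    return min(1.0, flow["dst_ports"] / 50)

def agent_logins(flow):
    return min(1.0, flow["failed_logins"] / 20)

def agent_volume(flow):
    return min(1.0, flow["bytes"] / 1_000_000)

AGENTS = [agent_ports, agent_logins, agent_volume]

# Candidate aggregation functions the self-adaptation step chooses between.
AGGREGATORS = {
    "max": max,
    "mean": lambda scores: sum(scores) / len(scores),
    "min": min,
}

# Constructed challenge templates: known malicious flows per class and known legitimate ones.
MALICIOUS = {
    "scan": {"dst_ports": 100, "failed_logins": 0, "bytes": 10_000},
    "bruteforce": {"dst_ports": 1, "failed_logins": 40, "bytes": 50_000},
    "worm": {"dst_ports": 30, "failed_logins": 8, "bytes": 2_000_000},
}
LEGITIMATE = (
    [{"dst_ports": 2, "failed_logins": 1, "bytes": 200_000}] * 6     # ordinary clients
    + [{"dst_ports": 1, "failed_logins": 0, "bytes": 5_000_000}] * 2  # nightly backups
    + [{"dst_ports": 200, "failed_logins": 0, "bytes": 20_000}] * 2   # authorised scanner
)

# Unlabelled background traffic the challenges get mixed into (constructed).
REAL_TRAFFIC = [{"dst_ports": 3, "failed_logins": 0, "bytes": 120_000}] * 30


def challenge_composition(expected_damage, total):
    """Malicious challenges per class, proportional to the class's expected damage."""
    total_damage = sum(expected_damage.values())
    return {cls: round(total * d / total_damage) for cls, d in expected_damage.items()}


def build_challenges(composition):
    """Labelled challenge set: (flow, True) for malicious, (flow, False) for legitimate."""
    challenges = []
    for cls, count in composition.items():
        challenges += [(dict(MALICIOUS[cls]), True)] * count
    challenges += [(dict(flow), False) for flow in LEGITIMATE]
    return challenges


def insert_challenges(real_flows, challenges, seed=0):
    """Mix challenges into the real stream; real flows carry label None (unknown truth)."""
    stream = [(flow, None) for flow in real_flows] + list(challenges)
    random.Random(seed).shuffle(stream)
    return stream


def evaluate(aggregate, stream, threshold=0.5):
    """Accuracy of one aggregation function, measured on the challenges only."""
    correct = judged = 0
    for flow, label in stream:
        if label is None:
            continue  # real traffic: no ground truth, cannot be scored
        verdict = aggregate([agent(flow) for agent in AGENTS]) >= threshold
        correct += verdict == label
        judged += 1
    return correct / judged


def select_aggregator(composition):
    """Pick the aggregation function that performs best on the inserted challenges."""
    stream = insert_challenges(REAL_TRAFFIC, build_challenges(composition))
    accuracy = {name: evaluate(agg, stream) for name, agg in AGGREGATORS.items()}
    return max(accuracy, key=accuracy.get), accuracy


if __name__ == "__main__":
    weighted = challenge_composition(EXPECTED_DAMAGE, total=10)
    print("damage-weighted composition", weighted, "->", select_aggregator(weighted))
    print("uniform composition        ", "->", select_aggregator({"scan": 3, "bruteforce": 3, "worm": 4}))
```

With the damage-weighted composition most malicious challenges are worms, which only the mean aggregator detects without flagging the legitimate backup and scanner hosts, so "mean" is selected; with a uniform composition the scans and brute-force attempts that only "max" catches outweigh its false positives, and "max" is selected instead. That shift is exactly what tying the composition to expected damage is meant to achieve.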
- improved effectiveness, i.e. fewer false positives/false negatives
- high performance: the system is able to process 1 Gb/sec of traffic on a single (multicore) PC
- intuitive and unobtrusive user interface
- tight integration with the open-source nfsen collector
Conclusions
Our work presents an architecture that allows the integration of a theoretical game model with a wide class of intrusion detection systems and therefore opens opportunities for their increased use in production systems. The presented concept of challenge insertion enables the integration of the game-theoretical model by providing a dynamic measure of the properties of the IDS.