Bayesian Networks For Network Intrusion Detection - New

Uploaded by kapiljain1989

Bayesian Networks for Network Intrusion Detection
Team 9: Bayesian Blasters
Story of RFNow Inc
• RFNow is an emerging service provider in Canada providing 10 Gbps internet services to customers.
• RFNow has a history of total network meltdown due to severe network attacks.
• RFNow decided to hire someone to build a Bayesian-based network intrusion detection model.
• This is the story of how RFNow improved their network with a NIDS system.
Identifying the problem
• History of attacks: ARP poisoning, DDoS, man-in-the-middle, etc.
• Complexity of the attacks (a minor change in the header and the attack is no longer detectable).
• Failure to identify new, unknown attacks (zero-day attacks).
• Selection of paradigms for automated anomaly detection: finite automata, neural networks, genetic algorithms, fuzzy logic, SVM, etc.
• How to tackle false positives, i.e. legitimate traffic being categorized as an anomaly?
Building blocks of RFNow’s Solution
• Basic IP header and components of network traffic
• Difference between misuse and anomaly detection
• Bayesian-based intrusion detection
• Bayesian Network use in ESIDE-Depian
• ESIDE-Depian integration of misuse and anomaly detection
Difference between misuse and anomaly detection
• Misuse detection identifies the menace by comparing incoming traffic against a knowledge base built from the existing user base. Whitelist model.
• How will this identify a new type of attack?
• Information can be added to the knowledge base, but as it grows the traffic processing becomes slow. At 10 Gbps???
• Anomaly detection system: compares the traffic against the knowledge base of normal behaviour; any small deviation is blocked, e.g. a change in the network such as adding jumbo frames.
Bayesian-based intrusion detection
• Bayes theorem (Thomas Bayes, 1763)

Given the prior information about the network in the knowledge base, the likelihood of traffic being an intrusion can be calculated.
Basic IP header and components of network traffic (contd.)
• Bayesian Networks are graphical probabilistic models for multivariate analysis.
• Graphical Models: Bayesian Networks use a visual structure (a directed graph) to represent relationships among variables.
• Probabilistic Models: These networks represent how likely different variables are, given their relationships.
• Multivariate Analysis: They are especially useful when dealing with multiple variables at the same time, helping to understand and infer the relationships between them.
Data Collection (Bayesian Network)

Both supervised and unsupervised methodologies failed, due to factors such as the cost of experts in the supervised case and the misuse-vs-anomaly problem.
High level Architecture of Bayesian network IDS

Bayesian Network use in ESIDE-Depian
Functioning of RFNow’s ESIDE-Depian
• Traffic Sampling: Gather both normal and malicious traffic samples from the network. Normal traffic is collected via sniffing, while malicious traffic is simulated using hacking tools like Metasploit.
• Structural Learning: Establish the network model using a Bayesian Network, where nodes represent parameters and edges show relationships. The PC-Algorithm is used to determine these relationships among network variables.
• Parametric Learning: Assign probability values to the relationships in the network model using Maximum Likelihood Estimation. This step quantifies the strength of dependencies between parameters.
• Bayesian Inference: For every new packet, determine the probability of it being malicious using Bayesian inference based on the relationships in the model. This produces a continuous probability value that indicates how likely a packet is malicious. The Lauritzen and Spiegelhalter method is used here for efficient inference.
• Alarm Mechanism: Use a threshold to trigger alarms for packets that exceed a set probability, balancing the rate of false positives and negatives.
• Adaptation: Update the model over time as network conditions change. Sequential or incremental Maximum Likelihood Estimation is used to keep the model accurate by incorporating changes such as new services or network configurations.
How ESIDE-Depian works
1. Traffic Sample Obtaining
   1. Establish information sources for data collection.
   2. Gather normal traffic (e.g., via sniffing, ARP poisoning) and malicious traffic (using tools like Metasploit).
2. Structural Learning
   1. Define the operational model for ESIDE-Depian.
   2. Use the PC-Algorithm to identify causal/correlative relationships among traffic parameters, forming a Bayesian structure.
3. Parametric Learning
   1. Transition from a qualitative to a quantitative model.
   2. Apply Maximum Likelihood Estimation to determine the strength of relationships, filling the Bayesian model with conditional probability values.
4. Bayesian Inference
   1. Analyze packet captures to calculate posterior probabilities of attack likelihood.
   2. Implement the Lauritzen and Spiegelhalter method for efficient inference, enabling real-time analysis of network packets.
5. Adaptation
   1. Continuously update the knowledge model to reflect changes in normal traffic behavior.
   2. Use incremental maximum likelihood estimates for ongoing adaptation based on system variations.
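The five steps above, together with the earlier Bayes theorem slide, as one added worked example in Python. This is not ESIDE-Depian's code nor the presenters' own; it assumes a fixed naive-Bayes structure (class node pointing at each packet feature) in place of the structure the PC-Algorithm would learn, so inference is a direct application of Bayes' theorem rather than the Lauritzen and Spiegelhalter method; the packet records are constructed, and Laplace smoothing is added to the MLE counts so a feature value never seen in training does not force a zero likelihood.

```python
"""Simplified ESIDE-Depian-style packet classifier (added example).

Pipeline: parametric learning by MLE counts, Bayesian inference per packet,
a threshold alarm, and incremental adaptation. The structure is a fixed
naive-Bayes graph (class -> each feature), standing in for the structure the
PC-Algorithm would learn; all packet records below are constructed.
"""
from collections import defaultdict

FEATURES = ("proto", "flags", "dport_class", "size_class")

# Constructed training sample. label 0 = normal (as gathered by sniffing),
# label 1 = malicious (as produced by a simulated attack run).
TRAINING = [
    ("tcp", "SA", "well_known", "small", 0),
    ("tcp", "A", "well_known", "large", 0),
    ("tcp", "PA", "well_known", "large", 0),
    ("udp", "-", "well_known", "small", 0),
    ("udp", "-", "ephemeral", "small", 0),
    ("tcp", "S", "well_known", "small", 1),
    ("tcp", "S", "ephemeral", "small", 1),
    ("tcp", "S", "ephemeral", "small", 1),
    ("icmp", "-", "none", "large", 1),
]


class PacketModel:
    def __init__(self, alpha=1.0):
        # alpha: Laplace smoothing (an assumption, not on the slides) so a
        # value never seen during learning does not force a zero likelihood.
        self.alpha = alpha
        self.class_count = defaultdict(int)
        self.feature_count = {f: defaultdict(int) for f in FEATURES}
        self.feature_values = {f: set() for f in FEATURES}

    def learn(self, records):
        """Parametric learning: accumulate the counts behind the MLE of
        P(feature = v | class) for every feature."""
        for *values, label in records:
            self.class_count[label] += 1
            for f, v in zip(FEATURES, values):
                self.feature_count[f][(v, label)] += 1
                self.feature_values[f].add(v)

    def p_feature(self, f, v, label):
        """Smoothed MLE of P(feature f = v | class = label)."""
        k = len(self.feature_values[f]) + 1  # +1 bucket for unseen values
        num = self.feature_count[f][(v, label)] + self.alpha
        return num / (self.class_count[label] + self.alpha * k)

    def posterior(self, packet):
        """Bayes theorem: P(attack | x) = P(x | attack) P(attack) / P(x),
        with P(x | class) factored over the features by the naive structure."""
        total = sum(self.class_count.values())
        joint = {}
        for label in (0, 1):
            p = self.class_count[label] / total  # prior from the knowledge base
            for f, v in zip(FEATURES, packet):
                p *= self.p_feature(f, v, label)  # likelihood of each feature
            joint[label] = p
        return joint[1] / (joint[0] + joint[1])

    def adapt(self, packet, label):
        """Adaptation: incremental MLE, folding one confirmed packet into the
        counts instead of re-learning from scratch."""
        self.learn([(*packet, label)])


def train_model():
    model = PacketModel()
    model.learn(TRAINING)
    return model


def classify(model, packet, threshold=0.5):
    """Alarm mechanism: return the continuous probability and whether it
    crosses the alarm threshold."""
    p = model.posterior(packet)
    return p, p >= threshold


if __name__ == "__main__":
    m = train_model()
    for pkt in [("tcp", "S", "ephemeral", "small"), ("tcp", "PA", "well_known", "large")]:
        print(pkt, classify(m, pkt))
    # Adaptation: a new service makes SYNs to ephemeral ports normal traffic.
    for _ in range(20):
        m.adapt(("tcp", "S", "ephemeral", "small"), 0)
    print("after adaptation", classify(m, ("tcp", "S", "ephemeral", "small")))
```

The threshold in classify is the knob the Alarm Mechanism step refers to: lowering it trades false negatives for false positives. The adaptation loop at the end shows the effect the Adaptation step describes: after a batch of confirmed-normal SYN packets to ephemeral ports is folded into the counts, the same packet that was flagged before drops well below the alarm threshold.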
How ESIDE-Depian works
1. Expectation Maximization (EM): An MLE-type algorithm that can learn from data with missing values.
2. Maximum Likelihood Estimation (MLE): Provides point estimates of the parameters.
3. Bayesian Learning: Maintains an updated distribution over the parameters, allowing it to continuously learn and improve.
How did RFNow set up ESIDE-Depian?
• Obtained traffic sample
• Established structural learning
• Established parametric learning
• Bayesian inference
• Adaptation
ESIDE-Depian Final Knowledge Representation Model (Bayesian Network)
• Two-Tiered Structure:
  • Tier 1: Expert modules (TCP-IP, UDP-IP, ICMP-IP, Connection Tracking, Protocol Payload) analyze network traffic.
  • Tier 2: Consolidates results with one class parameter, favoring the most conservative decision to minimize false negatives.
• Bayesian Network Implementation:
  • Combines individual expert verdicts using a Naive Bayesian classifier.
  • Expert modules focus on different aspects of network traffic, ensuring diverse perspectives on potential threats.
• Flexibility:
  • Expert modules can be dynamically enabled or disabled as needed, enhancing adaptability.
  • System prioritizes accurate anomaly detection while balancing performance and representational power.
• Misuse and Anomaly Detection Integration:
  • Experts handle both known and zero-day attacks using a unified Bayesian network model.
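The two-tier consolidation described above, as an added example in Python that is not ESIDE-Depian's own code. The expert module names follow the slide; the per-expert reliability figures, the 1% attack prior, the skipping of experts that have nothing to say about a packet, and the reading of "most conservative decision" as "flag the packet if either the fused posterior or any single consulted expert's own posterior reaches the threshold" are all assumptions made here.

```python
"""Two-tier consolidation of expert verdicts (added example).

Tier 1: expert modules named as on the slide, each returning a binary verdict
or None when it has nothing to say about a packet. Tier 2: a naive Bayes
combination of the verdicts into one class posterior. The reliability
figures and the conservative decision rule are constructed assumptions.
"""
import math

# Constructed per-expert reliability, as if measured on labelled traffic:
# tpr = P(expert flags the packet | attack), fpr = P(expert flags | normal).
EXPERTS = {
    "tcp_ip":     {"tpr": 0.80, "fpr": 0.05},
    "udp_ip":     {"tpr": 0.60, "fpr": 0.08},
    "icmp_ip":    {"tpr": 0.70, "fpr": 0.02},
    "conn_track": {"tpr": 0.90, "fpr": 0.10},
    "payload":    {"tpr": 0.95, "fpr": 0.01},
}


def _logit(p):
    return math.log(p / (1 - p))


def _sigmoid(x):
    return 1 / (1 + math.exp(-x))


def fuse(verdicts, prior_attack=0.01, enabled=None):
    """Naive Bayes combination: each expert verdict is treated as
    conditionally independent given the class, so the posterior log-odds
    are the prior log-odds plus one log-likelihood ratio per expert.
    verdicts: {expert: True | False | None}; None means the expert did not
    apply to this packet (e.g. the UDP expert on a TCP segment) and is skipped.
    enabled: optional set of experts to consult; the rest are ignored, which
    is the runtime enable/disable the slide mentions."""
    log_odds = _logit(prior_attack)
    for name, verdict in verdicts.items():
        if verdict is None or (enabled is not None and name not in enabled):
            continue
        tpr, fpr = EXPERTS[name]["tpr"], EXPERTS[name]["fpr"]
        if verdict:
            log_odds += math.log(tpr / fpr)            # expert flagged it
        else:
            log_odds += math.log((1 - tpr) / (1 - fpr))  # expert cleared it
    return _sigmoid(log_odds)


def decide(verdicts, threshold=0.5, prior_attack=0.01, enabled=None):
    """Tier-2 decision under the assumed conservative rule: take the larger
    of the fused posterior and each consulted expert's stand-alone
    posterior, and alarm if that reaches the threshold."""
    fused = fuse(verdicts, prior_attack, enabled)
    alone = [
        fuse({name: v}, prior_attack, enabled)
        for name, v in verdicts.items()
        if v is not None and (enabled is None or name in enabled)
    ]
    p = max([fused] + alone)
    return p, p >= threshold


if __name__ == "__main__":
    pkt = {"tcp_ip": True, "udp_ip": None, "icmp_ip": None,
           "conn_track": True, "payload": True}
    print("all experts agree:", decide(pkt))
    mixed = dict(pkt, payload=False)
    print("payload expert disagrees:", decide(mixed))
    print("payload expert disabled:", decide(mixed, enabled={"tcp_ip", "conn_track"}))
```

With the constructed figures, a single header-level expert raising its hand moves a 1% prior to roughly 14%, while three agreeing experts push it above 99%; switching the payload expert off changes the mixed case from "clear" to "alarm", which is the practical reason the slide lists enable/disable as a flexibility and not just a convenience.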
Let’s get our hands dirty
Problems and Solutions
• Integration of Snort:
  • Initial strategy failed by treating Snort as an external verdict provider.
  • Solution: Recast Snort as an advisor during both training and real-time operation, allowing the Bayesian model to absorb and exceed Snort’s knowledge.
• Handling Different Parameter Types:
  • Static parameters (TCP, UDP, ICMP) vs. dynamic parameters (connection tracking and payload analysis requiring time-based modeling).
  • Solution: Tailored traffic samples were used for testing dynamic experts.
Thank you for your attention