Case Based Reasoning Approach to Intrusion Detection. Date: 3/14/2005. Dr. Seong-Moo Yoo, Information Assurance Engineering Lab, Electrical and Computer Engineering Dept., University of Alabama in Huntsville.

Page 1: Case Based Reasoning Approach to Intrusion Detection

Case Based Reasoning Approach to Intrusion Detection

Date: 3/14/2005

Dr. Seong-Moo Yoo

Information Assurance Engineering Lab

Electrical and Computer Engineering Dept.

University of Alabama in Huntsville

Page 2: Current IDS Systems

• Existing IDS systems are mostly static.

• They track known attack signatures.

• Any recognized attack is blocked from entering the protected system.

• All other traffic (friendly and unknown) is permitted to access the system.

– Malicious traffic is mostly of an unknown signature type, so it will not trigger the IDS.

• Hence the motivation for a dynamic approach.

Page 3: Current ID approaches and CBR

• Knowledge-based approaches: very efficient at detecting intruders of previously known types, but ineffective against new forms of threat.

• Behavior-based approaches: have the potential to guard against previously unknown types of threat, but are not as precise.

• CBR can be considered a mix of these two approaches (a fuzzy approach).

Page 4: Proposed CBR Approach

• Goal: transition from a philosophy that “denies known threats” to one that “permits only confirmed friends”.

• Dynamic, real-time detection of friend and attack traffic patterns within an evolving environment.

• Implemented completely in software.

Page 5: CBR (cont’d)

• CBR encompasses a three-pronged innovation:

1. A proviso for explicit identification of true friends, in addition to the traditional identification of known threats.

2. The use of CBR, hitherto not employed within the intrusion detection environment, to accomplish this goal.

3. A unique ongoing learning capability that enhances CBR to self-learn new threats as they arise.

Page 6: Proposed Philosophy: Permit only confirmed friends

(Diagram; reconstructed from its labels.) Incoming traffic first passes the IDS (THREAT), which compares it against the Known Threat Signatures; Known Threats are BLOCKED. What remains is a Possible Friend and goes to the True Friend Detection System, which compares it against the Known Friend Signatures; a Confirmed Friend is admitted to the protected system. Traffic that matches neither database is Unknown and goes to Analysis of Unknowns, which feeds a New Threat Signature or a New Friend Signature back into the respective database (signature update). Legend: signature update; input to detection systems; message flow. Numbered arrows 1 to 5 mark the order of the message flow.

Page 7: CBR Steps

I. Identify a viable technique to characterize a known set of threat signatures,

II. Develop a similar technique to characterize known friend signatures,

III. Incorporate threat intrusion detection,

IV. Incorporate true friend detection, and

V. Develop and demonstrate a methodology for the analysis of unknown signatures.

Page 8: CBR Step 1

• Recognizes that a growing database of threat signatures already exists.

• The goal here is to

– conduct an analysis to classify these known threats into logical groups,

– characterize the key parameters that define each group, and

– determine an acceptable set of tolerances that can be used to classify unknown signatures as likely threats.

Page 9: CBR Steps 2 and 3

• Step 2 runs in parallel with Step 1, with classification, characterization and tolerance definition carried out for all known true-friend signatures. Whereas an existing database will drive the threat signature characterization, it is recognized that, for a given information system, the known friend signatures must first be decoded from that system’s own traffic.

• Step 3 incorporates an existing IDS into the process.

Page 10: CBR Step 4

• Enhances the achievable level of information assurance by adding a filtering process that allows only traffic confirmed as friendly into the protected system.

• Operating together, the modified IDS (Threat) and the newly established true-friend detector filter out known threat traffic and unknown traffic.

Page 11: CBR Step 5

• Facilitates the ongoing learning noted earlier by first analyzing the filtered unknown signatures for the existence of inherent, similarly characterized clusters.

• The goal of this analysis is to expand the threat and friendly signature databases via the CBR-based evaluation described above.

Page 12: Three General Clusters

1. Likely friend

2. Likely threat

3. Continued unknown

• The threshold mechanism assesses whether the closeness to a known case is sufficient for the traffic to be truly normal, or whether there are grounds to suspect a case of normal-behavior “impersonation.”
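The following is an added worked example, not code from the UAH project, showing how Steps 1 to 5 and the three clusters of this slide fit together as a nearest-neighbour case base with per-group tolerances. The feature layout (packets per second, mean packet length, SYN fraction, distinct destination ports), the scaling constants, the group names, the tolerance values and all traffic records are constructed assumptions for illustration; the deck specifies none of them. The impersonation check implements the threshold rule above: a record that falls inside both a friend tolerance and a threat tolerance is not admitted, and the learning step only promotes a cluster of unknowns once it is large enough and an analyst has supplied its label.

```python
import math
from dataclasses import dataclass

# Feature layout of one traffic record (assumption for this example):
# (packets/s, mean packet length in bytes, fraction of bare SYNs,
#  distinct destination ports). Each feature is divided by its expected
# range so that no single feature dominates the distance.
SCALE = (1000.0, 1500.0, 1.0, 100.0)
LIKELY_FRIEND, LIKELY_THREAT, UNKNOWN = "likely friend", "likely threat", "continued unknown"


@dataclass(frozen=True)
class Case:
    label: str       # "threat" or "friend"
    group: str       # logical group from the Step 1 / Step 2 classification
    features: tuple  # raw feature values, same layout as SCALE


def distance(a, b):
    """Euclidean distance between two records after range normalisation."""
    return math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, SCALE)))


class CaseBase:
    """One signature database (threats or friends) with a tolerance per group."""

    def __init__(self, label):
        self.label, self.cases, self.tolerance = label, [], {}

    def add_group(self, group, examples, tolerance):
        self.cases.extend(Case(self.label, group, tuple(f)) for f in examples)
        self.tolerance[group] = tolerance  # radius inside which a record matches the group

    def nearest(self, features):
        """Nearest-neighbour lookup: (distance, case), or (inf, None) if empty."""
        return min(((distance(features, c.features), c) for c in self.cases),
                   key=lambda dc: dc[0], default=(math.inf, None))

    def match(self, features):
        """(matched, distance, nearest case); matched = inside the group's tolerance."""
        d, c = self.nearest(features)
        return (c is not None and d <= self.tolerance[c.group]), d, c


def classify(features, threats, friends):
    """Step 5 screening into the three clusters. A record inside BOTH a threat
    and a friend tolerance is the 'impersonation' case and stays unknown."""
    t_ok, t_d, t_case = threats.match(features)
    f_ok, f_d, f_case = friends.match(features)
    if t_ok and f_ok:
        return UNKNOWN, f"inside both tolerances: possible impersonation of {f_case.group}"
    if t_ok:
        return LIKELY_THREAT, t_case.group
    if f_ok:
        return LIKELY_FRIEND, f_case.group
    return UNKNOWN, f"no case within tolerance (nearest threat {t_d:.2f}, friend {f_d:.2f})"


def screen(features, threats, friends):
    """Page 6 message flow: threat IDS, then the true-friend filter. Only a
    confirmed friend is admitted; threats are blocked and unknowns are held."""
    verdict, _ = classify(features, threats, friends)
    return {LIKELY_THREAT: "BLOCKED", LIKELY_FRIEND: "PERMITTED"}.get(verdict, "HELD")


def cluster_unknowns(records, radius):
    """Greedy leader clustering of held records: a record joins the first
    cluster whose leader lies within `radius`, otherwise it starts a new one."""
    clusters = []
    for rec in records:
        for cluster in clusters:
            if distance(rec, cluster[0]) <= radius:
                cluster.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters


def learn(cluster, base, group, min_size=3, min_tolerance=0.02):
    """Ongoing learning: once an analyst confirms a cluster's label it becomes a
    new group of `base`, with the cluster's observed spread as its tolerance
    (floored so a tight cluster does not get a zero-width match)."""
    if len(cluster) < min_size:
        return False  # too small to count as a 'similarly characterised cluster'
    spread = max(distance(a, b) for a in cluster for b in cluster)
    base.add_group(group, cluster, max(spread, min_tolerance))
    return True


def build_case_bases():
    """Constructed Step 1 / Step 2 databases; all values are illustrative."""
    threats, friends = CaseBase("threat"), CaseBase("friend")
    threats.add_group("syn_flood", [(900, 60, 0.95, 1), (800, 64, 0.90, 1)], 0.15)
    threats.add_group("port_scan", [(300, 60, 0.80, 90), (250, 64, 0.85, 80)], 0.20)
    threats.add_group("covert_exfil", [(10, 1400, 0.02, 1)], 0.05)  # mimics mail traffic
    friends.add_group("web_browsing", [(20, 900, 0.05, 2), (40, 1100, 0.04, 3)], 0.20)
    friends.add_group("mail_relay", [(5, 1400, 0.02, 1), (8, 1300, 0.02, 1)], 0.15)
    return threats, friends


if __name__ == "__main__":
    threats, friends = build_case_bases()
    for rec in [(850, 62, 0.92, 1), (30, 1000, 0.05, 2), (7, 1400, 0.02, 1)]:
        print(rec, screen(rec, threats, friends), classify(rec, threats, friends))
    held = [(150, 500, 0.5, 20), (160, 520, 0.5, 22), (140, 480, 0.48, 19), (600, 200, 0.3, 50)]
    for cluster in cluster_unknowns(held, radius=0.1):
        if learn(cluster, threats, "slow_scan"):  # label assumed confirmed by an analyst
            print("learned slow_scan from", len(cluster), "held records")
    print(classify((150, 500, 0.5, 20), threats, friends))
```

The mail-like exfiltration group is there on purpose: with a tolerance on each side, the record `(7, 1400, 0.02, 1)` sits inside both the `mail_relay` and the `covert_exfil` region, so the closest-match alone would call it a friend while the threshold rule holds it for analysis. The promoted `slow_scan` group gets a tolerance derived from the cluster it came from; in a real deployment that tolerance, like the original per-group values, is the knob that trades false friends for held benign traffic.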

Page 13: Other Jobs to Be Done

• Conduct a review of the state of the art in this arena, to ensure that no reinvention of the wheel occurs and that funding is used judiciously to meet the program objectives.

• The potential for exploiting synergy between the proposed approach and other techniques currently in use will also be investigated.

• Our expertise in the field of information and decision fusion will be used in exploiting this synergy between the approaches.

Page 14: Jobs to Be Done (cont.)

An enhanced IDS that will

I. Identify incoming message streams as “true friends”, “true threats”, and “unknowns”.

II. Use CBR, for the first time, to accomplish this partitioning.

III. Incorporate a unique ongoing learning capability that enhances CBR to self-learn new “threats” and “friends” as they arise.

Page 15: Concept Demonstration

• Up-to-date databases of known threat and true-friend mechanisms can be identified.

• System-specific true-friend and known-threat signatures will then be classified, characterized, and their tolerance limits defined.

• The resulting threat signature knowledge will be infused into an existing IDS (Threat) filter, while the true-friend signature characterizations will be packaged within a new true-friend filter.

• The proposed enhanced information assurance capability will then be demonstrated by subjecting the selected system to known-threat traffic as well as true-friend and unknown-signature traffic.

Page 16: Support Component

• To conduct this demonstration we need:

– access to the Government-selected test system in order to define an emulated network,

– sponsorship to examine an existing Government information assurance threat database, and

– a realistic (operational) message traffic characterization.

Page 17: Evaluation

• Performance evaluation of CBR will include

– Comparison of effectiveness between this new IDS philosophy and current IDS capabilities. This comparison will measure such items as the effect on the protected system’s operating speed and the level of protection provided.

– Measurement of the speed and effectiveness of the True Friend Detection System (Step 4).

– Measurement of the speed and effectiveness of the Analysis of Unknowns (Step 5).
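An added example of the first comparison above, not part of the original deck: the two philosophies reduced to their policy decision and scored on a constructed, labelled traffic sample. Signature identifiers, the two databases and the traffic mix are assumptions chosen so that the sample contains traffic in neither database, which is the case the deck is about. The two rates are the ones a practitioner wants side by side: how much malicious traffic each policy admits (level of protection) and how much benign traffic it blocks (the cost that Step 5 exists to recover).

```python
from collections import Counter

# Constructed sample: (signature id, ground truth). The "unknown-*" records
# match neither database; two of them are benign, three malicious.
TRAFFIC = [
    ("sig-threat-1", "malicious"), ("sig-threat-2", "malicious"),
    ("unknown-a", "malicious"), ("unknown-b", "malicious"), ("unknown-c", "malicious"),
    ("sig-friend-1", "benign"), ("sig-friend-2", "benign"), ("sig-friend-3", "benign"),
    ("unknown-d", "benign"), ("unknown-e", "benign"),
]
KNOWN_THREATS = {"sig-threat-1", "sig-threat-2"}   # assumed threat signature database
KNOWN_FRIENDS = {"sig-friend-1", "sig-friend-2", "sig-friend-3"}  # assumed friend database


def deny_known_threats(sig):
    """Current IDS philosophy: admit everything that is not a known threat."""
    return sig not in KNOWN_THREATS


def permit_confirmed_friends(sig):
    """Proposed philosophy: admit only traffic that matches a known friend."""
    return sig in KNOWN_FRIENDS


def evaluate(policy, traffic=TRAFFIC):
    """Score a policy (signature -> admitted?) against labelled traffic and
    return the fraction of malicious traffic admitted and of benign blocked."""
    counts = Counter((truth, policy(sig)) for sig, truth in traffic)
    malicious = counts[("malicious", True)] + counts[("malicious", False)]
    benign = counts[("benign", True)] + counts[("benign", False)]
    return {
        "malicious_admitted": counts[("malicious", True)] / malicious,
        "benign_blocked": counts[("benign", False)] / benign,
    }


if __name__ == "__main__":
    for policy in (deny_known_threats, permit_confirmed_friends):
        print(policy.__name__, evaluate(policy))
```

On this sample the deny-known-threats policy admits three of the five malicious records (every unknown one) while blocking no benign traffic, and the permit-confirmed-friends policy admits none of the malicious records but blocks the two unknown benign ones. The second number is what the Analysis of Unknowns has to drive down over time by promoting recurring benign unknowns to friend signatures.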

Page 18: Intrinsic Merit

• This project will help to better protect critical computer networks through an enhanced intrusion detection approach.

• Transition from “denies known threats” to “permits only confirmed friends”.

• A threshold mechanism on top of the CBR closest-match identification process.

Page 19: Expected Results

• This effort will provide a proof of principle for the proposed IDS philosophy.

• The R&D is expected to lead to a feasible set of real-time algorithms that admit only confirmed friends while blocking known-threat and unknown traffic.

• Ongoing learning will also be demonstrated, as unknown traffic is properly classified and added to the respective databases.

• A laboratory demonstration will provide the evaluation metrics.

Page 20: Program Description

Task 1 – Known Threat Signature Characterization

– A set of known threat signatures will first be identified for the selected “target” network. These threats will be characterized to document their nature and to catalogue their identifying features.

Task 2 – Known Friend Signature Characterization

– A methodology for identifying and characterizing a set of known friend signatures will be developed and tested. The methodology will enhance the “trusted network” concept by documenting the nature, and cataloguing the identifying features, of truly friendly message traffic for the selected network.

Page 21: Program Description (cont’d)

Task 3 – Threat Intrusion Detection

– The results of Task 1 will be incorporated into a Threat IDS package and tested to ensure that known threats are blocked based on the identified signature characterization.

Task 4 – True Friend Detection

– The results of Task 2 will be incorporated into a Friendly IDS package and tested to ensure that known friendly message traffic is passed to the target network based on a positive match to the identified friendly signature characterization.

Page 22: Program Description (cont’d)

Task 5 – Analysis of Unknown Signatures

– A CBR-based screening process will first be used to identify probable threat and probable friendly traffic. Probable threats will be passed to the threat signature database, and probable friendly traffic on to the targeted network.

Page 23: Project Schedule

Quarters: 1 Jul–Sep, 2 Oct–Dec, 3 Jan–Mar, 4 Apr–Jun, 5 Jul–Sep, 6 Oct–Dec.

Tasks (the chart’s per-task timing did not survive the transcript):

Task 1: Known Threat Signature Characterization

Task 2: Known Friend Signature Characterization

Task 3: Threat Intrusion Detection

Task 4: True Friend Detection

Task 5: Analysis of Unknown Signatures

Task 6: Reporting

Page 24: References

– D. A. Frincke and M.-Y. Huang, “Recent advances in intrusion detection systems,” Computer Networks, Vol. 34, No. 4, pp. 541–545, October 2000.

– H. Debar, M. Dacier and A. Wespi, “Towards a Taxonomy of Intrusion-Detection Systems,” Computer Networks, Vol. 31, No. 8, pp. 805–822, 23 April 1999.

– B. V. Dasarathy, Nearest Neighbor (NN) Norms: NN Pattern Classification Techniques, IEEE Computer Society Press, Los Alamitos, CA, 1991.

– B. V. Dasarathy, “Nosing Around the Neighborhood: A New System Structure and Classification Rule for Recognition in Partially Exposed Environments,” IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. PAMI-2, No. 1, pp. 67–71, January 1980.

– B. V. Dasarathy, “There Goes the Neighborhood: An ALIEN Identification Approach to Recognition in Partially Exposed Environments,” Proceedings of the 5th International Conference on Pattern Recognition, pp. 91–93, December 1980.