hybrid intrusion detection with weighted signature generation over anomalous internet episodes


Posted on 27-Jan-2016


DESCRIPTION

Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes. Kai Hwang, Fellow, IEEE, Min Cai, Member, IEEE, Ying Chen, Student Member, IEEE, and Min Qin IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 4, NO. 1, JANUARY-MARCH 2007 - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes

Kai Hwang, Fellow, IEEE, Min Cai, Member, IEEE, Ying Chen, Student Member, IEEE, and Min Qin

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 4, NO. 1, JANUARY-MARCH 2007

Presented by Yong Sun Kim

Page 2: Summary

This hybrid system combines the advantage of the low false-positive rate of a signature-based IDS (intrusion detection system) with the ability of an ADS (anomaly detection system) to detect novel, unknown attacks.

Experimental results show a 60 percent detection rate for the HIDS, compared with 30 percent and 22 percent using the SNORT and Bro systems, respectively, and this was obtained with less than 3 percent false alarms.

The signatures generated by ADS upgrade the SNORT performance by 33 percent.

Page 3

A hybrid intrusion detection system built with SNORT and an anomaly detection subsystem (ADS) through automated signature generation from Internet episodes.

Page 4

Data mining scheme for network anomaly detection over Internet connection records.

An anomaly is detected once an episode rule cannot find any match with the normal connection rules in the database. The attack data set is a mixture of a locally captured trace file and the DARPA 1999 IDS evaluation data set (MIT/LL).

Page 5: Appreciative Comment 1

To maximize effectiveness, various algorithms and schemes are introduced: mining FERs (frequent episode rules) for anomaly detection, episode rule training from normal traffic, and pruning techniques for episode rules.

Page 6: Appreciative Comment 2

By using a weighted signature generation algorithm, the system improves accuracy and reduces false alarms. The ADS assigns an anomaly score and a normality score to each connection after processing a traffic data set. Signatures are defined when patterns have high anomaly scores but relatively low normality scores.

Page 7: Critical Comments

The paper gives different descriptions of the false-alarm rate and detection rate. In the Abstract: "results show a 60 percent… less than 3 percent false alarm.." In 8 Conclusions and Further Research, item 4: "Our HIDS results in a detection rate of 60 percent… false alarms must be maintained below 3 percent." In 7.3 Effects of False Alarms on IDS Performance: "The HIDS achieved a low 47 percent detection rate at 1 percent false alarms. However, the detection rate can be raised to 60 percent if the false alarms can be tolerated up to 30 percent."

Page 8

Fig. 13. ROC curves showing the variation of the average intrusion detection rate of three detection systems as the false alarm rate increases.

Page 9: Question

Is this passive way of generating signatures in the ADS still effective under a fast network attack such as "Code Red"?

Page 10: Signature mapping

For Dataset-I, the < attribute; condition > pairs are decoded as follows:

(ip proto = icmp), (icmp type = echo req), (1,480 <= src bytes < 1,490), (dst count > 10)

The < attribute; condition > pairs form an abstract signature of the Pod attack. Using the attribute mappings in Table 4, the signature is translated into a SNORT rule as follows:

alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"possible pod attack"; itype:8; dsize:1480<>1490; threshold:type both, track by_dst, count 10, seconds 1; sid:900001; rev:0;)
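The weighted selection described on Page 6 and the signature-to-rule mapping on this page, carried through in Python as an added example that is not code from the paper or the slides. The scores, the 0.8/0.2 selection thresholds, the second "routine ping" rule and the small attribute table are constructed assumptions standing in for the paper's Table 4.

```python
from dataclasses import dataclass

# Constructed stand-in for the paper's Table 4: only the ICMP types the Pod signature needs.
ICMP_TYPES = {"echo req": 8, "echo reply": 0}

@dataclass
class EpisodeRule:
    name: str
    pairs: list       # abstract signature: (attribute, operator, value) triples
    anomaly: float    # anomaly score assigned by the ADS (assumed 0..1)
    normality: float  # normality score assigned by the ADS (assumed 0..1)

def select_signatures(rules, min_anomaly=0.8, max_normality=0.2):
    """Weighted selection: keep rules with a high anomaly score but a low
    normality score, so patterns common in normal traffic never become rules."""
    return [r for r in rules if r.anomaly >= min_anomaly and r.normality <= max_normality]

def to_snort_rule(rule, sid):
    """Translate <attribute; condition> pairs into one Snort rule string."""
    proto, opts = "ip", [f'msg:"{rule.name}";']
    for attr, op, val in rule.pairs:
        if attr == "ip_proto" and op == "=":
            proto = val                                # goes into the rule header
        elif attr == "icmp_type" and op == "=":
            opts.append(f"itype:{ICMP_TYPES[val]};")   # echo req -> itype:8
        elif attr == "src_bytes" and op == "range":
            opts.append(f"dsize:{val[0]}<>{val[1]};")  # payload size window
        elif attr == "dst_count" and op == ">":        # many hits on one destination
            opts.append(f"threshold:type both, track by_dst, count {val}, seconds 1;")
        else:
            raise ValueError(f"no Snort mapping for {attr} {op}")
    opts += [f"sid:{sid};", "rev:0;"]
    return f"alert {proto} $EXTERNAL_NET any <> $HOME_NET any ({' '.join(opts)})"

# Constructed sample: the Pod pattern from the slide, plus a frequent benign
# ping pattern that looks unusual in isolation but scores high on normality.
RULES = [
    EpisodeRule("possible pod attack",
                [("ip_proto", "=", "icmp"), ("icmp_type", "=", "echo req"),
                 ("src_bytes", "range", (1480, 1490)), ("dst_count", ">", 10)],
                anomaly=0.92, normality=0.05),
    EpisodeRule("routine ping",
                [("ip_proto", "=", "icmp"), ("icmp_type", "=", "echo req"),
                 ("src_bytes", "range", (56, 64))], anomaly=0.85, normality=0.70),
]

def generate_rules(rules=RULES, first_sid=900001):
    """Snort rules for the signatures that pass the weighted selection."""
    return [to_snort_rule(r, first_sid + i) for i, r in enumerate(select_signatures(rules))]
```

Only the Pod pattern survives selection; the ping pattern has a high anomaly score too, but its high normality score keeps it from becoming a rule that would fire on ordinary traffic.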