Advance in Intrusion Detection Techniques
Associate Prof. Fang Xianjin (方賢進(jìn))
Computer Science & Engineering School of AUST

Outline
- Context of the computer security problem
- Brief summary of computer security systems
- What is an IDS?
- Architecture and classification of IDS
- Intrusion detection techniques
- My current research work
- Questions and answers

Context of the computer security problem
[Figure: statistics from the 2006 Annual Report by CNCERT/CC]
From 19 June to 31 December 2006, 18,912 samples were captured by the CNCERT/CC honeynet.

Brief summary of computer security systems: multi-layer defense
- First layer: static access-control mechanisms such as passwords and file permissions. Disadvantages: limited in the security they can provide on their own; overly restrictive for legitimate users of the system.
- Second layer: cryptography, which provides secure channels and host authentication.
- Another layer: the firewall, which filters undesirable traffic out of a network.
- The latest layer of defense is provided by dynamic protection systems that can detect and prevent intrusions, known as Intrusion Detection Systems (IDS).
What is an IDS?
Mathematical description of an IDS:
- U: the universe set of patterns
- S: the set of normal/legitimate/acceptable patterns (the self set)
- N: the set of anomalous/illegitimate/unacceptable patterns (the nonself set)
- S ∪ N = U, S ∩ N = ∅
- IDS = (f, M), where f is a nonlinear classification function, f: U → {normal, anomalous}, and M ⊆ U is the detection range of the detection system.
[Figure: U partitioned into Self and Nonself with the detection range M drawn over both. False positives are self patterns that fall inside M (M ∩ S); false negatives are nonself patterns that fall outside M (N \ M).]

IDS architecture and classification
[Figure: IDS architecture with the components sensor, analyzer, knowledge base, response/control, policy/control information, alert, and analysis console.]

Classification of IDS
On the basis of detection technique:
- Misuse detection (signature-based): high detection rate and low false positive rate for known attacks, but a high false negative rate, because an attack with no signature is missed.
- Anomaly detection: lower detection rate and high false positive rate, but not limited to attacks that have been seen before.
On the basis of data input:
- HIDS (host-based)
- NIDS (network-based)
- Hybrid IDS

Intrusion detection techniques

Misuse detection

Method based on an expert system (P-BEST)
- First, build the knowledge base (attack signature base) from expert knowledge and experiment.
- Second, update the knowledge base using learning and adaptive capacity.
- Examples: EMERALD, eXpert-BSM (developed by SRI International).

Method based on TCP/IP protocol analysis
- Decode each packet at every layer of the TCP/IP architecture.
- For example: when both the SYN and FIN flags of a TCP packet are set to 1, we can conclude that a port-scanning attack has occurred, since a well-formed connection never sets both.
- Features: high performance, more accurate, resistant to evasion attacks, low resource requirements.

Method based on pattern matching
- For example: the SNORT IDS (open-source software, Sourcefire).
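The SYN+FIN check from the protocol-analysis method above, as an added example that is not code from the talk. It decodes the IPv4 and TCP headers of constructed packets (checksums left at zero, built by the `build_packet` helper here) and names the flag combination that a valid handshake never produces. The NULL and XMAS combinations are a generalization beyond the slide's SYN+FIN case; all three are classic port-scan probes.

```python
"""Protocol-analysis check for the SYN+FIN port-scan signature.

Added example, not code from the talk: decodes the IPv4 and TCP headers of
constructed packets and flags TCP flag combinations that a well-formed
connection never produces.
"""
import struct

# TCP flag bits in the low byte of the data-offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(src_ip, dst_ip, sport, dport, flags, proto=6):
    """Constructed minimal IPv4 + TCP packet (no options, checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(packet):
    """Decode the network and transport layers; returns (src, dst, sport, dport, flags).

    Raises ValueError for non-IPv4, non-TCP or truncated packets so the caller can skip them.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def classify_flags(flags):
    """Name the scan signature a TCP flag byte matches, or None if it looks legitimate.

    SYN+FIN is the case from the talk. NULL (no flags) and XMAS (FIN+PSH+URG) are
    added as a generalization: like SYN+FIN they cannot occur in a valid handshake
    and are classic probes for telling open ports from closed ones.
    """
    core = flags & 0x3F          # ignore the ECN bits (CWR/ECE)
    if core & SYN and core & FIN:
        return "SYN+FIN scan"
    if core == 0:
        return "NULL scan"
    if core == FIN | PSH | URG:
        return "XMAS scan"
    return None


def scan_alerts(packets):
    """Run the flag check over raw packets; returns (signature, src, dst, dport) per hit."""
    alerts = []
    for pkt in packets:
        try:
            src, dst, sport, dport, flags = parse_ipv4_tcp(pkt)
        except ValueError:
            continue                 # not TCP: nothing for this analyser to decode
        sig = classify_flags(flags)
        if sig is not None:
            alerts.append((sig, src, dst, dport))
    return alerts


# Constructed traffic: one normal handshake, three scan probes, one UDP datagram.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "10.0.0.9", 40000, 22, SYN),
    build_packet("10.0.0.9", "10.0.0.5", 22, 40000, SYN | ACK),
    build_packet("10.0.0.5", "10.0.0.9", 40001, 80, SYN | FIN),
    build_packet("10.0.0.5", "10.0.0.9", 40002, 443, 0),
    build_packet("10.0.0.5", "10.0.0.9", 40003, 25, FIN | PSH | URG),
    build_packet("10.0.0.5", "10.0.0.9", 40004, 53, 0, proto=17),
]

if __name__ == "__main__":
    for alert in scan_alerts(SAMPLE_PACKETS):
        print(alert)
```

Because the decision is made on decoded header fields rather than on a byte pattern, padding or option bytes in the header do not change the result, which is the evasion resistance the slide attributes to protocol analysis.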
Anomaly detection

Statistical analysis methodology
- Create a profile database of normal behavior by analyzing a large amount of system data.
- Adaptively learn the normal-pattern database.
- Compare audit data from the system against the normal-behavior profile; if the comparison result exceeds the threshold, an attack event may have happened.
- Conventional statistical models: mean and standard deviation model; Markov model; time/session/connection sequence model.
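The mean and standard deviation model from the list above, as an added example that is not code from the talk. The audit records (per-user counts of commands, failed logins and kilobytes sent per hour) are constructed here; the 3-sigma threshold, the floor on the standard deviation and the exponentially weighted profile update are design choices of this example, not figures from the slides.

```python
"""Statistical anomaly detection with a per-subject mean/standard-deviation profile.

Added example, not code from the talk: builds a profile of normal behaviour from
constructed audit records, scores new records by z-score against it, and refines the
profile with records judged normal (the "adaptive learning" step).
"""
import math

THRESHOLD = 3.0   # flag a record when some feature is more than 3 standard deviations out
MIN_STD = 0.5     # floor so a feature that never varied in training does not flag every change
ALPHA = 0.1       # weight of a new normal observation when the profile is updated


def build_profile(training):
    """Build {(subject, feature): (mean, std)} from audit records judged normal.

    training: iterable of (subject, {feature: value}) pairs.
    """
    samples = {}
    for subject, feats in training:
        for name, value in feats.items():
            samples.setdefault((subject, name), []).append(float(value))
    profile = {}
    for key, xs in samples.items():
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        profile[key] = (mean, max(std, MIN_STD))
    return profile


def deviations(profile, subject, feats):
    """z-score of each feature against the subject's profile (None if unprofiled)."""
    out = {}
    for name, value in feats.items():
        stats = profile.get((subject, name))
        out[name] = None if stats is None else abs(float(value) - stats[0]) / stats[1]
    return out


def check(profile, subject, feats, threshold=THRESHOLD, adapt=True):
    """Classify one audit record.

    Returns (anomalous, worst_feature, z). A subject with no profile at all is
    reported as anomalous ("no profile") rather than silently accepted. Records
    judged normal update the profile with an exponentially weighted moving
    mean/variance when adapt=True, so the profile tracks slow drift in behaviour.
    """
    zs = {k: v for k, v in deviations(profile, subject, feats).items() if v is not None}
    if not zs:
        return True, "no profile", math.inf
    worst = max(zs, key=zs.get)
    if zs[worst] > threshold:
        return True, worst, zs[worst]
    if adapt:
        for name, value in feats.items():
            key = (subject, name)
            if key in profile:
                mean, std = profile[key]
                new_mean = (1 - ALPHA) * mean + ALPHA * float(value)
                new_var = (1 - ALPHA) * std ** 2 + ALPHA * (float(value) - new_mean) ** 2
                profile[key] = (new_mean, max(math.sqrt(new_var), MIN_STD))
    return False, worst, zs[worst]


# Constructed training data: ten hourly audit windows for one user judged normal.
TRAINING = [
    ("alice", {"commands": c, "failed_logins": f, "kbytes_out": k})
    for c, f, k in [(40, 0, 120), (45, 1, 150), (38, 0, 110), (50, 0, 160), (42, 1, 130),
                    (47, 0, 140), (41, 0, 125), (44, 1, 135), (39, 0, 115), (46, 0, 145)]
]

# Constructed records to classify: a normal hour, a password-guessing burst, a bulk transfer,
# and a user the profile has never seen.
OBSERVATIONS = [
    ("alice", {"commands": 44, "failed_logins": 0, "kbytes_out": 138}),
    ("alice", {"commands": 43, "failed_logins": 9, "kbytes_out": 130}),
    ("alice", {"commands": 45, "failed_logins": 0, "kbytes_out": 900}),
    ("mallory", {"commands": 5, "failed_logins": 0, "kbytes_out": 10}),
]


def run(observations=OBSERVATIONS):
    """Score every observation against a fresh profile; returns (subject, anomalous, worst, z) per record."""
    profile = build_profile(TRAINING)
    return [(s,) + check(profile, s, f) for s, f in observations]


if __name__ == "__main__":
    for subject, anomalous, worst, z in run():
        print(f"{subject:8} {'ANOMALY' if anomalous else 'normal':8} worst={worst} z={z:.1f}")
```

Only records judged normal feed the adaptive update; letting anomalous records into the profile is how an attacker slowly trains the detector to accept the attack, which is why the update is skipped on the anomalous branch.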
Method based on artificial neural networks
- Create a signature profile of the system by learning from a large number of samples in a training set.
- Predict the relationship between input data and output data.
- Compare the result with a threshold.

Data mining approaches for intrusion detection
The key idea is to use data mining techniques to discover consistent and useful patterns of system features that describe program and user behavior, and to use the set of relevant system features to compute (inductively learned) classifiers that can recognize anomalies and known intrusions.

Agent-based distributed intrusion detection framework
Artificial immune model for intrusion detection systems
Some terms from the natural immune system (NIS):
- T-cell, B-cell
- antigen, epitope, receptor
- antibody, paratope
- affinity
- immune recognition
- immune tolerance
- immune memory
- autoimmune response
- vaccine

Building blocks of the immune model:
- Self set (learned from the training set)
- Randomly generated detector set
- Negative selection algorithm (yields detectors for the nonself set)
- Anomaly detection
- Clonal selection algorithm
- Dynamic clonal selection algorithm
- Genetic algorithm based on immunity
- r-contiguous-bits match algorithm

[Figure: the LISYS model]
[Figure: Kim's conceptual model for intrusion detection]

My current research work
Topic: research on an immune model for intrusion detection systems
- Design an artificial immune model with a vaccine operator for network intrusion detection.
- Study the immune evolutionary algorithm of the detector population.
- Implement intrusion detection at the network, transport and application layers.
- Analyze the detection rate, false positive rate, detector coverage and detector holes in theory.
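The negative selection and r-contiguous-bits matching steps from the immune model above, together with the detection-rate, false-positive-rate and detector-hole analysis named in the research plan, as one added example that is not code from the talk or from LISYS. Patterns are 16-bit strings and the "normal" patterns are perturbations of three constructed templates; the string length, the r value and the template data are assumptions of this example, not parameters from the slides.

```python
"""Negative selection with r-contiguous-bits matching, plus detection-rate,
false-positive-rate and hole analysis on constructed data.

Added example, not code from the talk or from LISYS.
"""
import random

L = 16   # bits per pattern (assumed encoding of a connection feature vector)
R = 8    # r-contiguous threshold: two strings match if they agree on R consecutive bits


def r_contiguous_match(a, b, r=R):
    """True if a and b agree on at least r consecutive bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def negative_selection(self_set, candidates, r=R):
    """Censor candidate detectors: keep only those matching no self pattern."""
    return [d for d in candidates if not any(r_contiguous_match(d, s, r) for s in self_set)]


def detects(detectors, pattern, r=R):
    """A pattern is classified nonself when any mature detector matches it."""
    return any(r_contiguous_match(d, pattern, r) for d in detectors)


def evaluate(detectors, self_test, nonself_test, r=R):
    """Detection rate = caught nonself / all nonself; false positive rate = flagged self / all self."""
    tp = sum(detects(detectors, p, r) for p in nonself_test)
    fp = sum(detects(detectors, p, r) for p in self_test)
    return tp / len(nonself_test), fp / len(self_test)


def is_hole(pattern, self_set, r=R):
    """True if every r-window of the pattern occurs at the same offset in some self pattern.

    Any detector matching such a pattern would also match self and be censored, so
    negative selection can never produce a detector that covers it: a 'hole'.
    """
    for i in range(len(pattern) - r + 1):
        window = pattern[i:i + r]
        if not any(s[i:i + r] == window for s in self_set):
            return False
    return True


def random_bits(rng, n=L):
    return "".join(rng.choice("01") for _ in range(n))


def perturb(rng, template, flips):
    """Flip `flips` distinct bits of template (constructed 'normal' variation)."""
    bits = list(template)
    for i in rng.sample(range(len(bits)), flips):
        bits[i] = "1" if bits[i] == "0" else "0"
    return "".join(bits)


def build_demo(seed=7, n_candidates=3000):
    """Constructed data: self patterns are small perturbations of three templates;
    nonself test patterns are random strings not in self. Returns
    (self_train, self_test, nonself_test, detectors)."""
    rng = random.Random(seed)
    templates = ["0000111100001111", "1100110011001100", "0101010111110000"]
    self_train = [perturb(rng, rng.choice(templates), rng.randint(0, 2)) for _ in range(40)]
    self_test = [perturb(rng, rng.choice(templates), rng.randint(0, 2)) for _ in range(40)]
    self_all = set(self_train) | set(self_test)
    nonself_test = []
    while len(nonself_test) < 200:
        p = random_bits(rng)
        if p not in self_all:
            nonself_test.append(p)
    detectors = negative_selection(self_train, [random_bits(rng) for _ in range(n_candidates)])
    return self_train, self_test, nonself_test, detectors


if __name__ == "__main__":
    self_train, self_test, nonself_test, detectors = build_demo()
    dr, fpr = evaluate(detectors, self_test, nonself_test)
    holes = sum(is_hole(p, self_train) for p in nonself_test)
    print(f"{len(detectors)} detectors survived negative selection")
    print(f"detection rate on held-out nonself: {dr:.3f}")
    print(f"false positive rate on held-out self: {fpr:.3f}")
    print(f"nonself test patterns that are holes: {holes}")
```

The false positive rate is measured on held-out self patterns, not on the training set: against the training set it is zero by construction, so the held-out figure is the only one that says anything about how well the detectors generalize.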
References
1. /tip/1,289483,sid1-gci851241,00.html?from Taxonomy=%2fpr%2f5e3, 2004.
2. CERT/CC Statistics 1998-2002. /stats/, 2003.
3. 康勇建, 姚京松, 林鵬. "A dynamically adaptive security system for bank computer networks based on the P2DR model". China Financial Computer (中國(guó)金融電腦), 2001, No. 2.
4. IDC market research report on network security products. Information Security and Communications Privacy (信息安全與通信保密), December 2001, No. 12 (cumulative No. 12): 66-67.
5. Richard Lippmann, Joshua W. Haines. "The 1999 DARPA Off-Line Intrusion Detection Evaluation". Computer Networks, 34(4), pp. 579-595, 2000.
6. Third Edition of the Intrusion Detection System. http://www.nss.co.uk/ids/edition3/index.html
7. Stephanie Forrest, Steven A. Hofmeyr. "John Holland's Invisible Hand: An Artificial Immune System". 2000.
8. Steven A. Hofmeyr. "An Interpretative Introduction to the Immune System". In: Design Principles for the Immune System and other Distributed Autonomous Systems, I. Cohen and L. Segel (Eds.), Oxford University Press, 2000.
9. J. P. Anderson. "Computer security threat monitoring and surveillance". Technical report, James P. Anderson Company, Fort Washington, Pennsylvania, April 1980.
10. Dorothy E. Denning. "An Intrusion Detection Model". IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, pp. 222-232, February 1987.
11. Henry S. Teng, Kaihu Chen, Stephen C-Y Lu. "Adaptive Real-time Anomaly Detection Using Inductively Generated Sequential Patterns". Proceedings of the 1990 IEEE Symposium on Security and Privacy, 1990.
12. S. Staniford-Chen. "Common intrusion detection framework". http:/cidf, 1998.
13. Nicholas J. Puketza, Kui Zhang, Mandy Chung, Biswanath Mukherjee, Ronald A. Olsson. "A Methodology for Testing Intrusion Detection Systems". IEEE Transactions on Software Engineering, Vol. 22, No. 10, pp. 719-729, 1996.
14. Kristopher Kendall. "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems". Master's thesis, MIT, 1999.
15. Ulf Lindqvist, Phillip A. Porras. "Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST)". IEEE Symposium on Security and Privacy, pp. 146-166, 1999.
16. Eugene H. Spafford, Diego Zamboni. "Intrusion Detection Using Autonomous Agents". Computer Networks, 34 (2000), pp. 547-570.
17. Wenke Lee, Salvatore J. Stolfo, Kui W. Mok. "A Data Mining Framework for Building Intrusion Detection Models". IEEE Symposium on Security and Privacy, pp. 120-132, 1999.
18. S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle. "GrIDS: A Graph Based Intrusion Detection System for Large Networks". Proceedings of the 20th National Information Systems Security Conference, Vol. 1, pp. 361-370, October 1996.
19. Anup K. Ghosh, Aaron Schwartzbard. "A Study in Using Neural Networks for Anomaly and Misuse Detection". Proceedings of the 8th USENIX Security Symposium, Washington, D.C., USA, August 23-26, 1999.
20. Tim Bass. "Multisensor Data Fusion for Next Generation Distributed Intrusion Detection Systems". 1999 IRIS National Symposium, 1999.
21. 馬恒太, 蔣建春, 陳偉鋒, 卿斯漢. "An agent-based distributed intrusion detection system model". Journal of Software (軟件學(xué)報(bào)), Vol. 11, pp. 1312-1319, 2000.
22. 蔣建春, 馬恒太, 任黨恩, 卿斯漢. "Network security intrusion detection: a survey". Journal of Software (軟件學(xué)報(bào)), Vol. 11, pp. 1460-1465, 2000.
23. 陳光英, 張千里, 李星. "An intrusion detection system based on SVM classifiers". Journal on Communications (通信學(xué)報(bào)), Vol. 23, No. 5, 2002.
24. 夏春和, 張欣. "Research on network intrusion detection systems". Journal of System Simulation (系統(tǒng)仿真學(xué)報(bào)), Vol. 12, No. 4, pp. 375-399, 2000.
25. 李鴻培, 王新梅. "An intrusion detection system model based on neural networks". Journal of Xidian University (西安電子科技大學(xué)學(xué)報(bào)), Vol. 26, No. 5, 1999.
26. 李鴻培. "Research on several key problems in intrusion detection". Ph.D. dissertation, Xidian University (西安電子科技大學(xué)), 2001.
27. 李信滿, 趙大哲, 趙宏, 劉積仁. "Research on an application-based high-speed network intrusion detection system". Journal on Communications (通信學(xué)報(bào)), Vol. 23, No. 9, pp. 1-7, 2002.
28. 李之棠, 楊紅云. "A fuzzy intrusion detection model". Computer Engineering and Science (計(jì)算機(jī)工程與科學(xué)), Vol. 22, No. 2, pp. 49-53, 2000.
29. 李之棠, 李家春. "Application of fuzzy neural networks to intrusion detection". Journal of Chinese Computer Systems (小型微型計(jì)算機(jī)系統(tǒng)), Vol. 23, No. 10, pp. 1235-1238, 2002.
30. S. Forrest, A. S. Perelson, L. Allen, R. Cherukuri. "Self-nonself discrimination in a computer". Proceedings of the IEEE Symposium on Research in Security and Privacy, 1994.
31. J. E. Hunt, D. E. Cooke. "An Adaptive and Distributed Learning System based on the Immune System". Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, pp. 2494-2499, 1995.
32. L. C. Jiao, L. Wang. "A novel genetic algorithm based on immunity". IEEE Transactions on Systems, Man and Cybernetics, 30(5), pp. 552-561, 2000.
33. 張軍, 劉克勝, 王煦法. "A BP network design based on an immune regulation algorithm". Journal of Anhui University (Natural Science Edition) (安徽大學(xué)學(xué)報(bào)(自然科學(xué)版)), 1999, 23(1): 63-66.
34. 張軍, 劉克勝, 王煦法. "A neural network optimization design method based on immune regulation and symbiotic evolution". Journal of Computer Research and Development (計(jì)算機(jī)研究與發(fā)展), 2000, 37(8): 924-930.
35. S. Forrest, S. A. Hofmeyr, A. Somayaji. "Computer immunology". Communications of the ACM, 40(10), pp. 88-96, 1997.
36. L. C. Jiao, L. Wang. "A novel genetic algorithm based on immunity". IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, 30(5), pp. 552-561, 2000.
37. J. Kim, P. Bentley. "Immune Memory in the Dynamic Clonal Selection Algorithm". Proceedings of the 1st International Conference on Artificial Immune Systems, Canterbury, UK, pp. 57-65, 2002.
38. A. Tarakanov, D. Dasgupta. "A formal model of an artificial immune system". BioSystems, 55, pp. 151-158, 2000.
39. A. O. Tarakanov. "Towards immunocomputing". http://solvayins.ulb.ac.be/fixed/immune/Demosoft.html, 2004.
40. J. Timmis, M. Neal. "A resource limited artificial immune system for data analysis". Knowledge Based Systems, 14(3-4), pp. 121-130, 2001.
41. L. Nunes de Castro, F. J. Von Zuben. "An evolutionary immune network for data clustering". Proceedings of the Sixth Brazilian Symposium on Neural Networks, pp. 84-89, 2000.
42. Stephanie Forrest, Alan S. Perelson, Lawrence Allen. "Self-Nonself Discrimination in a Computer". Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, Los Alamos, CA, 1994.
43. Stephanie Forrest, Thomas A. Longstaff, Steven A. Hofmeyr. "A Sense of Self for Unix Processes". Proceedings of the 1996 IEEE Symposium on Security and Privacy, 1996.
44. Steven Andrew Hofmeyr. "An Immunological Model of Distributed Detection and its Application to Computer Security". Ph.D. dissertation, University of New Mexico, 1999.
45. Paul D. Williams, Kevin P. Anchor, John L. Bebo, Gregg H. Gunsch, Gary B. Lamont. "CDIS: Towards a Computer Immune System for Detecting Network Intrusions". Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), Davis, CA, USA, October 10-12, 2001.
46. J. Kim, P. Bentley. "The Human Immune System and Network Intrusion Detection". 7th European Congress on Intelligent Techniques and Soft Computing (EUFIT '99), Aachen, Germany, September 13-19, 1999.
47. J. Kim, P. Bentley. "The Artificial Immune Model for Network Intrusion Detection". 7th European Congress on Intelligent Techniques and Soft Computing (EUFIT '99), Aachen, Germany, September 13-19, 1999.
48. J. Kim, P. J. Bentley. "Negative Selection and Niching by an Artificial Immune System for Network Intrusion Detection". Genetic and Evolutionary Computation Conference (GECCO '99), Orlando, Florida, July 13-17, 1999, pp. 149-158.
49. Jungwon Kim, Peter J. Bentley. "An Evaluation of Negative Selection in an Artificial Immune System for Network Intrusion Detection". Genetic and Evolutionary Computation Conference (GECCO-2001), San Francisco, July 7-11, 2001, pp. 1330-1337.
50. Jungwon Kim, Peter J. Bentley. "Towards an artificial immune system for network intrusion detection: an investigation of clonal selection with a negative selection operator". Congress on Evolutionary Computation.