COMPSCI 726 Sumeet Outside the Closed World: On Using Machine Learning for Network Intrusion...
COMPSCI 726
Sumeet
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
Robin Sommer and Vern Paxson
2
Background
What is an Intrusion Detection System?
What is Machine Learning?
Misuse Detection vs. Anomaly Detection
1. http://www.cisco.com/c/en/us/products/security/firepower-8000-series-appliances/index.html
2. http://googleblog.blogspot.co.nz/2012/06/using-large-scale-brain-simulations-for.html
3
Agenda
Introduction
5 Intrusion Detection Domain Specific Problems
Recommendations by the Authors
Critical Points
Summary
4
Introduction
Core idea
General lack of (machine-learning-based) IDS in production
  Misuse detection
  Anomaly detection
Premise: machine learning – similarity
Anomaly detection – novelty
Mind set
5
Domain Specific Problems
Outlier detection – vs. classification
High cost of errors – vs. recommender systems, OCR, spam
Semantic gap – actionable reports vs. reports of abnormal behaviour
Anomaly features
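The "high cost of errors" point rests on base rates: an anomaly detector with the same accuracy as a spam filter produces mostly false alarms when real attacks are rare. The following is an added illustration, not code from the slides or from the Sommer and Paxson paper; the detector rates, prevalences and daily event counts are constructed for the comparison.

```python
from typing import Dict, Tuple


def alert_precision(tpr: float, fpr: float, prevalence: float) -> float:
    """P(attack | alert) by Bayes' rule: the share of raised alerts that are real attacks."""
    true_alerts = tpr * prevalence
    false_alerts = fpr * (1.0 - prevalence)
    return true_alerts / (true_alerts + false_alerts)


def required_fpr(tpr: float, prevalence: float, target_precision: float) -> float:
    """Largest false-positive rate that still reaches target_precision (inverse of the above)."""
    return (tpr * prevalence * (1.0 - target_precision)) / (target_precision * (1.0 - prevalence))


def daily_alerts(tpr: float, fpr: float, prevalence: float, events_per_day: int) -> Tuple[float, float]:
    """Expected (true, false) alert counts an analyst would have to triage per day."""
    true_n = events_per_day * prevalence * tpr
    false_n = events_per_day * (1.0 - prevalence) * fpr
    return true_n, false_n


# Constructed scenarios: similar detector quality (90% detection rate), very different base rates.
SCENARIOS: Dict[str, dict] = {
    "spam filter (half of mail is spam)": dict(tpr=0.9, fpr=0.01, prevalence=0.5, events_per_day=1_000),
    "NIDS (1 attack per 100k connections)": dict(tpr=0.9, fpr=0.001, prevalence=1e-5, events_per_day=10_000_000),
}


def compare(scenarios: Dict[str, dict] = SCENARIOS) -> Dict[str, dict]:
    """Precision, daily alert load and the FPR needed for 50% precision, per scenario."""
    out = {}
    for name, s in scenarios.items():
        true_n, false_n = daily_alerts(**s)
        out[name] = {
            "precision": alert_precision(s["tpr"], s["fpr"], s["prevalence"]),
            "true_alerts_per_day": true_n,
            "false_alerts_per_day": false_n,
            "fpr_for_50pct_precision": required_fpr(s["tpr"], s["prevalence"], 0.5),
        }
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: precision={r['precision']:.2%}, alerts/day true={r['true_alerts_per_day']:.0f} "
              f"false={r['false_alerts_per_day']:.0f}, FPR for 50% precision={r['fpr_for_50pct_precision']:.1e}")
```

In the constructed NIDS scenario fewer than 1% of alerts are real attacks and an analyst faces about 10,000 false alarms a day; reaching even 50% precision would need a false-positive rate near 1e-5, which is why a result that looks strong in a spam-filter setting is not operationally relevant here.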
6
Domain Specific Problems (continued)
Diversity of network traffic – traffic types; establishing normality
Difficulties with evaluation – data difficulties; DARPA 1998, 1999; mind the gap; operationally relevant
Adversarial setting – evasion
7
Recommendations: Understanding the Threat Model
What kind of environment does the system target?
What does a missed attack cost?
What skills and resources will the attackers have?
What concerns does evasion pose?
Keeping the scope narrow – machine learning selection
Reducing the cost – reduce the system's scope; traffic aggregation; post-processing
8
Recommendations: Evaluation
Working with data – honeypots; send experiments to data sources; sub-dividing the dataset for testing
Understanding results – understand their origins; relate input and output at a low level; inject a set of attacks; feedback from operators
9
Criticism: author recommendations vs. proof that the suggestions work
No experiments or results
“The intrusion detection community does not benefit any further from yet another study measuring the performance of some previously untried combination of a machine learning scheme with a particular feature set, applied to something like the DARPA dataset”
10
Summary
Imbalance between the amount of research on machine-learning-based anomaly detection and its deployments in production
Intrusion Detection Domain has specific problems
Deep Insight
Initiate discussion
11
Questions?
The End