Embeddable Hybrid Intrusion Detection System (HybrIDS)
Adrian P. Lauf, William H. Robinson, Vanderbilt University Institute for Software Integrated Systems
Richard A. Peters, Vanderbilt University Center for Intelligent Systems
March 20, 2007
Project Description
              Action 1   Action n-1   Action n
Aircraft 1        1          30          25
Aircraft 2        2          32          20
Aircraft 3        1          50          22
Aircraft 4       12           2          80
• Security scenario: a network of aircraft shares position and mission information
  • A deviant node exists
  • The deviant node behaves differently
  • Connected aircraft record activities
  • Each node is fitted with an embedded IDS
• Method: develop a hybridized system to provide high-level analysis of interactions in a homogeneous device network
  • An activity profile is established
  • Machine learning techniques are used to build node profiles
  • Profiles are analyzed by the IDS engine
  • First phase provides fast, single-anomaly detection
  • Second phase requires tuning, detects multiple anomalies
Abstraction Levels
Implemented
• Phase 1
  • Interactions are represented by classifiers (abstracted integer labels)
  • Probability density function is computed
  • Maxima analysis begins
    • Global max excluded
    • Local maxima identified
    • Highest maximum to cross threshold likely represents deviance
    • Deviant node isolated by reverse-mapping
[Figure: timeline showing Phase 1 followed by Phase 2 along a "Time Progression" axis]
Maxima Detection (MDS)
• Step 1: MDS runs, possibly detects single deviant node
• Step 2: Transition phase starts CCIDS
• Step 3: Thresholds tuned until CCIDS agrees with MDS
• Step 4: CCIDS now tuned properly, detects multiple deviant nodes

HybrIDS Performance
• System can reliably detect deviant nodes up to 22% deviant node pervasion
• System performance is scalable according to deviant node pervasion
• Size of node cluster has no effective impact on scalability, ensured by computational management methods
• Operates on a 5-watt footprint (maximum)
• Requires 700K of memory, not including JVM
Cross-Correlative IDS (CCIDS)
• Phase 2
• Cross-correlation analysis
  • Individual PDFs correlated against average PDF
  • Individual scores analyzed against average score
  • Average score computed from space of all cross-correlated scores
• Threshold requirements
  • A threshold is required to suspect a score as deviant
  • Threshold requirement changes according to deviant node pervasion (percentage of deviant nodes in collective)
  • Improper threshold yields false positives
  • Threshold is application-sensitive
  • Must be set prior to IDS run (if CCIDS used alone)
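The two detection phases and the tuning hand-off between them (Phase 1 maxima detection, Steps 1 to 4, and the Phase 2 cross-correlation analysis above), worked as an added Python example; this is not the poster's or the Vanderbilt project's code. It assumes a classifier alphabet of integer labels 1..8, that "cross-correlation" of a node's PDF against the average PDF is taken at zero lag and normalised, that a node is suspect when its score falls more than the threshold below the mean score, and that "tuning until CCIDS agrees with MDS" means sweeping the threshold and keeping the midpoint of the range over which CCIDS's suspect set equals MDS's single verdict. The activity windows are constructed: ten aircraft with one deviant node (10% pervasion) in the first window and two (20%) in the second, both under the 22% figure the poster reports.

```python
"""Toy reconstruction of the HybrIDS pipeline: Phase 1 Maxima Detection (MDS),
Phase 2 Cross-Correlative IDS (CCIDS) and the threshold-tuning hand-off.
Added example, not the Vanderbilt project's code; the constants and the
detection/tuning rules below are assumptions, and all activity data is constructed."""
import math
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

LABELS = list(range(1, 9))          # assumed classifier alphabet: integer labels 1..8
Window = Dict[str, List[int]]       # node name -> recorded interaction labels

# Constructed activity windows: ten aircraft, two benign behaviour patterns and a
# deviant pattern dominated by one rare label.
BENIGN_A = [1, 1, 2, 1, 2, 1, 1, 2, 1, 1]
BENIGN_B = [2, 1, 1, 2, 1, 2, 1, 1, 2, 1]

def deviant(label: int) -> List[int]:
    return [label, label, 1, label, label, 2] + [label] * 4

WINDOW_1: Window = {f"aircraft_{i}": (BENIGN_A if i % 2 else BENIGN_B) for i in range(1, 11)}
WINDOW_1["aircraft_4"] = deviant(7)             # 1 of 10 nodes deviant (10% pervasion)
WINDOW_2: Window = dict(WINDOW_1)
WINDOW_2["aircraft_2"] = deviant(5)             # 2 of 10 nodes deviant (20% pervasion)

def pdf(actions: List[int]) -> List[float]:
    """Empirical probability density over the classifier alphabet."""
    counts = Counter(actions)
    return [counts[label] / len(actions) for label in LABELS]

def local_maxima(p: List[float]) -> List[int]:
    """Indices whose value is strictly above both neighbours (edges use one neighbour)."""
    out = []
    for i, v in enumerate(p):
        left = p[i - 1] if i > 0 else -1.0
        right = p[i + 1] if i + 1 < len(p) else -1.0
        if v > left and v > right:
            out.append(i)
    return out

# ---- Phase 1: Maxima Detection (MDS), single-anomaly -------------------------
def mds_detect(window: Window, threshold: float) -> Optional[Tuple[int, str]]:
    """Pool all labels, exclude the global maximum of the PDF, take the highest
    remaining local maximum that crosses `threshold`, and reverse-map its label
    to the node that produced it most often."""
    p = pdf([a for actions in window.values() for a in actions])
    global_max = max(range(len(p)), key=p.__getitem__)
    candidates = [i for i in local_maxima(p) if i != global_max and p[i] > threshold]
    if not candidates:
        return None
    best = max(candidates, key=lambda i: (p[i], -i))     # ties -> lowest label
    label = LABELS[best]
    node = max(window, key=lambda n: window[n].count(label))
    return label, node

# ---- Phase 2: Cross-Correlative IDS (CCIDS), multiple anomalies --------------
def xcorr(p: List[float], q: List[float]) -> float:
    """Normalised cross-correlation at zero lag (assumed scoring rule)."""
    num = sum(a * b for a, b in zip(p, q))
    den = math.sqrt(sum(a * a for a in p)) * math.sqrt(sum(b * b for b in q))
    return num / den if den else 0.0

def ccids_scores(window: Window) -> Dict[str, float]:
    """Each node's PDF correlated against the average PDF of the collective."""
    pdfs = {n: pdf(a) for n, a in window.items()}
    avg = [sum(p[i] for p in pdfs.values()) / len(pdfs) for i in range(len(LABELS))]
    return {n: xcorr(p, avg) for n, p in pdfs.items()}

def ccids_detect(window: Window, threshold: float) -> Set[str]:
    """A node is suspect when its score is more than `threshold` below the mean score."""
    scores = ccids_scores(window)
    mean = sum(scores.values()) / len(scores)
    return {n for n, s in scores.items() if s < mean - threshold}

# ---- Steps 2-3: transition and tuning ----------------------------------------
def tune_threshold(window: Window, mds_node: str, step: float = 0.05) -> Optional[float]:
    """Sweep the threshold from loose (1.0) to tight (0.0); keep every value at
    which CCIDS's suspect set equals MDS's single verdict and return the midpoint
    of that agreement range (assumed tuning rule)."""
    grid = (round(1.0 - k * step, 4) for k in range(int(round(1 / step)) + 1))
    agreeing = [t for t in grid if ccids_detect(window, t) == {mds_node}]
    return (max(agreeing) + min(agreeing)) / 2 if agreeing else None

def hybrids(window_1: Window, window_2: Window, mds_threshold: float = 0.05):
    """Steps 1-4 end to end: the MDS verdict on the first window tunes CCIDS,
    which then runs on the next window and may report several deviant nodes."""
    verdict = mds_detect(window_1, mds_threshold)
    if verdict is None:
        return None
    tuned = tune_threshold(window_1, verdict[1])
    if tuned is None:
        return None
    return tuned, ccids_detect(window_2, tuned)

if __name__ == "__main__":
    print("MDS, window 1:", mds_detect(WINDOW_1, 0.05))
    print("MDS, window 2:", mds_detect(WINDOW_2, 0.05))   # still a single node
    print("HybrIDS:", hybrids(WINDOW_1, WINDOW_2))
```

On the first window MDS isolates `aircraft_4` from the rare label 7, and the tuning sweep settles on a CCIDS threshold of about 0.30. On the second window MDS still names only one node, while the tuned CCIDS flags both `aircraft_2` and `aircraft_4`, which is the single-anomaly versus multiple-anomaly split the poster describes. Because the mean score itself drops as more nodes deviate, a threshold tuned at one pervasion level stops working at a much higher one; that is the threshold-sensitivity the poster attributes to deviant node pervasion.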
[Figure: CCIDS threshold bounds; score plotted against node number, with the mean score line and the suspect node marked]